


Academic year: 2017





Topology of Network Forensic with New Payload Attribution Method

Irwan Sembiring (1), Ahmad Ashari (2)


Internet crime is increasing rapidly and its impact affects many sectors. A different approach is needed for the authorities to prove this kind of crime and find its perpetrators. Besides conventional investigation, evidentiary support, such as proving the crime technically on the computer network, is needed, so that it can serve as a clue to uncover the crime and who is responsible for it. One technique for proving Internet crime is network forensics. The common method in the verification process is the syslog protocol, in which the log files of network traffic are recorded and analyzed. The topologies used are also standard ones, meaning there is no specific tool to support the forensic process. Cunning attackers often make the proof complicated; the current trend in attacks is to remove traces or log files after a defacement. This paper presents a new payload attribution method. The outcome demonstrates that disclosing an Internet crime case no longer takes a long time, but only days or even hours, and requires less storage.

Keywords: network forensic, new payload attribution, SynApp, cyber crime


Internet crime complaints rose to 303,809 in 2010, the second-largest number in the last 10 years [1]. In Uganda, for example, where Internet use can be categorized as electronic mail (48%), research (38%), entertainment (7%), business (6%) and others (1%), 92% of Internet users have become victims of Internet crime, with the most common


network forensic process using new payload attribution method.


Network forensic

Network forensics is the process of capturing, recording and analyzing every event on the network in order to find the source of security attacks or other incidents [4]. In other words, network forensics is the investigation process for obtaining more complete evidence, so that the perpetrators can be taken to court. The network forensic modules needed include [9]:

1. Where information can be found, what format it is in, and how it can be used.

2. Tools that can be used for network forensics.

3. Means of host identification (IP address, DNS, MAC, etc.) on the Internet.

4. URLs (obfuscation, variables, etc.).

5. Web pages (saving, scraping, directory structures, header information, etc.).

6. Web browsers (where content is stored and how it can be used).

7. Using metadata in documents to determine the source.

8. Email.

9. Techniques for using Internet resources to discover additional information.

10. How messages are transported across the network (standard protocols, what a packet looks like at various locations, where information is maintained, and anonymization techniques such as onion routing).

The parameters that can be investigated as indications, or even presented as evidence, are listed in the following table:

Table 1. Parameters of Digital Forensics [5]

From Table 1, the potential evidence that can serve as clues or proof can be seen in four elements, namely:

a. Link: the protocol layer governing the transfer of data packets down to the physical layer of the network; potential evidence is obtained from the protocol layers and the packets themselves. The synopsis data recorded at the end of this phase are the connection records, header dump and NeoFlow.

b. Link content: the appearance or payload of a data type such as audio, video, text files and the applications that use this content; the concise information to be used is captured from NeoFlow, HBF and the packet dump.

c. Mappings: important for finding historical service information or mapped protocols, such as MAC to IP at OSI layers 2 and 3, DNS name to IP in the domain name service, virtual hosts to IP and AS name to IP. The overall summary of this mapping information is captured in the MAC, DNS, BGP and HTTP records.


Portable Network Forensic Evidence Collector

The device offers several modes of operation for different live network evidence collection scenarios involving single network nodes. This includes the use of promiscuous packet capturing to enhance evidence collection from remote network sources, such as websites or other remote services. It operates at the link layer, allowing the device to be transparently inserted inline between a network node and the rest of a network. It is simple to deploy, requiring no reconfiguration of the node or the surrounding network infrastructure. The device can be preconfigured in the forensics lab and its deployment delegated to staff not specifically trained in forensics. Details of the architecture, construction and operation are described in [10].

Packet Attribution System

A Packet Attribution System (PAS) identifies the source or destination of all packets on the network from a summary (synopsis) of their payload [3]. A PAS can provide clues to detect and trace the spread of worms, phishing emails and other Internet crimes. This is different from a data log that captures all traffic: because of the growing volume of traffic it is impossible to store everything and analyze it on demand. The proper choice of filtering technique is very important to ensure that the results are valid. Filtering techniques already applied include Bloom filters, Rabin fingerprinting and winnowing. A Bloom filter reduces the size of the digest produced for each block of payload, so that the synopsis becomes smaller and more efficient.

Rabin fingerprinting ensures integrity with checksums; winnowing detects partial or complete duplication of documents. A PAS itself has two tasks: payload processing and query processing. Payload processing works on all traffic passing through the network where the PAS is deployed; the synopsis is made, tested and stored in permanent storage. Raw packet data stored in the unit can also be filtered by specific protocol types, such as HTTP traffic. The data in the storage medium are organised by two timestamps, the start and end time of each interval during data collection, and for each interval the flowIDs (e.g. source and destination IP address) are also saved. Query processing takes an excerpt at a certain interval and retrieves the matching unit from the storage medium. An important step after the evidence is collected is testing whether it is digitally genuine, in the sense that its form, size and content have not changed during the forensic process. A Bayesian network is one method used to prove and test the evidence during the forensic process, so that no modification of the proving process goes unnoticed.
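As an added illustration (not code from the paper or from the ForNet/SynApp tools), the following Python sketches the payload processing and query processing described above: payloads are cut into content-defined blocks by winnowing over fingerprints (crc32 stands in for a Rabin fingerprint), block digests go into one Bloom filter per time interval alongside the flowIDs seen, and a query attributes an excerpt to (interval, flowID) pairs. The filter size, the 8-byte shingle and 16-fingerprint window, the flow and interval identifiers and the sample packets are all constructed for this example.

```python
import hashlib
import zlib

class BloomFilter:
    """m-bit array with k indices from one SHA-256: false positives possible, never false negatives."""
    def __init__(self, m_bits=65536, k=4):
        self.m, self.k, self.bits = m_bits, k, bytearray((m_bits + 7) // 8)
    def _positions(self, item):
        d = hashlib.sha256(item).digest()
        return [int.from_bytes(d[4 * i:4 * i + 4], "big") % self.m for i in range(self.k)]
    def add(self, item):
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)
    def __contains__(self, item):
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))

def winnow_blocks(payload, shingle=8, window=16):
    """Winnowing: fingerprint every shingle-byte substring (crc32 stands in for a Rabin fingerprint),
    select the minimum of each run of `window` fingerprints and cut there. Cuts depend only on nearby
    bytes, so an excerpt taken at any offset reproduces the payload's interior blocks."""
    fps = [zlib.crc32(payload[i:i + shingle]) for i in range(len(payload) - shingle + 1)]
    cuts = {min(range(j, j + window), key=lambda i: (fps[i], -i)) for j in range(len(fps) - window + 1)}
    edges = [0] + sorted(c for c in cuts if c) + [len(payload)]
    return [(a, payload[a:b]) for a, b in zip(edges, edges[1:])]   # (offset, block) pairs

class PayloadAttributionSystem:
    """Payload processing: per interval, one Bloom filter of block digests plus the flowIDs seen;
    query processing: which (interval, flowID) pairs carried a given excerpt."""
    def __init__(self, packets=(), shingle=8, window=16):
        self.shingle, self.window, self.intervals = shingle, window, {}
        for interval_id, flow_id, payload in packets:
            self.process_packet(interval_id, flow_id, payload)
    def process_packet(self, interval_id, flow_id, payload):
        bf, flows = self.intervals.setdefault(interval_id, (BloomFilter(), set()))
        flows.add(flow_id)
        for _, block in winnow_blocks(payload, self.shingle, self.window):
            bf.add(block)                             # block seen in this interval
            bf.add(block + b"|" + flow_id.encode())   # block seen in this flow
    def query(self, excerpt):
        lo, hi = self.window - 1, len(excerpt) - self.shingle + 1 - self.window  # reliable cut range
        blocks = [blk for off, blk in winnow_blocks(excerpt, self.shingle, self.window)
                  if lo <= off and off + len(blk) <= hi]   # drop blocks touching the excerpt's own ends
        return [(iid, f) for iid, (bf, flows) in sorted(self.intervals.items())
                if blocks and all(b in bf for b in blocks)
                for f in sorted(flows) if all(b + b"|" + f.encode() in bf for b in blocks)]

# Constructed sample traffic (interval, flowID, payload), not a real capture
SAMPLE = [(1, "10.0.0.5->203.0.113.9", b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
           b"User-Agent: demo-client/1.0\r\nAccept: text/html\r\nCookie: session=constructed-0001\r\n\r\n"),
          (2, "10.0.0.7->198.51.100.2", b"EHLO mail.example.org\r\nMAIL FROM:<alice@example.org>\r\n"
           b"RCPT TO:<bob@example.net>\r\nDATA\r\nSubject: weekly report\r\n\r\nfigures attached\r\n.\r\n")]
```

An excerpt shorter than about shingle + 4 * window bytes yields no reliable interior block and is reported as not found; very short or common blocks also raise the false-positive rate, which is why Ponec et al. combine consecutive blocks in their methods.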




Domain Forensic


In Figure 1, the architecture of the forensic process consists of four routers that represent four network IDs. The function of a router is to connect two or more networks and carry data from one network to another [6]. By default a router runs routing protocols and performs packet forwarding so that data packets reach their destination. In the network forensics process the router also records network traffic, which is then filtered by the SynApp tool, stored in a buffer and sent to the server for permanent storage. Two synchronized forensic servers are used in this research to analyze the data captured by SynApp at each router.

Figure 2. Result of capturing traffic.

In Figure 2, the traffic data are filtered by the SynApp device and routed to be placed permanently in the forensic server. The traffic capture was carried out in the Faculty of Information Technology laboratory, Satya Wacana Christian University.


Based on the concept of payload attribution, the contribution of this paper is to design a network topology with several additional components, so that the network forensics process can follow the rules of the forensic process to obtain evidence while preserving four important properties of network security: confidentiality, authentication, integrity and non-repudiation.

1. SynApp

SynApp is the component whose main functions are to make a synopsis of the network traffic, to control the limits of a query process, and to serve as temporary storage. The devices on which it can run are a router or a host.

Figure 3. Network Forensic Log Architecture

The capture performed on the network data stream is then filtered by the payload attribution system. The filtered results are stored in the buffer manager and next sent to and stored in the forensic server, as shown in Figure 3, which describes a SynApp process running on a router.

2. Server Forensic

Responsible for storing synopses, the query process, routing, monitoring, and the security policies specified for the domain.

3. ForNet Domain

A forensic domain is an area protected by a single domain and privacy policy.




[1] Internet Crime Complaint Center (IC3). 2010. http://www.ic3.gov/media/annual

[2] Tushabe, F. 2004. Computer Forensics for Cyberspace Crimes. Dissertation for the degree of Master of Science in Computer Science, Makerere

[3] Ponec, Miroslav, Paul Giura, Joel Wein, Herve Bronnimann. 2010. New Payload Attribution Methods for Network Forensic Investigations. ACM Transactions on Information and System Security, Vol. 13, No. 2, Article 15, February 2010.

[4] IT Security Incident Management and IT Forensics (IMF 2011) Proceedings. Reference & Research Book News, Aug. 2011. Gale Art and Engineering Lite Package. Web. 23 Sep. 2011.

[5] Shanmugasundaram, K. 2011. ForNet: A Distributed Forensic Network. http://isis.poly.edu/projects/fornet/

[6] Hauger, Michael, Michael Scharf, Jochen Kögel, Chawapong Suriyajan. 2010. Evaluation of Router Implementations for Explicit Congestion Control Schemes. Journal of Communications, Vol. 5, No. 3, March 2010.

[7] Schwittay, B. 2006. Towards Automating Analysis in Computer Forensics. Diploma Thesis in Computer Science, RWTH Aachen University.

[8] Kwan, Michael Y.K., K.P. Chow, Frank Y.W. Law, Pierre K.Y. Lai. 2007. Computer Forensics using Bayesian Network: A Case Study. HKU Tech Report, The University of Hong Kong.

[9] Dodge, Ronald C. Jr., Dave Cook. 2007. "Out of the Box" Forensics Labs. Proceedings of the 40th Annual Hawaii International Conference on System Sciences (HICSS'07), IEEE.


Figure 1. Topology of Network Forensic with Payload

