Professional Documents
Culture Documents
Ahmad Al-Qerem
Zarqa University/Department of Computer Science, Zarqa, 13132, Jordan
Email: ahmad_qerm@zu.edu.jo
Abstract—Nowadays, cyber crimes are increasing and such processes start right after the detection of the cyber
have affected large organizations with highly sensitive crime.
information. Consequently, the affected organizations Network forensic systems can be classified into two
spent more resources analyzing the cyber crimes rather approaches: proactive and reactive. Proactive network
than detecting and preventing these crimes. Network forensics is a new approach in live investigation that
forensics plays an important role in investigating cyber deals with the phases of network forensics during an
crimes; it helps organizations resolve cyber crimes as attack. In contrast, reactive network forensics is a
soon as possible without incurring a significant loss. This traditional approach that deals with cyber crime cases
paper proposes a new approach to analyze cyber crime after a period of time, which consumes a considerable
evidence. The proposed approach aims to use cyber crime amount of time during the investigation phase. As
evidence to reconstruct useful attack evidence. Moreover, reported by [4-7], proactive forensic approaches reduce
it helps investigators to resolve cyber crime efficiently. the time and cost of investigation by identifying potential
The results of the comparison of the proposed approach evidence and reducing the resources needed in the
prove that it is more efficient in terms of time and cost investigation phase. These approaches are utilized in the
compared with the generic and the modern process preliminary analysis of a cyber crime and help improve
approach for network forensics. and accelerate the decision making process.
This paper is proposed a new approach to resolve cyber
Index Terms—Cyber crime, network forensics, proactive crime for network forensics, the process of the proposed
approach, evidence investigation component. approach will be described in section 3. The approach
will be compared with the generic process model for
network forensics as mentioned in [8], which will be
I. INTRODUCTION described in section 4. The next section will present a
related work of network forensics approaches.
According to the Cyber Security Watch Survey [1],
cyber crime attacks incurred an average monetary loss of
$123,000 per organization in the USA in 2011. Ponemon
II. RELATED WORK
[2] reported that the annual cost of solving cyber crimes
is $5.9 million. The Ponemon’s study is based on a The first Digital Forensics Research Workshop
representative sample of 50 organizations in various (DFRWS) [3] defined the first network forensic reactive
industrial sectors in the USA. The cost incurred by cyber approach as a generic investigation framework that can
crimes per company ranges from $1.5 million to $36.5 be applied to network environments and to most
million each year. In reality, a strong relationship exists investigations. The framework includes six classes of
between the time required to resolve a cyber crime and tasks, i.e., identification, preservation, collection,
the cost. Based on a previous study [2, 25], cyber crimes examination, analysis, presentation, and decision making.
could become costly if they are not resolved quickly. Reith M. refined the DFRWS framework in 2002 and
Current investigation techniques are very costly and proposed a new model called Abstract Digital Forensics
time consuming because extensive effort is required to (ADF) [9]. This model consists of nine phases, i.e.,
analyze the overwhelming amount of evidence presented identification, preparation, approach strategy,
in each cyber crime case. In addition, gathering useful preservation, collection, examination, analysis,
evidence is difficult because most techniques utilize presentation, and returning evidence. The model creates a
active and reactive processes to analyze cyber crimes; standardized framework for network forensics.
Copyright © 2015 MECS I.J. Computer Network and Information Security, 2015, 2, 25-32
26 PNFEA: A Proposal Approach for Proactive Network Forensics Evidence Analysis to Resolve Cyber Crimes
The first general process model for network forensics ReDF includes six sub phases, which are incident
was proposed by [16]. The model includes six steps, i.e., response and confirmation, physical investigation, digital
capture, copy, transfer, analysis, investigation, and investigation, incident reconstruction, presentation of
presentation. A new framework called the step-by-step findings to the management or authorities, dissemination
framework was proposed by [17] to clarify the definition of the result of the investigation, and incident closure.
of network forensics. The framework studies previous ActDF includes four sub phases: incident response and
research to establish a step-by-step framework, which confirmation, ActDF investigation, event reconstruction,
groups all the existing processes in three stages, namely, and ActDF termination. The ProDF component defines
preparation, investigation, and presentation, which are and manages the processes and procedures of the
implemented as guidelines in network forensics. The comprehensive digital evidence. The same authors
guideline proposed by [18] based on existing frameworks proposed a theoretical framework [7] to guide the
to integrate forensic techniques into incident response implementation of proactive digital forensics and to
through a set of processes that contains four stages: ensure the forensic readiness of the evidence available for
collection, examination, analysis, and reporting. the investigation process. This framework helps
The generic process model for network forensic organizations reduce the cost of the investigation process
analysis proposed by [8] is based on various existing because it provides manageable components and live
digital forensic models. The framework, divides the analysis. The reactive and proactive digital forensic
phases into two groups. The first group relies on actual investigation process approaches were studied by [4] and
time and includes five phases: preparation, detection, generated the Systematic Literature Review (SLR). SLR
incident response, collection, and preservation. The four reports the gap and limitations of the digital forensic
phases in the second group act as post-investigation investigation process approaches. The researchers
phases, which include the examination, analysis, mentioned that from 2001 to 2010, 18 research studies
investigation, and presentation phase. that deal with digital forensic phases were conducted.
According to proactive network forensic concepts as One of these studies focused on the proactive digital
mentioned by [6, 21], the first five phases work forensic approach [6], and the others focused on the
proactively because they work during the occurrence of reactive approach. This fact indicates the need for more
the cyber crime. The other four phases of this model work focus on proactive forensics.
after the investigation phase and act as a reactive process. The oldest models that were proposed before 2009
Given that all the activities of network forensics are have disadvantages that the categories that may be
included in this model, the present research adopts the extremely general defined for practical use, which is
phases of this model as a baseline to show how the difficult for testing, and more cumbersome to use. The
analysis phase integrates with the other phases. modern process proposed by [8, 22, 23] conducted
Based on the fundamentals of proactive approach [6, through designing a generic process model for network
21], we conclude, that each phase in the first five phases forensic analysis based on various existing digital
requires a certain amount of time to accomplish its forensics models. The framework includes the following
processes. However, each phase works in real time; thus, phases: preparation, detection, incident response,
the phases require the same amount of time and collection, preservation, examination, analysis,
processing cost to accomplish their processes. Given that investigation, and presentation. In this paper, we
the other four phases work reactively, we assume that determine the phases of this model as a baseline phase for
they require more time and processing cost compared proposing a new approach in analyzing evidence in order
with the first five phases. The reason for this assumption to integrate the analysis phase with other phases.
is that reactive phases work after the cyber crime happens;
therefore, the required amount of time and cost increases
during the investigation process. III. PNFEA APPROACH
The study in [22] reviewed the existing frameworks
until 2007 to construct the mapping process between the This section presents a new approach called Proactive
phases of digital forensics frameworks. It summarizes the Network Forensics Evidence Analysis (PNFEA), which
mapping of processes into five appropriate phases as the extended from the proposed approach by [21]. The
following, preparation, collection and preservation, proposed approach by [21] is characterized as proactive
examination and analysis, presentation and reporting, and because it retrieves and preserves evidence before and
disseminating the case. The result of this study simplified after analyzing the cyber crime. The proposed approach
the overall processes of existing frameworks in order to includes five phases, i.e., preservation, capture,
identify the critical and important phases for any digital classification, analysis, and investigation. The PNFEA
forensics framework as the collection and preservation supports evidence analysis phase in network forensics.
phase, examination and analysis phase, and presentation The new approach contains a chain of components; each
and reporting phase. one includes a set of a process to conduct a useful data
The multi-component view of digital forensics was for analyzing phase. The process shows the attack
proposed by [6]. The view includes three components, i.e., intention and strategy analyzing, and present the methods
proactive digital forensics (ProDF), active digital and techniques used for this goal. The approach contains
forensics (ActDF), and reactive digital forensics (ReDF). predefined components such as a proactive network
Copyright © 2015 MECS I.J. Computer Network and Information Security, 2015, 2, 25-32
PNFEA: A Proposal Approach for Proactive Network Forensics Evidence Analysis to Resolve Cyber Crimes 27
forensics depository, which was ready with previous This paper applies PERT analysis as a stochastic
phases of the general network forensics model. method for handling uncertainties in time and cost
Furthermore, the approach presents the environments of planning. The PERT method used to calculate the
networks and devices, for capturing and monitoring the variation in cost and time needed to resolve the criminal
network traffic. case through the network forensics approach phases. This
The first component of the PNFEA is about attack research assumes that the criminal case passes to the all
intention will be presented. The second component is phases of the network forensics approach. The PERT
about attack strategy. Evidence analysis integrated estimates the critical path as an optimal solution to
through a set of components work together to improve the resolve the criminal case, which requires the most time to
quality of analysis phase outcome in network forensics. manipulate with the criminal case from the first phase to
The PNFEA approach contains six components, each one the final one. The evaluation of the analysis phase as an
divided into a set of the process. This approach aims to individual phase it doesn’t make any sense without other
present the integration and relationship between the phases. Hence, the PNFEA approach compared with the
analysis phase in one side with previous phases and the generic process model of network forensics, which
next phases of the general model of network forensics. In proposed by [8]. The reason for the choice the generic
general, previous phases are preparation, detection, process model that it is based on various existing digital
collection, preservation and examination of evidence, and forensics frameworks proposed till 2010. The generic
next phases are investigation and presentation phase. process model has a nine phases (preparation, detection,
Moreover, The PNFEA approach shows the relation incident response, collection, preservation, examination,
between the analysis phase with the incident response analysis, investigation and presentation) acts as a
activities. combined of reactive and proactive activities. The
The PNFEA distributed through a multi type of PNFEA approach has a five phases (preservation,
components as a predefined proactive network forensics capturing, classification, analysis and investigation) work
depository (component number 1); network capturing, proactively as described previously.
monitoring and network forensics analysis tools as a
manageable component to detect and collect cybercrime
evidence (component number 2); and an evidence V. EXPERIMENTAL RESULTS AND ANALYSIS
classification (component number 3). In addition, it has
The experiments used to evaluate the proposed
an attack intention analysis (component number 4) and
strategy analysis (component number 5). Moreover, approach depend on the backdoor and worm attacks as a
component number 6 presents the connectivity case study. However, each criminal case acts as an
individual problem needs to resolve using the network
relationship between analysis and investigation phases
forensics approach. The PERT method estimates the
through the incident response. Therefore, the retrieval of
similar incident response using Cased-based Reasoning critical path for resolving the criminal cases of backdoor
(CBR) approach. and worm attacks as individual criminal cases, which
manipulated through all phases of both PNFEA and
generic approaches. Moreover, each case will be
compared with a real statistical analysis data based on the
IV. COMPARISONS WITH GENERIC NETWORK FORENSICS
time and cost in each case as mentioned in [2]. The three
APPROACH
values estimation form used in PERT time and cost
The effectiveness of PNFEA approach is minimizing criminal case analysis. The three values present the best,
the time and the cost of the investigation process in expected and worst case scenarios either for time or cost
advance to improve the quality of decision-making. The estimation. The values combined to compute the expected
quality conducted when resolves the criminal case average value of time or cost to find the critical path of
through passing network forensics phases with a resolving the criminal case.
minimum time and low cost. The time and cost are The main assumption in this evaluation that the
management issues, which try to find an efficient path estimated time and cost values depends on the experience
that could be reduced the time and cost. In general, to and the judgment of the network forensics approach
identify this path the critical path method implemented, manger. This assumption built on the fundamental of the
which uses one time estimate to identify the duration of PERT three time estimations. Thus, the evaluation
each phase to accomplish its activity. The critical path is estimate the best case scenario of the time and cost that
a path which there phase activities accomplished without needed for each phase, and the other two estimations
any delay. The delay of any phase, activity will be computed depending on the best case value to increase
delayed the resolution of the criminal case. Accordingly, the reliability of the evaluation. Obviously, the estimated
the critical path used when the management level sure value of proactive activities will take less than of reactive
about the duration of each phase. The alternative way to activities value. To be more reliable, the same best case
identify the critical path is used Program Evaluation and scenario estimation values will assigned to proactive
Review Technique (PERT) method. The PERT used in a activities on both approaches.
more uncertain situation to identify the time and cost of
A. Time Estimations Analysis
resolving the criminal case.
Copyright © 2015 MECS I.J. Computer Network and Information Security, 2015, 2, 25-32
28 PNFEA: A Proposal Approach for Proactive Network Forensics Evidence Analysis to Resolve Cyber Crimes
The time needed to accomplish each phase activity of Table 1. Instance of Three Time Estimations and Variances for Generic
Approach Activities
network forensics depends on some of criteria such as the
network forensics infrastructure like hardware and
software. In addition, it depends on the human resource
and how they will be responding to the criminal case.
However, the three times estimate for each phase used to
compute the expected average time to accomplish
activities of each phase of the network forensics approach.
The first estimation time called the optimistic time, which
can define for each phase based on the PERT three time
estimation method, as the following:
Definition 1: Given a minimum time period called at,
which can be in microsecond, second … day, week, Table 2. Instance of Three Time Estimations and Variances for PNFEA
months to accomplish all the activities of one phase of the Approach Activities
network forensics approach (In this paper the time will be
measured in days).This time presents a best case scenario
for the duration of the phase that everything proceeded
better than expected.
The second estimated time is the most likely time value,
which called mt. It estimates the expected average time
period to accomplish one phase activities when it's
The frequency of occurrence the average expected time
requested. This value presents the expected average
(te) for each approach is close to the most likely
scenario. Accordingly, this value is greater than or equal
estimation time (mt), as shown in Fig. 1. That means to
to the optimistic time. So, in this evaluation the most
accomplish the activity phase it needs the average
likely time can be calculated using this formula:
expected time. Accordingly, the expected time presents
mt = (1+v) * at, where v ϵ ℝ and ≥ 0 (1) the approximately of the duration time for each phase.
ϭ2 = ((bt - at) / 6)2 (4) To measure the confidence of time resolving the
criminal case, the standard deviation, which called (Ϭc)
Table 1 and Table 2 show the instance three time will be computed as the follows:
estimations and the variance for each phase of the both
generic network forensics, and PNFEA approach
respectively. σ c = σ c2
(6)
Copyright © 2015 MECS I.J. Computer Network and Information Security, 2015, 2, 25-32
PNFEA: A Proposal Approach for Proactive Network Forensics Evidence Analysis to Resolve Cyber Crimes 29
The standard deviation means that the time needed to resolve the criminal case. The same rules of time analysis
accomplish the resolving of criminal case need ( Ϭc). To
achieve as described above will apply to the cost estimation. The
acceptable value, the result of experiments in this paper PERT method used a form of three cost estimates
will be on both plus and minces standard deviation, and combined by formula into an expected cost similar to
always it finds the same duration to accomplish resolving determining expected time in PERT time.
the criminal case. The probability of accomplishing the The three cost estimate form is subject to probabilistic
resolving the criminal case conducted from the formal analysis in advance to identify the expected cost for each
normal distribution table, after converted and computed phase in network forensics approach. The three cost
the z-score as the follows: estimate is an optimist, most likely, and pessimistic cost
estimate, which presents the best, expected average and
worst cost scenario for each phase. This evolution values
z ( Due Date Expected Date) / c will be based on the information listed in [2], which
(7) indicate that the average cost to resolve the cyber attack
is 22,986 USD per day. This evaluation assumes that this
Where the Due Date is the time duration to accomplish value presents the best cost case scenario to accomplish
resolving the criminal case which equal the sum of all the phase activities. In other word, it presents the
expected average time (te) for all phases. The Expected optimistic cost estimate, which named (co). The cost
Date presents the Due Date plus or minus the standard includes the estimation of the direct, indirect and
deviation (Ϭc). Table 3 shows the instance of the research opportunity costs, which associated with the criminal
experiments that shows the duration and normal case resolving. In addition, it distributes to all the
distribution of all phases for both PNFEA and generic activities of network forensics centers as detection,
approach. analysis, recovery and preservation, and presentation
It is a uniform for both PNFEA and general network activities as well as the cost of hardware and software.
forensics approaches had the probability 84.13% chance The second estimated cost is the most likely cost value,
to accomplish resolving the criminal case. This ratio is which called (cm). It estimates the expected average cost
acceptable in this evaluation that depends on uncertainty value to accomplish one phase activities. This value
values and methods to estimate the time. Taking in the presents the expected average scenario. Accordingly, this
account there is 15.87% risk to uncover the resolving the value is greater than or equal to the optimistic cost (co).
criminal case at the average expected time. From the So, in this evaluation the most likely cost can be
experimental results the PNFEA approach minimizes the calculated using this formula:
time by the average 59.45%. The experiment related to
the backdoor and worms attack, the PNFEA minimize the cm = (1+v) * co, where v ϵ ℝ and ≥ 0 and co = 22986 (8)
time by 55.04% and 56.43 respectively, with error ration
equal to 0.0005% and 0.0028% from the expected The third estimated value is a pessimistic cost, which is
average time. called (cp). It is the highest cost value to accomplish one
phase activities and presents the worst case scenario. This
Table 3. Duration and Normal Distribution for PNFEA and Generic value estimated when the phase or one of it is actively not
Approach
works properly and something wrong happened such as
user error, hardware or software stop working, This cause
the necessity to use other resources which raise the
resolving the of the criminal case. In fact, this value is
greater than or equal to the expected average estimated
value. So, in this evaluation the pessimistic cost can be
calculated as the following:
Copyright © 2015 MECS I.J. Computer Network and Information Security, 2015, 2, 25-32
30 PNFEA: A Proposal Approach for Proactive Network Forensics Evidence Analysis to Resolve Cyber Crimes
Table 4 and Table 5 show the instance three cost sum of all expected average cost (ce) for all phases. The
estimations and the variance for each phase of the both Expected Cost presents the Actual Cost plus or minus the
generic network forensics and PNFEA approach standard deviation (Ϭc). Table 6 shows the instance of the
respectively. research experiments that shows the expenditure cost and
normal distribution of all phases for both PNFEA and
Table 4. Instance of Three Cost Estimations and Variances for Generic generic approach.
Approach Activities
Table 6. Instance Experiments of the Expenditure Cost and Normal
Distribution(P:PNFEA, G: Generic Approach)
Copyright © 2015 MECS I.J. Computer Network and Information Security, 2015, 2, 25-32
PNFEA: A Proposal Approach for Proactive Network Forensics Evidence Analysis to Resolve Cyber Crimes 31
Copyright © 2015 MECS I.J. Computer Network and Information Security, 2015, 2, 25-32
32 PNFEA: A Proposal Approach for Proactive Network Forensics Evidence Analysis to Resolve Cyber Crimes
How to cite this paper: Mohammad Rasmi, Ahmad Al-Qerem,"PNFEA: A Proposal Approach for Proactive Network
Forensics Evidence Analysis to Resolve Cyber Crimes", IJCNIS, vol.7, no.2, pp.25-32, 2015.DOI:
10.5815/ijcnis.2015.02.03
Copyright © 2015 MECS I.J. Computer Network and Information Security, 2015, 2, 25-32