EXAMINATION PHASE NETWORK FORENSIC FRAMEWORK FOR IDENTIFICATION AND CORRELATION OF ATTACK ATTRIBUTES
Abstract
Network forensics is the science of determining and retrieving evidential information about a crime in a computer networked environment in such a way as to make it admissible. The established computer network forensics field lays a strong foundation for network forensics, as standard security frameworks, tools and techniques are in place for the detection, collection, preservation and presentation phases. However, little has been done to address the examination phase. The main challenge identified in this phase is identification and correlation. The objectives of the study were to analyse, investigate, identify, develop and evaluate a network forensic framework which addresses this challenge in examination. A methodology was specifically formalized for real-time and post-attack network traffic investigation, based on a prototype implementation over datasets. The proposed technique for the examination phase is identification and correlation of traced datasets. Identification reveals the attempts made to compromise a system and assists in the reconstruction of the intruded information. Correlation validates the particular intrusion and guides the decision on whether to proceed with the investigation. The techniques resulted in confirmation of DDoS, port scan and cross-site scripting attacks in the datasets.
