Abstract
In the last few decades, networks have grown to accommodate evolved technologies on every open system for interconnection (OSI) level. On the physical and data link layers, numerous wireless innovations introduced the mobile networks and the interconnection of smart objects. The innovations in network abstraction introduced the cloud- and software-defined networking environments. The high rate and diversity of networking innovations requires adaptations in the forensics approach, so the practice remains capable of uncovering evidence. This chapter explores the operational aspect of both the traditional and the evolved network forensics.
TopTraditional Network Forensics
Network forensics in its traditional form aims to uncover evidence from Internet based communication networks. To do so, investigators collect and examine the data-in-transit itself, the logs of the supporting systems such as routers or servers, and the management data of the network. Chapter 1 outlines the techniques for forensics processing but it does not inform how they are operationalized in investigations in different networking environments. For Internet-based networks, this section details the procedures, tools, and forensics investigation challenges.
Key Terms in this Chapter
MAC: Medium access control.
IETF: Internet engineering task force.
NFV: Network functional virtualization (NFVs).
OSI: Open system for interconnection.
TCP SYN/ACK: TCP synchronization/acknowledgment protocol messages.
MME: Mobility management entity.
EPCaaS: Evolved packet core as a service.
CSP: Cloud service provider.
SSH: Secure shell.
S/P-GW: Serving/packet gateway.
BPF: Berkeley packet filtering syntax for captured network packets.
ISO/IEC: International Standardization Organization/International Electrotechnical Commission.
WEP: Wired equivalent privacy.
5G: 5 th generation of mobile networks. Still in standardization phase, the first 5G deployments are envisioned for 2020.
EPC: Evolved packet core.
WPA/WPA2: Wireless protected access/wireless protected access 2.
ARP: Address resolution protocol.
SSID/BSSID: Service set ID/basic SSID.
DHCP: Dynamic host configuration protocol.
3G: 3 rd generation of mobile networks. The most dominant technology is universal mobile telecommunication system (UMTS).
LTE: Long term evolution.
UDP: Unsolicited datagram protocol.
IoT: Internet-of-things.
mMTC: Massive machine type communications.
IDS/IPS: Intrusion detection system/intrusion protection system.
TCP/IP: Transmission control protocol/internet protocol.
IP: Internet protocol.
2G: 2 nd generation of mobile networks. The most dominant technology is the global system for mobility (GSM).
C-RAN: Cloud-based radio access network.
HSS: Home subscriber server.
4G: 4 th generation of mobile networks. The 4G technologies are long term evolution (LTE) and the advanced version, LTE-advanced. Colloquially, the terms LTE/LTE-A are used as a synonym for 4G as they are the only global standard for mobile communication from the fourth generation.
SMTP: Simple mail transport protocol.
LEA: Law enforcement agency.
WLAN: Wireless local area network.
M2M: Machine-to-machine communication.
MEC: Mobile edge computing.
DNS: Domain name system.
ITU: International Telecommunication Union.
ISM: Industry, science, and medicine spectrum in the 2.4 GHz frequency segment.
U-NII: Unlicensed national information infrastructure spectrum in the 5 GHz frequency segment.
SCTP: Session control transport protocol.
ISP: Internet service provider.
LI: Lawful interception.
VPN: Virtual private network.
SDMN: Software-defined mobile network.
3GPP: 3 rd generation partnership project.
OS: Operating system.
RAN: Radio access network.
SDN: Software-defined networks.