Comprehensive Study of Network Forensic

Today, as cybercrimes are increasing rapidly, there is a necessity to find the root cause of the loopholes that are left while taking care of cyber security. So, evidence is searched for to find the source of the cyber-attack. This can be done by detecting the networks and network components used by criminals, which comes under network forensics. Network forensics is a domain of computer forensics which studies internal and external networks to find important artifacts that help investigators discover the origin of a cyber-attack. The proposed survey gives an overview of the network forensic domain, covering different network forensic methods and methodology, along with an analysis of network forensic tools (NFTs). The proposed survey also concentrates on the comparison of NFTs like Network Miner, Xplico, LogRhythm, NIKSUN, Nmap, etc. based on their features, compatibility with platforms, whether they are open source or commercial, etc. Finally, this paper concludes with the basic purpose and features of every tool and its usability.

This can assist the investigator in his perusal.

Fig.1 Domains of computer forensic
There are different branches of computer forensics: 1) Operating system forensics, 2) Disc and file system forensics, 3) Live memory forensics, 4) Web forensics, 5) Email forensics, 6) Network forensics, 7) Multimedia forensics, and others, as shown in Fig. 1. This paper mainly focuses on network forensics along with its process, methods, methodology and tools used for investigation, followed by a comparative analysis of some network forensic tools. Basically, network forensics deals with the monitoring and analysis of network traffic. Network forensics is an investigation process conducted when any criminal attack is detected on a network. The purpose of network forensics is to find the source of an attack by analyzing the network, which is dynamic and volatile [1] [2]. Furthermore, it is also concerned with determining the nature of the attack and storing data in a forensically sound way so that it can be presented in a court of law. There are two aspects of forensic evidence: the first is real time, i.e. live forensics, and the second is after the event, i.e. dead forensics [16]. Forensic activities include the capture and note-making of events and their further analysis to reach the source.

Authors                  Proposed Work
Abdul R.J. et al. [1]    Proposed a detailed description of computer forensics with all its domains, along with a Feature Scoring Model (FSM) for detecting a good tool. Elaborated the functionalities of NFTs and analyzed different tools of all domains based on their characteristics.
Syed Rizvi et al. [3]    Proffered the use of artificial intelligence in network forensics with the help of machine learning, deep learning or ensemble learning. Also explained the network forensic process model.
Fahad M.G. et al. [4]    Proposed a network forensic process with its architecture. Also gave a comparative analysis of some network forensic tools.
Damir et al. [5]         Offered a comparative analysis of various NFTs on different operating systems.
Jiao [6]                 Proposed a fuzzy decision tree reasoning method for NF.

3. Analysis Of Network Forensic
A. Network forensic methods
The main aim of network forensics is to prepare a plan before any type of attack is performed on the network. So, Syed Rizvi, Mark Scanlon and others stated that there are two methods of capturing data to fulfil this aim.
1. Catch it as you can - This approach monitors traffic continuously. It is a proactive approach which tries to catch or save everything, which is the reason it requires large storage space [1]. Wireshark and TCPDump are examples of it [7].
2. Stop, look and listen - This spontaneous approach is used after an attack. It finds out the network traffic communication at the time of the attack [1].
Network forensic methods (NFM) are classified into five categories: 1) Intrusion detection, 2) Traceback, 3) Distributive, 4) Attack graphs [2], and 5) Fuzzy decision tree reasoning method [6].
1. An intrusion detection system protects the network infrastructure by detecting anomalies and investigates them by pattern matching, attack time, packet inspection, etc. [2].
2. Traceback is a method used after an attack. It replays the attack's sequential steps to investigate the effectiveness of the attack and reach its origin.
3. The distributive method analyzes malicious traffic at distributed locations of the network.
4. The attack graph method visualizes attack paths in the network. It reduces investigation time.
5. The fuzzy decision tree reasoning method first collects information about the relevant targets, then establishes an analysis diagram that identifies the accurate attack target, and then formulates an intrusion plan from the collected information [6].
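The intrusion detection category above relies on pattern matching over captured packets and on recording the attack time per source. The following is an added example, not code from the paper or from any of the tools it surveys: a minimal signature matcher in Python that runs over a constructed packet list and builds a per-host timeline of alerts. The packets, addresses, signature names and the two regular expressions are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float          # capture timestamp, epoch seconds
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Alert:
    ts: float          # attack time: when the matching packet was seen
    src: str
    dst: str
    dport: int
    signature: str


# Constructed sample packets standing in for a small capture (hypothetical addresses, not real traffic).
SAMPLE_PACKETS = [
    Packet(1700000000.0, "10.0.0.5", "192.0.2.10", 80, b"GET /index.html HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
    Packet(1700000001.5, "10.0.0.8", "192.0.2.10", 80, b"GET /static/../../etc/passwd HTTP/1.1\r\n\r\n"),
    Packet(1700000002.0, "10.0.0.8", "192.0.2.10", 80, b"GET /login?user=admin' OR '1'='1 HTTP/1.1\r\n\r\n"),
    Packet(1700000003.0, "10.0.0.5", "192.0.2.20", 53, b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"),
]

# Hypothetical signature set: (name, pattern over the raw payload). A real IDS first
# normalizes encodings (URL-escapes, case) so a trivially re-encoded payload still matches.
SIGNATURES = [
    ("path-traversal", re.compile(rb"\.\./")),
    ("sqli-tautology", re.compile(rb"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE)),
]


def match_signatures(packets, signatures=SIGNATURES):
    """Packet inspection by pattern matching: one Alert per (packet, signature) hit, in time order."""
    alerts = []
    for p in sorted(packets, key=lambda pkt: pkt.ts):
        for name, pattern in signatures:
            if pattern.search(p.payload):
                alerts.append(Alert(p.ts, p.src, p.dst, p.dport, name))
    return alerts


def attack_timeline(alerts):
    """Group alerts by source host, preserving time order, so the investigator can
    read the sequence of suspicious packets from each host together with the attack time."""
    timeline = defaultdict(list)
    for a in alerts:
        timeline[a.src].append(a)
    return dict(timeline)


if __name__ == "__main__":
    for src, hits in attack_timeline(match_signatures(SAMPLE_PACKETS)).items():
        print(src)
        for a in hits:
            print(f"  {a.ts:.1f}  {a.signature}  -> {a.dst}:{a.dport}")
```

The timestamps kept on each alert are what let the "attack time" line of investigation start: the first alert from a host bounds when the activity began, and the ordering of its alerts shows how it progressed.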

B. Network Forensic process
Network forensics is a process with a specific model.

Fig 1.2 Network forensic process (adapted from [3])
The network forensic process is composed of 8 stages. First, one should be prepared for the recovery of losses in a cyber-attack. The next stage is detection of the attack based on the evidence collected after the attack. The collected evidence is preserved for further examination. Then it is analyzed and investigated to reach the culprit. Once the culprit is found, the proofs are presented in a systematic manner. The analysis and investigation stages are in a loop, i.e. as more evidence is collected, it is investigated and analyzed [2].
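The preservation stage described above is where evidence is fixed so that it can later be presented in a forensically sound way. The following is an added example, not code from the paper: a minimal chain-of-custody record in Python that hashes the collected evidence at collection time, re-verifies every copy before analysis, and exports the log for the reporting stage. The evidence bytes, evidence identifier and investigator names are constructed placeholders.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

# Constructed stand-in for a captured file (e.g. a pcap); not a real capture.
SAMPLE_CAPTURE = b"\xd4\xc3\xb2\xa1\x02\x00\x04\x00" + b"constructed packet bytes " * 8


@dataclass
class CustodyEntry:
    evidence_id: str
    action: str          # "collected", "verified" or "VERIFY-FAILED"
    actor: str           # investigator handling the evidence (placeholder names below)
    timestamp_utc: str   # ISO-8601 UTC time recorded when the action happened
    size_bytes: int
    sha256: str


def hash_evidence(data: bytes) -> str:
    """SHA-256 hex digest fixed at collection time; any later change to the bytes changes it."""
    return hashlib.sha256(data).hexdigest()


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


def collect(evidence_id: str, data: bytes, actor: str, log: list) -> CustodyEntry:
    """Preservation step: record size and hash of the evidence and append a custody entry."""
    entry = CustodyEntry(evidence_id, "collected", actor, _now(), len(data), hash_evidence(data))
    log.append(entry)
    return entry


def verify(data: bytes, reference: CustodyEntry, actor: str, log: list) -> bool:
    """Re-hash a working copy before analysis and log the outcome.
    False means the copy no longer matches what was collected and must not be analyzed."""
    ok = len(data) == reference.size_bytes and hash_evidence(data) == reference.sha256
    log.append(CustodyEntry(reference.evidence_id, "verified" if ok else "VERIFY-FAILED",
                            actor, _now(), len(data), hash_evidence(data)))
    return ok


def export_log(log: list) -> str:
    """Serialize the custody log as JSON for inclusion in the final report."""
    return json.dumps([asdict(e) for e in log], indent=2)


def run_demo():
    """Collect the sample, verify an intact copy and an altered copy; returns all results."""
    log = []
    ref = collect("EV-001", SAMPLE_CAPTURE, "analyst-a", log)
    intact_ok = verify(SAMPLE_CAPTURE, ref, "analyst-b", log)
    altered_ok = verify(SAMPLE_CAPTURE + b"\x00", ref, "analyst-b", log)
    return ref, intact_ok, altered_ok, log


if __name__ == "__main__":
    ref, intact_ok, altered_ok, log = run_demo()
    print("intact copy verifies:", intact_ok)
    print("altered copy verifies:", altered_ok)
    print(export_log(log))
```

Every verification, successful or not, is itself logged: the custody log must show who touched the evidence and when, including the failed check that stops an altered copy from entering the analysis loop.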

C. Network forensic methodology
Sirajuddin, Saima and others in their paper proposed the OSCAR methodology for network forensics.
In OSCAR, O means Obtaining information, S means Strategizing, C means Collecting evidence, A means Analyzing evidence, and R means Reporting. Obtaining information is concerned with gaining information about the incident that happened. It involves collection of all the needful data about the attack. Strategizing involves making a blueprint of a detailed plan of how the investigation will move forward. Collecting evidence includes collecting evidence from the victim's device and the components associated with the network, along with prioritization of the evidence. Analyzing involves documentation of the evidence for its further analysis.
Reporting is the most vital part of network forensics because it shows the results of the whole investigation. The report should be clear and understandable by any non-technical person [15].

D. Network Forensic Tools
NFTs examine the network, collect information about network traffic or data, help to analyze the situation and support finding evidence from the incident to be used in a court of law [4]. There are different NFTs available which differ in their functionalities, like NetFlow, OS fingerprints, port scanner, banner grabber, whether they are open source or not, threat analysis, how they recover data, extraction of credentials, whether they can encrypt traffic or not, log collection, remote analysis, and others [1]. Following is the explanation of the functionalities of NFTs: NetFlow: When a tool supports NetFlow, it can find out source and destination addresses, protocols, conversations, and packet captures. Also, it may assist in discovering protocol-specific characteristics like RTP statistics, response times, TCP retransmissions, etc. OS Fingerprints: When a tool supports OS fingerprints, it can relate to OS-related statistics.

Conclusion
This paper has successfully called out the fundamental information about network forensics, including network forensic methods, process, methodology and tools. The main focus of the paper is on understanding and analysis of various Network Forensic Tools (NFTs) such as Network Miner, LogRhythm, PLIXER etc., including their functionalities. Further, the paper throws light on an important part of network forensics: defining criteria to select the most appropriate tool in a given scenario. This will help investigators shortlist the right set of tools while investigating a cyber-attack. This paper has also given a detailed comparison of all the NFTs based on various parameters such as NetFlow, OS fingerprints, threat analysis, log collection, etc. Finally, we conclude that each of the NFTs has its own pros and cons. However, selection of the most appropriate NFT based on the situation and the various parameters defined in the paper will be the savior for investigators during their investigation and help identify the defaulters.

Fig.2 Network forensic tools
1. When you want to troubleshoot network performance issues
2. When you want to trace network connections
3. When you want to identify bursts of traffic
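The NetFlow functionality described in Section D (source and destination addresses, protocols and conversations) and the third use case in Fig. 2 (identifying bursts of traffic) both come down to aggregating flow records. The following is an added example, not code from the paper or from any surveyed tool: a Python routine that takes constructed flow records, rebuilds conversations and top talkers, and flags time windows whose volume is far above the median window. The flow records, addresses, window size and burst factor are assumptions made for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Flow:
    start: int      # flow start time, epoch seconds
    src: str
    dst: str
    proto: str
    dport: int
    packets: int
    bytes: int


# Constructed sample flow records (hypothetical addresses, not real traffic).
SAMPLE_FLOWS = [
    Flow(1000, "10.0.0.5", "192.0.2.10", "TCP", 443, 20, 15000),
    Flow(1005, "10.0.0.5", "192.0.2.10", "TCP", 443, 10, 8000),
    Flow(1010, "10.0.0.7", "192.0.2.20", "UDP", 53, 2, 300),
    Flow(1060, "10.0.0.9", "198.51.100.4", "TCP", 22, 5, 900),
    Flow(1120, "10.0.0.5", "203.0.113.8", "TCP", 80, 900, 1200000),
    Flow(1125, "10.0.0.5", "203.0.113.8", "TCP", 80, 850, 1100000),
    Flow(1180, "10.0.0.7", "192.0.2.20", "UDP", 53, 2, 280),
]


def conversations(flows):
    """Aggregate (packets, bytes) per (src, dst, proto, dport) conversation."""
    totals = defaultdict(lambda: [0, 0])
    for f in flows:
        key = (f.src, f.dst, f.proto, f.dport)
        totals[key][0] += f.packets
        totals[key][1] += f.bytes
    return {k: tuple(v) for k, v in totals.items()}


def top_talkers(flows):
    """Source addresses ordered by total bytes sent, highest first."""
    by_src = defaultdict(int)
    for f in flows:
        by_src[f.src] += f.bytes
    return sorted(by_src.items(), key=lambda kv: kv[1], reverse=True)


def detect_bursts(flows, window_seconds=60, factor=5.0):
    """Bucket bytes into fixed windows and flag windows above factor x the median window.
    Returns [(window_start, bytes), ...] in time order; a single window is never flagged
    because it is its own median."""
    buckets = defaultdict(int)
    for f in flows:
        buckets[(f.start // window_seconds) * window_seconds] += f.bytes
    if not buckets:
        return []
    baseline = median(buckets.values())
    return [(w, b) for w, b in sorted(buckets.items()) if b > factor * baseline]


if __name__ == "__main__":
    for key, (pkts, byts) in conversations(SAMPLE_FLOWS).items():
        print(f"{key[0]} -> {key[1]} {key[2]}/{key[3]}: {pkts} packets, {byts} bytes")
    print("top talkers:", top_talkers(SAMPLE_FLOWS))
    print("bursts:", detect_bursts(SAMPLE_FLOWS))
```

Comparing each window against the median rather than the mean keeps one very large window from raising the baseline and hiding itself; the factor is a tuning parameter, and in practice the baseline would come from a longer period of known-normal traffic rather than from the same capture.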