AccountingQueen

Category > Computer Science Posted 22 Aug 2017 My Price 10.00

data used in forensic investigation and related to security incidents such as cybercrime, online fraud and information leakages

One of the most exhaustive sources of data used in forensic investigation and related to security incidents such as cybercrime, online fraud and information leakages can be found in network traces. Just by observing both internal and external network traffic, forensic investigators can reconstruct events in computer security breaches and also assist in the understanding of incident root causes including identifying liable parties. Investigations which are centered on HTTP traffic are increasingly becoming an important sphere in digital forensics since this protocol is primarily used in most client-to-server type communications. On the other hand, malicious activities and botnets are relying on this protocol for their nefarious activities due to the ubiquitous nature of the Web (Gugelmann, Gasser, Ager & Lenders, 2015).

 

 

Explain what forensic problems are being investigated and what solutions are proposed

When intrusion reports, alerts on virus or other malicious activities are received by a security administrator, there is the need for a thorough investigation on network traffic collected to verify whether they are real security events. The prevalence of web traffic, however, requires that details of HTTP protocols are dug into by administrators to assess the trustworthiness of the flow of network packets. Embedded images in their hundreds such as videos, images, or JavaScript code are exhibited by web pages generating large numbers of HTTP requests when users visit websites (Gugelmann, Gasser, Ager & Lenders, 2015).

The use of a traffic analyzer known as Hviz (HTTP(S) traffic analyser) in the reconstruction and visualization of HTTP(S) traffic gathered from computer systems was presented as the solution in the research. Digital forensics is facilitated by this approach in the aggregation, structuring, and correlation of HTTP traffic to further reduce the number of events that are made available to forensic investigators. The reduction of HTTP events by Hviz is achieved by combining data aggregation methods, grouping based on domain name and heuristics that identify HTTP request pages. The tool also aids in identifying anomalies in traffic by highlighting unique traffic patterns on the specific computers being analysed (Gugelmann, Gasser, Ager & Lenders, 2015).

  

 Explain if the problems are gaps in knowledge, limitations, and/or something else

Analyzing HTTP traffic manually without the right tool is quite a daunting task. Even a single workstation is able to generate millions of packets in a day. Whereas the individual packets from HTTP sessions can be reassembled, the number of traffic requests still poses a challenge due to the size of data gathered. The high number of requests generated from websites is due to how these sites were designed. “When a browser first loads a Web page from a server, dozens to hundreds of additional HTTP requests are triggered to download further content, such as pictures” (Pries et al., 2012; Butkiewicz et al., 2011). This makes it quite difficult to easily identify suspicious activities.

 

Provide an example of how you might apply this research to forensics investigations

The sheer magnitude of data correlation and analysis required in gathering forensic evidence for network activity makes it advantageous for malicious actors. The use of the HTTP protocol, which is being used to transport malware and botnet traffic to C&C servers, has seen some significant increases (Gugelmann, Gasser, Ager & Lenders, 2015). The aim of this research therefore was to aid investigators in analysing HTTP traffic from computer networks in an effort to identify malicious activities so that:

1. Investigators could easily understand websites visited by users and

2. Recognize patterns of malicious traffic activity through large amounts of generated web requests. For example, the tool should be able to isolate instances where activities related to HTTP traffic do not point to known websites but rather C&C sites used for malware activities.
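
A simplified illustration of the reduction described above (grouping by domain, folding embedded requests under the page that triggered them, and highlighting traffic unique to one workstation), added here as an example and not taken from the original post or from Hviz itself. The sample records, the two-label `domain()` key and the page heuristic are assumptions made for this sketch.

```python
from collections import defaultdict

# Constructed sample records: (client, host, referer_host, content_type)
REQUESTS = [
    ("ws1", "news.example.com", None, "text/html"),
    ("ws1", "img.example.com", "news.example.com", "image/png"),
    ("ws1", "cdn.example.net", "news.example.com", "application/javascript"),
    ("ws2", "news.example.com", None, "text/html"),
    ("ws2", "cdn.example.net", "news.example.com", "application/javascript"),
    ("ws1", "upd.beacon.test", None, "application/octet-stream"),
    ("ws1", "upd.beacon.test", None, "application/octet-stream"),
]

def domain(host):
    """Grouping key: last two labels (assumption; no public-suffix handling)."""
    return ".".join(host.split(".")[-2:])

def summarize(requests, client):
    """Reduce one client's requests to per-domain events.

    Assumed heuristic: an HTML response with no referer is a page the user
    opened; a request referred from another domain is embedded content and is
    folded under the referring domain instead of becoming its own event.
    """
    events = defaultdict(lambda: {"requests": 0, "page": False, "embedded": set()})
    seen_by = defaultdict(set)  # domain -> clients that contacted it
    for c, host, ref, ctype in requests:
        d = domain(host)
        seen_by[d].add(c)
        if c != client:
            continue
        if ref and domain(ref) != d:
            parent = events[domain(ref)]
            parent["embedded"].add(d)
            parent["requests"] += 1
        else:
            ev = events[d]
            ev["requests"] += 1
            ev["page"] |= ref is None and ctype.startswith("text/html")
    for d, ev in events.items():
        # Traffic no other monitored workstation produced is worth a look.
        ev["unique"] = seen_by[d] == {client}
    return dict(events)

def outliers(events):
    """Domains only this client contacted and that never looked like a page load."""
    return sorted(d for d, ev in events.items() if ev["unique"] and not ev["page"])

if __name__ == "__main__":
    ev = summarize(REQUESTS, "ws1")
    print(len(ev), "events from ws1:", ev)
    print("review first:", outliers(ev))
```

On the constructed data, the five requests from `ws1` collapse into two events, and only the domain that no other workstation contacted is surfaced for review.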

 

 
