Design for network file forensics system based on approximate matching


Abstract

Network forensics is a comparatively new field of forensic science. The growing popularity of the Internet means that computing has become network-centric, and data is now available outside of disk-based digital evidence. To collect network data for forensics, real-time inspection of files carried in network packets has become a hot topic, as it is needed in many applications such as virus detection and intrusion and attack forensics. Most traditional techniques rely on exact matches against keywords and/or MD5 whitelists and blacklists to keep inspection efficient. However, it is well known that exact matching may fail to identify similar files, such as the same video with small changes (e.g. different titles) posted by different users, or metamorphic viruses (mutated computer viruses). Approximate matching is known to be more robust at identifying similar files and has been proven effective in digital forensics. In this paper, we design a network forensics system that records network files of interest for future analysis. We aim to confirm that, with an appropriate approximate matching approach, it is feasible and effective to inspect real-time traffic in order to identify similar files. Our experiments with real data show that our solution achieves good usability in practice.

Citation (APA)

Zhai, A., Xu, F., Pan, H., Shi, J., & Xiong, G. (2017). Design for network file forensics system based on approximate matching. In Lecture Notes in Electrical Engineering (Vol. 448, pp. 426–431). Springer Verlag. https://doi.org/10.1007/978-981-10-5041-1_69
