Network Forensic Readiness: a bottom-up approach for IPv6 networks
A computer network is considered forensically ready when crucial evidence for a forensic investigation is proactively collected and easily available. While the benefits of a forensically ready network are well understood, the exact information that must be collected to achieve forensic readiness is largely unknown. This thesis focuses on identifying and locating the information that is essential for successful forensic investigations in an IPv6 network. Without knowing what information should be retained, the approach to achieving forensic readiness is likely to be unstructured, and crucial information for an investigation might be missed.
This study conducted an empirical investigation to identify and extract forensic information from network protocol standards and related literature. Malicious and genuine network scenarios were run and retraced in a test bed to elicit the information that is significant for a forensic investigation. The network scenarios were grouped by network layer and the layers were processed bottom-up to resolve dependencies of the higher layers on the lower layers. A subset of network scenarios was exclusively used to ascertain the effectiveness of the identified information (hold-out approach).
This thesis identifies the information in an IPv6 network that is relevant for a successful forensic investigation. Further, the thesis proposes an optimisation phase as an extension of the National Institute of Standards and Technology (NIST) forensic life-cycle. This phase allows forensic readiness to be improved further by identifying information that was found to be missing after conducting a forensic investigation in the network. Finally, design and deployment strategies for implementing a forensically ready network are outlined, and recommendations are made for mastering key issues related to forensic readiness.