How can network traffic lie?
| Authors | |
|---|---|
| Year of publication | 2023 |
| Type | R&D Presentation |
| MU Faculty or unit | |
| Citation | |
| Attached files | |
| Description | Network traffic is considered to be a trusted data source for digital forensics and incident response, which is typically summarized by the phrase: "The network does not lie." However, this phrase is accurate only if we fully control the packet trace from capture to analysis. In other cases (e.g., external file source, improper handling, or access by unauthorized personnel), it must be considered that the trace file may have been modified, and some data or network connections may have been removed, added, or changed. These modifications are likely to be small but could have a significant impact on the analysis outcome. The first part of the poster discusses manipulation methods and presents approaches to their identification based on the context of different protocols and connection types. We primarily focus on unwanted changes (i.e., we do not consider, for example, anonymization) whose presence is unknown to the analyst in advance. For each manipulation method, we list possible indicators that we have identified based on the analysis of individual protocols and our personal experience. The second part of the poster presents tools that can be used to manipulate the packet trace. We aim to show that general manipulation may be performed in a simple way by using these tools. However, if perfect data consistency is to be maintained, the manipulation requires significant expertise and attention to detail. In most cases, we may assume that the manipulation will not be carried out perfectly and preserve some indicators. Awareness of these indicators is crucial to ensure that unwanted packet trace manipulation does not remain hidden. |
| Related projects: |
