Network Forensic Investigation Protocol to Identify True Origin of Cyber Crime

Bibliographic details
Published in: Journal of King Saud University. Computer and information sciences 2022-05, Vol.34 (5), p.2031-2044
Main authors: Patil, Rachana Y., Devane, Satish R.
Format: Article
Language: eng
Description
Abstract: An increase in digitization is giving rise to cybercrimes. The existing network protocols are insufficient for collecting the required digital evidence of cybercrime, which eventually makes the process of forensic investigation difficult. In the current scenario of network forensics, the investigator with current capabilities can reach only up to the ISP. This is not primary evidence. Currently, available tools work only at the network layer. In this work, we propose a protocol that ensures tracking up to the true source by collecting beforehand forensically sound evidence. The proposed protocol can collect target data from the device in the form of a device fingerprint with the help of an agent process. The proposed methodology will help in proving non-repudiation, which is a well-known challenge in forensic cases. The fingerprint evidence generated by the proposed method has the capability of not getting obsolete even if the criminal tries to destroy evidence. The fingerprinting technique deployed uses a hash tree and generates evidence in such a way that this fingerprint can act as legal evidence. The security validation of the proposed system is done using the BAN logic. Formal verification is performed using the AVISPA tool. The system has been implemented as a prototype and hosted on AWS.
ISSN: 1319-1578, 2213-1248
DOI: 10.1016/j.jksuci.2019.11.016