A Framework of Network Forensics and its Application of Locating Suspects in Wireless Crime Scene Investigation

Digital forensics is the science of laws and technologies fighting computer crimes. It can be divided into two sub-areas, computer forensics and network forensics. Network forensics is still a frontier area of digital forensics and is the focus of this paper. We propose to classify network forensic investigations into three categories based on when law enforcement officers conduct investigations in response to cyber crime incidents. We define proactive investigations as those occurring before cyber crime incidents; real time investigations as those occurring during cyber crime incidents, and retroactive investigation as those occurring after cyber crime incidents. This classification in terms of incident timing helps us understand related laws since laws differ with investigation timing. We present a holistic study of the relationship between laws and network forensic investigations and believe that this framework provides a solid guide for digital forensic research. For example, the framework tells us that certain strategies (including technologies transformed from attacks against security systems) would violate the Constitution or relevant laws of the United States, which is the focus of this paper. With the guidance of this network forensic framework, we propose HaLo, a hand-held device transferred from the Nokia n900 smartphone for the real-time localization of a suspect committing crimes in a wireless crime scene. We collect only wireless signal strength information, which requires low-level legal authorization, or none in the case of private 2 investigations on campus. The basic idea of localization is to collect wireless signal strength samples while walking. The position where the maximum signal strength is measured will be a good estimate of the suspect device‟s location. The key challenge of accurate localization via the hand-held device is that the investigator has to control its walking speed and collects enough wireless signal strength samples. We found that digital accelerator on a smartphone and GPS are very often rough for measuring walking speed. We propose the space sampling theory for effective target signal strength sampling. We validate the localization accuracy via extensive experiments. A video of HaLo is at http://youtu.be/QGhBrt26Q8Y. In this demo, we placed a laptop which was sending out ICMP packets inside one classroom, used HaLo to sniff along the corridor and finally located the laptop.