Network Forensics of SSL/TLS Encrypted Channels

Network forensics is increasingly hampered by the ubiquitous use of encrypted channels by legitimate and illegitimate network traffic. Both types of traffic are frequently tunneled over application-layer encryption mechanisms, generally using the ubiquitous TLS (SSL) protocol. This results in traditional network forensics tools being largely limited to recording external characteristics (source and origin addresses and ports, time and traffic patterns), but with little insight into content and purpose of the traffic. We propose that a precise characterization of encrypted traffic not only in the form of the external characteristics but also through the analysis of the exact mechanisms, variants and options used for the encrypted channel but visible without access to key material along with a fine-grained analysis of the traffic patterns itself incorporating domain knowledge of the SSL/TLS protocol can yield valuable insights and help to classify traffic into legitimate traffic, illegitimate immediate traffic (e.g. as caused by a Trojan). It can also characterize traffic that is added to an existing data stream by an illegitimate source. In this paper, we therefore present and characterize different traffic types and subsequently analyze this traffic, including the SSL/TLS protocol data units using selected sequence mining techniques.