TC-NetTrack: an Approach for Creating Digital Evidences for Flows in IP Networks / Berbecaru, Diana. - ELECTRONIC. - (2025). (2025 IEEE Symposium on Computers and Communications (ISCC) Bologna (ITA) 2-5 July 2025) [10.1109/ISCC65549.2025.11326479].

TC-NetTrack: an Approach for Creating Digital Evidences for Flows in IP Networks

Berbecaru, Diana
2025

Abstract

Effective network forensics analysis necessitates the capability to reproduce any network event, irrespective of the user’s motivation, the characteristics of earlier events, and whether the origin of the events was an unauthorized intruder or a legitimate user. Numerous packet analyzers, network monitoring systems, and intrusion detection tools today enable network measurement and analysis through packet capturing, which facilitates the examination and reconstruction of network events and user activities. However, they lack the ability to offer cryptographic proof for the packet flows that have been captured. Building on this motivation, we provide the initial steps toward the development of TC-NetTrack: a device that utilizes trusted computing to generate digital proof for specific packet flows captured either on a node’s network interface or across a network link. Since TC-NetTrack needs to produce evidence that holds probative value, the most suitable method to achieve this is through digital signatures. However, signing each packet individually is not practical or efficient; therefore, we adopted a method known as tree chaining. We implemented this using Merkle trees alongside an optimized algorithm for traversing the tree, which conserves both space and time when the signer generates packet flow evidence. We assessed the tree chaining technique on three different platforms, each featuring varying processors and memory capacities. TC-NetTrack could be beneficial in application scenarios or use cases that demand verification of the recorded packet flows, including stock trading, financial applications, attack analysis, or military operations.
ISBN: 979-8-3315-2420-3
Files in this item:

1571119094 final.pdf
Access: open access
Type: 2. Post-print / Author's Accepted Manuscript
License: Public - All rights reserved
Size: 259.02 kB
Format: Adobe PDF

TC-NetTrack_An_Approach_for_Creating_Digital_Evidences_for_Flows_in_IP_Networks.pdf
Access: restricted access
Type: 2a Post-print publisher's version / Version of Record
License: Non-public - Private/restricted access
Size: 281.5 kB
Format: Adobe PDF
Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/11583/3002917