Title: A Research Configuration for a Digital Network Forensic Lab
Authors: Jeffrey S. Marean, M. Losavio, Ibrahim N. Imam
Venue: 2008 Third International Workshop on Systematic Approaches to Digital Forensic Engineering (SADFE 2008)
DOI: 10.1109/SADFE.2008.23 (https://doi.org/10.1109/SADFE.2008.23)
Published: 2008-05-22
Citations: 2
Abstract
Summary form only given. The digital forensic network lab is implemented with the goal of providing all students and faculty with a configurable research environment ideally suited to conducting network forensic testing on all TCP/IP network protocols passing through it. Of particular interest are protocols commonly used for file sharing and message passing, and those that actively obfuscate or encrypt message traffic: notably the BitTorrent protocol, P2P protocols, IM (instant messaging) protocols, and anonymizing protocols such as I2P, Tor, and Freenet. Items of interest in protocol analysis include the packet payload, the real IP addresses of sender and receiver, and cryptographic analysis. The forensic test bed consists of a main node, A, populated with a Cisco WAN router. This is the master router for the lab; it routes internal traffic between the three research nodes and selected outside networks. Populating the A node and the two remote nodes, B and C, is a combination of Cisco routers, Cisco firewalls, Cisco switches, and computers. Each node has five dual-core x86 computers capable of running combinations of Linux x86-32 or x86-64 operating systems and Microsoft x86-32 or x86-64 operating systems, and, if necessary, either OS can be configured to use Microsoft, VMware or Xen virtualization software. The A main node is connected remotely to the C node via a campus Fast Ethernet circuit, while the B node, co-located with the A main node, is connected to it via a Fast Ethernet and T1 circuit. To increase the infrastructure component of the lab, we have the ability to selectively place the forensic lab into an existing classroom domain for wider access to students and faculty researchers.