Network forensics is the monitoring and analysis of network traffic.
Network information is volatile: it is designed to be transmitted and then discarded, so monitoring it requires a proactive approach. Many countries have built network monitoring centers that store massive amounts of network traffic for days, months, or years to be analyzed later. An adversary can also monitor your network traffic with the collaboration of your Internet Service Provider, by compromising your home router with malware, or by monitoring your wired or wireless network connection from a surveillance vehicle outside your home.
Because most websites, email providers, and messaging applications use SSL/TLS encryption (the “s” in “https”), an adversary monitoring your network traffic usually knows which websites you visit (from the destination IP addresses, your DNS lookups, and the hostname that is sent in cleartext at the start of each TLS connection) but not what you do on those websites. If you use Tor[1], an adversary monitoring your network traffic knows that you use Tor, but not what websites you visit or what you do on those websites.
Tor is vulnerable to correlation attacks, but such attacks are difficult to set up even for powerful adversaries. An example of a successful correlation attack is the prosecution of anarchist hacker Jeremy Hammond: the times when the alias he used in chat rooms was “online” (obtained through network traffic analysis) were correlated with the times when a physical surveillance operation observed him at home to prove that the alias belonged to him[2].
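As an added illustration of the correlation described above (not code from the original page, and not the actual method used in the Hammond case), the script below takes a list of intervals during which an alias was observed online and, for each physical-surveillance candidate, the intervals during which that person was observed at home. It reports what fraction of the alias's online time the candidate was present, and how many sessions the candidate can be shown to have been absent for. All timestamps are constructed sample data.

```python
"""Correlate an alias's online sessions with physical presence observations.

Added example, not from the original page. Timestamps are constructed.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

Interval = Tuple[datetime, datetime]


def iv(start: str, end: str) -> Interval:
    """Build an interval from two ISO-8601 strings (helper for the sample data)."""
    return datetime.fromisoformat(start), datetime.fromisoformat(end)


def overlap(a: Interval, b: Interval) -> timedelta:
    """Length of the overlap between two closed intervals (zero if disjoint)."""
    start = max(a[0], b[0])
    end = min(a[1], b[1])
    return max(end - start, timedelta(0))


def covered_fraction(sessions: List[Interval], presence: List[Interval]) -> float:
    """Fraction of total online time during which the candidate was observed present."""
    total = sum((s[1] - s[0] for s in sessions), timedelta(0))
    covered = sum((overlap(s, p) for s in sessions for p in presence), timedelta(0))
    return covered / total if total else 0.0


def unexplained_sessions(sessions: List[Interval], presence: List[Interval]) -> int:
    """Number of online sessions with no overlap at all with observed presence.

    For a candidate who really is the alias, this should be zero: every session
    must be explained by a time the candidate was at the keyboard.
    """
    return sum(1 for s in sessions if not any(overlap(s, p) for p in presence))


def correlation_report(sessions: List[Interval],
                       candidates: Dict[str, List[Interval]]) -> Dict[str, Tuple[float, int]]:
    """Per-candidate (covered fraction, unexplained session count)."""
    return {name: (covered_fraction(sessions, pres), unexplained_sessions(sessions, pres))
            for name, pres in candidates.items()}


# Constructed sample: when the alias was seen online (from traffic analysis)...
ALIAS_ONLINE = [
    iv("2023-03-01T20:00", "2023-03-01T23:00"),
    iv("2023-03-02T21:00", "2023-03-03T01:00"),
    iv("2023-03-03T19:30", "2023-03-03T22:00"),
    iv("2023-03-05T22:00", "2023-03-05T23:30"),
]

# ...and when each surveilled person was observed at home.
CANDIDATES = {
    "subject": [
        iv("2023-03-01T18:00", "2023-03-02T08:00"),
        iv("2023-03-02T20:00", "2023-03-03T08:00"),
        iv("2023-03-03T19:00", "2023-03-04T08:00"),
        iv("2023-03-05T21:00", "2023-03-06T08:00"),
    ],
    "control": [
        iv("2023-03-01T18:00", "2023-03-01T19:00"),
        iv("2023-03-02T23:00", "2023-03-03T08:00"),
        iv("2023-03-03T19:00", "2023-03-03T20:00"),
    ],
}

if __name__ == "__main__":
    for name, (frac, missing) in correlation_report(ALIAS_ONLINE, CANDIDATES).items():
        print(f"{name:8s} present during {frac:5.1%} of online time, "
              f"{missing} session(s) unexplained")
```

The second measure matters as much as the first: a high coverage fraction alone can be coincidence for someone who is simply at home a lot, whereas even one session that provably occurred while the candidate was observed elsewhere is strong evidence that the alias is not theirs.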
Used in tactics: Incrimination
Mitigations
| Name | Description |
|---|---|
| Compartmentalization | An adversary can establish links between different digital identities through the footprints left by their network traffic. To mitigate this, you can compartmentalize different digital identities by: |
| Digital best practices | You can follow digital best practices, and in particular use Tor[1], to make it harder for an adversary to monitor and analyze your network traffic. |
| Encryption | You can encrypt “in-motion” data (data in transit over the network) to make it harder for an adversary to analyze the data with network forensics. |