An Identity and Interaction-based Approach to Network Forensic Analysis

Source
Journal of Information Systems Security
Volume 21, Number 2 (2025)
Pages 131–147
ISSN 1551-0123 (Print)
ISSN 1551-0808 (Online)
Authors
Nathan Clarke — University of Plymouth, UK
Gaseb Alotibi — University of Tabuk, Saudi Arabia
Dany Joy — University of Plymouth, UK
Fudong Li — Bournemouth University, UK
Steven Furnell — University of Nottingham, UK
Ali Alshumrani — University of Plymouth, UK
Hussam Mohammed — University of Anbar, Iraq
Publisher
Information Institute Publishing, Washington DC, USA

Abstract

In today’s landscape of increasing electronic crime, network forensics plays a pivotal role in digital investigations. It aids in understanding which systems to analyse and serves as a supplement to support evidence found through more traditional computer-based investigations. However, the nature and functionality of existing Network Forensic Analysis Tools (N-FATs) fall short of File System Forensic Analysis Tools (FS-FATs) in providing usable data. Current N-FATs often present data at an overly granular level, making it challenging for investigators to extract meaningful insights in a timely manner. Moreover, the analysis tends to focus on IP addresses, which are not synonymous with user identities, a point of significant interest to investigators. This paper presents several experiments designed to create a novel N-FAT approach that can identify users and understand how they are using network-based applications whilst the traffic remains encrypted. The experiments build upon the prior art and investigate how effective this approach is in classifying users and their actions. Using an in-house dataset of 50 million packets, the experiments apply three incremental developments to improve performance. Building upon the successful experiments, a proposed N-FAT interface is presented to illustrate the ease with which investigators may ask relevant questions of user interactions. The experiments, profiled across 27 users, yielded an average 93.3% True Positive Identification Rate (TPIR), with 41% of users achieving 100% TPIR. Skype, Wikipedia and Hotmail services achieved a notably high level of recognition performance. The study has developed and evaluated an approach to analyse encrypted network traffic more effectively through the modelling of network traffic, and to visualise these interactions through a novel network forensic analysis tool.

Keywords

Network Forensics, Behaviour Profiling, User Identification, Biometrics, Network Metadata, Incident Response.
