Authorization: This phase involves obtaining legal permission from the concerned authority to initiate the investigation process, as shown in Fig. 1. Ciardhuain proposed the authorization phase to obtain consent from internal and external organizations [13].
Preservation: The preservation phase involves preventing tampering with network evidence [1]. For example, if a mobile device is involved in the crime, it must be switched off to avoid mitigating the call and network logs. This is the second phase, as shown in Fig. 1.
Initial Assessment: In this stage, an initial judgment is made whether to continue or abort the investigation. If there are no pre-installed tools for network traffic collection, the investigation is terminated [4]. This phase has two outward links, of which only one is selected, as displayed in Fig. 1.
Strategy Planning: This phase consists of writing down the strategy for carrying out further investigation, i.e., team members, duration of investigation, cost involved, and software used. It involves constructing a design strategy using the design science given by Lutui [9], with more stress on efficacy and coherence.
Evidence Collection: Evidence is collected at this stage, which may involve either automatic or manual network traffic collection. Further, the huge volume of data collected from the network can be reduced by eliminating superfluous data [14].
Documentation: Documentation is the process of writing down all the relevant information required during the investigation process [4].
Network Forensic Process Model and Framework: An Alternative … 495
Analysis: The analysis phase involves determining attack patterns by employing various machine learning techniques. This phase involves techniques such as PROLOG logic techniques to analyze the data, as given by Liu et al. [8].
Investigation: Further investigation is done to reconstruct the attack scenario and replay it at the investigator's end [15].
Decision and Reporting: A decision is made at this stage about the type of attack, and the concerned authorities are informed to take appropriate action.
Review: A review is done to check for further improvement. If any improvement is required, the strategy is rescheduled by taking the novel parameters.