Targeted digital surveillance: Network forensics

Network forensics is the monitoring and analysis of network traffic.

Network information is volatile: it is designed to be transmitted and then lost, so monitoring it requires a proactive approach. Many countries have built network monitoring centers that store massive amounts of network information for days, months, or years to be analyzed later. An adversary can also monitor your network traffic with the collaboration of your Internet Service Provider, by compromising your home router with malware, or by snooping on your wired or wireless network connection from a surveillance vehicle outside your home.

Because most websites, email providers, and messaging applications use SSL/TLS encryption (the “s” in “https”), an adversary monitoring your network traffic usually knows what websites you visit, but not what you do on those websites. If you use Tor[1], an adversary monitoring your network traffic knows that you use Tor, but not what websites you visit or what you do on those websites.
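The following Python script is an added illustration of the point above, not part of the original entry. It constructs a minimal TLS 1.2 ClientHello record (with the Server Name Indication extension that browsers send in the clear) and an opaque application-data record, then shows what a passive observer of the wire can read from each: the destination and the server name from the handshake, but only the size of the encrypted payload afterwards. The address 203.0.113.10 and the hostname example.org are constructed sample values.

```python
import struct

# --- Constructed sample traffic (built here for the demonstration, not a real capture) ---

def build_client_hello(hostname: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record carrying a plaintext SNI extension."""
    name = hostname.encode("ascii")
    server_name_entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
    server_name_list = struct.pack("!H", len(server_name_entry)) + server_name_entry
    sni_ext = struct.pack("!HH", 0x0000, len(server_name_list)) + server_name_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                            # client_version: TLS 1.2
        + bytes(32)                            # client random (zeroed in this sample)
        + b"\x00"                              # session_id length: 0
        + struct.pack("!H", 2) + b"\xc0\x2f"   # one cipher suite
        + b"\x01\x00"                          # compression methods: null only
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def build_application_data(ciphertext: bytes) -> bytes:
    """Build a TLS application_data record; the payload is opaque to an observer."""
    return b"\x17\x03\x03" + struct.pack("!H", len(ciphertext)) + ciphertext

# --- What a passive observer can parse from the wire ---

def extract_sni(record: bytes):
    """Return the SNI hostname from a TLS ClientHello record, or None if the record
    is not a ClientHello or carries no server_name extension."""
    if len(record) < 5 or record[0] != 0x16:          # 0x16 = handshake content type
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                  # 0x01 = ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                      # skip client_version and random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                              # skip session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                              # skip compression_methods
    if len(body) < pos + 2:
        return None                                   # no extensions block at all
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_total, len(body))
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        ext_data = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type == 0x0000 and len(ext_data) >= 5:
            # server_name_list: [list length:2][name_type:1][name length:2][name]
            name_type = ext_data[2]
            name_len = struct.unpack("!H", ext_data[3:5])[0]
            if name_type == 0 and len(ext_data) >= 5 + name_len:
                return ext_data[5:5 + name_len].decode("ascii", errors="replace")
    return None

def observer_view(flows):
    """Summarize, per record, what a network observer learns: destination plus the
    plaintext server name for a ClientHello, but only a byte count for encrypted data."""
    out = []
    for dst, record in flows:
        sni = extract_sni(record)
        if sni:
            out.append(f"{dst}: TLS ClientHello, server name = {sni}")
        elif record and record[0] == 0x17:
            out.append(f"{dst}: TLS application data, {len(record) - 5} bytes, content opaque")
        else:
            out.append(f"{dst}: {len(record)} bytes, unrecognized")
    return out

if __name__ == "__main__":
    sample_flows = [                                   # constructed sample, RFC 5737 test address
        ("203.0.113.10:443", build_client_hello("example.org")),
        ("203.0.113.10:443", build_application_data(bytes(40))),
    ]
    for line in observer_view(sample_flows):
        print(line)
```

Running the script prints the hostname from the first record and only a size for the second, which is exactly the split the paragraph describes: the observer learns where you connect, not what you send. With Tor, even the first record only reveals a connection to a Tor relay.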

Tor is vulnerable to correlation attacks, but such attacks are difficult to set up even for powerful adversaries. An example of a successful correlation attack can be found in the prosecution of anarchist hacker Jeremy Hammond, in which the times when the alias he used in chat rooms was “online” (obtained through network traffic analysis[2]) were correlated with the times when a physical surveillance effort observed him at home to prove that the alias belonged to him.

Used in tactics: Incrimination

Mitigations

Compartmentalization

Different digital identities can be correlated through the footprints left by their network traffic. To limit this risk, you can compartmentalize different digital identities by using Tails[3] and rebooting between each session, or on Qubes OS[4] by using different Whonix[5] virtual machines non-simultaneously.

Digital best practices

If you use Tor[1] or a VPN, it is harder for an adversary to analyze your network traffic.

Encryption

If you encrypt your network traffic with Tor[1] or a VPN, it is harder for an adversary to analyze it.