2025
Conference Paper
Title
Reconstructing File Versions and Timestamps: Challenges and Guidelines in Network Forensics
Abstract
Extracting files from a network capture file sounds like an easy task, long since solved by modern network analysis and forensic tools. On closer examination, however, numerous highly relevant forensic aspects remain unaddressed or inadequately explored, and the apparent lack of awareness of this issue is even more problematic. Our paper intends to address and close this gap. We provide a systematic presentation of the current challenges in extracting and reconstructing files from network traffic in the context of digital forensics, along with their causes, and we discuss solutions and guidelines to overcome them. While some of our proposed approaches hold for all protocols, others are protocol-dependent. Hence, we use the SMB protocol as an example to illustrate how several of these challenges can be addressed using protocol-inherent information. This discussion is accompanied by a ready-to-use implementation, which we have incorporated into an open-source network forensic tool. Our paper highlights current research and tooling gaps and provides directions to tackle them; we hope it spawns and fosters new research in this area. Moreover, we are confident that it helps practitioners conduct network forensic analyses and provides important guidelines and considerations for analysts and investigators. Finally, it highlights facets that current commercial and open-source tools do not consider sufficiently, in the hope that they incorporate these aspects in future developments.
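The abstract's central point, that SMB carries protocol-inherent information from which file versions and timestamps can be reconstructed, is illustrated below with an added example. It is not code from the paper or from the open-source tool the paper extends. What it relies on from SMB2 is fact: WRITE requests carry an Offset field and only the changed byte range, and CREATE and CLOSE responses carry timestamps as Windows FILETIME values (100 ns ticks since 1601-01-01 UTC), with CLOSE returning them only when the client sets SMB2_CLOSE_FLAG_POSTQUERY_ATTRIB. Everything else is an assumption for illustration: the event model stands in for already-parsed messages, and the share path, file IDs, payloads and timestamps are constructed, not taken from a capture.

```python
"""Illustrative reconstruction of file versions from SMB2 write activity.

Constructed example: the events replayed in reconstruct_sample() stand in
for parsed SMB2 CREATE, WRITE and CLOSE messages; no real capture is used.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# FILETIME is the timestamp format SMB2 carries in CREATE and CLOSE
# responses: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a FILETIME value to a timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime (used here only to build sample data)."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


@dataclass
class FileVersion:
    path: str
    content: bytes
    captured_at: datetime                 # time the CLOSE was seen on the wire
    last_write_time: Optional[datetime]   # server-reported, from CLOSE response


class SmbFileReconstructor:
    """Replays CREATE/WRITE/CLOSE events and emits one version per CLOSE."""

    def __init__(self) -> None:
        self._open: Dict[int, bytearray] = {}   # file_id -> working content
        self._path: Dict[int, str] = {}         # file_id -> share path
        self.versions: Dict[str, List[FileVersion]] = {}

    def on_create(self, file_id: int, path: str) -> None:
        # Seed from the last reconstructed version of this path, if any:
        # SMB WRITEs carry only the changed ranges, never the whole file.
        prior = self.versions.get(path)
        seed = prior[-1].content if prior else b""
        self._open[file_id] = bytearray(seed)
        self._path[file_id] = path

    def on_write(self, file_id: int, offset: int, data: bytes) -> None:
        # WRITEs may arrive out of offset order and may overlap; each is
        # applied at its own Offset field, growing the file when needed.
        buf = self._open[file_id]
        end = offset + len(data)
        if end > len(buf):
            buf.extend(b"\x00" * (end - len(buf)))
        buf[offset:end] = data

    def on_close(self, file_id: int, captured_at: datetime,
                 last_write_filetime: Optional[int] = None) -> FileVersion:
        # Timestamps in the CLOSE response exist only when the client set
        # SMB2_CLOSE_FLAG_POSTQUERY_ATTRIB; otherwise only the capture time
        # remains, and last_write_time is left None rather than guessed.
        path = self._path.pop(file_id)
        content = bytes(self._open.pop(file_id))
        lwt = (filetime_to_datetime(last_write_filetime)
               if last_write_filetime is not None else None)
        version = FileVersion(path, content, captured_at, lwt)
        self.versions.setdefault(path, []).append(version)
        return version


def reconstruct_sample() -> List[FileVersion]:
    """Run the reconstructor over a constructed (hypothetical) event sequence."""
    t0 = datetime(2025, 1, 15, 12, 0, 0, tzinfo=timezone.utc)
    r = SmbFileReconstructor()
    # Session 1: new file, two WRITEs arriving out of offset order, CLOSE
    # with POSTQUERY_ATTRIB so the server's LastWriteTime is available.
    r.on_create(1, r"\\srv\share\notes.txt")
    r.on_write(1, 6, b"world")
    r.on_write(1, 0, b"hello ")
    r.on_close(1, t0 + timedelta(seconds=1),
               datetime_to_filetime(t0 + timedelta(milliseconds=900)))
    # Session 2: same path reopened, partial overwrite, CLOSE without
    # POSTQUERY_ATTRIB, so only the capture timestamp is known.
    r.on_create(2, r"\\srv\share\notes.txt")
    r.on_write(2, 6, b"there")
    r.on_close(2, t0 + timedelta(seconds=30))
    return r.versions[r"\\srv\share\notes.txt"]


if __name__ == "__main__":
    for i, v in enumerate(reconstruct_sample(), 1):
        print(i, v.captured_at.isoformat(), v.last_write_time, v.content)
```

The two timestamps kept per version are deliberately separate: the capture time is the analyst's clock, the FILETIME is the server's, and a version record should preserve both rather than silently substituting one for the other when the CLOSE response carries no attributes.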
Author(s)