A Decentralized Framework for Geolocation-Based Pre-Incident Network Forensics

2015 
Over the last few years, network forensics has gained importance due to the ever-growing quantity and sophistication of attacks. In contrast to conventional network forensics, which relies on a central approach, both legal and technical guidelines now favor a decentralized approach, since aspects such as privacy, limited opportunities for data manipulation, and scalability are better addressed there. In this regard, however, present (decentralized) solutions all need improvement, especially in the area of protection against manipulation, i.e., the falsification of relevant forensic data, particularly in the case of sophisticated attacks. Following the idea of strategic pre-incident preparation, this publication presents a decentralized approach that selectively collects data in advance, based on the suspiciousness of the connection, to facilitate a (possible) investigation. To this end, we present an agent-based framework, including a prototype and an evaluation, that specifically uses geolocation to fulfill this task.