International Journal of Networking and Computing
Online ISSN : 2185-2847
Print ISSN : 2185-2839
ISSN-L : 2185-2839
An eBPF-based packet capture system with embedded application metadata for network forensics
Masaya Okabe, Hiroshi Tsunoda
JOURNAL OPEN ACCESS

2025 Volume 15 Issue 2 Pages 65-84

Abstract
In network forensics, identifying the applications that sent or received captured packets is crucial for reconstructing the chain of events in a security incident. However, captured packets carry no information about the originating application, so investigators must correlate them with other sources such as log data, which reduces the efficiency and accuracy of the forensic process. This paper proposes a new system that uses the extended Berkeley Packet Filter (eBPF) to embed application metadata directly into packet capture files. To demonstrate the feasibility of this concept, we implemented a prototype of the proposed system. The system associates each packet with the name, process ID, and user ID of the corresponding application and stores this metadata alongside the packet data in PCAPNG format, so the capture can be analyzed with existing tools such as Wireshark. An experimental evaluation comparing the system's performance with that of a conventional packet capture tool revealed challenges, including packet loss due to buffer overwriting and increased resource consumption. In particular, the initial Python-based implementation recorded a packet loss rate of 55.61%, which the enhanced Go-based implementation reduced to 7.60%. However, the proposed system still raises CPU utilization by up to 22 percentage points, so further optimization is needed. Despite these remaining performance challenges, the proposed approach has the potential to reduce analysis time and improve accuracy in network forensics by eliminating the reliance on log data.
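The abstract describes storing per-packet application metadata (application name, PID, UID) next to the packet data in PCAPNG so that stock tools can read it. The following is an added example, not the authors' prototype: a minimal PCAPNG writer and reader that records the metadata as an opt_comment option (option code 1) on each Enhanced Packet Block, which Wireshark displays as a packet comment and lets you filter with `frame.comment contains "pid=4242"`. The choice of opt_comment and the `app=... pid=... uid=...` key-value encoding are assumptions of this example; the paper does not say which PCAPNG option it uses. The eBPF side (looking up the process behind a socket) is not reproduced; the frames and process metadata below are constructed sample data.

```python
"""Added example: embed app/pid/uid metadata in PCAPNG packet comments.

Implements just enough of the pcapng format (SHB, IDB, EPB with options) to
write a file Wireshark opens, plus a reader that recovers the metadata.
The opt_comment encoding and the sample packets are assumptions, not the
paper's implementation.
"""
import struct

BYTE_ORDER_MAGIC = 0x1A2B3C4D
SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006
OPT_END, OPT_COMMENT = 0, 1
LINKTYPE_ETHERNET = 1


def _pad4(b: bytes) -> bytes:
    """pcapng aligns packet data and option values to 32 bits."""
    return b + b"\x00" * (-len(b) % 4)


def _option(code: int, value: bytes) -> bytes:
    return struct.pack("<HH", code, len(value)) + _pad4(value)


def _block(block_type: int, body: bytes) -> bytes:
    """Generic block: type, total length, body, total length (trailer)."""
    total = 8 + len(body) + 4
    return struct.pack("<II", block_type, total) + body + struct.pack("<I", total)


def section_header() -> bytes:
    # version 1.0, section length -1 = "unknown", no options
    return _block(SHB, struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1))


def interface_block(linktype: int = LINKTYPE_ETHERNET, snaplen: int = 65535) -> bytes:
    # no if_tsresol option, so timestamps default to microseconds
    return _block(IDB, struct.pack("<HHI", linktype, 0, snaplen))


def packet_block(data: bytes, ts_us: int, app: str, pid: int, uid: int) -> bytes:
    """EPB carrying the frame plus 'app=... pid=... uid=...' as opt_comment.

    Assumption: the application name contains no whitespace (the reader
    splits the comment on spaces).
    """
    comment = f"app={app} pid={pid} uid={uid}".encode()
    body = struct.pack("<IIIII", 0, ts_us >> 32, ts_us & 0xFFFFFFFF, len(data), len(data))
    body += _pad4(data) + _option(OPT_COMMENT, comment) + _option(OPT_END, b"")
    return _block(EPB, body)


def build_capture(records) -> bytes:
    """records: iterable of (ts_us, frame, app, pid, uid). Returns a full pcapng file."""
    out = section_header() + interface_block()
    for ts_us, frame, app, pid, uid in records:
        out += packet_block(frame, ts_us, app, pid, uid)
    return out


def read_packets(buf: bytes):
    """Yield (timestamp_us, frame, metadata dict) for every EPB in a pcapng buffer."""
    off = 0
    while off + 12 <= len(buf):
        btype, total = struct.unpack_from("<II", buf, off)
        if btype == EPB:
            _iface, ts_hi, ts_lo, caplen, _origlen = struct.unpack_from("<IIIII", buf, off + 8)
            frame = buf[off + 28:off + 28 + caplen]
            meta = {}
            opt, end = off + 28 + (caplen + 3) // 4 * 4, off + total - 4
            while opt + 4 <= end:
                code, length = struct.unpack_from("<HH", buf, opt)
                if code == OPT_END:
                    break
                if code == OPT_COMMENT:
                    for kv in buf[opt + 4:opt + 4 + length].decode().split():
                        k, v = kv.split("=", 1)
                        meta[k] = int(v) if v.isdigit() else v
                opt += 4 + (length + 3) // 4 * 4
            yield (ts_hi << 32) | ts_lo, frame, meta
        off += total


def ipv4_checksum(header: bytes) -> int:
    s = sum(struct.unpack("!10H", header))
    s = (s >> 16) + (s & 0xFFFF)
    s += s >> 16
    return ~s & 0xFFFF


def sample_udp_frame(payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/UDP frame 10.0.0.5:40000 -> 10.0.0.53:53 (sample data)."""
    eth = bytes.fromhex("020000000002") + bytes.fromhex("020000000001") + b"\x08\x00"
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0) + payload  # UDP csum 0 = none
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000, 64, 17, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 53]))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return eth + ip + udp


if __name__ == "__main__":
    # constructed sample: two processes, one frame each
    records = [(1_700_000_000_000_000, sample_udp_frame(b"\x12\x34"), "curl", 4242, 1000),
               (1_700_000_000_000_500, sample_udp_frame(b"\x56\x78"), "sshd", 17, 0)]
    with open("app_metadata.pcapng", "wb") as f:
        f.write(build_capture(records))
    for ts, frame, meta in read_packets(build_capture(records)):
        print(ts, len(frame), meta)
```

Opening `app_metadata.pcapng` in Wireshark shows the comment under "Packet comments" in the frame details, so an analyst can pivot from a flow to a process without consulting host logs. A custom option code would keep the metadata structured, but Wireshark would not display it without a dissector change, which is why opt_comment is the portable choice here.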
© 2025 International Journal of Networking and Computing