(IJCSIS) International Journal of Computer Science and Information Security, Vol. 10, No. 7, July 2012

Log Analysis Techniques using Clustering in Network Forensics

Imam Riadi (1), Jazi Eko Istiyanto (2), Ahmad Ashari (2), Subanar (3)

(1) Department of Information System, Faculty of Mathematics and Natural Science, Ahmad Dahlan University, Yogyakarta, Indonesia; [email protected]
(2) Department of Computer Science and Electronics, (3) Department of Mathematics, Faculty of Mathematics and Natural Sciences, Gadjah Mada University, Yogyakarta, Indonesia; {jazi,ashari}@ugm.ac.id, [email protected]

Abstract — Internet crimes are now increasing. In line with the many crimes committed using information technology, in particular the Internet, some crimes are carried out in the form of attacks that occur within a particular agency or institution. Finding and identifying the types of attack is a long process that requires time, human resources and the use of information technology. Identifying the attacks that have happened also needs the support of both hardware and software. An attack that happens on the Internet network can generally be recorded in a log file that has a specific data format. Clustering is one of the methods that can be used to facilitate the identification process. Having grouped the records of the log file using the K-means clustering technique, the data is grouped into three categories of attack, and the forensic process then continues so that the source and target of the attacks present in the network can be known. It is concluded that the proposed framework can help the investigator in the trial process.

Keywords: analysis, network, forensic, clustering, attack

I. INTRODUCTION

Together with the rapid development of the Internet, countless individual and business transactions are conducted electronically. Communities use the Internet for many purposes, including communication, email, file transfer and sharing, searching for information and online gaming. The Internet offers its users access to information made available by various organizations. Internet development can also be used to commit digital crimes through communication channels that cannot be predicted in advance. At the same time, the development of the Internet provides many sources of digital crime scenes. Internet crime is now increasing [1]; for example, employees accessing websites that promote pornography or illegal activities pose a problem for some organizations. Pornography has become a huge business and has caused many problems for many organizations. Not only is it easily available on the Internet, but perpetrators also frequently spread pornography using advances in Internet technology to attack computers with unsolicited email and unwanted pop-up ads. Some forms of pornography are not only illegal but also bring a big problem for digital investigators. However, posting child pornography on the Internet can help lead investigators to the victim. Likewise, threatening letters, fraud and intellectual property theft are crimes that leave a digital footprint [2].

Cyber crime, crime that uses information technology as an instrument or a target, has led to the birth of network forensics in response to the rise in such cases. Improving the quality of tools and techniques for network forensic analysis is needed to deal with cyber criminals who are becoming more and more sophisticated. Digital forensics, in essence, answers the questions when, what, who, where, how and why in relation to a digital crime [3]. In an investigation of a computer system, for example: "when" refers to the activity observed to occur, "what" to what was done, "who" to the person responsible, "where" to where the evidence is found, "how" to the activities conducted and "why" to why the crime was committed.

Legal regulation of criminal acts in the field of information technology is arranged in Law No. 11 of 2008 on Information and Electronic Transactions (ITE), which contains the provisions on the elements of criminal acts, or the acts that are prohibited, in the field of ITE, such as Articles 27, 28, 29, 30, 31, 32, 33, 34, 35 and 36. Currently, the Indonesian government and House of Representatives are processing the Information Technology Crime Bill, which is included in the list of 247 Prolegnas Bills for 2010-2014 [4].

As a consequence of the many crimes using information technology, particularly the Internet, some crimes are carried out in the form of attacks that occur within a particular agency or institution. Finding and identifying the types of attack is a long process that requires time, human resources and the use of information technology. Identifying the attacks that have happened also needs the support of both hardware and software. An attack that happens on the Internet network can generally be recorded in a log file that has a specific data format. To simplify the process of analyzing the log, scientific methods are needed to group the diverse raw data. Clustering is one of the methods that can be used to help facilitate the identification process.

II. CURRENT STUDIES ON NETWORK FORENSICS

A. Forensics in Computer Security

The rapid development of information technology, especially in the field of computer networks, has had a positive impact that makes human activity easier, faster and cheaper. However, behind all the conveniences, the development of such infrastructure services has also had a negative impact emerging in cyberspace, among others: theft of data from websites, information theft, financial fraud on the Internet, carding, hacking, cracking, phishing, viruses, cybersquatting and cyberporn. Some crimes, especially those using information technology services, specifically the Internet, can be used to perform illegal activities that harm others, such as cyber gambling, cyber terrorism, cyber fraud, cyber porn, cyber smuggling, cyber narcotism, cyber attacks on critical infrastructure, cyber blackmail, cyber threatening, cyber aspersion and phishing.

The number of computer crime and computer related crime cases handled by the Central Forensic Laboratory of Police Headquarters is around 50 cases, with a total of about 150 units of electronic evidence over the period shown in Table 1 [5].

Table 1. The number of computer crimes and computer related crime cases

Year | Number of cases
2006 | 3 cases
2007 | 3 cases
2008 | 7 cases
2009 | 15 cases
2010 (May) | 27 cases

The forensic process was introduced a long time ago. Several studies related to the forensic process include [5]:
a) Francis Galton (1822-1911); conducted research on fingerprints
b) Leone Lattes (1887-1954); conducted research on blood groups (A, B, AB & O)
c) Calvin Goddard (1891-1955); conducted research on guns and bullets (ballistics)
d) Albert Osborn (1858-1946); conducted research on document examination
e) Hans Gross (1847-1915); conducted scientific research on the application of criminal investigation
f) FBI (1932); conducted research using a forensic lab

The forensic process requires a few tools that can

Table 2. Forensic Computer Tools

No | Software | Information
1 | E-Detective | http://www.edecision4u.com/
2 | Burst | http://www.burstmedia.com/release/advertisers/geo_faq.htm
3 | Chkrootkit | http://www.chkrootkit.org
4 | Cryptcat | http://farm9.org/Cryptcat/
5 | Enterasys Dragon | http://www.enterasys.com/products/advanced-security-apps/index.aspx
6 | MaxMind | http://www.maxmind.com
7 | netcat | http://netcat.sourceforge.net/
8 | NetDetector | http://www.niksun.com/product.php?id=4
9 | NetIntercept | http://www.sandstorm.net/products/netintercept
10 | NetVCR | http://www.niksun.com/product.php?id=3
11 | NIKSUN Function Appliance | http://www.niksun.com/product.php?id=11
12 | NetOmni | http://www.niksun.com/product.php?id=1
13 | Network Miner | http://sourceforge.net/projects/networkminer/
14 | rkhunter | http://rkhunter.sourceforge.net/
15 | Ngrep | http://ngrep.sourceforge.net/
16 | nslookup | http://en.wikipedia.org/wiki/Nslookup
17 | Sguil | http://sguil.sourceforge.net/
18 | Snort | http://www.snort.org/
19 | ssldump | http://ssldump.sourceforge.net/
20 | tcpdump | http://www.tcpdump.org
21 | tcpxtract | http://tcpxtract.sourceforge.net/
22 | tcpflow | http://www.circlemud.org/~jelson/software/tcpflow/
23 | truewitness | http://www.nature-soft.com/forensic.html
24 | OmniPeek | http://www.wildpackets.com/solutions/network_forensics
25 | Whois | http://www.arin.net/registration/agreements/bulkwhois
26 | Wireshark | http://www.wireshark.org/
27 | Kismet | http://www.kismetwireless.net/
28 | Xplico | http://www.xplico.org/

CERT defines forensics as the process of collecting, analyzing and presenting evidence scientifically in court. Computer forensics is the science of analyzing and presenting data that has been processed electronically and stored on computer media [1]. Digital forensics is the use of scientific methods for the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources, or proceeding to facilitate the reconstruction of the crime scene [6]. Indonesia has a state law that can be used to help confirm that a crime committed using information technology services may be subject to Article 5 of Law No. 11/2008 on Information and Electronic
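The abstract describes the workflow of the paper: group the records of a log file with K-means into three clusters, then continue with the forensic step that identifies the source and target of the attacks in each group. The following Python block is an added example and is not code from the paper or its authors. It runs a small, deterministic K-means over a constructed firewall-style log and then summarises each cluster by its distinct sources, targets and destination ports. The log lines, the record format and the two features used (log10-scaled packets per record and bytes per packet) are all assumptions made for illustration; the paper's own log format and feature choice are not on this page.

```python
import math
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample log (not taken from the paper). One record per line in a
# simplified firewall/flow format: "timestamp src dst dport pkts bytes".
# Lines 1-5 look like a port sweep from one host, 6-9 like ordinary web
# sessions, 10-12 like a packet flood from several hosts against one target.
SAMPLE_LOG = """\
2012-07-01T10:00:01 10.0.0.5 192.168.1.10 22 3 480
2012-07-01T10:00:02 10.0.0.5 192.168.1.10 23 2 320
2012-07-01T10:00:02 10.0.0.5 192.168.1.10 80 2 300
2012-07-01T10:00:03 10.0.0.5 192.168.1.10 443 3 450
2012-07-01T10:00:03 10.0.0.5 192.168.1.10 8080 2 310
2012-07-01T10:01:00 10.0.0.7 192.168.1.20 80 40 48000
2012-07-01T10:01:05 10.0.0.7 192.168.1.20 80 42 50400
2012-07-01T10:01:10 10.0.0.9 192.168.1.20 80 38 45600
2012-07-01T10:01:15 10.0.0.9 192.168.1.20 80 41 49200
2012-07-01T10:02:00 10.0.0.11 192.168.1.30 80 5000 320000
2012-07-01T10:02:01 10.0.0.12 192.168.1.30 80 5200 332800
2012-07-01T10:02:02 10.0.0.13 192.168.1.30 80 4900 313600
"""

Record = Tuple[str, str, str, int, int, int]


def parse_log(text: str) -> List[Record]:
    """Parse the constructed format into (ts, src, dst, dport, pkts, bytes)."""
    records: List[Record] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, pkts, nbytes = line.split()
        records.append((ts, src, dst, int(dport), int(pkts), int(nbytes)))
    return records


def features(rec: Record) -> List[float]:
    """Two numeric features per record (an assumption for this example):
    packets in the record and average bytes per packet, both log10-scaled so
    the flood's packet counts do not swamp the Euclidean distance."""
    _, _, _, _, pkts, nbytes = rec
    return [math.log10(pkts), math.log10(nbytes / pkts)]


def _sqdist(a: List[float], b: List[float]) -> float:
    return sum((x - y) ** 2 for x, y in zip(a, b))


def kmeans(points: List[List[float]], k: int, max_iter: int = 100) -> List[int]:
    """Lloyd's K-means. Centroids are seeded deterministically by the
    farthest-point rule (first point, then repeatedly the point farthest from
    every centroid chosen so far), so repeated runs give the same clusters.
    Returns the cluster index of every input point."""
    centroids = [list(points[0])]
    while len(centroids) < k:
        far = max(points, key=lambda p: min(_sqdist(p, c) for c in centroids))
        centroids.append(list(far))
    labels: List[int] = []
    for _ in range(max_iter):
        new_labels = [min(range(k), key=lambda i: _sqdist(p, centroids[i]))
                      for p in points]
        if new_labels == labels:
            break  # assignments stable: converged
        labels = new_labels
        for i in range(k):
            members = [p for p, lab in zip(points, labels) if lab == i]
            if members:  # leave an empty cluster's centroid where it was
                centroids[i] = [sum(col) / len(members) for col in zip(*members)]
    return labels


def cluster_log(text: str, k: int = 3) -> Tuple[List[Record], List[int]]:
    """Parse a log and assign every record to one of k clusters."""
    records = parse_log(text)
    labels = kmeans([features(r) for r in records], k)
    return records, labels


def summarise(records: List[Record], labels: List[int]) -> Dict[int, dict]:
    """Per cluster: record count and the distinct sources, targets and
    destination ports, the view the follow-on forensic step starts from."""
    summary: Dict[int, dict] = defaultdict(
        lambda: {"count": 0, "sources": set(), "targets": set(), "ports": set()})
    for rec, lab in zip(records, labels):
        entry = summary[lab]
        entry["count"] += 1
        entry["sources"].add(rec[1])
        entry["targets"].add(rec[2])
        entry["ports"].add(rec[3])
    return dict(summary)


if __name__ == "__main__":
    recs, labs = cluster_log(SAMPLE_LOG)
    for cid, s in sorted(summarise(recs, labs).items()):
        print(f"cluster {cid}: {s['count']} records, sources={sorted(s['sources'])}, "
              f"targets={sorted(s['targets'])}, ports={sorted(s['ports'])}")
```

On the constructed input the three clusters separate the single-source multi-port sweep, the ordinary sessions and the multi-source flood, and the per-cluster summary is exactly what an investigator needs to name source and target for each group. The farthest-point initialisation is chosen so that a second analyst re-running the same log gets the same clusters, which matters for evidence that may be presented in court; on real logs the feature choice and scaling drive the result far more than the algorithm itself, so they belong in the case notes alongside the cluster output.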