Title: Network Forensics Analysis of Man in the Middle Attack Using Live Forensics Method

Issue Number: Vol. 8, No. 1
Year of Publication: March - 2019
Page Numbers: 66-73
Authors: Dedy Saputra, Imam Riadi
Journal Name: International Journal of Cyber-Security and Digital Forensics (IJCSDF)
- Hong Kong


The security of based internet information system is a must to care about. Because the network which is public and global basically are not safe. When the data sent from a personal computer to another personal computer, the data will across several personal computers it will give another user a chance to steal the data. It almost happened every day in the whole world. One of the way to steal the data is Man In The Middle Attack which attacks the server. Intrusion detection system is implemented with sniffing, traffic data watch process, and log traffic snort analyze are open source. Intrusion Detection System Snort analyze all the traffic system to sniff and search for several kinds of cybercrime in the network. The research is implemented with a Live Forensic method which basically has the same traditional forensic technique that is identification of saving, analyze and presentation. This research is expected to get the information such as log with sets the snort into personal computer to detect attack of web server, and then analyze the log file to explore the evidence forensic digital from log snort file. This research generates information in the form of alerts from attacks displayed by IDS Snort that are already installed on the web server. The log file is analyzed using Wireshark for exploration of digital forensics evidence in the form of an IP Address that attacks, when the attack occurred, how the attack occurred, and where the attack occurred. Based on the implementation of IDS Snort to detect Man in the Middle Attack. The results of the exploration of digital forensics evidence are obtained in the form of IP Address and port used by attackers to access the web server. Mitigation of attacks is done by blocking the IP Address and port used by the attacker to access the web server. This research has been successfully carried out.