Thesis Details

Methods for Intelligent Network Forensics

Ph.D. Thesis Student: Pluskal Jan Academic Year: 2022/2023 Supervisor: Ryšavý Ondřej, doc. Ing., Ph.D.
Czech title
Inteligentní síťové forenzní metody

This dissertation is a collection of the author's peer-reviewed papers, with a common topic of computer network forensic analysis, published in journals and conferences in computer science, digital forensics. In contrast to understanding network forensics as a discipline of network security monitoring, this work's merit is to aid law enforcement agency (LEA) officers in conducting network forensic investigations. The distinction lies in putting emphasis on extracting evidence from illicit activities rather than detecting network attacks or security incidents.

This work revisits methods used for the forensic investigation of captured network traffic by critically analyzing tools commonly used by LEA investigators. The objective is to identify weaknesses, design solutions, and propose new approaches. Particular interest is given to processing incomplete network communication that typically occurs in low-quality interception provided by Internet Service Providers (ISPs). The proposed method involves omitting missing parts and intelligently rewinding the protocol parsers to pass the missing segments using information from transport and internet layers. This process allowed the creation of novel features for the application protocol identification, thus additionally enabling application protocol identification and finer-grained application identification. Subsequent research analyzed the performance characteristics of single-machine captured network communication and designed, implemented, and evaluated a linearly scalable architecture for distributed computation. Lastly, the problem of overlay and tunneled communication was tackled by thoroughly analyzing Generic Stream Encapsulation (GSE). The presented research is publicly available, except for the limitations enforced by the publishing houses. When applicable, methods have been implemented into the open source network forensic investigation and analysis tool, Netfox Detective, and verified using enclosed datasets. All data sets and results are available and referenced in their respective publications.


network forensic analysis, application protocol identification, captured network traffic processing

Degree Programme
4 May 2023
PLUSKAL, Jan. Methods for Intelligent Network Forensics. Brno, 2022. Ph.D. Thesis. Brno University of Technology, Faculty of Information Technology. 2023-05-04. Supervised by Ryšavý Ondřej. Available from:
    author = "Jan Pluskal",
    type = "Ph.D. thesis",
    title = "Methods for Intelligent Network Forensics",
    school = "Brno University of Technology, Faculty of Information Technology",
    year = 2023,
    location = "Brno, CZ",
    language = "english",
    url = ""
Back to top