
Understanding Network Analysis File Formats: A Guide for Law Enforcement Agencies

Posted by Neha Jain on 12 August, 2025

With over 67% of the global population using the internet, analysing network traffic has become crucial for law enforcement investigations.  

Criminals increasingly rely on internet-based applications to communicate, making traditional Call Data Records insufficient for tracking their activities. 

This is where other network analysis records, such as Internet Protocol Detail Records, Packet Capture (PCAP), PCAP Next Generation (PCAPNG), and Extensible Record Format, become essential. In this guide, we will explain different network file formats used in network analysis and their significance for law enforcement agencies. 

Call Data Records (CDR) 

CDRs provide details of calls made and received, including timestamps, durations, and phone numbers. Law enforcement agencies have used CDRs for years to track suspect communications. However, with the rise of internet-based messaging and calling applications, CDRs alone are no longer sufficient. 

In a case at Parappana Agrahara Central Jail in India, police extracted CDRs but found them inadequate because the suspect was using internet-based apps for communication. To overcome this limitation, they turned to Internet Protocol Detail Records (IPDR). 

Internet Protocol Detail Record (IPDR) 

IPDR provides detailed insights into a suspect’s online activities, including: 

  • Applications used 
  • Websites visited 
  • IP addresses of online communications 
  • VoIP call details 

For example, during the Delhi Riots, rioters avoided calls and text messages to escape surveillance. So, the Delhi Police used IPDR to trace a suspect who communicated through WhatsApp and Telegram. By analysing IPDR, law enforcement could identify the suspect’s online interactions. 

Limitations of IPDR 

While IPDR reveals network activities, it does not provide content details (payload). This means investigators can see that a suspect accessed a messaging app but cannot retrieve the messages exchanged. 

For more details, check out: IPDR in Intelligence Gathering 

Packet Capture File 

PCAP files store raw network traffic data, capturing packet headers and, if unencrypted, the actual content.  

If a criminal sends crucial instructions to an accomplice in clear text, PCAP analysis can reconstruct their contents. If encrypted, PCAP can still provide metadata insights, such as the type of file transferred. PCAP files come in various extensions such as .net, .cap, .pcap, and more. 

PCAP files are flat files with no indexing, making analysis challenging when dealing with large datasets. Reading, filtering, and searching PCAP files beyond a few hundred megabytes can be cumbersome. PCAP analyser tools like CARBN.AI address this challenge by visualising data in an understandable format. 

To learn how to read PCAP files, check out Understanding PCAP for Investigations 

PCAP Next Generation (PCAPNG) 

PCAPNG is an advanced version of PCAP, offering: 

  • Multi-interface support (e.g., monitoring Wi-Fi and wired connections in one file) 
  • Additional metadata storage 
  • Improved organisation for easier analysis 

PCAP vs. PCAPNG: Understanding the Difference 

Suppose a suspect connects to the internet using multiple devices—his laptop via Ethernet and his phone via Wi-Fi. PCAPNG can capture data from both interfaces in a single file, whereas a classic PCAP file records a single link-layer type for every packet, so each interface needs its own file. This provides law enforcement with a more comprehensive view of online activities. 

While PCAPNG provides richer data, it is supported by fewer analysis tools than PCAP, although PCAPNG viewers such as Wireshark and CARBN.AI handle it. 
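The two sections above (PCAP as a flat, unindexed list of records, and the classic PCAP vs. PCAPNG distinction) are easier to see in code. The following is an added example, not CARBN.AI's code: it classifies a capture by its leading bytes, parses the 24-byte classic PCAP global header (handling both byte orders and the nanosecond-timestamp magic), walks the packet records sequentially, and stops on a truncated or corrupt record. The sample capture is constructed inline; the link type value 1 (Ethernet) and the magic numbers are the standard ones from the pcap and pcapng specifications.

```python
"""Classic PCAP parsing and PCAP/PCAPNG detection (added example, not CARBN.AI code)."""
import struct
from typing import Iterator, NamedTuple

PCAP_MAGIC_US = 0xA1B2C3D4   # classic pcap, microsecond timestamps
PCAP_MAGIC_NS = 0xA1B23C4D   # classic pcap, nanosecond timestamps
PCAPNG_SHB = 0x0A0D0D0A      # pcapng Section Header Block type; same bytes in either byte order
GLOBAL_HDR_LEN = 24
RECORD_HDR_LEN = 16


class PcapHeader(NamedTuple):
    endian: str       # struct prefix: "<" little-endian writer, ">" big-endian writer
    nanosecond: bool  # True when ts_frac is nanoseconds rather than microseconds
    snaplen: int      # maximum bytes stored per packet
    linktype: int     # single link-layer type for the whole file (1 = Ethernet)


class Packet(NamedTuple):
    ts_sec: int
    ts_frac: int
    incl_len: int     # bytes actually stored in the file
    orig_len: int     # bytes seen on the wire (larger if snaplen truncated the packet)
    data: bytes


def detect_format(blob: bytes) -> str:
    """Classify a capture as 'pcap', 'pcapng' or 'unknown' from its first four bytes."""
    if len(blob) < 4:
        return "unknown"
    le = struct.unpack("<I", blob[:4])[0]
    if le == PCAPNG_SHB:
        return "pcapng"
    be = struct.unpack(">I", blob[:4])[0]
    if le in (PCAP_MAGIC_US, PCAP_MAGIC_NS) or be in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
        return "pcap"
    return "unknown"


def parse_global_header(blob: bytes) -> PcapHeader:
    """Decode the classic pcap global header, detecting the writer's byte order from the magic."""
    if len(blob) < GLOBAL_HDR_LEN:
        raise ValueError("file shorter than the pcap global header")
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", blob[:4])[0]
        if magic in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
            # magic, version major/minor, timezone offset, sigfigs, snaplen, linktype
            _, _vmaj, _vmin, _tz, _sig, snaplen, linktype = struct.unpack(
                endian + "IHHiIII", blob[:GLOBAL_HDR_LEN])
            return PcapHeader(endian, magic == PCAP_MAGIC_NS, snaplen, linktype)
    raise ValueError("not a classic pcap file (leading bytes %r)" % blob[:4])


def iter_packets(blob: bytes) -> Iterator[Packet]:
    """Walk records front to back; pcap has no index, so reaching packet N means reading 0..N-1."""
    hdr = parse_global_header(blob)
    off = GLOBAL_HDR_LEN
    while off < len(blob):
        if len(blob) - off < RECORD_HDR_LEN:
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(
            hdr.endian + "IIII", blob[off:off + RECORD_HDR_LEN])
        start = off + RECORD_HDR_LEN
        end = start + incl_len
        # A stored length above snaplen or past end-of-file means a corrupt or cut-off capture.
        if incl_len > hdr.snaplen or end > len(blob):
            raise ValueError("corrupt or truncated packet record at offset %d" % off)
        yield Packet(ts_sec, ts_frac, incl_len, orig_len, blob[start:end])
        off = end


def build_sample_pcap() -> bytes:
    """Constructed sample: little-endian, microsecond timestamps, linktype 1, two Ethernet frames."""
    frames = [
        (1_700_000_000, 250_000, b"\xff" * 6 + b"\x02" * 6 + b"\x08\x00" + b"payload-one"),
        (1_700_000_001, 500, b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + b"payload-two-longer"),
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC_US, 2, 4, 0, 0, 65535, 1)
    for sec, usec, data in frames:
        out += struct.pack("<IIII", sec, usec, len(data), len(data)) + data
    return out


if __name__ == "__main__":
    sample = build_sample_pcap()
    print(detect_format(sample), parse_global_header(sample))
    for pkt in iter_packets(sample):
        print(pkt.ts_sec, pkt.ts_frac, pkt.incl_len, pkt.orig_len, pkt.data[-12:])
```

Because the global header carries one linktype for the whole file, a single classic PCAP cannot hold Ethernet and Wi-Fi frames together; a PCAPNG file starts with a Section Header Block and declares each interface in its own Interface Description Block, which is what `detect_format` recognises by the `0x0A0D0D0A` block type.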

Snoop File Format 

The Snoop format originates from the Sun Solaris environment and is used for network packet capturing. It functions similarly to PCAP, allowing packet data to be stored and analysed later. 

Extensible Record Format (ERF) 

ERF is a high-performance capture format used in high-speed network monitoring. It offers: 

  • Precision timestamping (233-picosecond resolution) 
  • Multi-record type support (Ethernet, ATM, metadata-only records) 
  • Seamless analysis across different network layers 

For example, imagine investigating a cybercrime suspect using different network types, like Ethernet and ATM, for communication. Using the ERF, you can capture all network traffic with precise timing and detailed data in a single format. This helps accurately piece together the suspect's activities, understand network patterns, and collect better evidence. 
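The 233-picosecond figure above follows from how ERF stores time: a 64-bit fixed-point value whose upper 32 bits are seconds since the Unix epoch and lower 32 bits are fractions of a second, so one tick is 2^-32 s. The following added example (not CARBN.AI's or Endace's code) parses a single ERF record header and converts the timestamp without losing that precision. The 16-byte header layout (little-endian 64-bit timestamp, then type, flags, record length, loss counter and wire length) and the two-byte offset/pad in front of Ethernet frames are assumed here from the published ERF record format; the sample record is constructed inline. It also shows why converting the timestamp to a Python float is a mistake: at current epoch values a float cannot distinguish two records one tick apart.

```python
"""ERF record header parsing and exact 32.32 timestamp conversion (added example, not vendor code)."""
import struct
from datetime import datetime, timezone
from fractions import Fraction
from typing import NamedTuple

ERF_HDR_LEN = 16
ERF_TYPE_ETH = 2                 # Ethernet record type (assumed from the ERF spec)
TICKS_PER_SECOND = 1 << 32       # one tick = 2^-32 s
ERF_TICK_PS = Fraction(10**12, TICKS_PER_SECOND)   # tick width in picoseconds (~232.8 ps)


class ErfRecord(NamedTuple):
    ts_raw: int      # 64-bit fixed-point timestamp, seconds in the high word
    rtype: int
    flags: int
    rlen: int        # total record length including this 16-byte header
    lctr: int        # loss counter
    wlen: int        # length of the packet on the wire
    body: bytes      # bytes following the header (for Ethernet: 2-byte offset/pad, then frame)


def parse_erf_record(blob: bytes, off: int = 0) -> ErfRecord:
    """Decode one ERF record at byte offset `off`; raise on a record that overruns the buffer."""
    if len(blob) - off < ERF_HDR_LEN:
        raise ValueError("truncated ERF header at offset %d" % off)
    ts_raw = struct.unpack_from("<Q", blob, off)[0]                 # timestamp is little-endian
    rtype, flags, rlen, lctr, wlen = struct.unpack_from(">BBHHH", blob, off + 8)  # rest big-endian
    if rlen < ERF_HDR_LEN or off + rlen > len(blob):
        raise ValueError("corrupt rlen %d at offset %d" % (rlen, off))
    return ErfRecord(ts_raw, rtype, flags, rlen, lctr, wlen, blob[off + ERF_HDR_LEN:off + rlen])


def erf_ts_seconds(ts_raw: int) -> Fraction:
    """Exact rational seconds since the epoch; no precision is lost."""
    return Fraction(ts_raw, TICKS_PER_SECOND)


def erf_ts_picoseconds(ts_raw: int) -> int:
    """Integer picoseconds since the epoch, floored to the tick; safe for ordering and deltas."""
    return (ts_raw * 10**12) >> 32


def erf_ts_iso(ts_raw: int) -> str:
    """UTC timestamp with the full 12 fractional digits a 233 ps tick warrants."""
    sec, frac = ts_raw >> 32, ts_raw & 0xFFFFFFFF
    base = datetime.fromtimestamp(sec, timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")
    return "%s.%012dZ" % (base, (frac * 10**12) >> 32)


def float_collapses_adjacent_ticks(ts_raw: int) -> bool:
    """True when ts_raw and ts_raw + 1 tick become the same float (the usual case today)."""
    return float(erf_ts_seconds(ts_raw)) == float(erf_ts_seconds(ts_raw + 1))


def build_sample_erf_record(ts_raw: int, frame: bytes) -> bytes:
    """Constructed Ethernet ERF record: 16-byte header, 2-byte offset/pad, then the frame."""
    body = b"\x00\x00" + frame
    rlen = ERF_HDR_LEN + len(body)
    header = struct.pack("<Q", ts_raw) + struct.pack(">BBHHH", ERF_TYPE_ETH, 0, rlen, 0, len(frame))
    return header + body


if __name__ == "__main__":
    ts = (1_700_000_000 << 32) | (1 << 31)          # 1700000000.5 s exactly
    frame = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + b"constructed"
    rec = parse_erf_record(build_sample_erf_record(ts, frame))
    print(rec.rtype, rec.rlen, rec.wlen, erf_ts_iso(rec.ts_raw))
    print("float loses adjacent ticks:", float_collapses_adjacent_ticks(rec.ts_raw))
```

When correlating ERF captures with other evidence, keep timestamps as integers or `Fraction` objects until the final formatting step; the `float_collapses_adjacent_ticks` check is a quick way to demonstrate to a reviewer why a float-based pipeline cannot preserve the ordering ERF records were captured in.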

| Format | Use Case | Pros | Cons | Common Tools |
|---|---|---|---|---|
| PCAP | General packet capture | Widely supported, simple structure | No indexing, single interface | Wireshark, tcpdump, CARBN.AI |
| PCAPNG | Multi-interface, rich metadata | Multi-interface, extensible metadata | Fewer compatible tools | Wireshark, CARBN.AI |
| Snoop | Solaris environments | Native to Solaris, legacy support | Limited to a specific OS | snoop, Wireshark, CARBN.AI |
| ERF | High-speed, precision capture | High precision, multi-record support | Niche; requires specialised tools | Endace tools |

Simplifying Network Data Analysis for Investigators 

Analysing network data formats is crucial for accelerating investigations, but it can often be complex and time-consuming.  

Tools like CARBN.AI simplify this process by transforming raw data into clear, visual insights.  

The law enforcement investigation software allows investigators to securely analyse multiple file formats without needing deep technical expertise.