Building a digital forensic investigation technique for forensically sound analysis of covert channels in IPv6 and ICMPv6, using custom IDS signatures and firewall system logs

Lourdes Gino Dominic Savio, Purdue University


Covert Channels are communication channels used for information transfer, and created by violating the security policies of a system (Latham, 1986, p. 80). Research in the field has shown that, like many communication channels, IPv4 and the TCP/IP protocol suite has features, functionality and options which could be exploited by cyber criminals to leak data or for anonymous communications, through covert channels. With the advent of IPv6, researchers are on the lookout for covert channels in IPv6 and one of them demonstrated a proof of concept in 2006. Nine years hence, IPv6 and its related protocols have undergone major changes, which introduced a need to reevaluate the current situation of IPv6. The current research is a continuation of our (author of this thesis - Lourdes, and committee member - Prof. Hansen) previous studies (Lourdes & Hansen, 2015, 2016), which demonstrated the corroboration of covert channels in IPv6 and ICMPv6 by building a software for the same and testing against a simulated enterprise network. Our study had also explained how some of the enterprise firewalls and Intrusion Detection Systems (IDS) do not currently detect such covert channels, and how they could be tuned to detect them. The current research aimed at understanding if these detection mechanisms (IDS signatures) of IPv6 and ICMPv6 covert channels are forensically sound, and at exploring if the system logs left by such covert channels in the firewall could provide forensically sound evidence. The current research showed that the IDS signatures that detected certain covert channels in IPv6 and ICMPv6, conformed to the forensic soundness criteria of ‘validity of the scientific method’, and ‘known/potential error rates’. The current research also showed that the firewall system logs potentially detected certain covert channels in IPv6 and ICMPv6 and also conformed to the forensic soundness criteria of ‘validity of the scientific method’. Thus the current study showed that these could be used as digital forensic investigation techniques for network forensics of certain types of covert channels in IPv6 and ICMPv6.




Rogers, Purdue University.

Subject Area

Information Technology

Off-Campus Purdue Users:
To access this dissertation, please log in to our
proxy server