The increasing importance of network forensics in the investigations conducted by Law Enforcement Agencies is indisputable. Today's Internet does not carry ordinary TCP/IP traffic but utilizes many other encapsulations and tunneling protocols. In this paper, we overview the most used tunneling protocols and their features concerning digital forensic analysis. A case study of generic stream encapsulation describes how the investigator can obtain encapsulated application data from within.

Keywords: Network traffic forensics, Generic stream encapsulation, Network forensic and analysis tool