Article ID: 458009
Journal: Digital Investigation
Published Year: 2009
Pages: 8 Pages
File Type: PDF

Abstract

Network Address Translation (NAT) is a technology that allows a number of machines to share a single IP address. This presents a problem for network forensics, since it is difficult to attribute observed traffic to specific hosts. We present a model and algorithm for disentangling observed traffic into discrete sources. Our model relies on correlating a number of artifacts left over by the NAT gateway, which allows identification of sources. The model works well for a small number of sources, as commonly found behind a home or small office NAT gateway.
