a network forensic analysis framework
play

A Network Forensic Analysis Framework Professor Patrick McDaniel - PowerPoint PPT Presentation

Oct 12, 2023 •19 likes •379 views

A Network Forensic Analysis Framework Professor Patrick McDaniel Daniel Krych Fall 2015 About An extensible network forensic analysis framework. Enables rapid development of plugins to support the dissection of network packet captures.

  1. A Network Forensic Analysis Framework Professor Patrick McDaniel Daniel Krych Fall 2015

  2. About • An extensible network forensic analysis framework. • Enables rapid development of plugins to support the dissection of network packet captures. • Key features: ‣ Robust stream reassembly ‣ IPv4 and IPv6 support ‣ Custom output handlers ‣ Chainable decoders • Billy Glodek Page

  3. Page

  4. Installation (Ubuntu) > sudo apt-get install git > git clone https://github.com/USArmyResearchLab/Dshell.git > sudo apt-get install python-crypto python-dpkt python-ipy python-pypcap python-pip > sudo pip install pygeoip Download GeoLite Country, GeoLite Country IPv6, GeoLite ASN, GeoLite ASN IPv6 http://dev.maxmind.com/geoip/legacy/geolite/ > gunzip * Move the MaxMind dat files to ~/Dshell/share/GeoIP/ > cd ~/Dshell > make > ./dshell If you get a Dshell> prompt, you're good to go! Page

  5. Malware Traffic Analysis • http://www.malware-traffic-analysis.net/ > wget http://www.malware-traffic- analysis.net/2014/11/16/2014-11-16- traffic-analysis-exercise.pcap Page

  6. General Usage • To run a decoder > decode – d <decoder> *.pcap • To list all decoders > decode – l • To get help > decode – h • To learn more about a specific decoder > decode – d <decoder> Page

  7. > decode – l Page

  8. Example Uses - followstream • Generates color-coded Screen/HTML output similar to Wireshark Follow Stream. • Default filter: tcp > decode – d followstream 2014-11-16- traffic-analysis-exercise.pcap Page

  9. Example Uses - followstream Page

  10. Example Uses - web • Tracks server responses • Default filter: tcp and (port 80 or port 8080 or port 8000) > decode – d web 2014-11-16-traffic- analysis-exercise.pcap Page

  11. Example Uses - web Page

  12. Example Uses - DNS • Extracts and summarizes DNS queries/responses (defaults: A,AAAA,CNAME,PTR records), • Default filter: (udp and port 53) > decode -d dns 2014-11-16-traffic- analysis-exercise.pcap Page

  13. Example Uses - DNS Page

  14. Example Uses - DHCP • Extracts client information from DHCP messages • Default filter: (udp and port 67) > decode -d dhcp 2014-11-16-traffic- analysis-exercise.pcap Page

  15. Example Uses - DHCP Page

  16. So, how does it work? Page

  17. dpkt • An ethernet packet decoding module • Python library - Dug Song & Jon Oberheide • leveraged by Dshell • https://github.com/kbandla/dpkt Page

  18. Dshell Types Page

  19. Dshell Types Page

  20. Dshell Classes ~/Dshell/lib/dshell.py Page

  21. Dshell Classes ~/Dshell/lib/dshell.py Page

  22. Dshell Classes ~/Dshell/lib/dshell.py Page

  23. Dshell Classes ~/Dshell/lib/dshell.py Page

  24. Dshell Classes ~/Dshell/lib/dshell.py Page

  25. Dshell Classes ~/Dshell/lib/dshell.py Page

  26. Dshell Classes ~/Dshell/lib/dshell.py Page

  27. Dshell Classes ~/Dshell/lib/dshell.py Page

  28. Dshell Classes ~/Dshell/lib/dshell.py Page

  29. Dshell Classes ~/Dshell/lib/dshell.py Page

  30. Dshell Classes ~/Dshell/lib/dshell.py Page

  31. User-Agent Author: Eric Kilmer Page

  32. User-Agent Author: Eric Kilmer Page

  33. Useful tools • Python libraries: ‣ util.hexPlusAscii • Function to print hex and Ascii side-by- side ‣ binascii.hexlify / binascii.unhexlify • tcpdump • Wireshark Page

  34. Additional Notes • Decoders can be chainable ‣ see the country decoder for an example • Read the protocol’s RFCs • Make your code more pythonic ‣ Raymond Hettinger’s Tips and Tricks https://gist.github.com/JeffPaine/6213790 ‣ Youtube videos of Raymond’s talks https://www.youtube.com/watch?v=wf-BqAjZb8M https://www.youtube.com/watch?v=OSGv2VnC0go ‣ PEP 8 Style Guide for Python Code https://www.python.org/dev/peps/pep-0008/ Page

  35. Our Contributions • Dan - DHCP, NBNS, Bitcoin • Eric – User-Agent, Flash-Detect, teredo • Mark – WebColors, ether • Nate – accept-filter, asn-filter, flow-range, uaabf, entropy Page

  36. Assignment • Repeat the process in these slides using the DNS, Followstream, and Web decoders for Dshell on 3 different pcap’s (malware-traffic-analysis.net) • What information can you discover using these decoders? • Write a new decoder that parses out the ‘Referrer’ field from a HTTP Header (HINT: This will be similair to the ‘User - Agent’ decoder discussed earlier) • What will this provide us with? What else could we add to the decoder to make it more useful as an analysis tool? Page

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

p(E|H p(E|H p ) p ) p(E|H p(E|H d ) d ) Concerns Logically correct framework for evaluation

p(E|H p(E|H p ) p ) p(E|H p(E|H d ) d ) Concerns Logically correct framework for evaluation

Measuring the validity and reliability of forensic analysis systems Geoffrey Stewart Morrison p(E|H p(E|H p ) p ) p(E|H p(E|H d ) d ) Concerns Logically correct framework for evaluation of forensic evidence - ENFSI Guideline for

750 views • 54 slides
Forensic Challenge V2.0 UNAM-CERT RedIRIS Topics * Forensic Challenge V1.0 * Forensic

Forensic Challenge V2.0 UNAM-CERT RedIRIS Topics * Forensic Challenge V1.0 * Forensic

Forensic Challenge V2.0 UNAM-CERT RedIRIS Topics * Forensic Challenge V1.0 * Forensic Challenge V2.0 * Conclusions Introduction Why this forensic Challenge ? * To promote and impulse the Forensic Analysis in our Region -- Hispanoamerica--

558 views • 19 slides
A Network Black Box with Splunk for Forensic Analysis of Attack Patterns Clive Blackwell Oxford

A Network Black Box with Splunk for Forensic Analysis of Attack Patterns Clive Blackwell Oxford

A Network Black Box with Splunk for Forensic Analysis of Attack Patterns Clive Blackwell Oxford Brookes University Oxford, United Kingdom CBlackwell@brookes.ac.uk Roadmap Three layer architectural security model Influenced by OSI

782 views • 37 slides
qPCR in forensic DNA analysis Johannes Hedman Researcher, Applied Microbiology, Lund University

qPCR in forensic DNA analysis Johannes Hedman Researcher, Applied Microbiology, Lund University

qPCR in forensic DNA analysis Johannes Hedman Researcher, Applied Microbiology, Lund University Specialist, Swedish National Laboratory of Forensic Science Forensic science Every contact leaves a trace Edmond Locard (1877 1966) Forensic

1.32k views • 78 slides
Forensic analysis of a Linux web server 1 www.nbs-system.com Agenda Who are we ? Performing

Forensic analysis of a Linux web server 1 www.nbs-system.com Agenda Who are we ? Performing

Mathieu Deous Julien Reveret Forensic analysis of a Linux web server 1 www.nbs-system.com Agenda Who are we ? Performing forensic analysis on a compromised web server What to search, where, how ? Logs but also dynamic analysis What

603 views • 28 slides
Why This Workshop? In 2009 the Research Council of the National Academy of Sciences issues a

Why This Workshop? In 2009 the Research Council of the National Academy of Sciences issues a

Specialized Topics in Ethical Forensic Practice, Part 3: Bias in Forensic Evaluations November 18, 2015 Ohio MHAS Forensic Conference Columbus, OH Terry Kukor, Ph.D., ABPP Board Certified in Forensic Psychology Director of Forensic Services Netcare

972 views • 23 slides
Challenges in Crime Scene Investigation Technical challenges in forensic STR profiling

Challenges in Crime Scene Investigation Technical challenges in forensic STR profiling

Epigenetics a New Perspective for Improving Forensic Science p g Hwan Young Lee, Ph.D. Department of Forensic Medicine Yonsei University College of Medicine Current Forensic DNA Typing Forensic cases -- matching suspect with evidence

247 views • 13 slides
Objectives 1. Articulate the rationale for restructuring forensic evaluation reports 2. Identify

Objectives 1. Articulate the rationale for restructuring forensic evaluation reports 2. Identify

11/5/2015 Specialized Topics in Ethical Forensic Practice, Part 1: Restructured Forensic Reports Presented For OhioMHAS Forensic Conference November 18, 2015 Terry Kukor, Ph.D., ABPP (Forensic) Joy Stankowski, M.D. Aracelis (Liz) Rivera, Psy.D.

451 views • 17 slides
Forensic evaluation of nine miniSTR loci to aid analysis of degraded DNA in Koreans Ukhee Chung,

Forensic evaluation of nine miniSTR loci to aid analysis of degraded DNA in Koreans Ukhee Chung,

Forensic evaluation of nine miniSTR loci to aid analysis of degraded DNA in Koreans Ukhee Chung, Hwan Young Lee, Myung Jin Park, Sang-Ho Cho, Kyoung-Jin Shin and Woo Ick Yang Department of Forensic Medicine, Yonsei University College of

554 views • 13 slides
T and Science of Forensic Monitoring Forensic Monitor may be employed by one Board or a

T and Science of Forensic Monitoring Forensic Monitor may be employed by one Board or a

11/5/2015 The T and Science of Forensic Monitoring Robert N. Baker, PhD Jeannie Cool, PCC-S Lottie Gray, MSSA, LISW, CDCA Julia King, PsyD, MBA T and Science of Forensic Monitoring Has your boss just told you? You are our New Forensic

389 views • 24 slides
Specialized Topics in Ethical Forensic Practice, Part 3: Bias in Forensic Evaluations November 18,

Specialized Topics in Ethical Forensic Practice, Part 3: Bias in Forensic Evaluations November 18,

Specialized Topics in Ethical Forensic Practice, Part 3: Bias in Forensic Evaluations November 18, 2015 Ohio MHAS Forensic Conference Columbus, OH Terry Kukor, Ph.D., ABPP Board Certified in Forensic Psychology Director of Forensic Services Netcare

1.29k views • 67 slides
Outline of presentation MPS in forensic genetics Developed 3 in-house MPS panels

Outline of presentation MPS in forensic genetics Developed 3 in-house MPS panels

2017-09-05 Implementing Massively Parallel Sequencing for Forensic DNA Analysis Using In-house PCR Panels Kyoung-Jin Shin, Ph.D. Dept. of Forensic Medicine Yonsei University College of Medicine Seoul, Republic of Korea Outline of

710 views • 23 slides
p(E|H p(E|H p ) p ) p(E|H p(E|H d ) d ) Concerns Logically correct framework for evaluation

p(E|H p(E|H p ) p ) p(E|H p(E|H d ) d ) Concerns Logically correct framework for evaluation

Introduction to logical reasoning for the evaluation of forensic evidence Geoffrey Stewart Morrison p(E|H p(E|H p ) p ) p(E|H p(E|H d ) d ) Concerns Logically correct framework for evaluation of forensic evidence - ENFSI Guideline for

936 views • 67 slides
THE NEW FORENSIC PATIENT Learning Objectives Review the epidemiology of forensic populations

THE NEW FORENSIC PATIENT Learning Objectives Review the epidemiology of forensic populations

THE NEW FORENSIC PATIENT Learning Objectives Review the epidemiology of forensic populations Explore various clinical presentations seen in forensic settings Implement evidence-based and novel treatment strategies to the new forensic

946 views • 80 slides
Forensic Feature Extraction and Cross-Drive Analysis Simson L. Garfinkel Center for Research on

Forensic Feature Extraction and Cross-Drive Analysis Simson L. Garfinkel Center for Research on

Forensic Feature Extraction and Cross-Drive Analysis Simson L. Garfinkel Center for Research on Computation and Society Harvard University 1:15pm, Tuesday, August 15, 2006 1 Todays forensic tools are designed for one drive at a time.

552 views • 34 slides
Broverview Outline 2 Outline Philosophy and Architecture A framework for network traffic

Broverview Outline 2 Outline Philosophy and Architecture A framework for network traffic

The Bro Network Security Monitor Broverview Outline 2 Outline Philosophy and Architecture A framework for network traffic analysis. 2 Outline Philosophy and Architecture A framework for network traffic analysis. History From research to

1.22k views • 73 slides
Network Dissection: Quantifying Interpretability of Deep Visual Representations By David Bau,

Network Dissection: Quantifying Interpretability of Deep Visual Representations By David Bau,

Network Dissection: Quantifying Interpretability of Deep Visual Representations By David Bau, Bolei Zhou, Aditya Khosla, Aude Oliva, Antonio Torralba CS 381V Thomas Crosley and Wonjoon Goo Detectors Credit: slide from the original paper Unit

1.39k views • 39 slides
ULTIMATE A Multicenter, Prospective, Randomized Trial Comparing Intravascular Ultrasound-guided

ULTIMATE A Multicenter, Prospective, Randomized Trial Comparing Intravascular Ultrasound-guided

ULTIMATE ULTIMATE A Multicenter, Prospective, Randomized Trial Comparing Intravascular Ultrasound-guided versus Angiography-guided Implantation of Drug-Eluting Stent in All-comers Jun-Jie Zhang, MD, PhD Xiaofei Gao, Jing Kan, Zhen Ge, Leng

244 views • 9 slides
Closing the Smoothness and Uniformity Gap in Area Fill Synthesis Y. Chen , , A. B. Kahng, G.

Closing the Smoothness and Uniformity Gap in Area Fill Synthesis Y. Chen , , A. B. Kahng, G.

Supported by Cadence Design Systems, Inc., NSF, the Packard Foundation, and State of Georgias Yamacraw Initiative Closing the Smoothness and Uniformity Gap in Area Fill Synthesis Y. Chen , , A. B. Kahng, G. Robins, A. Zelikovsky A. B.

530 views • 27 slides
Dissecting media file formats with Kaitai Struct FOSDEM 2017 Mikhail Yakshin (GreyCat) Kaitai

Dissecting media file formats with Kaitai Struct FOSDEM 2017 Mikhail Yakshin (GreyCat) Kaitai

Dissecting media file formats with Kaitai Struct FOSDEM 2017 Mikhail Yakshin (GreyCat) Kaitai Project http://kaitai.io/ Twitter: @kaitai_io File formats: a problem? Media software developers have to deal with multitude of different

396 views • 25 slides
Tutorial on Interpreting and Explaining Deep Models in Computer Vision Wojciech Samek Grgoire

Tutorial on Interpreting and Explaining Deep Models in Computer Vision Wojciech Samek Grgoire

Tutorial on Interpreting and Explaining Deep Models in Computer Vision Wojciech Samek Grgoire Montavon Klaus-Robert Mller (Fraunhofer HHI) (TU Berlin) (TU Berlin) 08:30 - 09:15 Introduction KRM 09:15 - 10:00 Techniques for Interpretability

416 views • 23 slides
Combinatorics and topology of toric arrangements Emanuele Delucchi (SNSF / Universit e de

Combinatorics and topology of toric arrangements Emanuele Delucchi (SNSF / Universit e de

Combinatorics and topology of toric arrangements Emanuele Delucchi (SNSF / Universit e de Fribourg) Toblach/Dobbiaco February 21-24, 2017 The plan I. Combinatorics of (toric) arrangements. Enumeration and structure theory: posets,

514 views • 35 slides
Introduction to latin bitrades AAA 88, Warszawa, Poland, June 22, 2014 Ale s Dr apal

Introduction to latin bitrades AAA 88, Warszawa, Poland, June 22, 2014 Ale s Dr apal

Introduction to latin bitrades AAA 88, Warszawa, Poland, June 22, 2014 Ale s Dr apal drapal@karlin.mff.cuni.cz Karlova Universita, Praha (i.e., Charles University, Prague) Czech Republic Introduction to latin bitrades p. 1

1.33k views • 77 slides
Variations of Parotidectomy Variations of Parotidectomy Indications and Technique

Variations of Parotidectomy Variations of Parotidectomy Indications and Technique

Variations of Parotidectomy Variations of Parotidectomy Indications and Technique Indications and Technique Kerry D. Olsen, M.D. Kerry D. Olsen, M.D. Professor and Chair Professor and Chair Head and Neck Surgery Head and Neck

667 views • 33 slides

More recommend