forensic carving of network packets and associated data
play

Forensic Carving of Network Packets and Associated Data Structures - PowerPoint PPT Presentation

Sep 11, 2022 •31 likes •351 views

Forensic Carving of Network Packets and Associated Data Structures Robert Beverly, Simson Garfinkel, Greg Cardwell Naval Postgraduate School {rbeverly,slgarfin,gscardwe}@nps.edu August 2, 2011 DFRWS Conference 2011 R. Beverly, S. Garfinkel,

  1. Forensic Carving of Network Packets and Associated Data Structures Robert Beverly, Simson Garfinkel, Greg Cardwell Naval Postgraduate School {rbeverly,slgarfin,gscardwe}@nps.edu August 2, 2011 DFRWS Conference 2011 R. Beverly, S. Garfinkel, G. Cardwell (NPS) Network Carving DFRWS 2011 1 / 28

  2. Overview Outline Overview 1 Background 2 Methodology 3 Results 4 Conclusions 5 R. Beverly, S. Garfinkel, G. Cardwell (NPS) Network Carving DFRWS 2011 2 / 28

  3. Overview Networks and Forensics Forensic Value of Network Information: Devices are (invariably) connected to network(s) Users, applications, and operating systems interconnect (both explicitly and in the background) Network activity is invaluable forensic information: Commonly visited web sites Network attachment point(s) File transfer etc. R. Beverly, S. Garfinkel, G. Cardwell (NPS) Network Carving DFRWS 2011 3 / 28

  4. Overview Hypothesis Networks and Forensics Our Approach: Not looking at network traffic on the wire Not looking at logs (IDS/Firewall/Anomaly detector, etc) Instead – a storage-centric view Post-facto residual network data Are low-level binary network data structures persisted to non-volatile storage? R. Beverly, S. Garfinkel, G. Cardwell (NPS) Network Carving DFRWS 2011 4 / 28

  5. Overview Hypothesis Networks and Forensics Our Approach: Not looking at network traffic on the wire Not looking at logs (IDS/Firewall/Anomaly detector, etc) Instead – a storage-centric view Post-facto residual network data Are low-level binary network data structures persisted to non-volatile storage? R. Beverly, S. Garfinkel, G. Cardwell (NPS) Network Carving DFRWS 2011 4 / 28

  6. Overview Hypothesis Network Carving In this work, we ask: Are low-level binary network data structures persisted to non-volatile storage? R. Beverly, S. Garfinkel, G. Cardwell (NPS) Network Carving DFRWS 2011 5 / 28

  7. Overview Hypothesis Network Carving In this work, we ask: Are low-level binary network data structures persisted to non-volatile storage? e.g.: struct ip { u_int ip_v:4, /* version */ ip_hl:4; /* header length */ u_char ip_tos; /* type of service */ u_short ip_len; /* total length */ u_short ip_id; /* identification */ u_short ip_off; /* fragment offset field */ u_char ip_ttl; /* time to live */ u_char ip_p; /* protocol */ u_short ip_sum; /* checksum */ struct in_addr ip_src,ip_dst; /* source and dest address */ } R. Beverly, S. Garfinkel, G. Cardwell (NPS) Network Carving DFRWS 2011 5 / 28

  8. Overview Hypothesis Network Carving In this work, we ask: Are low-level binary network data structures persisted to non-volatile storage? e.g.: struct ip { u_int ip_v:4, /* version */ ip_hl:4; /* header length */ u_char ip_tos; /* type of service */ u_short ip_len; /* total length */ u_short ip_id; /* identification */ Surprisingly, yes! u_short ip_off; /* fragment offset field */ u_char ip_ttl; /* time to live */ u_char ip_p; /* protocol */ u_short ip_sum; /* checksum */ struct in_addr ip_src,ip_dst; /* source and dest address */ } R. Beverly, S. Garfinkel, G. Cardwell (NPS) Network Carving DFRWS 2011 5 / 28

  9. Background Outline Overview 1 Background 2 Methodology 3 Results 4 Conclusions 5 R. Beverly, S. Garfinkel, G. Cardwell (NPS) Network Carving DFRWS 2011 6 / 28

  10. Background Prior Work Network Carving Prior Work: Network data in ASCII form, e.g. web cache, cookies, etc. Fully-qualified Domain Names, e.g. www.cnn.com E-Mail Domain Names, e.g. rob@nps.edu “Dotted Quads,” e.g. 157.166.224.26 Volatility [Walters] Volatility memory analysis framework “ connscan2 ” closest in spirit to our effort Carves memory dumps and intact Windows hibernation files for Windows TCP connection structures R. Beverly, S. Garfinkel, G. Cardwell (NPS) Network Carving DFRWS 2011 7 / 28

  11. Background NPS Research Our Contributions Using ground-truth corpus, develop methodology for carving binary network data: Windows _TCPT_OBJECT IP Packets Ethernet Frames Socket Structures Opportunistic hibernation decompression, including fragments Filtering and Validation techniques Working implementation in the bulk_extractor ( http://afflib.org/ ) tool Evaluation on ground-truth and large (1800 drive) corpus R. Beverly, S. Garfinkel, G. Cardwell (NPS) Network Carving DFRWS 2011 8 / 28

  12. Methodology Outline Overview 1 Background 2 Methodology 3 Results 4 Conclusions 5 R. Beverly, S. Garfinkel, G. Cardwell (NPS) Network Carving DFRWS 2011 9 / 28

  13. Methodology Developing Carving Signatures Ground Truth Ground-Truth Corpus: In order to find binary network carving structure signatures, we carefully create a ground-truth corpus Experimented with: Windows, OSX, Linux Wipe drive with DBAN to ensure no residual data From a virgin OS install, we establish several HTTP and SCP connections to known destination IPs Image the host’s disk after each connection R. Beverly, S. Garfinkel, G. Cardwell (NPS) Network Carving DFRWS 2011 10 / 28

  14. Methodology Developing Carving Signatures Finding Signatures Finding Signatures: A binary IPv4 address is simply an unsigned 32-bit integer To find network addresses, we find discriminatory surrounding context Determine if there exist common predecessor/successor patterns surrounding instances of the known IP R. Beverly, S. Garfinkel, G. Cardwell (NPS) Network Carving DFRWS 2011 11 / 28

  15. Methodology Developing Carving Signatures Frequency Analysis Finding Signatures Tempting to use intuitive heuristics: “a four byte IP address is preceded by a variable fragment field and a protocol field equal to six.” But heuristics brittle, difficult to define, and inaccurate Instead: Search for IP address Collect (within 20 Bytes offset) preceding and surrounding N -grams Where a “gram” is simply a byte R. Beverly, S. Garfinkel, G. Cardwell (NPS) Network Carving DFRWS 2011 12 / 28

  16. Methodology Developing Carving Signatures Frequency Analysis IPv4 2-Gram Analysis Predecessor Freq Successor Freq Count 2-gram Count 2-gram 434 0x4000 428 0x0016 421 0x0800 426 0x0447 368 0xF202 412 0x0A79 368 0x4006 374 0xAC14 368 0x4508 374 0x694A 368 0x0017 41 0x0000 66 0x4500 12 0x2000 . . . . . . . . . . . . R. Beverly, S. Garfinkel, G. Cardwell (NPS) Network Carving DFRWS 2011 13 / 28

  17. Methodology Developing Carving Signatures Frequency Analysis IPv4 2-Gram Analysis Predecessor Freq Successor Freq Count 2-gram Count 2-gram Decoding: 434 0x4000 428 0x0016 421 0x0800 426 0x0447 0x4000: IP Flags=Don’t Fragment 368 0xF202 412 0x0A79 To our surprise, discovered Ethernet 368 0x4006 374 0xAC14 frame data! 368 0x4508 374 0x694A 0x0800: Ethernet “type”=IP 368 0x0017 41 0x0000 66 0x4500 12 0x2000 . . . . . . . . . . . . . . . R. Beverly, S. Garfinkel, G. Cardwell (NPS) Network Carving DFRWS 2011 13 / 28

  18. Methodology Developing Carving Signatures Frequency Analysis IPv4 2-Gram Analysis Predecessor Freq Successor Freq Decoding: Count 2-gram Count 2-gram Manual inspection on N -Gram 434 0x4000 428 0x0016 frequency leads to robust signatures 421 0x0800 426 0x0447 0x4508/0x4500: IPv4, w/ & w/o 368 0xF202 412 0x0A79 ToS 368 0x4006 374 0xAC14 0x4006: IP TTL=64, Proto=TCP 368 0x4508 374 0x694A 368 0x0017 41 0x0000 While TTL=64 is common here, 66 0x4500 12 0x2000 doesn’t generalize . . . . . . . . . . . . . . . R. Beverly, S. Garfinkel, G. Cardwell (NPS) Network Carving DFRWS 2011 14 / 28

  19. Methodology Signatures Carving Signatures Key Signatures: Manual Inspection + = Required = Carved N -Gram Analysis = Wildcard = Validation IP Carving 0 7 15 23 31 0x45 0x00/0x40 0x00 0x06/0x11 Checksum Discovered IP Discovered IP R. Beverly, S. Garfinkel, G. Cardwell (NPS) Network Carving DFRWS 2011 15 / 28

  20. Methodology Signatures Carving Signatures Socket Carving 0 7 15 23 31 0x02 16 common ports Discovered IP 0x00000000 0x00000000 Ethernet Carving 0 7 15 23 31 39 47 Discovered Ethernet Address Discovered Ethernet Address 0x0800 0x45 Note: False positives possible, particularly with long strings of zeros; see paper for theoretical false positive analysis R. Beverly, S. Garfinkel, G. Cardwell (NPS) Network Carving DFRWS 2011 16 / 28

  21. Methodology Hibernation Hibernation Decompression Why Focus on Hibernation Network data structures in system memory Persist to hibernation Windows overwrites beginning of hibernation files when resuming Prevents existing systems from analyzing hibernation We find an 8-byte XPress compression signature within compressed memory page header R. Beverly, S. Garfinkel, G. Cardwell (NPS) Network Carving DFRWS 2011 17 / 28

  22. Methodology Hibernation Hibernation Decompression Opportunistically decompress XPress pages Address Count Decompressed Count 172.20.105.74 25 600 172.20.104.199 41 434 18.26.0.230 43 162 172.20.20.11 0 4 . . . . . . . . . Improves recall by an order of magnitude on our test image! R. Beverly, S. Garfinkel, G. Cardwell (NPS) Network Carving DFRWS 2011 18 / 28

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

BRO FILE CARVING Using scripts to scarf files from pcaps and the wire by Bill Stackpole File

BRO FILE CARVING Using scripts to scarf files from pcaps and the wire by Bill Stackpole File

BRO FILE CARVING Using scripts to scarf files from pcaps and the wire by Bill Stackpole File carving Common desire to extract files from network stream Tools (tcpextract / network miner / etc) can do this Usually w/out protocol

555 views • 19 slides
Network Coding Network Coding Jie Gao Existing network Existing network Independent data

Network Coding Network Coding Jie Gao Existing network Existing network Independent data

Network Coding Network Coding Jie Gao Existing network Existing network Independent data stream sharing the same network resources Packets over the Internet Signals in a phone network An analog: cars sharing a highway.

1.01k views • 46 slides
Tom Ceriani- Chainsaw Carving Tools and Technology- Update Dawna Ceriani- Production Carving &

Tom Ceriani- Chainsaw Carving Tools and Technology- Update Dawna Ceriani- Production Carving &

Tom Ceriani- Chainsaw Carving Tools and Technology- Update Dawna Ceriani- Production Carving & the Quick Carve Dawna and Tom Ceriani, Boot Jack, Mtn, PA are one of the few husband and wife chainsaw carving teams in our country. Tom

575 views • 21 slides
Example Protocol Layers* Exchange a file over a network that corrupts packets Networks

Example Protocol Layers* Exchange a file over a network that corrupts packets Networks

Example Protocol Layers* Exchange a file over a network that corrupts packets Networks are complex! o but doesnt lose or reorder them many pieces: A simple protocol o send file as a series of packets hosts Question:

200 views • 6 slides
the day of Question to send a message containing h Packets I want chambers am using corrupts K

the day of Question to send a message containing h Packets I want chambers am using corrupts K

CS 70 July 9,2020 the day of Question to send a message containing h Packets I want chambers am using corrupts K of the Packets The network I don't know which k Packets are corrupted we is fixed regardless of the length of the K message

538 views • 12 slides
Chainsaw 201 - Safety, always, safety -Gasoline Powered Carving Equipment -Carving Efficiently

Chainsaw 201 - Safety, always, safety -Gasoline Powered Carving Equipment -Carving Efficiently

Chainsaw 201 - Safety, always, safety -Gasoline Powered Carving Equipment -Carving Efficiently and Effectively: a bear bench in an hour! -Be Inspired by Everything You See! TIM KLOCK, Altoona, PA.. Prerequisites: Chainsaw 101

330 views • 7 slides
A Network Forensic Analysis Framework Professor Patrick McDaniel Daniel Krych Fall 2015 About

A Network Forensic Analysis Framework Professor Patrick McDaniel Daniel Krych Fall 2015 About

A Network Forensic Analysis Framework Professor Patrick McDaniel Daniel Krych Fall 2015 About An extensible network forensic analysis framework. Enables rapid development of plugins to support the dissection of network packet captures.

379 views • 36 slides
Why This Workshop? In 2009 the Research Council of the National Academy of Sciences issues a

Why This Workshop? In 2009 the Research Council of the National Academy of Sciences issues a

Specialized Topics in Ethical Forensic Practice, Part 3: Bias in Forensic Evaluations November 18, 2015 Ohio MHAS Forensic Conference Columbus, OH Terry Kukor, Ph.D., ABPP Board Certified in Forensic Psychology Director of Forensic Services Netcare

972 views • 23 slides
Packets Example Packets Networking Sirindhorn International Institute of Technology Thammasat

Packets Example Packets Networking Sirindhorn International Institute of Technology Thammasat

Networking Packets Terminology Example: IP Packet Size Packets Example Packets Networking Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 2 September 2013 Common/Reports/packets.tex, r676

668 views • 29 slides
Challenges in Crime Scene Investigation Technical challenges in forensic STR profiling

Challenges in Crime Scene Investigation Technical challenges in forensic STR profiling

Epigenetics a New Perspective for Improving Forensic Science p g Hwan Young Lee, Ph.D. Department of Forensic Medicine Yonsei University College of Medicine Current Forensic DNA Typing Forensic cases -- matching suspect with evidence

247 views • 13 slides
Objectives 1. Articulate the rationale for restructuring forensic evaluation reports 2. Identify

Objectives 1. Articulate the rationale for restructuring forensic evaluation reports 2. Identify

11/5/2015 Specialized Topics in Ethical Forensic Practice, Part 1: Restructured Forensic Reports Presented For OhioMHAS Forensic Conference November 18, 2015 Terry Kukor, Ph.D., ABPP (Forensic) Joy Stankowski, M.D. Aracelis (Liz) Rivera, Psy.D.

451 views • 17 slides
T and Science of Forensic Monitoring Forensic Monitor may be employed by one Board or a

T and Science of Forensic Monitoring Forensic Monitor may be employed by one Board or a

11/5/2015 The T and Science of Forensic Monitoring Robert N. Baker, PhD Jeannie Cool, PCC-S Lottie Gray, MSSA, LISW, CDCA Julia King, PsyD, MBA T and Science of Forensic Monitoring Has your boss just told you? You are our New Forensic

389 views • 24 slides
TCP as a Reliable Transport How things can go wrong Lost packets Corrupted packets

TCP as a Reliable Transport How things can go wrong Lost packets Corrupted packets

TCP as a Reliable Transport How things can go wrong Lost packets Corrupted packets Reordered packets Malicious packets Requirements for Reliability Error Detection Receiver Feedback Retransmission Requirements

457 views • 23 slides
Forensic Challenge V2.0 UNAM-CERT RedIRIS Topics * Forensic Challenge V1.0 * Forensic

Forensic Challenge V2.0 UNAM-CERT RedIRIS Topics * Forensic Challenge V1.0 * Forensic

Forensic Challenge V2.0 UNAM-CERT RedIRIS Topics * Forensic Challenge V1.0 * Forensic Challenge V2.0 * Conclusions Introduction Why this forensic Challenge ? * To promote and impulse the Forensic Analysis in our Region -- Hispanoamerica--

558 views • 19 slides
Specialized Topics in Ethical Forensic Practice, Part 3: Bias in Forensic Evaluations November 18,

Specialized Topics in Ethical Forensic Practice, Part 3: Bias in Forensic Evaluations November 18,

Specialized Topics in Ethical Forensic Practice, Part 3: Bias in Forensic Evaluations November 18, 2015 Ohio MHAS Forensic Conference Columbus, OH Terry Kukor, Ph.D., ABPP Board Certified in Forensic Psychology Director of Forensic Services Netcare

1.29k views • 67 slides
Priority Queues Implementations An internet router receives data packets, and forwards them in

Priority Queues Implementations An internet router receives data packets, and forwards them in

CS206 CS206 Priority Queues Implementations An internet router receives data packets, and forwards them in The abstract data type Priority Queue provides three main the direction of their destination. When the line is busy, methods: packets

223 views • 5 slides
Patented Object Level DRM, e-Commerce, Content Security and Tracking Centralized Content

Patented Object Level DRM, e-Commerce, Content Security and Tracking Centralized Content

Patented Object Level DRM, e-Commerce, Content Security and Tracking Centralized Content Infrastructure High overhead, marketing and support costs The New Content Infrastructure Decentralized, Low to No Overhead The Business Model for

373 views • 36 slides
TCUSD Wellness Plan Development Fall 2019 -2020 Adverse Childhood Experience Study (ACES)

TCUSD Wellness Plan Development Fall 2019 -2020 Adverse Childhood Experience Study (ACES)

TCUSD Wellness Plan Development Fall 2019 -2020 Adverse Childhood Experience Study (ACES) Childhood Adversity Research on ACES ACES began in the 1990s by Kaiser Between infancy and age 18 Permanente & the Centers for Disease

549 views • 15 slides
OPPOSITION TO W ESTLAWN S URGERY C ENTER , LLC Project No. CN1911-046 TriStar StoneCrest Medical

OPPOSITION TO W ESTLAWN S URGERY C ENTER , LLC Project No. CN1911-046 TriStar StoneCrest Medical

OPPOSITION TO W ESTLAWN S URGERY C ENTER , LLC Project No. CN1911-046 TriStar StoneCrest Medical Center Physician Pavilion Surgery Center StoneCrest Surgery Center Clark Spoden & Matt Kroplin, Burr & Forman Lou Caputo CEO

240 views • 20 slides
REAL-TIME 8K WORKFLOW | RED R3D SDK ABOUT RED EVOLUTION OF RED Jim Jannard founded the

REAL-TIME 8K WORKFLOW | RED R3D SDK ABOUT RED EVOLUTION OF RED Jim Jannard founded the

REAL-TIME 8K WORKFLOW | RED R3D SDK ABOUT RED EVOLUTION OF RED Jim Jannard founded the company, and has had a lifelong interest in imagery. RED is his brainchild. RED is a technology company (both sensor and camera technology). RED

581 views • 23 slides
MODEM Analysis 818 West Diamond Avenue - Third Floor, Gaithersburg, MD 20878 Phone: (301)

MODEM Analysis 818 West Diamond Avenue - Third Floor, Gaithersburg, MD 20878 Phone: (301)

MODEM Analysis 818 West Diamond Avenue - Third Floor, Gaithersburg, MD 20878 Phone: (301) 670-4784 Fax: (301) 670-9187 Email: info@gl.com Website: http://www.gl.com 1 1 What are they ? Short for modulator-demodulator. A modem is a device or

191 views • 17 slides
Architec(ng Digital Twins for Model-Centric Engineering: Seman(c and Machine Learning Approach

Architec(ng Digital Twins for Model-Centric Engineering: Seman(c and Machine Learning Approach

Architec(ng Digital Twins for Model-Centric Engineering: Seman(c and Machine Learning Approach Sponsor: OUSD(R&E) | CCDC By Dr. Mark Aus(n (PI), Maria Coelho, Dr. Mark Blackburn 11 th Annual SERC Sponsor Research Review November 19, 2019

327 views • 8 slides
M ontclair Ach ievem en t Program (MAP) Charles H Bullock Elementary School Th e Mon tclair

M ontclair Ach ievem en t Program (MAP) Charles H Bullock Elementary School Th e Mon tclair

M ontclair Ach ievem en t Program (MAP) Charles H Bullock Elementary School Th e Mon tclair Ach ievem en t M ontclair Program is com m itted to providin g studen ts with Ach ievem en t disabilities th e n ecessary Program (MAP)

265 views • 26 slides
THIS IS YOUR PRESENTATION TITLE 1. Challenge DEFINING OUR PROBLEM SPACE Questions we

THIS IS YOUR PRESENTATION TITLE 1. Challenge DEFINING OUR PROBLEM SPACE Questions we

THIS IS YOUR PRESENTATION TITLE 1. Challenge DEFINING OUR PROBLEM SPACE Questions we asked ourselves in the beginning: How can we improve the experience in AVs to make them feel more safe, reliable, and accessible for all types of

448 views • 32 slides

More recommend