Forensic Carving of Network Packets and Associated Data Structures
Robert Beverly, Simson Garfinkel, Greg Cardwell
Naval Postgraduate School
{rbeverly,slgarfin,gscardwe}@nps.edu
August 2, 2011
DFRWS Conference 2011
R. Beverly, S. Garfinkel, G. Cardwell (NPS) Network Carving DFRWS 2011 1 / 28
Source: old.dfrws.org/2011/proceedings/forensic-carving.pdf
Overview
Outline
1. Overview
2. Background
3. Methodology
4. Results
5. Conclusions
Networks and Forensics
Forensic Value of Network Information:
- Devices are (invariably) connected to network(s)
- Users, applications, and operating systems interconnect (both explicitly and in the background)
- Network activity is invaluable forensic information:
  - Commonly visited web sites
  - Network attachment point(s)
  - File transfer
  - etc.
Overview Hypothesis
Networks and Forensics
Our Approach:
- Not looking at network traffic on the wire
- Not looking at logs (IDS/Firewall/Anomaly detector, etc.)
- Instead – a storage-centric view
- Post-facto residual network data
- Are low-level binary network data structures persisted to non-volatile storage?
Network Carving
In this work, we ask:
Are low-level binary network data structures persisted to non-volatile storage?
e.g.:

    struct ip {
        u_int   ip_v:4,                  /* version */
                ip_hl:4;                 /* header length */
        u_char  ip_tos;                  /* type of service */
        u_short ip_len;                  /* total length */
        u_short ip_id;                   /* identification */
        u_short ip_off;                  /* fragment offset field */
        u_char  ip_ttl;                  /* time to live */
        u_char  ip_p;                    /* protocol */
        u_short ip_sum;                  /* checksum */
        struct in_addr ip_src, ip_dst;   /* source and dest address */
    };

Surprisingly, yes!
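As an added example (not code from the slides or from the authors' tools), the following Python scans a raw byte buffer, such as a disk or memory image, for candidate IPv4 headers with the layout shown above, using only the structural checks a carver can apply without file-system metadata: version nibble, header length, total length, and the RFC 1071 header checksum. The function names, the constructed sample buffer and its addresses are assumptions made for this example.

```python
import struct

def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (0 for a valid header)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4_header(buf: bytes, off: int):
    """Describe the IPv4 header at buf[off:], or None if the bytes there fail
    the structural checks a carver relies on (no file-system metadata needed)."""
    if off + 20 > len(buf):
        return None
    version, ihl = buf[off] >> 4, (buf[off] & 0x0F) * 4
    if version != 4 or ihl < 20 or off + ihl > len(buf):
        return None
    total_len, ident, _frag, ttl, proto, _csum = struct.unpack("!HHHBBH", buf[off + 2:off + 12])
    if total_len < ihl:                        # datagram must at least hold its header
        return None
    if ip_checksum(buf[off:off + ihl]) != 0:   # checksum covers the whole header incl. options
        return None
    src = ".".join(str(b) for b in buf[off + 12:off + 16])
    dst = ".".join(str(b) for b in buf[off + 16:off + 20])
    return {"offset": off, "ihl": ihl, "total_len": total_len, "id": ident,
            "ttl": ttl, "proto": proto, "src": src, "dst": dst}

def carve_ipv4_headers(buf: bytes):
    """Try every byte offset: residue on disk need not be aligned to anything."""
    return [h for off in range(len(buf)) if (h := parse_ipv4_header(buf, off))]

def build_ipv4_header(src: str, dst: str, total_len=40, ttl=64, proto=6, ident=0x1234):
    """Construct a 20-byte IPv4 header with a correct checksum (sample input only)."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0x4000, ttl, proto, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

# Constructed sample "image": filler bytes, one valid header at offset 37, then bytes that
# look like a header start (0x45) but fail the checksum, as a carver's false-positive case.
SAMPLE_IMAGE = bytes(range(37)) + build_ipv4_header("192.0.2.10", "198.51.100.7") + b"\x45" * 25

if __name__ == "__main__":
    for hit in carve_ipv4_headers(SAMPLE_IMAGE):
        print(hit)
```

The checksum test is what keeps the 0x45 filler from being reported, which is the same trade-off a real carver makes between recall on damaged residue and false positives on random bytes.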
Background
Outline
1. Overview
2. Background
3. Methodology
4. Results
5. Conclusions
Prior Work
Network Carving Prior Work:
- Network data in ASCII form, e.g. web cache, cookies, etc.