Network Based File Carving
Download
Report
Transcript Network Based File Carving
OR
I know what you downloaded last night!
By: GTKlondike
Oh hey, that guy…
I Am…
Hacker/independent security researcher/subspace half-
ninja
Several years of experience in network infrastructure and
security consulting as well as systems administration
(Routing, Switching, Firewalls, Servers)
Passionate about networking
I’m friendly, just come up and say hi
Contact Info:
Email: [email protected]
Zombie-Blog: gtknetrunner.blogspot.com
What should you know already?
Assumed basic knowledge of:
Protocol analyzers (Wireshark/TCPdump)
OSI and TCP/IP model
Major protocols (I.e. DNS, HTTP(s), TCP, UDP, DHCP,
ARP, IP, etc.)
Tools I Will Be Using
Wireshark
Network Miner
Hex editor
Scalpel
File Signature Database
http://www.garykessler.net/library/file_sigs.html
What Is File Carving?
It’s a word search on steroids!
Pcap Analysis Methodology
1. Pattern Matching – Identify and filter packets of
interest by matching specific values or protocol
meta-data
2. List Conversations – List all conversation streams
within the filtered packet capture
3. Export - Isolate and export specific conversation
streams of interest
4. Draw Conclusions – Extract files or data from
streams and compile data
Yeah….
Security Onion: /opt/samples/fake_av.pcap
Security Onion: /opt/samples/fake_av.pcap
Security Onion: /opt/samples/fake_av.pcap
Additional Information (Pcap Files)
http://www.netresec.com/?page=PcapFiles
http://forensicscontest.com/puzzles
http://www.honeynet.org/node/504
https://www.evilfingers.com/repository/pcaps.php
http://code.google.com/p/security-onion/wiki/Pcaps
Further Reading
Network-Based File Carving
http://blogs.cisco.com/security/network-based-file-carving/
Practical Packet Analysis: Using Wireshark to Solve Real-
World Network Problems
By: Chris Sanders
Network Forensics: Tracking Hackers Through Cyberspace
By: Sherri Davidoff, Jonathan Ham
Guide to Integrating Forensic Techniques into Incident
Response
http://csrc.nist.gov/publications/nistpubs/800-86/SP800-
86.pdf
File Signatures
http://www.garykessler.net/library/file_sigs.html