or i know what you downloaded last night! by: gtklondike
TRANSCRIPT
Network Based File Carving
ORI know what you downloaded last night!
By: GTKlondike
Who Am I?Oh hey, that guy…
I Am…Hacker/independent security researcher/subspace
half-ninjaSeveral years of experience in network infrastructure
and security consulting as well as systems administration (Routing, Switching, Firewalls, Servers)
Passionate about networkingI’m friendly, just come up and say hi
Contact Info:Email: [email protected]: gtknetrunner.blogspot.com
What should you know already?Assumed basic knowledge of:
Protocol analyzers (Wireshark/TCPdump)OSI and TCP/IP modelMajor protocols (I.e. DNS, HTTP(s), TCP, UDP,
DHCP, ARP, IP, etc.)
Tools I Will Be UsingWireshark Network MinerHex editorScalpelFile Signature Database
http://www.garykessler.net/library/file_sigs.html
What Is File Carving?It’s a word search on steroids!
Pcap Analysis Methodology1. Pattern Matching – Identify and filter
packets of interest by matching specific values or protocol meta-data
2. List Conversations – List all conversation streams within the filtered packet capture
3. Export - Isolate and export specific conversation streams of interest
4. Draw Conclusions – Extract files or data from streams and compile data
Demo Time!Yeah….
Security Onion: /opt/samples/fake_av.pcap
Security Onion: /opt/samples/fake_av.pcap
Security Onion: /opt/samples/fake_av.pcap
Additional Information (Pcap Files)http://www.netresec.com/?page=PcapFileshttp://forensicscontest.com/puzzleshttp://www.honeynet.org/node/504https://www.evilfingers.com/repository/
pcaps.phphttp://code.google.com/p/security-onion/
wiki/Pcaps
Further ReadingNetwork-Based File Carving
http://blogs.cisco.com/security/network-based-file-carving/Practical Packet Analysis: Using Wireshark to Solve Real-
World Network ProblemsBy: Chris Sanders
Network Forensics: Tracking Hackers Through CyberspaceBy: Sherri Davidoff, Jonathan Ham
Guide to Integrating Forensic Techniques into Incident Responsehttp://csrc.nist.gov/publications/nistpubs/800-86/SP800-86.pdf
File Signatureshttp://www.garykessler.net/library/file_sigs.html