Network Based File Carving OR I know what you downloaded last night! By: GTKlondike
Who Am I? Oh hey, that guy…
I Am…
• Hacker/independent security researcher/subspace half-ninja
• Several years of experience in network infrastructure and security consulting as well as systems administration (routing, switching, firewalls, servers)
• Passionate about networking
• I’m friendly, just come up and say hi
Contact Info:
• Email: gtklondike@gmail.com
• Zombie-Blog: gtknetrunner.blogspot.com
What should you know already?
Assumed basic knowledge of:
• Protocol analyzers (Wireshark/tcpdump)
• OSI and TCP/IP models
• Major protocols (e.g. DNS, HTTP(S), TCP, UDP, DHCP, ARP, IP, etc.)
Tools I Will Be Using
• Wireshark
• NetworkMiner
• Hex editor
• Scalpel
• File Signature Database: http://www.garykessler.net/library/file_sigs.html
What Is File Carving?
• It’s a word search on steroids!
• Scan raw bytes (here, reassembled network streams) for known file headers and footers, then extract what lies between them
Pcap Analysis Methodology
• Pattern Matching – Identify and filter packets of interest by matching specific values or protocol metadata
• List Conversations – List all conversation streams within the filtered packet capture
• Export – Isolate and export specific conversation streams of interest
• Draw Conclusions – Extract files or data from streams and compile data
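The extraction step of this methodology, as an added example that is not part of the original slides: a small Python header/footer carver run over the raw bytes of a reassembled stream (such as a Wireshark "Follow TCP Stream" export), plus a PNG chunk-CRC check that rejects truncated carves and false-positive header hits. The SIGNATURES table, the helper names and SAMPLE_STREAM are constructed for this example.

```python
import zlib

# Header/footer magic values for the types this carver recognises, taken from
# public file-signature lists like the one the slides cite (table constructed here).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

def carve(stream, max_size=5 * 1024 * 1024):
    """Return (offset, type, data) for every header/footer pair in a reassembled
    stream; max_size stops a stray header from swallowing the rest of the capture."""
    results = []
    for ftype, (header, footer) in SIGNATURES.items():
        pos = 0
        while (h := stream.find(header, pos)) != -1:
            f = stream.find(footer, h + len(header), min(len(stream), h + max_size))
            if f == -1:                 # header with no footer in range: skip it
                pos = h + 1
                continue
            results.append((h, ftype, stream[h:f + len(footer)]))
            pos = f + len(footer)       # resume after the carved file
    return sorted(results, key=lambda r: r[0])

def png_chunks_valid(data):
    """Walk a carved PNG's chunks and check every CRC, so a truncated carve or a
    false-positive header is rejected instead of reported as a recovered file."""
    pos = 8                             # skip the 8-byte signature
    while pos + 12 <= len(data):
        length = int.from_bytes(data[pos:pos + 4], "big")
        ctype, body = data[pos + 4:pos + 8], data[pos + 8:pos + 8 + length]
        if zlib.crc32(ctype + body) != int.from_bytes(data[pos + 8 + length:pos + 12 + length], "big"):
            return False
        if ctype == b"IEND":
            return True
        pos += 12 + length
    return False

def _chunk(ctype, body):                # build one PNG chunk with its CRC
    return len(body).to_bytes(4, "big") + ctype + body + zlib.crc32(ctype + body).to_bytes(4, "big")

# Constructed sample: a 1x1 PNG and a minimal JPEG inside two fake HTTP responses,
# standing in for the raw bytes of a followed TCP stream.
PNG = (b"\x89PNG\r\n\x1a\n"
       + _chunk(b"IHDR", b"\x00\x00\x00\x01\x00\x00\x00\x01\x08\x02\x00\x00\x00")
       + _chunk(b"IDAT", zlib.compress(b"\x00\xff\x00\x00")) + _chunk(b"IEND", b""))
JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 20 + b"\xff\xd9"
SAMPLE_STREAM = (b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n" + PNG
                 + b"\r\nHTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\n" + JPG)
```

Calling carve(SAMPLE_STREAM) yields the PNG at offset 44 and the JPEG after the second response header; Scalpel does the same header/footer matching at scale from its configuration file, and the CRC walk is the kind of validation you apply before trusting a carved object.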
Demo Time! Yeah…. Security Onion: /opt/samples/fake_av.pcap
Additional Information (Pcap Files)
• http://www.netresec.com/?page=PcapFiles
• http://forensicscontest.com/puzzles
• http://www.honeynet.org/node/504
• https://www.evilfingers.com/repository/pcaps.php
• http://code.google.com/p/security-onion/wiki/Pcaps
Further Reading
• Network-Based File Carving
  • http://blogs.cisco.com/security/network-based-file-carving/
• Practical Packet Analysis: Using Wireshark to Solve Real-World Network Problems
  • By: Chris Sanders
• Network Forensics: Tracking Hackers Through Cyberspace
  • By: Sherri Davidoff, Jonathan Ham
• Guide to Integrating Forensic Techniques into Incident Response
  • http://csrc.nist.gov/publications/nistpubs/800-86/SP800-86.pdf
• File Signatures
  • http://www.garykessler.net/library/file_sigs.html