Network Based File Carving
DESCRIPTION
File carving is the technique of pulling files out of a stream of bytes without relying on a particular file system, much like finding a word in a word search puzzle. Network based file carving extracts files from saved network traffic captured with tools such as Wireshark or TCPdump. This is useful for extracting viruses for analysis, identifying exfiltration, and supporting forensic investigations.

GTKlondike (Twitter: @GTKlondike)
GTKlondike is a hacker/independent security researcher who has a passion for network security, both attack and defense. He has several years of experience working in the industry as a network infrastructure and security consultant, mainly dealing with switching, routing, firewalls, and servers. Currently attending graduate school, he is constantly studying and learning new techniques to better defend or bypass network security mechanisms.

TRANSCRIPT
Network Based File Carving
OR: I know what you downloaded last night!
By: GTKlondike
Who Am I? Oh hey, that guy…
I Am…
Hacker/independent security researcher/subspace half-ninja
Several years of experience in network infrastructure and security consulting as well as systems administration (Routing, Switching, Firewalls, Servers)
Passionate about networking
I’m friendly, just come up and say hi
Contact Info:
Email: [email protected]
Blog: gtknetrunner.blogspot.com
What should you know already?
Assumed basic knowledge of:
Protocol analyzers (Wireshark/TCPdump)
OSI and TCP/IP model
Major protocols (e.g. DNS, HTTP(s), TCP, UDP, DHCP, ARP, IP, etc.)
Tools I Will Be Using
Wireshark
Network Miner
Hex editor
Scalpel
File Signature Database: http://www.garykessler.net/library/file_sigs.html
What Is File Carving? It’s a word search on steroids!
Pcap Analysis Methodology
1. Pattern Matching – Identify and filter packets of interest by matching specific values or protocol meta-data
2. List Conversations – List all conversation streams within the filtered packet capture
3. Export – Isolate and export specific conversation streams of interest
4. Draw Conclusions – Extract files or data from streams and compile data
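The "word search" in step 4, as an added example that is not code from the talk: a minimal carver in the spirit of Scalpel's header/footer scanning, run over a constructed byte string standing in for an exported TCP stream (the signature table and the size cap are assumptions chosen for illustration, not a full signature database).

```python
# Header/footer signatures of the kind a file signature database lists
# (constructed subset for this example; a real carver loads a full table).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
    "gif": (b"GIF8", b"\x00\x3b"),
    "pdf": (b"%PDF-", b"%%EOF"),
}
MAX_SIZE = 10 * 1024 * 1024  # assumed upper bound; drops runaway matches

def carve(stream: bytes, max_size: int = MAX_SIZE):
    """Scan a raw byte stream for header/footer pairs, ignoring whatever
    protocol framing (HTTP headers, chunk boundaries) surrounds them.

    Returns a list of (type, offset, data) sorted by offset. As in simple
    header/footer carving, the first footer after a header closes the file,
    so a nested or truncated file yields a wrong boundary; confirm odd
    results in a hex editor."""
    found = []
    for ftype, (header, footer) in SIGNATURES.items():
        pos = 0
        while (start := stream.find(header, pos)) != -1:
            end = stream.find(footer, start + len(header))
            if end == -1 or end - start > max_size:
                pos = start + 1  # no usable footer; keep looking past header
                continue
            end += len(footer)
            found.append((ftype, start, stream[start:end]))
            pos = end
    return sorted(found, key=lambda item: item[1])

# Constructed sample: the raw bytes a reassembled TCP stream (e.g. Wireshark
# "Follow TCP Stream") might contain for two HTTP downloads.
SAMPLE_STREAM = (
    b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\nContent-Length: 32\r\n\r\n"
    + b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x00IHDR" + b"\x00" * 4
    + b"\x00\x00\x00\x00IEND\xae\x42\x60\x82"
    + b"HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n\r\n"
    + b"%PDF-1.4\n1 0 obj<<>>endobj\ntrailer<<>>\n%%EOF\n"
)

if __name__ == "__main__":
    for ftype, offset, data in carve(SAMPLE_STREAM):
        print(f"{ftype} at offset {offset}: {len(data)} bytes")
```

Because the carver never looks at the HTTP layer, it finds the same two files whether the capture was filtered by protocol first or not; that is the point of carving, and also why a header pattern that happens to occur inside unrelated data must be checked by hand.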
Demo Time! Yeah….
Security Onion: /opt/samples/fake_av.pcap
Additional Information (Pcap Files)
http://www.netresec.com/?page=PcapFiles
http://forensicscontest.com/puzzles
http://www.honeynet.org/node/504
https://www.evilfingers.com/repository/pcaps.php
http://code.google.com/p/security-onion/wiki/Pcaps
Further Reading
Network-Based File Carving: http://blogs.cisco.com/security/network-based-file-carving/
Practical Packet Analysis: Using Wireshark to Solve Real-World Network Problems, by Chris Sanders
Network Forensics: Tracking Hackers Through Cyberspace, by Sherri Davidoff and Jonathan Ham
Guide to Integrating Forensic Techniques into Incident Response: http://csrc.nist.gov/publications/nistpubs/800-86/SP800-86.pdf
File Signatures: http://www.garykessler.net/library/file_sigs.html