Packet and Protocol Analysis - Técnico Lisboa

Post on 04-May-2018








Packet and Protocol Analysis

Section II. Basic Forensic Techniques and


CSF: Forensics Cyber-Security MSIDC, Spring 2017

Nuno Santos


MSIDC - CSF - Nuno Santos

- Packet and protocol analysis

2016/17 2

Recall from last class


- How to interpret a network trace?
- A network trace is a linearized bit-copy of the data exchanged over the network
- Need to understand some basic networking concepts

[Figure: a computer network and the network trace file captured from it]

Started with a practical example


- Accessed URL:
- Collected the network trace into a local file


Basic concepts involved


[Figure: a sender and a receiver, each identified by an IP address, exchange "HTTP GET index.htm" across the network infrastructure; protocols involved: HTTP carried over TCP/IP]


Connected across multiple networks


- Computers are not wired directly but linked through interconnected networks (IP = Internet Protocol)

[Figure: Network 1, Network 2 and Network 3 joined by routers and switches]

Within a network, computers use MAC addresses


- Media Access Control address (MAC address)
  - Unique identifier assigned to a network interface for communication at the data link layer of a network segment
  - Used as the network address for Ethernet and WiFi
- Can be used to track the source of traffic within a network
  - MAC addresses do not travel across the Internet: each router strips the incoming frame and builds a new one for the next hop, so a capture only shows the MAC addresses of the local segment
- Can be used to classify the type of machine
  - Due to its internal structure: the first three octets (the OUI) identify the manufacturer, and two bits of the first octet mark multicast and locally administered (virtual, randomized or spoofed) addresses
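The internal structure mentioned above, decoded in code. This is an added example and not part of the lecture: it extracts the OUI and the I/G (multicast) and U/L (locally administered) bits of a MAC address. The small vendor table is an assumption for illustration; a real investigation uses the full IEEE OUI registry.

```python
import re

# Constructed table of a few OUIs commonly seen on virtual NICs (assumption for
# this example; a real analysis consults the IEEE OUI registry).
KNOWN_OUI = {
    "00:50:56": "VMware",
    "00:0c:29": "VMware",
    "08:00:27": "VirtualBox (PCS Systemtechnik)",
    "52:54:00": "QEMU/KVM",
}


def parse_mac(mac: str) -> bytes:
    """Accept 'aa:bb:cc:dd:ee:ff', 'aa-bb-cc-dd-ee-ff', 'aabb.ccdd.eeff' or
    'aabbccddeeff' and return the six raw bytes."""
    digits = re.sub(r"[:\-.]", "", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(digits)


def describe_mac(mac: str) -> dict:
    """Decode the structural bits of a MAC address the way an analyst would."""
    octets = parse_mac(mac)
    first = octets[0]
    multicast = bool(first & 0x01)   # I/G bit: 1 = group (multicast or broadcast)
    local = bool(first & 0x02)       # U/L bit: 1 = locally administered
    broadcast = octets == b"\xff" * 6
    oui = ":".join(f"{b:02x}" for b in octets[:3])
    if broadcast:
        note = "broadcast address; never a real source"
    elif multicast:
        note = "multicast address; never a real source"
    elif local:
        note = ("locally administered: randomized, virtual or possibly spoofed; "
                "a vendor lookup is meaningless")
    else:
        note = "universally administered: the OUI identifies the NIC manufacturer"
    return {
        "oui": oui,
        "multicast": multicast,
        "locally_administered": local,
        "broadcast": broadcast,
        # Only universally administered addresses carry a manufacturer OUI.
        "vendor": None if local else KNOWN_OUI.get(oui),
        "note": note,
    }


if __name__ == "__main__":
    for sample in ("00:50:56:ab:cd:ef", "02:42:ac:11:00:02", "01:00:5e:00:00:fb"):
        print(sample, describe_mac(sample))
```

The U/L bit is the one to check first when a trace shows an unfamiliar MAC: a set bit means the address was assigned by software, so it says nothing about the hardware and may have been chosen to impersonate another host.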

Our focus today


[Figure: the same sender/receiver diagram; today's focus is the protocol stack that carries "HTTP GET index.htm": HTTP over TCP/IP]


Packet and Protocol Analysis


Coming back to our network trace


Packet sniffing and packet sniffers


- Packet sniffing is the act of looking at packets as computers pass them over networks
- Packet sniffing is performed using packet sniffers
  - These programs are designed to capture raw data as it crosses the network and translate it into a human-readable format for analysis
  - Can be used to capture only relevant packets (e.g., with a capture filter)
- Packet sniffers range from simple command-line programs, like tcpdump, to complex programs with a GUI, like Wireshark

Packet sniffers: Tcpdump


- tcpdump is the granddaddy of all open source packet sniffers
- Uses libpcap, which contains a set of system-independent functions for packet capture and network analysis
  - Also used by Wireshark

[Figure: capture stack: tcpdump -> libpcap -> network device driver -> network device]

Packet example


Packet network layers


- Packets are encoded according to network layers
- Each layer plays a role in abstracting out the details of the lower levels

[Figure: packet layers, from the link layer at the bottom to the application layer at the top]

Layers are packaged “inside” each other


[Figure: each layer's data is enclosed in the payload of the layer below it]

Wireshark lets us navigate across each layer


[Figure: Wireshark packet details pane, one expandable row per layer]

The IP protocol layer


- IP protocol: provides for sending / receiving IP packets between any two nodes with valid IP addresses

[Figure: an IP packet]

Routing an IP packet


- IP packet: header + payload
- The header contains several fields, including the Source IP and Destination IP that routers use to forward the packet hop by hop

[Figure: an IP packet forwarded through routers and switches]

Format of an IP header


IP protocol


But, the sender IP was not expected…


- What we observed:
- What we expected:
- Any ideas why?

Is there a proxy serving web requests?


- Request served by a web proxy (a local cache of web pages): the client sends its HTTP request to the proxy's IP address, and the proxy fetches the page on its behalf

[Figure: the client's IP packet goes to the web proxy rather than to the web server]

Let’s validate this hypothesis


- Check the client's proxy configuration (browser or system proxy settings)
- Check that the destination IP seen in the trace is the configured proxy's IP

Yes! It's a proxy!

Next step: Investigate the IP packet payload


[Figure: IP packet with its payload highlighted]

How to parse the IP packet payload?


Need to know the transport protocol of the payload: the Protocol field of the IP header identifies it (6 = TCP, 17 = UDP)

The role of the TCP protocol

- IP is best effort: packets can be dropped by routers along the way, and can also arrive out of order or duplicated
- TCP provides the abstraction of a stream / flow on top of IP packets
  - Ensures data is delivered (1) reliably, (2) in order, (3) without duplicates

[Figure: a TCP flow between the client and the web proxy, carried by individual IP packets]

Each endpoint maintains sequence number


1. Client sends a SYN to the server. The client sets the segment's sequence number to a random value m
2. Server replies with a SYN-ACK. The ack number is set to m+1, and the sequence number the server chooses for its segment is another random number n
3. Client sends an ACK back to the server, with sequence number m+1 and ack number n+1

[Figure: TCP session establishment (three-way handshake)]
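The three steps above turned into a checker that runs over a list of captured segments. This is an added example, not code from the lecture: the `Segment` type, the helper `seg`, the sample trace and every address in it are constructed. Sequence numbers are compared modulo 2^32 so an ISN next to the wrap boundary is handled correctly, and the classifier also reports connections that never completed, which is what a closed port (RST) or a half-open SYN scan looks like in a trace.

```python
from dataclasses import dataclass

SEQ_MASK = 0xFFFFFFFF  # TCP sequence numbers are 32-bit and wrap around


@dataclass(frozen=True)
class Segment:
    src: str            # "ip:port" of the sender
    dst: str            # "ip:port" of the receiver
    flags: frozenset    # e.g. frozenset({"SYN", "ACK"})
    seq: int
    ack: int


def seg(src, dst, flags, seq, ack=0):
    """Build a Segment from a 'SYN,ACK'-style flag string (constructed input helper)."""
    return Segment(src, dst, frozenset(flags.split(",")), seq, ack)


def check_handshake(segments):
    """Validate the first three segments of a connection as a three-way handshake.

    Returns (ok, reason). Checks direction, flags, and that each ack number
    acknowledges the peer's initial sequence number + 1, modulo 2**32."""
    if len(segments) < 3:
        return False, "fewer than three segments"
    syn, synack, ack = segments[:3]
    if syn.flags != {"SYN"}:
        return False, "first segment is not a bare SYN"
    client, server, m = syn.src, syn.dst, syn.seq
    if (synack.src, synack.dst) != (server, client):
        return False, "second segment is not server -> client"
    if synack.flags != {"SYN", "ACK"}:
        return False, "second segment is not SYN-ACK"
    if synack.ack != (m + 1) & SEQ_MASK:
        return False, f"SYN-ACK acknowledges {synack.ack}, expected {(m + 1) & SEQ_MASK}"
    n = synack.seq
    if (ack.src, ack.dst) != (client, server):
        return False, "third segment is not client -> server"
    if "ACK" not in ack.flags or "SYN" in ack.flags or "RST" in ack.flags:
        return False, "third segment is not a plain ACK"
    if ack.seq != (m + 1) & SEQ_MASK or ack.ack != (n + 1) & SEQ_MASK:
        return False, "final ACK carries wrong seq/ack numbers"
    return True, "handshake complete"


def classify_connections(trace):
    """Group segments by connection (keyed on the SYN initiator) and classify each."""
    conns = {}
    for s in trace:
        if s.flags == {"SYN"} and (s.src, s.dst) not in conns:
            conns[(s.src, s.dst)] = []
        for key in ((s.src, s.dst), (s.dst, s.src)):
            if key in conns:
                conns[key].append(s)
                break
    result = {}
    for (client, server), segs in conns.items():
        ok, reason = check_handshake(segs)
        if ok:
            status = "established"
        elif any("RST" in s.flags and s.src == server for s in segs):
            status = "refused"      # server answered with RST: port closed
        elif len(segs) == 1:
            status = "unanswered"   # half-open: SYN scan, filtered port or SYN flood
        else:
            status = f"malformed ({reason})"
        result[f"{client} -> {server}"] = status
    return result


# Constructed sample trace (not the lecture's capture); hosts and ports are made up.
TRACE = [
    seg("10.0.0.5:50000", "10.0.0.9:80", "SYN", 0xFFFFFFFF),     # ISN at the wrap boundary
    seg("10.0.0.9:80", "10.0.0.5:50000", "SYN,ACK", 5000, 0),    # ack = m+1 wraps to 0
    seg("10.0.0.5:50000", "10.0.0.9:80", "ACK", 0, 5001),
    seg("10.0.0.5:50001", "10.0.0.9:23", "SYN", 7),
    seg("10.0.0.9:23", "10.0.0.5:50001", "RST,ACK", 0, 8),       # port 23 closed
    seg("10.0.0.5:50002", "10.0.0.9:443", "SYN", 42),            # never answered
]

if __name__ == "__main__":
    for conn, status in classify_connections(TRACE).items():
        print(f"{conn}: {status}")
```

Retransmitted SYNs are not merged here, so a client that retries before the server answers shows up as "malformed"; a production tool would collapse duplicates by sequence number first.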

We can see the entire TCP message exchange


TCP header layout


TCP protocol


Port Numbers


- If a computer is identified by an IP address, port numbers differentiate applications within the same computer; a TCP connection is identified by the 4-tuple (source IP, source port, destination IP, destination port)

Well-known port numbers


- A few examples: 80 (HTTP), 443 (HTTPS), 22 (SSH), 25 (SMTP), 53 (DNS)

Next step: Investigate the IP packet payload


[Figure: IP packet -> IP packet payload -> TCP packet payload, which contains an HTTP request]


Wireshark lets us follow the TCP stream


[Figure: Wireshark "Follow TCP Stream" view, showing the client => proxy request and the proxy => client response]

Last missing step: Ethernet frame


[Figure: IP packet enclosed in a link layer frame]

Link layer: carrier of IP packets within networks


- The Ethernet protocol is used by the client to send the IP packet to the router, its first hop towards the web proxy

[Figure: the IP packet carried inside an Ethernet frame from the client to the router]

Format of Ethernet frame


- MAC addresses are used for message delivery within the local network segment
- The IP packet is enclosed inside the data payload; the EtherType field (0x0800 for IPv4) tells the receiver how to parse it
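A decoder that peels the three layers discussed in this part (Ethernet frame, IPv4 header, TCP header and ports) from raw frame bytes, added here as an example; it is not code from the lecture. It uses only the Python standard library, verifies the IPv4 and TCP checksums so a corrupted or forged header is rejected instead of silently parsed, and constructs its own sample frame: the MACs, IP addresses, ports (3128 is a common proxy port, not one from the lecture) and the proxied GET request are all assumptions.

```python
import struct
from dataclasses import dataclass

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
# TCP flags occupy the low 9 bits of the data-offset/flags word, FIN first.
TCP_FLAGS = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS"]


@dataclass
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    ttl: int
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: list
    payload: bytes


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (shared by IPv4 and TCP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_frame(raw: bytes) -> Packet:
    """Peel Ethernet II -> IPv4 -> TCP, validating each header before trusting it."""
    # Layer 2: 6-byte destination MAC, 6-byte source MAC, 2-byte EtherType
    if len(raw) < 14:
        raise ValueError("truncated Ethernet header")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", raw[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"unsupported EtherType 0x{ethertype:04x}")
    # Layer 3: IHL = header length in 32-bit words; Total Length covers header + payload
    ip = raw[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ihl < 20 or total_len < ihl or len(ip) < total_len:
        raise ValueError("inconsistent IPv4 length fields")
    if checksum(ip[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    ttl, proto = ip[8], ip[9]
    src_ip, dst_ip = ip[12:16], ip[16:20]
    if proto != IPPROTO_TCP:
        raise ValueError(f"unsupported IP protocol {proto}")
    # Layer 4: data offset in 32-bit words; checksum covers a pseudo-header + segment
    seg = ip[ihl:total_len]            # drops any Ethernet padding past Total Length
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", seg[:14])
    data_off = (off_flags >> 12) * 4
    if data_off < 20 or data_off > len(seg):
        raise ValueError("bad TCP data offset")
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, IPPROTO_TCP, len(seg))
    if checksum(pseudo + seg) != 0:
        raise ValueError("TCP checksum mismatch")
    flags = [name for i, name in enumerate(TCP_FLAGS) if off_flags & (1 << i)]
    return Packet(
        src_mac=":".join(f"{b:02x}" for b in src_mac),
        dst_mac=":".join(f"{b:02x}" for b in dst_mac),
        src_ip=".".join(map(str, src_ip)), dst_ip=".".join(map(str, dst_ip)),
        ttl=ttl, src_port=sport, dst_port=dport, seq=seq, ack=ack,
        flags=flags, payload=seg[data_off:],
    )


def is_well_formed(raw: bytes) -> bool:
    try:
        parse_frame(raw)
        return True
    except ValueError:
        return False


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, seq, ack, flags, payload, ttl=64):
    """Assemble a valid frame layer by layer; used only to construct sample input."""
    s_ip, d_ip = (bytes(map(int, a.split("."))) for a in (src_ip, dst_ip))
    flag_bits = sum(1 << TCP_FLAGS.index(f) for f in flags)
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flag_bits, 65535, 0, 0) + payload
    pseudo = s_ip + d_ip + struct.pack("!BBH", 0, IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, ttl, IPPROTO_TCP, 0, s_ip, d_ip)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    return eth + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp


# Constructed sample: the client's request to a web proxy (all values are assumptions).
SAMPLE_FRAME = build_frame(
    src_mac="00:0c:29:11:22:33", dst_mac="00:11:22:33:44:55",
    src_ip="192.168.1.10", dst_ip="192.168.1.254", sport=49152, dport=3128,
    seq=0x1000, ack=0x2000, flags=["PSH", "ACK"],
    payload=b"GET http://example.org/index.htm HTTP/1.1\r\nHost: example.org\r\n\r\n",
)

if __name__ == "__main__":
    print(parse_frame(SAMPLE_FRAME))
```

Slicing the TCP segment to the IP Total Length matters in practice: short frames are padded on the wire, and a decoder that reads to the end of the buffer feeds padding into the TCP checksum and into the reconstructed payload.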

Let’s inspect the Ethernet frame of our IP packet


A case study


- You are the manager of a company and receive a tip that an employee is using his computer to view images that violate the company's computer use policy
- You hire a forensics investigator to assist in the matter and, together, decide to monitor the suspected employee's activity on the network for the next week
- Goal: see if there is any evidence to support or refute the claim that the employee viewed such images

Case study: Search through the packets


- After capturing the packets, search through them to identify images that violate the policy (e.g., by filtering on HTTP responses whose Content-Type is an image type)

Case study: Perform file carving


- Export the portion of the payload that contains the bytes of the image (from the followed TCP stream, or with Wireshark's File > Export Objects > HTTP)

Case study: Caught in procrastination!


- The exported bytes, saved to a file, reconstruct the image the employee viewed
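The carving step above done by hand, as an added example rather than the lecture's code: given a reassembled proxy => client TCP stream, it splits the HTTP/1.1 responses, handles both Content-Length and chunked bodies, identifies images by their magic bytes instead of the declared Content-Type, and records a SHA-256 and whether the body was complete. The stream, the HTML and the image bodies are constructed stubs (the "images" carry only their signatures, not real picture data).

```python
import hashlib

# File signatures checked at the start of each body. Trust the bytes, not the
# declared Content-Type: a server or a suspect can mislabel them.
MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def sniff_type(body: bytes):
    for magic, kind in MAGIC.items():
        if body.startswith(magic):
            return kind
    return None


def decode_chunked(stream: bytes, pos: int):
    """Decode a chunked body starting at pos; return (body, next_pos, truncated)."""
    body = bytearray()
    while True:
        line_end = stream.find(b"\r\n", pos)
        if line_end < 0:
            return bytes(body), len(stream), True
        try:
            size = int(stream[pos:line_end].split(b";")[0], 16)
        except ValueError:
            return bytes(body), len(stream), True
        if size == 0:  # last chunk: skip optional trailer headers up to the blank line
            end = stream.find(b"\r\n\r\n", line_end)
            return bytes(body), (end + 4 if end >= 0 else len(stream)), end < 0
        chunk = stream[line_end + 2:line_end + 2 + size]
        body += chunk
        if len(chunk) < size:
            return bytes(body), len(stream), True
        pos = line_end + 2 + size + 2   # skip chunk data and its trailing CRLF


def parse_responses(stream: bytes):
    """Split a reassembled server->client stream into (status, headers, body, truncated)."""
    responses, pos = [], 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end < 0 or not stream.startswith(b"HTTP/", pos):
            break                                     # truncated headers or not HTTP
        lines = stream[pos:end].decode("iso-8859-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        body_start = end + 4
        if "content-length" in headers:
            length = int(headers["content-length"])
            body = stream[body_start:body_start + length]
            pos, truncated = body_start + length, len(body) < length
        elif headers.get("transfer-encoding", "").lower() == "chunked":
            body, pos, truncated = decode_chunked(stream, body_start)
        else:                                         # body delimited by connection close
            body, pos, truncated = stream[body_start:], len(stream), False
        responses.append((lines[0], headers, body, truncated))
    return responses


def carve_images(stream: bytes):
    """Carve image bodies out of the stream, keyed on magic bytes rather than headers."""
    carved = []
    for status, headers, body, truncated in parse_responses(stream):
        kind = sniff_type(body)
        if kind is None:
            continue
        complete = not truncated and (kind != "jpeg" or body.endswith(b"\xff\xd9"))
        carved.append({
            "type": kind,
            "declared": headers.get("content-type", ""),
            "size": len(body),
            "sha256": hashlib.sha256(body).hexdigest(),   # for the evidence record
            "complete": complete,
            "data": body,
        })
    return carved


# --- constructed sample stream (not the lecture's capture) ---
def http_response(status, headers, body):
    head = status + "\r\n" + "".join(f"{k}: {v}\r\n" for k, v in headers) + "\r\n"
    return head.encode() + body


def chunked(body, size=16):
    chunks = [body[i:i + size] for i in range(0, len(body), size)]
    return b"".join(f"{len(c):x}\r\n".encode() + c + b"\r\n" for c in chunks) + b"0\r\n\r\n"


HTML = b"<html><body><img src='pic.jpg'></body></html>"
FAKE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(40) + b"\xff\xd9"   # SOI ... EOI
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + bytes(24)
SAMPLE_STREAM = (
    http_response("HTTP/1.1 200 OK", [("Content-Type", "text/html"), ("Content-Length", len(HTML))], HTML)
    + http_response("HTTP/1.1 200 OK", [("Content-Type", "image/jpeg"), ("Content-Length", len(FAKE_JPEG))], FAKE_JPEG)
    + http_response("HTTP/1.1 200 OK", [("Content-Type", "application/octet-stream"),
                                        ("Transfer-Encoding", "chunked")], chunked(FAKE_PNG))   # mislabeled PNG
)

if __name__ == "__main__":
    for i, img in enumerate(carve_images(SAMPLE_STREAM)):
        with open(f"carved_{i}.{img['type']}", "wb") as f:
            f.write(img["data"])
        print(img["type"], img["declared"], img["size"], img["complete"], img["sha256"][:16])
```

The `complete` flag is what separates "the employee viewed this image" from "part of an image transited the network": a capture that missed packets, or a transfer the user cancelled, yields a truncated body that should be reported as such rather than presented as a whole file.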


Summary

- Packet and protocol analysis play a fundamental role in network forensics
- Typical communications are centered around the TCP/IP protocols, which are structured in network layers
- Packet analysis tools like Wireshark allow us to interpret the content of individual packets and flows



- Primary bibliography
  - [Casey11], Chapter 21, 23.2.2


Next class


- Web and E-Mail forensics

