OR I know what you downloaded last night! By: GTKlondike
TRANSCRIPT
Page 1
Network Based File Carving
OR I know what you downloaded last night!
By: GTKlondike
Page 2
Who Am I?
Oh hey, that guy…
Page 3
I Am…
Hacker/independent security researcher/subspace half-ninja
Several years of experience in network infrastructure and security consulting as well as systems administration (Routing, Switching, Firewalls, Servers)
Passionate about networking
I’m friendly, just come up and say hi
Contact Info:
Email: [email protected]
gtknetrunner.blogspot.com
Page 4
What should you know already?
Assumed basic knowledge of:
Protocol analyzers (Wireshark/TCPdump)
OSI and TCP/IP model
Major protocols (i.e. DNS, HTTP(s), TCP, UDP, DHCP, ARP, IP, etc.)
Page 5
Tools I Will Be Using
Wireshark
Network Miner
Hex editor
Scalpel
File Signature Database: http://www.garykessler.net/library/file_sigs.html
Page 6
What Is File Carving?
It’s a word search on steroids!
Page 7
Pcap Analysis Methodology
1. Pattern Matching – Identify and filter packets of interest by matching specific values or protocol meta-data
2. List Conversations – List all conversation streams within the filtered packet capture
3. Export – Isolate and export specific conversation streams of interest
4. Draw Conclusions – Extract files or data from streams and compile data
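As an added example (not code from the slides), here is the "word search on steroids" behind step 4: a minimal header/footer carver that scans a stream as you would export it from Wireshark's Follow TCP Stream, finds known file signatures, and cuts out each file. The signature table is an assumed subset of the file signature database linked above, and the sample stream is constructed; it also shows the truncated-transfer case, where a header with no footer is skipped rather than guessed at.

```python
# Added example, not from the slides. Header/footer carving over raw bytes,
# e.g. a TCP stream saved from Wireshark's "Follow TCP Stream" (Save As raw).
# Signatures are an assumed subset of the file signature database linked above.
from __future__ import annotations

# (type, header magic, footer magic): a few common types carved by signature
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9"),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    ("gif", b"GIF8", b"\x00\x3b"),
    ("pdf", b"%PDF-", b"%%EOF"),
]


def carve(stream: bytes, max_size: int = 10_000_000) -> list[tuple[str, bytes]]:
    """Return (type, bytes) for every header whose footer is found within
    max_size bytes, in stream order. Headers with no footer (truncated or
    partially captured transfers) are skipped rather than guessed at."""
    found: list[tuple[str, bytes]] = []
    pos = 0
    while pos < len(stream):
        # Earliest header of any known type at or after pos (the "word search")
        best = None
        for name, head, foot in SIGNATURES:
            i = stream.find(head, pos)
            if i != -1 and (best is None or i < best[0]):
                best = (i, name, head, foot)
        if best is None:
            break
        start, name, head, foot = best
        end = stream.find(foot, start + len(head), start + max_size)
        if end == -1:
            pos = start + 1  # no footer: move past this header, keep scanning
            continue
        end += len(foot)
        found.append((name, stream[start:end]))
        pos = end  # resume after the carved file so its body is not re-scanned
    return found


# Constructed sample: two HTTP responses carrying fake image bodies (valid
# magic bytes, not real images), so the HTTP headers are noise to the carver.
SAMPLE_STREAM = (
    b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\nContent-Length: 29\r\n\r\n"
    + b"\x89PNG\r\n\x1a\n" + b"\x00" * 13 + b"IEND\xaeB`\x82"
    + b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\n"
    + b"\xff\xd8\xff\xe0JFIF" + b"\x00" * 8 + b"\xff\xd9"
)
```

Writing each carved blob to disk under its detected type gives the same result as Network Miner's or Scalpel's automatic extraction for these simple signatures; types that have no fixed footer (ZIP, many Office formats) need length parsing instead and are deliberately left out.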
Page 8
Demo Time!
Yeah….
Security Onion: /opt/samples/fake_av.pcap
Pages 9-10 (demo): Security Onion: /opt/samples/fake_av.pcap
Page 11
Additional Information (Pcap Files)
http://www.netresec.com/?page=PcapFiles
http://forensicscontest.com/puzzles
http://www.honeynet.org/node/504
https://www.evilfingers.com/repository/pcaps.php
http://code.google.com/p/security-onion/wiki/Pcaps
Page 12
Further Reading
Network-Based File Carving: http://blogs.cisco.com/security/network-based-file-carving/
Practical Packet Analysis: Using Wireshark to Solve Real-World Network Problems. By: Chris Sanders
Network Forensics: Tracking Hackers Through Cyberspace. By: Sherri Davidoff, Jonathan Ham
Guide to Integrating Forensic Techniques into Incident Response: http://csrc.nist.gov/publications/nistpubs/800-86/SP800-86.pdf
File Signatures: http://www.garykessler.net/library/file_sigs.html