Abstract
Network forensics is a method of obtaining and analyzing digital evidence from network sources. It covers data acquisition, selection, processing, analysis and presentation to investigators. Because of the high volume of transmitted data, the acquired information can be incomplete, corrupted, or disordered, which makes further reconstruction difficult. In this paper, we address the advanced parsing and reconstruction of incomplete, corrupted, or disordered data packets. We introduce a technique that recovers TCP or UDP conversations so that they can be further analyzed by application parsers. The presented technique is implemented in a new network forensic tool called Netfox Detective. We also discuss current challenges in parsing web mail communication, SSL decryption and Bitcoin detection.
Notes
1. MaxLost was experimentally set to 4 kB, which is more than twice the maximal Ethernet PDU size of 1500 bytes. MaxTime is six times greater than the recommended TCP connection failure timeout defined in RFC 1122. In practice, these values mean that a hole longer than 600 s or wider than 4 kB cannot be successfully recovered.
2. See https://bitcoint.org/en/developer-documenation, June, 2015.
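The following is an added illustration of how the MaxLost and MaxTime thresholds from note 1 can drive gap-tolerant TCP payload reassembly; it is not code from the paper or from Netfox Detective. It assumes a simplified model: each captured segment carries a sequence number, a capture timestamp and a payload; a hole in the sequence space is filled with a placeholder byte when it is at most MAX_LOST bytes wide and the capture time across it does not jump by more than MAX_TIME seconds; otherwise reassembly stops at the hole. Only the two threshold values come from the paper; the filling strategy, the `Segment` and `Reassembly` types and the sample segments are constructed for this example.

```python
"""Gap-tolerant TCP payload reassembly with MaxLost / MaxTime thresholds.

Added example, not the paper's or Netfox Detective's code. Duplicate and
overlapping segments are trimmed, out-of-order segments are sorted by
sequence number, small and short holes are filled with a marker byte and
recorded, and a hole that exceeds either threshold truncates the stream.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_LOST = 4 * 1024   # bytes, value from the paper's note (> 2 x 1500-byte Ethernet PDU)
MAX_TIME = 600.0      # seconds, value from the paper's note (6 x RFC 1122 failure timeout)
GAP_FILL = b"\x00"    # assumption: placeholder byte written in place of lost data


@dataclass
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    ts: float       # capture timestamp in seconds
    payload: bytes


@dataclass
class Reassembly:
    data: bytes                      # reconstructed payload (holes filled with GAP_FILL)
    gaps: List[Tuple[int, int]]      # (seq, length) of every hole that was filled
    truncated_at: Optional[int]      # seq at which reassembly stopped, or None


def reassemble(segments: List[Segment]) -> Reassembly:
    """Reassemble one direction of a TCP stream, tolerating bounded holes."""
    if not segments:
        return Reassembly(b"", [], None)
    segs = sorted(segments, key=lambda s: (s.seq, s.ts))
    out = bytearray()
    gaps: List[Tuple[int, int]] = []
    next_seq = segs[0].seq          # next byte we expect to append
    last_ts = segs[0].ts            # capture time of the last byte appended
    for s in segs:
        end = s.seq + len(s.payload)
        if end <= next_seq:
            continue                # retransmission fully covered by earlier data
        if s.seq > next_seq:
            hole = s.seq - next_seq
            if hole > MAX_LOST or (s.ts - last_ts) > MAX_TIME:
                # Hole too wide or too long: stop here rather than guess.
                return Reassembly(bytes(out), gaps, next_seq)
            out.extend(GAP_FILL * hole)
            gaps.append((next_seq, hole))
            next_seq = s.seq
        # Drop the part of the payload that overlaps data already appended.
        out.extend(s.payload[next_seq - s.seq:])
        next_seq = end
        last_ts = max(last_ts, s.ts)
    return Reassembly(bytes(out), gaps, None)


# Constructed capture: out-of-order delivery, one retransmission, a 2-byte
# hole at seq 1039 and a 5000-byte hole before the last segment.
SAMPLE = [
    Segment(1000, 0.00, b"GET /index.html HTTP/1.1\r\n"),   # 26 bytes, ends at 1026
    Segment(1000, 0.05, b"GET /index.html HTTP/1.1\r\n"),   # duplicate, skipped
    Segment(1041, 0.30, b"Host: example.test\r\n"),         # arrives before seq 1026
    Segment(1026, 0.10, b"Accept: */*\r\n"),                # 13 bytes, ends at 1039
    Segment(6061, 1.00, b"tail after a 5000-byte hole"),    # hole > MAX_LOST
]


def demo() -> Reassembly:
    """Run the reassembler over the constructed sample."""
    return reassemble(SAMPLE)


if __name__ == "__main__":
    r = demo()
    print(r.data)
    print("filled holes:", r.gaps, "truncated at:", r.truncated_at)
```

Running the block prints the three HTTP header lines with two placeholder bytes between `Accept: */*` and `Host:`, reports the filled hole `(1039, 2)`, and stops at sequence 1061 because the final segment lies 5000 bytes beyond the data seen so far.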
Acknowledgment
Research in this paper was supported by project “Modern Tools for Detection and Mitigation of Cyber Criminality on the New Generation Internet”, no. VG20102015022 granted by Ministry of the Interior of the Czech Republic and an internal University project “Research and application of advanced methods in ICT”, no. FIT-S-14-2299 granted by Brno University of Technology.
© 2015 Institute for Computer Sciences, Social informatics and Telecommunication Engineering
Cite this paper
Matoušek, P. et al. (2015). Advanced Techniques for Reconstruction of Incomplete Network Data. In: James, J., Breitinger, F. (eds) Digital Forensics and Cyber Crime. ICDF2C 2015. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 157. Springer, Cham. https://doi.org/10.1007/978-3-319-25512-5_6
DOI: https://doi.org/10.1007/978-3-319-25512-5_6
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-25511-8
Online ISBN: 978-3-319-25512-5
eBook Packages: Computer Science (R0)