a network forensic analysis framework
play

A Network Forensic Analysis Framework Professor Patrick McDaniel - PowerPoint PPT Presentation

Oct 12, 2023 •19 likes •379 views

A Network Forensic Analysis Framework Professor Patrick McDaniel Daniel Krych Fall 2015 About An extensible network forensic analysis framework. Enables rapid development of plugins to support the dissection of network packet captures.

  1. A Network Forensic Analysis Framework Professor Patrick McDaniel Daniel Krych Fall 2015

  2. About • An extensible network forensic analysis framework. • Enables rapid development of plugins to support the dissection of network packet captures. • Key features: ‣ Robust stream reassembly ‣ IPv4 and IPv6 support ‣ Custom output handlers ‣ Chainable decoders • Billy Glodek Page

  3. Page

  4. Installation (Ubuntu) > sudo apt-get install git > git clone https://github.com/USArmyResearchLab/Dshell.git > sudo apt-get install python-crypto python-dpkt python-ipy python-pypcap python-pip > sudo pip install pygeoip Download GeoLite Country, GeoLite Country IPv6, GeoLite ASN, GeoLite ASN IPv6 http://dev.maxmind.com/geoip/legacy/geolite/ > gunzip * Move the MaxMind dat files to ~/Dshell/share/GeoIP/ > cd ~/Dshell > make > ./dshell If you get a Dshell> prompt, you're good to go! Page

  5. Malware Traffic Analysis • http://www.malware-traffic-analysis.net/ > wget http://www.malware-traffic- analysis.net/2014/11/16/2014-11-16- traffic-analysis-exercise.pcap Page

  6. General Usage • To run a decoder > decode – d <decoder> *.pcap • To list all decoders > decode – l • To get help > decode – h • To learn more about a specific decoder > decode – d <decoder> Page

  7. > decode – l Page

  8. Example Uses - followstream • Generates color-coded Screen/HTML output similar to Wireshark Follow Stream. • Default filter: tcp > decode – d followstream 2014-11-16- traffic-analysis-exercise.pcap Page

  9. Example Uses - followstream Page

  10. Example Uses - web • Tracks server responses • Default filter: tcp and (port 80 or port 8080 or port 8000) > decode – d web 2014-11-16-traffic- analysis-exercise.pcap Page

  11. Example Uses - web Page

  12. Example Uses - DNS • Extracts and summarizes DNS queries/responses (defaults: A,AAAA,CNAME,PTR records), • Default filter: (udp and port 53) > decode -d dns 2014-11-16-traffic- analysis-exercise.pcap Page

  13. Example Uses - DNS Page

  14. Example Uses - DHCP • Extracts client information from DHCP messages • Default filter: (udp and port 67) > decode -d dhcp 2014-11-16-traffic- analysis-exercise.pcap Page

  15. Example Uses - DHCP Page

  16. So, how does it work? Page

  17. dpkt • An ethernet packet decoding module • Python library - Dug Song & Jon Oberheide • leveraged by Dshell • https://github.com/kbandla/dpkt Page

  18. Dshell Types Page

  19. Dshell Types Page

  20. Dshell Classes ~/Dshell/lib/dshell.py Page

  21. Dshell Classes ~/Dshell/lib/dshell.py Page

  22. Dshell Classes ~/Dshell/lib/dshell.py Page

  23. Dshell Classes ~/Dshell/lib/dshell.py Page

  24. Dshell Classes ~/Dshell/lib/dshell.py Page

  25. Dshell Classes ~/Dshell/lib/dshell.py Page

  26. Dshell Classes ~/Dshell/lib/dshell.py Page

  27. Dshell Classes ~/Dshell/lib/dshell.py Page

  28. Dshell Classes ~/Dshell/lib/dshell.py Page

  29. Dshell Classes ~/Dshell/lib/dshell.py Page

  30. Dshell Classes ~/Dshell/lib/dshell.py Page

  31. User-Agent Author: Eric Kilmer Page

  32. User-Agent Author: Eric Kilmer Page

  33. Useful tools • Python libraries: ‣ util.hexPlusAscii • Function to print hex and Ascii side-by- side ‣ binascii.hexlify / binascii.unhexlify • tcpdump • Wireshark Page

  34. Additional Notes • Decoders can be chainable ‣ see the country decoder for an example • Read the protocol’s RFCs • Make your code more pythonic ‣ Raymond Hettinger’s Tips and Tricks https://gist.github.com/JeffPaine/6213790 ‣ Youtube videos of Raymond’s talks https://www.youtube.com/watch?v=wf-BqAjZb8M https://www.youtube.com/watch?v=OSGv2VnC0go ‣ PEP 8 Style Guide for Python Code https://www.python.org/dev/peps/pep-0008/ Page

  35. Our Contributions • Dan - DHCP, NBNS, Bitcoin • Eric – User-Agent, Flash-Detect, teredo • Mark – WebColors, ether • Nate – accept-filter, asn-filter, flow-range, uaabf, entropy Page

  36. Assignment • Repeat the process in these slides using the DNS, Followstream, and Web decoders for Dshell on 3 different pcap’s (malware-traffic-analysis.net) • What information can you discover using these decoders? • Write a new decoder that parses out the ‘Referrer’ field from a HTTP Header (HINT: This will be similair to the ‘User - Agent’ decoder discussed earlier) • What will this provide us with? What else could we add to the decoder to make it more useful as an analysis tool? Page

Recommend

p(E|H p(E|H p ) p ) p(E|H p(E|H d ) d ) Concerns Logically correct framework for evaluation

p(E|H p(E|H p ) p ) p(E|H p(E|H d ) d ) Concerns Logically correct framework for evaluation

Measuring the validity and reliability of forensic analysis systems Geoffrey Stewart Morrison p(E|H p(E|H p ) p ) p(E|H p(E|H d ) d ) Concerns Logically correct framework for evaluation of forensic evidence - ENFSI Guideline for

750 views • 54 slides
Forensic Challenge V2.0 UNAM-CERT RedIRIS Topics * Forensic Challenge V1.0 * Forensic

Forensic Challenge V2.0 UNAM-CERT RedIRIS Topics * Forensic Challenge V1.0 * Forensic

Forensic Challenge V2.0 UNAM-CERT RedIRIS Topics * Forensic Challenge V1.0 * Forensic Challenge V2.0 * Conclusions Introduction Why this forensic Challenge ? * To promote and impulse the Forensic Analysis in our Region -- Hispanoamerica--

558 views • 19 slides
A Network Black Box with Splunk for Forensic Analysis of Attack Patterns Clive Blackwell Oxford

A Network Black Box with Splunk for Forensic Analysis of Attack Patterns Clive Blackwell Oxford

A Network Black Box with Splunk for Forensic Analysis of Attack Patterns Clive Blackwell Oxford Brookes University Oxford, United Kingdom CBlackwell@brookes.ac.uk Roadmap Three layer architectural security model Influenced by OSI

782 views • 37 slides
qPCR in forensic DNA analysis Johannes Hedman Researcher, Applied Microbiology, Lund University

qPCR in forensic DNA analysis Johannes Hedman Researcher, Applied Microbiology, Lund University

qPCR in forensic DNA analysis Johannes Hedman Researcher, Applied Microbiology, Lund University Specialist, Swedish National Laboratory of Forensic Science Forensic science Every contact leaves a trace Edmond Locard (1877 1966) Forensic

1.32k views • 78 slides
Forensic analysis of a Linux web server 1 www.nbs-system.com Agenda Who are we ? Performing

Forensic analysis of a Linux web server 1 www.nbs-system.com Agenda Who are we ? Performing

Mathieu Deous Julien Reveret Forensic analysis of a Linux web server 1 www.nbs-system.com Agenda Who are we ? Performing forensic analysis on a compromised web server What to search, where, how ? Logs but also dynamic analysis What

603 views • 28 slides
Why This Workshop? In 2009 the Research Council of the National Academy of Sciences issues a

Why This Workshop? In 2009 the Research Council of the National Academy of Sciences issues a

Specialized Topics in Ethical Forensic Practice, Part 3: Bias in Forensic Evaluations November 18, 2015 Ohio MHAS Forensic Conference Columbus, OH Terry Kukor, Ph.D., ABPP Board Certified in Forensic Psychology Director of Forensic Services Netcare

972 views • 23 slides
Challenges in Crime Scene Investigation Technical challenges in forensic STR profiling

Challenges in Crime Scene Investigation Technical challenges in forensic STR profiling

Epigenetics a New Perspective for Improving Forensic Science p g Hwan Young Lee, Ph.D. Department of Forensic Medicine Yonsei University College of Medicine Current Forensic DNA Typing Forensic cases -- matching suspect with evidence

247 views • 13 slides
Objectives 1. Articulate the rationale for restructuring forensic evaluation reports 2. Identify

Objectives 1. Articulate the rationale for restructuring forensic evaluation reports 2. Identify

11/5/2015 Specialized Topics in Ethical Forensic Practice, Part 1: Restructured Forensic Reports Presented For OhioMHAS Forensic Conference November 18, 2015 Terry Kukor, Ph.D., ABPP (Forensic) Joy Stankowski, M.D. Aracelis (Liz) Rivera, Psy.D.

451 views • 17 slides
Forensic evaluation of nine miniSTR loci to aid analysis of degraded DNA in Koreans Ukhee Chung,

Forensic evaluation of nine miniSTR loci to aid analysis of degraded DNA in Koreans Ukhee Chung,

Forensic evaluation of nine miniSTR loci to aid analysis of degraded DNA in Koreans Ukhee Chung, Hwan Young Lee, Myung Jin Park, Sang-Ho Cho, Kyoung-Jin Shin and Woo Ick Yang Department of Forensic Medicine, Yonsei University College of

554 views • 13 slides
T and Science of Forensic Monitoring Forensic Monitor may be employed by one Board or a

T and Science of Forensic Monitoring Forensic Monitor may be employed by one Board or a

11/5/2015 The T and Science of Forensic Monitoring Robert N. Baker, PhD Jeannie Cool, PCC-S Lottie Gray, MSSA, LISW, CDCA Julia King, PsyD, MBA T and Science of Forensic Monitoring Has your boss just told you? You are our New Forensic

389 views • 24 slides
Specialized Topics in Ethical Forensic Practice, Part 3: Bias in Forensic Evaluations November 18,

Specialized Topics in Ethical Forensic Practice, Part 3: Bias in Forensic Evaluations November 18,

Specialized Topics in Ethical Forensic Practice, Part 3: Bias in Forensic Evaluations November 18, 2015 Ohio MHAS Forensic Conference Columbus, OH Terry Kukor, Ph.D., ABPP Board Certified in Forensic Psychology Director of Forensic Services Netcare

1.29k views • 67 slides
Outline of presentation MPS in forensic genetics Developed 3 in-house MPS panels

Outline of presentation MPS in forensic genetics Developed 3 in-house MPS panels

2017-09-05 Implementing Massively Parallel Sequencing for Forensic DNA Analysis Using In-house PCR Panels Kyoung-Jin Shin, Ph.D. Dept. of Forensic Medicine Yonsei University College of Medicine Seoul, Republic of Korea Outline of

710 views • 23 slides
p(E|H p(E|H p ) p ) p(E|H p(E|H d ) d ) Concerns Logically correct framework for evaluation

p(E|H p(E|H p ) p ) p(E|H p(E|H d ) d ) Concerns Logically correct framework for evaluation

Introduction to logical reasoning for the evaluation of forensic evidence Geoffrey Stewart Morrison p(E|H p(E|H p ) p ) p(E|H p(E|H d ) d ) Concerns Logically correct framework for evaluation of forensic evidence - ENFSI Guideline for

936 views • 67 slides
THE NEW FORENSIC PATIENT Learning Objectives Review the epidemiology of forensic populations

THE NEW FORENSIC PATIENT Learning Objectives Review the epidemiology of forensic populations

THE NEW FORENSIC PATIENT Learning Objectives Review the epidemiology of forensic populations Explore various clinical presentations seen in forensic settings Implement evidence-based and novel treatment strategies to the new forensic

946 views • 80 slides
Forensic Feature Extraction and Cross-Drive Analysis Simson L. Garfinkel Center for Research on

Forensic Feature Extraction and Cross-Drive Analysis Simson L. Garfinkel Center for Research on

Forensic Feature Extraction and Cross-Drive Analysis Simson L. Garfinkel Center for Research on Computation and Society Harvard University 1:15pm, Tuesday, August 15, 2006 1 Todays forensic tools are designed for one drive at a time.

552 views • 34 slides
Broverview Outline 2 Outline Philosophy and Architecture A framework for network traffic

Broverview Outline 2 Outline Philosophy and Architecture A framework for network traffic

The Bro Network Security Monitor Broverview Outline 2 Outline Philosophy and Architecture A framework for network traffic analysis. 2 Outline Philosophy and Architecture A framework for network traffic analysis. History From research to

1.22k views • 73 slides
Forensic Voice Comparison and Forensic Acoustics 1 Value and Interpretation of Biometric

Forensic Voice Comparison and Forensic Acoustics 1 Value and Interpretation of Biometric

Forensic Voice Comparison and Forensic Acoustics 1 Value and Interpretation of Biometric Evidence in Forensic Automatic Speaker Recognition Dr. Andrzej Drygajlo Speech Processing and Biometrics Group Swiss Federal Institute of Technology

546 views • 44 slides
Massive Sequence Analysis of Forensic STR Loci using Next Generation Sequencing and Its

Massive Sequence Analysis of Forensic STR Loci using Next Generation Sequencing and Its

2014-12-08 Massive Sequence Analysis of Forensic STR Loci using Next Generation Sequencing and Its Application to Mixture Analysis Eun Hye Kim, In Seok Yang, Sang-Eun Jung, Hwan Young Lee, Woo Ick Yang, and Kyoung-Jin Shin Department of

124 views • 9 slides
Regional Forensic Trainings 2013 Pathways to Conditional Release: An Overview of the Forensic

Regional Forensic Trainings 2013 Pathways to Conditional Release: An Overview of the Forensic

Regional Forensic Trainings 2013 Pathways to Conditional Release: An Overview of the Forensic Mental Health System Robert N. Baker, PhD Assistant Chief Office of Forensic Services, ODMH Objectives Provide an overview of the forensic

581 views • 40 slides
T and Science of Forensic Monitoring Has your boss just told you? You are our New Forensic

T and Science of Forensic Monitoring Has your boss just told you? You are our New Forensic

The T and Science of Forensic Monitoring Robert N. Baker, PhD Jeannie Cool, PCC-S Lottie Gray, MSSA, LISW, CDCA Julia King, PsyD, MBA T and Science of Forensic Monitoring Has your boss just told you? You are our New Forensic Monitor.

834 views • 70 slides
Voice quality analysis in forensic voice comparison: developing the vocal profile analysis scheme

Voice quality analysis in forensic voice comparison: developing the vocal profile analysis scheme

Voice quality analysis in forensic voice comparison: developing the vocal profile analysis scheme Eugenia San Segundo, Paul Foulkes, Peter French Philip Harrison &amp; Vincent Hughes University of York &amp; J P French Associates IAFPA 2016

1.01k views • 21 slides
Learning Disability Community Forensic Services - A Workforce Skills Framework Lisa Proctor,

Learning Disability Community Forensic Services - A Workforce Skills Framework Lisa Proctor,

Learning Disability Community Forensic Services - A Workforce Skills Framework Lisa Proctor, Regional Workforce Specialist Midlands &amp; East Health Education England Background NHSE - Building the Right Support 2015 A National Plan

296 views • 12 slides
Current Forensic DNA Typing o Forensic cases -- matching suspect with evidence Involves generation

Current Forensic DNA Typing o Forensic cases -- matching suspect with evidence Involves generation

Epigenetic age signatures in the forensically relevant body fluid of semen Hwan Yong Lee Department of Forensic Medicine Yonsei University College of Medicine Seoul, Korea Current Forensic DNA Typing o Forensic cases -- matching suspect with

533 views • 14 slides
Comparison of DNA Stability Using Various Sample Collection Devices for forensic DNA analysis

Comparison of DNA Stability Using Various Sample Collection Devices for forensic DNA analysis

Comparison of DNA Stability Using Various Sample Collection Devices for forensic DNA analysis Criminal Investigation Laboratory, Oita Prefectural Police, Japan Seiki Nakao Todays Presentation 1. Introduction 2. Materials and Methods 3.

609 views • 27 slides

More recommend