Loading...

2012-02-15 CERIAS - Forensic Carving of Network Packets with bulk_extractor and tcpflow

1,699 views

Loading...

Loading...

Transcript

The interactive transcript could not be loaded.

Loading...

Loading...

Rating is available when the video has been rented.
This feature is not available right now. Please try again later.
Published on May 10, 2012

Recorded: 02/15/2012
CERIAS Security Seminar at Purdue University

Forensic Carving of Network Packets with bulk_extractor and tcpflow

Simson Garfinkel, Naval Postgraduate School

Using validated carving techniques, we show that popular operating systems (\eg Windows, Linux, and OSX) frequently have residual IP packets, Ethernet frames, and associated data structures present in system memory from long-terminated network traffic. Such information is useful for many forensic purposes including establishment of prior connection activity and services used; identification of other systems present on the system's LAN or WLAN; geolocation of the host computer system; and cross-drive analysis. We show that network structures can also be recovered from memory that is persisted onto a mass storage medium during the course of system swapping or hibernation.We present our network carving techniques, algorithms and tools, and validate these against both purpose-built memory images and a readily available forensic corpora. These techniques are valuable to both forensics tasks, particularly in analyzing mobile devices, and to cyber-security objectives such as malware analysis.

(Visit: www.cerias.purude.edu)

  • Category

  • License

    • Standard YouTube License
Comments are disabled for this video.

to add this to Watch Later

Add to

Loading playlists...