Rating is available when the video has been rented.
This feature is not available right now. Please try again later.
Published on May 10, 2012
Recorded: 02/15/2012 CERIAS Security Seminar at Purdue University
Forensic Carving of Network Packets with bulk_extractor and tcpflow
Simson Garfinkel, Naval Postgraduate School
Using validated carving techniques, we show that popular operating systems (\eg Windows, Linux, and OSX) frequently have residual IP packets, Ethernet frames, and associated data structures present in system memory from long-terminated network traffic. Such information is useful for many forensic purposes including establishment of prior connection activity and services used; identification of other systems present on the system's LAN or WLAN; geolocation of the host computer system; and cross-drive analysis. We show that network structures can also be recovered from memory that is persisted onto a mass storage medium during the course of system swapping or hibernation.We present our network carving techniques, algorithms and tools, and validate these against both purpose-built memory images and a readily available forensic corpora. These techniques are valuable to both forensics tasks, particularly in analyzing mobile devices, and to cyber-security objectives such as malware analysis.