Network Based File Carving

I know what you downloaded last night!
By: GTKlondike
Oh hey, that guy…
I Am…
• Hacker/independent security researcher/subspace half-
• Several years of experience in network infrastructure and security consulting as well as systems administration (Routing, Switching, Firewalls, Servers)
• Passionate about networking
• I’m friendly, just come up and say hi
Contact Info:
• Email: [email protected]
• Zombie-Blog:
What should you know already?
• Assumed basic knowledge of:
  • Protocol analyzers (Wireshark/TCPdump)
  • OSI and TCP/IP model
  • Major protocols (e.g. DNS, HTTP(S), TCP, UDP, DHCP, ARP, IP, etc.)
Tools I Will Be Using
• Wireshark
• NetworkMiner
• Hex editor
• Scalpel
• File signature database
What Is File Carving?
• It’s a word search on steroids!
Pcap Analysis Methodology
1. Pattern Matching – Identify and filter packets of interest by matching specific values or protocol
2. List Conversations – List all conversation streams within the filtered packet capture
3. Export – Isolate and export specific conversation streams of interest
4. Draw Conclusions – Extract files or data from streams and compile data
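Step 4 in code form, as an added example that is not part of the original slides: a Scalpel-style header/footer carver run over a reconstructed TCP stream (the kind Wireshark's "Follow TCP Stream" or NetworkMiner exports). The signature table is a constructed subset of a file signature database, and `sample_stream()` is a constructed HTTP exchange that includes one complete PNG and one JPEG cut off mid-transfer, which the carver must skip rather than emit as a bogus file.

```python
"""Signature-based file carving over a reconstructed network stream."""
import hashlib
import re

# Constructed subset of a file-signature database: header, footer, max size.
# Footer-less formats would need a length field parser instead (not shown).
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 10_000_000),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 10_000_000),
    "pdf": (b"%PDF-", b"%%EOF", 50_000_000),
    "gif": (b"GIF8", b"\x00\x3b", 5_000_000),
}


def carve(stream: bytes, signatures=SIGNATURES):
    """Return (type, offset, data, sha256) for each header whose footer is
    found within max_len bytes. Headers with no footer in range (truncated
    transfers, capture stopped early) are skipped. The SHA-256 is what an
    analyst would compare against known-bad hash sets when drawing
    conclusions."""
    found = []
    for ftype, (header, footer, max_len) in signatures.items():
        for m in re.finditer(re.escape(header), stream):
            start = m.start()
            window = stream[start:start + max_len]
            end = window.find(footer, len(header))
            if end == -1:
                continue  # no footer: truncated or larger than max_len
            data = window[:end + len(footer)]
            found.append((ftype, start, data, hashlib.sha256(data).hexdigest()))
    return sorted(found, key=lambda f: f[1])


def sample_stream() -> bytes:
    """Constructed stream: an HTTP response carrying a 1x1 PNG (45 bytes),
    then a second response whose JPEG body is cut off before FF D9."""
    png = (b"\x89PNG\r\n\x1a\n"
           b"\x00\x00\x00\rIHDR\x00\x00\x00\x01\x00\x00\x00\x01"
           b"\x08\x06\x00\x00\x00\x1f\x15\xc4\x89"
           b"\x00\x00\x00\x00IEND\xaeB`\x82")
    resp1 = (b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n"
             b"Content-Length: %d\r\n\r\n" % len(png)) + png
    resp2 = (b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\n"
             b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01...capture ended here")
    return resp1 + resp2


if __name__ == "__main__":
    for ftype, off, data, digest in carve(sample_stream()):
        print(f"{ftype} at offset {off}: {len(data)} bytes sha256={digest}")
```

Comparing the carved length against the declared Content-Length of the enclosing response is a cheap sanity check that the footer found really closes this file and not a later one in the same stream.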
Security Onion: /opt/samples/fake_av.pcap
Additional Information (Pcap Files)
Further Reading
• Network-Based File Carving
• Practical Packet Analysis: Using Wireshark to Solve Real-World Network Problems
  • By: Chris Sanders
• Network Forensics: Tracking Hackers Through Cyberspace
  • By: Sherri Davidoff, Jonathan Ham
• Guide to Integrating Forensic Techniques into Incident
• File Signatures