Difference between pages "Wireshark" and "File Carving Bibliography"

From ForensicsWiki
{{Infobox_Software |
  name = Wireshark |
  maintainer = The Wireshark team |
  os = {{Linux}}, {{Windows}} |
  genre = Network forensics |
  license = {{GPL}} |
  website = [http://www.wireshark.org/ www.wireshark.org] |
}}

'''Wireshark''' is a popular [[Sniffer|network protocol analyzer]].

== Overview ==

Wireshark has a rich feature set which includes the following:
* Deep inspection of hundreds of protocols;
* Live capture and offline analysis;
* Standard three-pane packet browser;
* Multi-platform: runs on [[Windows]], [[Linux]], [[Mac OS X]], [[Solaris]], [[FreeBSD]], [[NetBSD]], and many others;
* Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility;
* Powerful display filters;
* Rich [[VoIP]] analysis;
* Read/write many different capture file formats: tcpdump (libpcap), Catapult DCT2000, Cisco Secure IDS iplog, [[Microsoft Network Monitor]], Network General Sniffer® (compressed and uncompressed), Sniffer® Pro, and NetXray®, Network Instruments Observer, Novell LANalyzer, RADCOM WAN/LAN Analyzer, Shomiti/Finisar Surveyor, Tektronix K12xx, Visual Networks Visual UpTime, WildPackets EtherPeek/TokenPeek/AiroPeek, and many others;
* Capture files compressed with gzip can be decompressed on the fly;
* Live data can be read from [[Ethernet]], [[Wireless forensics|IEEE 802.11]], PPP/HDLC, ATM, [[Bluetooth]], [[USB]], Token Ring, Frame Relay, FDDI, and others (depending on your platform);
* Decryption support for many protocols, including [[IPsec]], ISAKMP, Kerberos, SNMPv3, [[SSL forensics|SSL/TLS]], [[Wireless forensics|WEP, and WPA/WPA2]], provided the relevant keys or secrets are supplied;
* Coloring rules can be applied to the packet list for quick, intuitive analysis;
* Output can be exported to [[XML]], PostScript®, [[CSV]], or plain text.

== Network Forensics ==

Wireshark can be used in the [[network forensics]] process. There are some limitations:

* Wireshark is packet-centric (not data-centric): it shows you frames, and reconstructing the data that crossed the wire (files, sessions) is a separate step;
* Wireshark doesn't work well with large network capture files (you can turn all packet coloring rules off to increase performance).
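Added example (not Wireshark code): a minimal Python writer and reader for the tcpdump (libpcap) format listed above, with a constructed three-packet capture and a field-equality filter that mimics how a display filter such as <code>tcp.dstport == 80</code> selects packets. The MAC and IP addresses, ports, timestamps and payloads are made up; the TCP checksum is left at zero (Wireshark would flag it, the frame still dissects), and the nanosecond-timestamp magic and pcapng are not handled.

```python
import io
import socket
import struct

# libpcap global header constants for the classic microsecond format that
# Wireshark and tcpdump read; pcapng and the nanosecond magic 0xA1B23C4D
# are out of scope for this example.
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over an IPv4 header whose checksum field is zero."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_frame(src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame (made-up MACs, TCP checksum left at 0)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    # seq=1, ack=0, data offset 5 words, flags PSH|ACK, window 65535, csum 0, urg 0
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return eth + ip + tcp + payload


def write_pcap(packets) -> bytes:
    """Serialize (ts_sec, ts_usec, frame) tuples into a little-endian libpcap file image."""
    out = io.BytesIO()
    out.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for ts_sec, ts_usec, frame in packets:
        out.write(struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)))
        out.write(frame)
    return out.getvalue()


def read_pcap(data: bytes):
    """Parse a libpcap file image, honouring the byte order the magic number announces.
    Returns (linktype, [(ts_sec, ts_usec, frame), ...]); refuses truncated records."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        order = "<"
    elif magic == 0xD4C3B2A1:
        order = ">"
    else:
        raise ValueError("not a libpcap file (magic %08x)" % magic)
    snaplen, linktype = struct.unpack(order + "II", data[16:24])
    pos, packets = 24, []
    while pos + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(order + "IIII", data[pos:pos + 16])
        pos += 16
        if incl_len > snaplen or pos + incl_len > len(data):
            raise ValueError("truncated or corrupt record at offset %d" % pos)
        packets.append((ts_sec, ts_usec, data[pos:pos + incl_len]))
        pos += incl_len
    return linktype, packets


def dissect(frame: bytes) -> dict:
    """Decode the Ethernet/IPv4/TCP fields a display filter would test, keyed
    with Wireshark-style field names."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        return {"ethertype": ethertype}
    ihl = (frame[14] & 0x0F) * 4
    fields = {"ethertype": ethertype, "ip.src": socket.inet_ntoa(frame[26:30]),
              "ip.dst": socket.inet_ntoa(frame[30:34]), "ip.proto": frame[23]}
    if fields["ip.proto"] == 6:
        tcp = 14 + ihl
        sport, dport = struct.unpack("!HH", frame[tcp:tcp + 4])
        doff = (frame[tcp + 12] >> 4) * 4
        fields.update({"tcp.srcport": sport, "tcp.dstport": dport, "tcp.payload": frame[tcp + doff:]})
    return fields


def display_filter(packets, **wanted):
    """Keep packets whose dissected fields equal every key=value given (plain
    equality only; Wireshark's filter language is far richer)."""
    return [p for p in packets if all(dissect(p[2]).get(k) == v for k, v in wanted.items())]


def demo():
    """Round-trip a constructed capture and apply the equivalent of tcp.dstport == 80."""
    frames = [
        (1219957200, 0, build_tcp_frame("10.0.0.5", "192.0.2.10", 40001, 80, b"GET / HTTP/1.0\r\n\r\n")),
        (1219957200, 420, build_tcp_frame("192.0.2.10", "10.0.0.5", 80, 40001, b"HTTP/1.0 200 OK\r\n")),
        (1219957201, 0, build_tcp_frame("10.0.0.5", "192.0.2.20", 40002, 443, b"\x16\x03\x01\x00\x05")),
    ]
    linktype, packets = read_pcap(write_pcap(frames))
    to_http = display_filter(packets, **{"tcp.dstport": 80})
    return linktype, len(packets), [dissect(p[2])["ip.dst"] for p in to_http]


if __name__ == "__main__":
    print(demo())
```

Writing the file out with <code>write_pcap</code> and opening it in Wireshark shows the same three frames in the packet list; note that this reader stops at the first malformed record rather than skipping it, which is the safer default when the capture itself may be evidence.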

=== Wireless Forensics ===

Wireshark can decrypt IEEE 802.11 WLAN data when the user supplies the encryption keys (WEP keys, or the WPA/WPA2 passphrase or pre-shared key). For WPA/WPA2 the capture must also contain the four-way handshake of the session being decrypted; without it Wireshark cannot derive the per-session keys.

== External Links ==

* [http://wiki.wireshark.org/ Wireshark Wiki]

== See Also ==

* [[tcpdump]]

[[Category:Network Forensics]]

Revision as of 21:02, 28 August 2008


== File Carving Bibliography ==

* [http://citeseer.ist.psu.edu/shanmugasundaram03automatic.html Automatic Reassembly of Document Fragments via Context Based Statistical Models], Kulesh Shanmugasundaram and Nasir Memon.

<bibtex>
@article{
  journal="Journal of Digital Forensic Practice",
  publisher="Taylor & Francis",
  author="Yoginder Singh Dandass and Nathan Joseph Necaise and Sherry Reede Thomas",
  title="An Empirical Analysis of Disk Sector Hashes for Data Carving",
  year=2008,
  volume=2,
  issue=2,
  pages="95--106",
  abstract="Discovering known illicit material on digital storage devices is an important component of a digital forensic investigation. Using existing data carving techniques and tools, it is typically difficult to recover remaining fragments of deleted illicit files whose file system metadata and file headers have been overwritten by newer files. In such cases, a sector-based scan can be used to locate those sectors whose content matches those of sectors from known illicit files. However, brute-force sector-by-sector comparison is prohibitive in terms of time required. Techniques that compute and compare hash-based signatures of sectors in order to filter out those sectors that do not produce the same signatures as sectors from known illicit files are required for accelerating the process. This article reports the results of a case study in which the hashes for over 528 million sectors extracted from over 433,000 files of different types were analyzed. The hashes were computed using SHA1, MD5, CRC64, and CRC32 algorithms and hash collisions of sectors from JPEG and WAV files to other sectors were recorded. The analysis of the results shows that although MD5 and SHA1 produce no false-positive indications, the occurrence of false positives is relatively low for CRC32 and especially CRC64. Furthermore, the CRC-based algorithms produce considerably smaller hashes than SHA1 and MD5, thereby requiring smaller storage capacities. CRC64 provides a good compromise between number of collisions and storage capacity required for practical implementations of sector-scanning forensic tools.",
  url="http://www.informaworld.com/10.1080/15567280802050436"
}
</bibtex>

[[Category:Bibliographies]]
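Added example, not code from the Dandass, Necaise and Thomas paper: Python that hashes each sector of a known file with the four algorithms the abstract compares, scans a constructed disk image sector by sector, and reports which image sectors carry which file sectors, collapsed into contiguous runs a carver could stitch back together. The 512-byte sector size, the ECMA-182 CRC-64 polynomial (the abstract does not name a variant), the skipping of all-zero sectors, and the layout of the image are all assumptions; the image is built so that the file's first two sectors have been overwritten by a newer file and the rest survives in two fragments, which is the situation the abstract describes.

```python
import hashlib
import random
import zlib

SECTOR = 512  # assumed sector size
CRC64_POLY = 0x42F0E1EBA9EA3693  # ECMA-182 polynomial (assumption; the paper does not name its CRC-64)


def crc64(data: bytes) -> int:
    """Bitwise MSB-first CRC-64, table-free so it stays short (slow, fine for a demo)."""
    crc = 0
    for byte in data:
        crc ^= byte << 56
        for _ in range(8):
            crc = ((crc << 1) ^ CRC64_POLY) if crc & (1 << 63) else (crc << 1)
            crc &= 0xFFFFFFFFFFFFFFFF
    return crc


def sector_hash(sector: bytes, algo: str) -> bytes:
    """Signature of one sector: 20 bytes (sha1), 16 (md5), 8 (crc64) or 4 (crc32).
    The signature length is what the abstract's storage comparison is about."""
    if algo == "crc32":
        return zlib.crc32(sector).to_bytes(4, "big")
    if algo == "crc64":
        return crc64(sector).to_bytes(8, "big")
    return hashlib.new(algo, sector).digest()


def is_blank(sector: bytes) -> bool:
    """All-zero sectors are skipped on both sides: they appear all over a disk and
    would match any zero-filled sector of a known file (a filter added here)."""
    return sector.count(0) == len(sector)


def sector_hashes(data: bytes, algo: str) -> dict:
    """Map each sector signature of a known file to the file sectors carrying it."""
    table = {}
    for i in range(len(data) // SECTOR):
        sec = data[i * SECTOR:(i + 1) * SECTOR]
        if not is_blank(sec):
            table.setdefault(sector_hash(sec, algo), []).append(i)
    return table


def scan_image(image: bytes, known: dict, algo: str) -> list:
    """Sector-by-sector scan: (image_sector, [file sectors with the same signature])."""
    hits = []
    for j in range(len(image) // SECTOR):
        sec = image[j * SECTOR:(j + 1) * SECTOR]
        if is_blank(sec):
            continue
        sig = sector_hash(sec, algo)
        if sig in known:
            hits.append((j, known[sig]))
    return hits


def contiguous_runs(hits: list) -> list:
    """Collapse hits into (image_start, image_end, file_start) runs in which image
    and file sector numbers advance together, i.e. fragments a carver can reassemble."""
    runs = []
    for img, files in hits:
        f = files[0]
        if runs and runs[-1][1] == img - 1 and runs[-1][2] + (img - runs[-1][0]) == f:
            runs[-1][1] = img
        else:
            runs.append([img, img, f])
    return [tuple(r) for r in runs]


def build_scenario():
    """Constructed data: an 8-sector 'known illicit file' and a 32-sector image whose
    copy of the file lost its header sectors to a newer file and survives in two fragments."""
    rng = random.Random(2008)
    rand = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    known_file = rand(8 * SECTOR)
    image = bytearray(32 * SECTOR)                                      # zero-filled, unallocated
    image[10 * SECTOR:12 * SECTOR] = rand(2 * SECTOR)                   # newer file over the old header
    image[12 * SECTOR:16 * SECTOR] = known_file[2 * SECTOR:6 * SECTOR]  # file sectors 2..5, contiguous
    image[20 * SECTOR:22 * SECTOR] = known_file[6 * SECTOR:8 * SECTOR]  # file sectors 6..7, elsewhere
    image[25 * SECTOR:28 * SECTOR] = rand(3 * SECTOR)                   # unrelated live data
    return known_file, bytes(image)


def carve(algo: str = "crc64") -> list:
    """Run the scan with one signature algorithm and return the contiguous runs found."""
    known_file, image = build_scenario()
    return contiguous_runs(scan_image(image, sector_hashes(known_file, algo), algo))


if __name__ == "__main__":
    for algo in ("sha1", "md5", "crc64", "crc32"):
        print(algo, len(sector_hash(b"\x01" * SECTOR, algo)), "bytes per sector ->", carve(algo))
```

On this tiny image all four algorithms report the same two runs; the abstract's point is what happens at 528 million sectors, where a 4-byte CRC32 signature will collide with unrelated sectors while a cryptographic hash will not, so a CRC hit should be treated as a candidate to confirm by byte comparison rather than as a finding.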