Difference between pages "SSL forensics" and "Aimage"

From Forensics Wiki
'''SSL (TLS) forensics''' is the process of capturing information exchanged through SSL (TLS) connections and trying to make sense of it in some kind of forensics capacity.
  
== Overview ==
  
TLS (''Transport Layer Security'') provides authentication and [[encryption]] for many application protocols, such as ''POP'', ''IMAP'', ''SMTP'' and ''HTTP''. Almost any other TCP-based protocol can also be tunnelled through TLS with a tool such as [http://stunnel.mirt.net/ stunnel].
  
In most deployments only the server is authenticated, by presenting a certificate signed by a CA the client trusts; the client is usually not authenticated at the TLS layer at all (client certificates are optional and rarely used).
 
  
== Data decryption ==
  
Data exchanged over SSL (TLS) connections can be decrypted by a ''man-in-the-middle'' attack: the attacker intercepts the TLS handshake, presents the client a forged certificate for the server's name (with a key pair the attacker controls), and opens a separate TLS session to the real server, re-encrypting traffic in both directions. This only works if the client accepts the forged certificate, i.e. the client does not validate the certificate chain, or the forged certificate is signed by a CA the client trusts (for example one installed by the interceptor).
  
Many commercial [[network forensics]] systems can perform such an attack:
* Mera Systems [http://netbeholder.com/en/products/lawful_interception.html Sleek Buster] (supports signed forged certificates)
* [http://www.edecision4u.com/edecision4u/Products.html E-Detective HTTPS/SSL Network Packet Forensics Device]
Some open-source tools can do the same:
* [http://ettercap.sourceforge.net/ ettercap] (unsupported, last version - 2005/05/29)
* [http://monkey.org/~dugsong/dsniff/ dsniff] (obsolete, last stable version - 2000/12/17)
== Other information ==
The TLS protocol also leaks some significant information:
* The current date and time on the TLS client and server: the first four bytes of the ''Random'' field in ClientHello and ServerHello are ''gmt_unix_time'' (old versions of [[Firefox]] and [[Thunderbird]] filled this field with the system's uptime instead);
* The approximate size of the original data: record lengths are sent in the clear, and the ciphertext length is the plaintext length plus the MAC (plus padding up to the block size for CBC cipher suites), so with a stream cipher such as RC4 the exact plaintext length is visible.
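Both leaks can be read straight out of a capture without any key material. The following parser is an added example, not code from the wiki or from any tool it mentions: it walks a TLS 1.0-1.2 byte stream, pulls ''gmt_unix_time'' out of every ClientHello/ServerHello it finds, and records the length of every application-data record. The "captured" bytes are constructed inline by the two ''build_*'' helpers (a single cipher suite, no extensions), not taken from a real session. Note that TLS 1.3, and most modern TLS 1.2 stacks, fill the whole Random with random bytes, so the timestamp leak only applies to older implementations.

```python
"""Extract the cleartext fields a TLS 1.0-1.2 capture leaks: Hello timestamps
and application-data record sizes.  Added example with constructed input."""
import struct
from datetime import datetime, timezone

# Record-layer content types (RFC 2246 section 6.2.1) and Hello message types.
HANDSHAKE, APPLICATION_DATA = 22, 23
CLIENT_HELLO, SERVER_HELLO = 1, 2
TLS_1_0 = 0x0301


def parse_records(data):
    """Split a raw TLS byte stream into (content_type, version, payload) tuples."""
    records, pos = [], 0
    while pos + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[pos:pos + 5])
        payload = data[pos + 5:pos + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated record at offset %d" % pos)
        records.append((ctype, version, payload))
        pos += 5 + length
    return records


def hello_timestamp(handshake):
    """For a ClientHello/ServerHello handshake message return
    (msg_type, version, gmt_unix_time); for anything else return None."""
    msg_type = handshake[0]
    body_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + body_len]
    if msg_type not in (CLIENT_HELLO, SERVER_HELLO) or len(body) < 34:
        return None
    version = struct.unpack("!H", body[0:2])[0]
    # Random = gmt_unix_time (4 bytes) + 28 random bytes; only the time matters here.
    gmt_unix_time = struct.unpack("!I", body[2:6])[0]
    return msg_type, version, gmt_unix_time


def hello_time_iso(gmt_unix_time):
    """Render a leaked gmt_unix_time as an ISO 8601 UTC string."""
    return datetime.fromtimestamp(gmt_unix_time, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def extract_leaks(data):
    """Walk a captured stream and collect Hello timestamps and app-data sizes."""
    leaks = {"hellos": [], "app_data_lengths": []}
    for ctype, _version, payload in parse_records(data):
        if ctype == HANDSHAKE:
            info = hello_timestamp(payload)
            if info:
                leaks["hellos"].append(info)
        elif ctype == APPLICATION_DATA:
            # Ciphertext length = plaintext + MAC (+ CBC padding); sent in the clear.
            leaks["app_data_lengths"].append(len(payload))
    return leaks


# ---- constructed sample capture (not a real session) ----------------------
def _record(ctype, version, payload):
    return struct.pack("!BHH", ctype, version, len(payload)) + payload


def build_client_hello(gmt_unix_time, version=TLS_1_0):
    random = struct.pack("!I", gmt_unix_time) + b"\x11" * 28
    body = struct.pack("!H", version) + random
    body += b"\x00"                                  # session_id length 0
    body += struct.pack("!H", 2) + b"\x00\x2f"       # one suite: TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                              # one compression method: null
    msg = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return _record(HANDSHAKE, version, msg)


def build_server_hello(gmt_unix_time, version=TLS_1_0):
    random = struct.pack("!I", gmt_unix_time) + b"\x22" * 28
    body = struct.pack("!H", version) + random
    body += b"\x00" + b"\x00\x2f" + b"\x00"          # no session id, chosen suite, null compression
    msg = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return _record(HANDSHAKE, version, msg)


SAMPLE_CAPTURE = (
    build_client_hello(1234567890)                        # client clock: 2009-02-13T23:31:30Z
    + build_server_hello(1234567893)                      # server clock, 3 s later
    + _record(APPLICATION_DATA, TLS_1_0, b"\xaa" * 53)    # 53 bytes of ciphertext
    + _record(APPLICATION_DATA, TLS_1_0, b"\xbb" * 1460)  # a full-size record
)

if __name__ == "__main__":
    leaks = extract_leaks(SAMPLE_CAPTURE)
    for msg_type, version, t in leaks["hellos"]:
        print("hello type %d version 0x%04x time %s" % (msg_type, version, hello_time_iso(t)))
    print("application data record sizes:", leaks["app_data_lengths"])
```

Run it as a script to see the two Hello timestamps and the record sizes; on a real capture, feed ''extract_leaks'' the reassembled TCP payload of one direction at a time, since records from both peers interleaved in one buffer would not parse.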
== Links ==
* [http://rfc.net/rfc2246.html RFC 2246 (TLS 1.0)]
* [http://rfc.net/rfc4346.html RFC 4346 (TLS 1.1)]

Latest revision as of 20:26, 21 October 2013

aimage
Maintainer: Simson Garfinkel, Basis Technology
OS: Linux
Genre: Disk imaging
License: Original BSD license

aimage (the advanced imager) was an imaging tool that was part of AFF.

aimage can create files in raw, AFF, AFD, or AFM formats. AFF and AFD output can be compressed or uncompressed. aimage can optionally compress the data and compute MD5 or SHA-1 hashes while the data is being copied. It had intelligent error recovery, similar to that in ddrescue.

aimage was withdrawn from support on December 25, 2010.

Linux distributions that packaged aimage are encouraged to drop it and package guymager instead.

See Also
* How to image an IDE disk with aimage and FreeBSD