Difference between pages "SSL forensics" and "Cisco IOS Forensics"

From ForensicsWiki
(Difference between pages)

SSL forensics: (New page: '''SSL (TLS) forensics''' is the process of capturing information exchanged through SSL (TLS) connections and trying to make sense of it in some kind of forensics capacity. == Overview ==...)

Cisco IOS Forensics: m (Created page with 'White paper on Cisco IOS forensics: * http://www.blackhat.com/presentations/bh-dc-08/FX/Whitepaper/bh-dc-08-fx-WP.pdf Slides: * http://www.slideshare.net/tsudohnimh/fxs-cisco-ios…')

'''Cisco IOS Forensics'''

White paper on Cisco IOS forensics:

* http://www.blackhat.com/presentations/bh-dc-08/FX/Whitepaper/bh-dc-08-fx-WP.pdf

Slides:

* http://www.slideshare.net/tsudohnimh/fxs-cisco-ios-forensics-pdf-presentation

'''SSL forensics'''

'''SSL (TLS) forensics''' is the process of capturing information exchanged through SSL (TLS) connections and trying to make sense of it in some kind of forensics capacity.

== Overview ==

TLS (''Transport Layer Security'') provides authentication and [[encryption]] for many network protocols, such as ''POP'', ''IMAP'', ''SMTP'' and ''HTTP''. Almost any TCP-based protocol can also be tunnelled through TLS with tools such as [http://stunnel.mirt.net/ stunnel].

In most TLS deployments only the server is authenticated, using a signed certificate.

== Data decryption ==

Data exchanged through SSL (TLS) connections can be decrypted by performing a ''man-in-the-middle'' attack: the attacker modifies the TLS handshake and presents substitute certificates carrying the attacker's own keys.

Many commercial [[network forensics]] systems can perform such an attack:
* Mera Systems [http://netbeholder.com/en/products/lawful_interception.html Sleek Buster] (supports signed forged certificates)
* [http://www.edecision4u.com/edecision4u/Products.html E-Detective HTTPS/SSL Network Packet Forensics Device]

So can some open-source tools:
* [http://ettercap.sourceforge.net/ ettercap] (unsupported; last version 2005/05/29)
* [http://monkey.org/~dugsong/dsniff/ dsniff] (obsolete; last stable version 2000/12/17)

== Other information ==

The TLS protocol also leaks some significant information:
* the current date and time on the TLS client and server (old versions of [[Firefox]] and [[Thunderbird]] leak the system's uptime);
* the original data size.
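As an added example (not part of the wiki page), a small Python parser that demonstrates both leaks listed above from a passive capture: it reads gmt_unix_time from the ClientHello Random field defined in RFC 2246/4346, and takes the cleartext length of each application_data record as a bound on the plaintext size. The record stream it runs over is constructed inline, not captured traffic.

```python
import struct

# TLS record header: content type (1), version (2), length (2).
RECORD_HDR = struct.Struct("!BHH")
CONTENT_HANDSHAKE, CONTENT_APPDATA, HS_CLIENT_HELLO = 22, 23, 1


def client_hello_time(record):
    """Return (client_version, gmt_unix_time) from a handshake record carrying a
    ClientHello, or None. RFC 2246/4346 define Random as a uint32 gmt_unix_time
    plus 28 opaque bytes, so the client's clock is sent before any key exists."""
    ctype, _, length = RECORD_HDR.unpack_from(record, 0)
    body = record[5:5 + length]
    if ctype != CONTENT_HANDSHAKE or len(body) < 4 or body[0] != HS_CLIENT_HELLO:
        return None
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    if len(hello) < 34:  # ProtocolVersion (2) + Random (32)
        return None
    client_version, gmt_unix_time = struct.unpack_from("!HI", hello, 0)
    return client_version, gmt_unix_time


def appdata_sizes(stream, mac_len=0):
    """Walk concatenated TLS records and return the payload size of each
    application_data record. The record length is sent in the clear, so the
    ciphertext length minus the MAC length (20 for HMAC-SHA1 with a stream
    cipher) bounds the original plaintext size."""
    sizes, off = [], 0
    while off + 5 <= len(stream):
        ctype, _, length = RECORD_HDR.unpack_from(stream, off)
        if ctype == CONTENT_APPDATA:
            sizes.append(length - mac_len)
        off += 5 + length
    return sizes


def build_client_hello(version=0x0301, gmt_unix_time=1252083900):
    """Constructed sample, not captured traffic: a minimal TLS 1.0 ClientHello
    offering one cipher suite (TLS_RSA_WITH_AES_128_CBC_SHA) and null compression."""
    random = struct.pack("!I", gmt_unix_time) + bytes(28)
    hello = (struct.pack("!H", version) + random + b"\x00"          # empty session id
             + struct.pack("!H", 2) + b"\x00\x2f" + b"\x01\x00")    # suites, compression
    hs = bytes([HS_CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return RECORD_HDR.pack(CONTENT_HANDSHAKE, version, len(hs)) + hs


if __name__ == "__main__":
    # Constructed stream: one ClientHello followed by two application_data records.
    stream = (build_client_hello()
              + RECORD_HDR.pack(CONTENT_APPDATA, 0x0301, 537) + bytes(537)
              + RECORD_HDR.pack(CONTENT_APPDATA, 0x0301, 84) + bytes(84))
    print(client_hello_time(stream))            # (769, 1252083900)
    print(appdata_sizes(stream, mac_len=20))    # [517, 64]
```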
== Links ==

* [http://rfc.net/rfc2246.html RFC 2246 (TLS 1.0)]
* [http://rfc.net/rfc4346.html RFC 4346 (TLS 1.1)]

Latest revision as of 17:05, 4 September 2009