Difference between pages "SSL forensics" and "VMWare Virtual Disk Format (VMDK)"

From Forensics Wiki

= SSL forensics =

'''SSL (TLS) forensics''' is the process of capturing the traffic exchanged over SSL/TLS connections and analysing it in a [[network forensics]] context: what can be decrypted, and what the protocol reveals even when it cannot be.

{{expand}}

== Overview ==
TLS (''Transport Layer Security'', the successor of SSL) provides authentication and [[encryption]] for many application protocols, such as ''POP'', ''IMAP'', ''SMTP'' and ''HTTP''. Almost any TCP-based protocol can also be tunnelled through TLS with a tool such as [http://stunnel.mirt.net/ stunnel], so TLS traffic is not confined to the well-known ports.
In most TLS deployments only the server is authenticated, by presenting a certificate signed by a certification authority (CA) that the client trusts; the client itself is rarely asked for a certificate. Whoever can present a server certificate the client will accept can therefore impersonate the server.
== Data decryption ==
Data exchanged over SSL/TLS connections can be decrypted by performing a ''man-in-the-middle'' attack: the intercepting device terminates the client's TLS connection itself, answering the handshake with a forged certificate for the requested server (carrying the attacker's own key pair), and opens a second TLS connection to the real server. Holding the keys of both sessions, it sees all application data in plaintext and re-encrypts it towards the other side. The client accepts the forged certificate silently only if it chains to a CA the client trusts (or if the user clicks through the warning), so the quality of the forged certificate decides whether the interception is noticed. A client certificate requirement or client-side certificate pinning defeats it.
Some commercial [[network forensics]] systems can perform such an attack:

* Mera Systems [http://netbeholder.com/en/products/lawful_interception.html Sleek Buster] (supports forged certificates signed by a trusted CA)
* [http://www.edecision4u.com/edecision4u/Products.html E-Detective HTTPS/SSL Network Packet Forensics Device]

Some open-source tools can do the same:

* [http://ettercap.sourceforge.net/ ettercap] (unsupported; last release 2005-05-29)
* [http://monkey.org/~dugsong/dsniff/ dsniff] (obsolete; last stable release 2000-12-17)


== Other information ==

Even when the content cannot be decrypted, the TLS protocol leaks some significant information:

* Current date and time on the TLS client and server: the first four bytes of the ''Random'' field in the ''ClientHello'' and ''ServerHello'' carry the sender's clock as ''gmt_unix_time'' (old versions of [[Firefox]] and [[Thunderbird]] put the system's uptime there instead);
* Hostname being accessed (''server_name'' extension, sent in the clear in the ''ClientHello'');
* Approximate size of the original data (record lengths are visible and, absent compression, differ from the plaintext length only by the MAC, padding and IV).
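
All three leaks can be read from the very first record of a session, before any key is negotiated. The following parser is an added example, not code from the original article: it walks a TLS record carrying a ''ClientHello'' and returns the ''gmt_unix_time'' from the ''Random'' field, the ''server_name'' hostname, the offered cipher suites and the record and handshake lengths. Because it must run offline, the input is constructed inline by <code>build_client_hello</code> with a hypothetical hostname and timestamp (not a capture); on real traffic you would feed it the first TLS record of the client's TCP stream.

```python
import struct
import time

TLS_HANDSHAKE = 0x16        # record content type
CLIENT_HELLO = 0x01         # handshake message type
EXT_SERVER_NAME = 0x0000    # server_name extension (RFC 6066; originally RFC 3546)


def build_client_hello(hostname, gmt_unix_time):
    """Constructed sample ClientHello record for this example (not a capture).

    Minimal but well-formed: TLS 1.2 client version, one cipher suite, empty
    session id, the null compression method and a single server_name extension.
    """
    name = hostname.encode("ascii")
    server_name = struct.pack("!BH", 0, len(name)) + name    # name_type 0 = host_name
    sni = struct.pack("!H", len(server_name)) + server_name  # ServerNameList
    extension = struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    extensions = struct.pack("!H", len(extension)) + extension
    random = struct.pack("!I", gmt_unix_time) + b"\x11" * 28  # clock + 28 "random" bytes
    body = (b"\x03\x03" + random + b"\x00"                    # version, Random, session_id len 0
            + struct.pack("!H", 2) + b"\xc0\x2f"              # one cipher suite
            + b"\x01\x00"                                     # one compression method: null
            + extensions)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # Record-layer version 0x0301 is what most clients send for compatibility.
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(handshake)) + handshake


def _sni_hostname(data):
    """Return the host_name entry of a ServerNameList, or None if absent."""
    if len(data) < 2:
        return None
    list_len = struct.unpack("!H", data[:2])[0]
    pos, end = 2, min(2 + list_len, len(data))
    while pos + 3 <= end:
        name_type = data[pos]
        name_len = struct.unpack("!H", data[pos + 1:pos + 3])[0]
        name = data[pos + 3:pos + 3 + name_len]
        if name_type == 0 and len(name) == name_len:
            return name.decode("ascii", "replace")
        pos += 3 + name_len
    return None


def parse_client_hello(record):
    """What a passive observer learns from the first record of a TLS session."""
    def need(pos, n):  # bounds check so a truncated capture fails cleanly
        if pos + n > len(body):
            raise ValueError("truncated ClientHello at offset %d" % pos)

    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    content_type, record_version, record_len = struct.unpack("!BHH", record[:5])
    if content_type != TLS_HANDSHAKE:
        raise ValueError("not a handshake record (type 0x%02x)" % content_type)
    hs = record[5:5 + record_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("record does not start with a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    need(0, 34)
    client_version = struct.unpack("!H", body[:2])[0]
    gmt_unix_time = struct.unpack("!I", body[2:6])[0]      # first 4 bytes of Random
    pos = 34
    need(pos, 1)
    pos += 1 + body[pos]                                    # skip session_id
    need(pos, 2)
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    need(pos, cs_len)
    if cs_len % 2:
        raise ValueError("odd cipher_suites length")
    cipher_suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    need(pos, 1)
    pos += 1 + body[pos]                                    # skip compression_methods
    server_name = None
    if pos + 2 <= len(body):                                # extensions block is optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = min(pos + ext_len, len(body))
        while pos + 4 <= end:
            ext_type, ext_data_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + ext_data_len]
            pos += ext_data_len
            if ext_type == EXT_SERVER_NAME:
                server_name = _sni_hostname(data)
    return {
        "record_version": record_version,
        "client_version": client_version,
        "gmt_unix_time": gmt_unix_time,
        "client_time_utc": time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(gmt_unix_time)),
        "server_name": server_name,
        "cipher_suites": cipher_suites,
        "record_len": record_len,
        "handshake_len": hs_len,
    }


if __name__ == "__main__":
    # Hypothetical hostname and clock value, constructed for the example.
    for key, value in parse_client_hello(build_client_hello("mail.example.org", 1348302600)).items():
        print(key, value)
```

A ''gmt_unix_time'' far from the capture time is itself a finding (a skewed or deliberately randomised clock, or the old Firefox/Thunderbird uptime behaviour), and the cipher suite list and extension order form a client fingerprint that survives encryption.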

== [[The Onion Router]] ==

[[Tor]] tunnels application data through TLS connections between the client and its relays, and these cannot be decrypted with the traditional ''man-in-the-middle'' attack described above: Tor does not rely on CA-signed certificates but verifies each relay's identity key through the directory consensus, so a forged certificate is simply rejected, and the application data inside is wrapped in further layers of onion encryption. [[Tor]] also sends application data in fixed-size chunks (cells), which makes it harder to guess exactly how many bytes users are communicating.

== Links ==

* [http://rfc.net/rfc2246.html RFC 2246 (TLS 1.0)]
* [http://rfc.net/rfc4346.html RFC 4346 (TLS 1.1)]

= VMWare Virtual Disk Format (VMDK) =

Revision as of 09:50, 22 September 2012

{{expand}}

== Image types ==

There are multiple types of VMWare Virtual Disk Format (VMDK) images; the ''createType'' entry of the descriptor file names the type:

* 2GbMaxExtentFlat (twoGbMaxExtentFlat); descriptor file (name.vmdk) with RAW data extent files (name-f###.vmdk) of at most 2 GB each. This image type is basically a [[Raw Image Format|split RAW image]].
* 2GbMaxExtentSparse (twoGbMaxExtentSparse); descriptor file (name.vmdk) with VMDK sparse data extent files (name-s###.vmdk)

== Descriptor file ==

The descriptor file is a small text file that defines how and where the data of the VMDK image is stored. The data itself is stored in extent data files; each extent line of the descriptor gives the access mode, the extent size in 512-byte sectors, the extent type and the file name (plus, for FLAT extents, a sector offset inside that file), and the extents in order make up the logical disk.

== Extent file types ==

There are multiple types of extent files:

* RAW data file or device
* VMDK sparse data file
* COWD sparse data file
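
As an added example (not code from the article or from VMware), the following Python parser reads a descriptor file as described above and answers the question a forensic tool has to answer for a twoGbMaxExtentFlat image: in which extent file, and at which offset, does a given logical disk offset live. The descriptor it parses is constructed inline (file names <code>disk-f00N.vmdk</code>, CID values and geometry are invented for the example); the extent line layout <code>ACCESS SIZE TYPE "FILENAME" [OFFSET]</code> and the ''ddb.geometry'' keys follow the VMware Virtual Disk Format technote. Sparse extents are recognised but not mapped, since reading them requires the grain directory inside the extent.

```python
import re

SECTOR = 512

# Extent line: ACCESS SIZE_IN_SECTORS TYPE "FILENAME" [OFFSET_IN_SECTORS]
# (the optional offset is used by FLAT extents stored inside a larger file).
# ZERO extents, which carry no file name, are not handled here.
EXTENT_RE = re.compile(
    r'^(RW|RDONLY|NOACCESS)\s+(\d+)\s+([A-Z]+)\s+"([^"]+)"(?:\s+(\d+))?\s*$'
)

# Constructed sample descriptor for a twoGbMaxExtentFlat image (not a real
# file): two 2 GB extents (4192256 sectors each) plus a 1 MB tail extent.
SAMPLE_DESCRIPTOR = """\
# Disk DescriptorFile
version=1
CID=fffffffe
parentCID=ffffffff
createType="twoGbMaxExtentFlat"

# Extent description
RW 4192256 FLAT "disk-f001.vmdk" 0
RW 4192256 FLAT "disk-f002.vmdk" 0
RW 2048 FLAT "disk-f003.vmdk" 0

# The Disk Data Base
#DDB

ddb.adapterType = "ide"
ddb.geometry.cylinders = "8320"
ddb.geometry.heads = "16"
ddb.geometry.sectors = "63"
ddb.virtualHWVersion = "4"
"""


def parse_descriptor(text):
    """Split a descriptor into (header dict, ordered list of extent dicts)."""
    header, extents = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = EXTENT_RE.match(line)
        if m:
            access, sectors, kind, filename, offset = m.groups()
            extents.append({
                "access": access,
                "sectors": int(sectors),
                "type": kind,
                "filename": filename,
                "offset": int(offset) if offset is not None else 0,
            })
            continue
        key, sep, value = line.partition("=")   # key=value and key = "value" forms
        if sep:
            header[key.strip()] = value.strip().strip('"')
    if not extents:
        raise ValueError("descriptor contains no extent lines")
    return header, extents


def total_sectors(extents):
    """Logical disk size in sectors: the extents are concatenated in order."""
    return sum(e["sectors"] for e in extents)


def geometry_sectors(header):
    """Disk size implied by the ddb geometry, for cross-checking the extents."""
    return (int(header["ddb.geometry.cylinders"])
            * int(header["ddb.geometry.heads"])
            * int(header["ddb.geometry.sectors"]))


def locate(extents, byte_offset):
    """Map a logical disk byte offset to (extent file name, byte offset in file)."""
    if byte_offset < 0:
        raise ValueError("negative offset")
    start = 0
    for e in extents:
        size = e["sectors"] * SECTOR
        if byte_offset < start + size:
            if e["type"] != "FLAT":
                # SPARSE/VMFSSPARSE extents are not a linear copy of the disk:
                # the grain directory inside the extent must be consulted.
                raise NotImplementedError("%s extent needs grain lookup" % e["type"])
            return e["filename"], e["offset"] * SECTOR + (byte_offset - start)
        start += size
    raise ValueError("offset beyond end of disk")


if __name__ == "__main__":
    header, extents = parse_descriptor(SAMPLE_DESCRIPTOR)
    print(header["createType"], total_sectors(extents), "sectors")
    print(locate(extents, 2 * 4192256 * SECTOR + 4096))
```

Comparing <code>total_sectors</code> with <code>geometry_sectors</code> is a cheap integrity check when an image arrives with a missing or renamed extent file: a descriptor whose extents do not add up to the stated geometry has been tampered with or incompletely collected.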

== External Links ==

* [http://www.vmware.com/support/developer/vddk/vmdk_50_technote.pdf?src=vmdk Virtual Disk Format 5.0], by [[VMWare]]

[[Category:File Formats]]