Difference between pages "SSL forensics" and "Afentis forensics"

From ForensicsWiki

SSL forensics

'''SSL (TLS) forensics''' is the process of capturing the information exchanged over SSL (TLS) connections and making sense of it in a forensic context.

== Overview ==

TLS (''Transport Layer Security'') provides authentication and [[encryption]] for many network protocols, such as ''POP'', ''IMAP'', ''SMTP'' and ''HTTP''. Almost any TCP-based protocol can also be tunnelled through TLS using tools such as [http://stunnel.mirt.net/ stunnel].

In most TLS deployments only the server is authenticated, by presenting a certificate signed by a trusted CA; the client is usually not authenticated at all.

== Data decryption ==

Data exchanged over SSL (TLS) connections can be decrypted by performing a ''man-in-the-middle'' attack: the attacker intercepts the TLS handshake and substitutes new certificates (carrying the attacker's own keys), so that each side ends up encrypting to the attacker rather than to its real peer.

Some commercial [[network forensics]] systems can perform such an attack:

* Mera Systems [http://netbeholder.com/en/products/lawful_interception.html Sleek Buster] (supports forged certificates signed by a trusted CA)
* [http://www.edecision4u.com/edecision4u/Products.html E-Detective HTTPS/SSL Network Packet Forensics Device]

As well as some open-source tools:

* [http://ettercap.sourceforge.net/ ettercap] (unsupported, last version - 2005/05/29)
* [http://monkey.org/~dugsong/dsniff/ dsniff] (obsolete, last stable version - 2000/12/17)

== Other information ==

Even without decryption, the TLS protocol leaks some significant information:

* Current date and time on the TLS client and server (old versions of [[Firefox]] and [[Thunderbird]] leak the system's uptime);
* Hostname being accessed ("server_name" extension);
* Size of the original (plaintext) data.
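All three of the leaks listed above can be read straight out of a captured ClientHello, with no key material at all. The following Python script is an added example and is not code from ForensicsWiki: it first builds a constructed TLS 1.2 ClientHello record (the hostname, the timestamp and the two cipher suite ids are sample values chosen for the demo, not captured traffic) and then parses it the way a network forensics tool would, extracting the gmt_unix_time field of client_random, the host name from the server_name extension and the record length. The parser assumes the TLS 1.0-1.2 ClientHello layout.

```python
"""Pull forensic metadata out of a TLS ClientHello without decrypting anything.

Added example (not code from ForensicsWiki). The ClientHello is constructed in
build_client_hello(); no real traffic is involved.
"""
import struct
import time


def build_client_hello(hostname: str, gmt_unix_time: int) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record carrying a server_name extension.

    Hostname, timestamp and cipher suites are constructed sample values.
    """
    # client_random: 4-byte gmt_unix_time followed by 28 nonce bytes (zeros here)
    client_random = struct.pack(">I", gmt_unix_time) + bytes(28)
    session_id = b"\x00"                     # empty session id
    cipher_suites = b"\xc0\x2f\x00\x9c"      # two sample suite ids
    compression = b"\x01\x00"                # one method: null

    # server_name extension (type 0): list of (name_type=0 host_name, length, name)
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack(">H", len(name)) + name
    sni_list = struct.pack(">H", len(sni_entry)) + sni_entry
    extension = struct.pack(">HH", 0x0000, len(sni_list)) + sni_list
    extensions = struct.pack(">H", len(extension)) + extension

    body = (b"\x03\x03" + client_random + session_id
            + struct.pack(">H", len(cipher_suites)) + cipher_suites
            + compression + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    # record layer: content type 22 (handshake), legacy version 3.1, length
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def parse_client_hello(record: bytes) -> dict:
    """Parse a TLS record holding a ClientHello and return the leaked metadata."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a complete ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]

    pos = 0
    client_version = body[pos:pos + 2]
    pos += 2
    client_random = body[pos:pos + 32]
    pos += 32
    gmt_unix_time = struct.unpack(">I", client_random[:4])[0]
    pos += 1 + body[pos]                                    # skip session id
    cs_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack(">H", body[pos + i:pos + i + 2])[0]
              for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                    # skip compression methods

    sni = None
    if pos + 2 <= len(body):                                # extensions are optional
        ext_end = pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype == 0x0000:                             # server_name extension
                q = 2                                       # skip the list length
                while q + 3 <= len(edata):
                    ntype = edata[q]
                    nlen = struct.unpack(">H", edata[q + 1:q + 3])[0]
                    q += 3
                    if ntype == 0:                          # host_name entry
                        sni = edata[q:q + nlen].decode("ascii", "replace")
                        break
                    q += nlen

    return {
        "client_version": f"{client_version[0]}.{client_version[1]}",
        "gmt_unix_time": gmt_unix_time,
        "client_time_utc": time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(gmt_unix_time)),
        "sni": sni,
        "cipher_suites": suites,
        "record_length": 5 + rec_len,   # bytes on the wire for this record
    }


if __name__ == "__main__":
    sample = build_client_hello("mail.example.com", 1401111360)  # constructed input
    for key, value in parse_client_hello(sample).items():
        print(f"{key:16s} {value}")
```

Run against a real capture, the record would be the first client-to-server TCP payload of the connection. Two caveats for current traffic: TLS 1.3 (RFC 8446) made the whole 32-byte random opaque, and the major browsers had already randomised the gmt_unix_time field before that, so the timestamp leak mainly concerns the older clients this page describes; the server_name extension, by contrast, is still sent in cleartext unless Encrypted Client Hello is deployed.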
  
== [[The Onion Router]] ==

[[Tor]] tunnels application data through TLS connections, and such connections cannot be decrypted with a traditional ''man-in-the-middle'' attack. [[Tor]] also sends application data in chunks, which makes it harder to determine exactly how many bytes the users are exchanging.

== Links ==

* [http://rfc.net/rfc2246.html RFC 2246 (TLS 1.0)]
* [http://rfc.net/rfc4346.html RFC 4346 (TLS 1.1)]

Revision as of 13:36, 26 May 2014

Afentis Forensics

Scientific support and investigation practice with expert witnesses providing DNA analysis, fingerprint evaluations, firearm evidence, mobile telephone examinations and Cell Site Analysis (CSA) - from crime scene to court.

Afentis produces a number of eDiscovery and digital evidence software tools, including:

* [http://www.facebookforensics.com/ Facebook Forensic Toolkit]
* [http://www.linkedinforensics.com/ LinkedIn Forensic Toolkit]
* [http://www.youtubeforensics.com/ YouTube Forensic Toolkit]
* [http://www.tumblrforensics.com/ Tumblr Forensic Toolkit]

== External Link ==

* [http://www.afentis.com/ Official Website]