Difference between pages "Disk image" and "OS fingerprinting"

From ForensicsWiki

Page "Disk image":

A disk image is a full disk copy of the data making up the partition table, file allocation tables and data partitions, without regard for the operating system.

A disk image should be made prior to performing any forensic analysis of the disk. Creating a disk image is important in forensics for several reasons:

1. Ensure that disk information is not inadvertently changed during analysis.

2. By making an image of the original disk and storing the original disk, it is possible to reproduce forensic test results by repeating the analysis methods exactly on the original evidence.

3. Disk imaging captures information invisible to the operating system in use (e.g. hidden partitions, ext3 partitions on a Windows machine, etc.).

== Software ==

Popular software used to create disk images includes [[Norton Ghost]]. A raw (bit-by-bit) image of the original media should be made with the software; this may not be the software's default setting.

Other software includes [[dd]], [[dcfldd]], [[EnCase]], and [[FTK]].

Page "OS fingerprinting":

'''OS fingerprinting''' is the process of determining the [[operating system]] used by a host on a network.

== Active fingerprinting ==

Active fingerprinting is the process of transmitting packets to a remote host and analysing the corresponding replies.

== Passive fingerprinting ==

Passive fingerprinting is the process of analysing packets sent by a host on a network. In this case the fingerprinter acts as a [[sniffer]] and does not put any traffic on the network.

== Fingerprinting techniques ==

Almost all fingerprinting techniques are based on detecting differences in the packets generated by different operating systems.

Common techniques are based on analysing:

* IP TTL values;
* IP ID values;
* TCP Window size;
* TCP Options (generally, in TCP SYN and SYN+ACK packets);
* DHCP requests;
* ICMP requests;
* HTTP packets (generally, the User-Agent field).
Other techniques are based on analysing:

* Running services;
* Open port patterns.

== Limitations ==

Many passive fingerprinters get confused when analysing packets from a NAT device.
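The passive techniques listed above (IP TTL, TCP window size, TCP options in SYN packets) and the NAT limitation, as an added example that is not part of the original page or of any tool it names: a small Python passive fingerprinter that parses raw IPv4/TCP SYN packets, matches them against an illustrative signature table, and flags source addresses that yield more than one OS guess as NAT candidates. The signature values, addresses and packets are all constructed for the example (the table is not p0f's database).

```python
import struct
# Constructed, illustrative signatures: (OS label, initial TTL, SYN window, TCP option kinds).
SIGNATURES = [
    ("Linux-like", 64, 29200, (2, 4, 8, 1, 3)),        # MSS,SACKok,TS,NOP,WS
    ("Windows-like", 128, 8192, (2, 1, 3, 1, 1, 4)),   # MSS,NOP,WS,NOP,NOP,SACKok
]
def parse_syn(pkt: bytes):
    """Return (ttl, window, option kinds) from a raw IPv4+TCP SYN, or None if not a SYN."""
    tcp = pkt[(pkt[0] & 0x0F) * 4:]
    if pkt[9] != 6 or not tcp[13] & 0x02:
        return None
    opts, kinds, i = tcp[20:(tcp[12] >> 4) * 4], [], 0
    while i < len(opts) and opts[i] != 0:                # kind 0 = end of options
        kinds.append(opts[i])
        step = 1 if opts[i] == 1 else (opts[i + 1] if i + 1 < len(opts) else 0)
        if step < 2 and opts[i] != 1:                    # NOP is the only length-less kind
            break                                        # truncated or malformed length
        i += step
    return pkt[8], struct.unpack("!H", tcp[14:16])[0], tuple(kinds)

def guess_os(ttl: int, window: int, kinds: tuple) -> str:
    # Hop count is unknown, so round the observed TTL up to the nearest common initial value.
    probe = (next((c for c in (64, 128, 255) if ttl <= c), None), window, kinds)
    return next((s[0] for s in SIGNATURES if probe == s[1:]), "unknown")

def fingerprint_flows(packets):
    seen = {}                                            # source IP -> distinct OS guesses
    for pkt in packets:
        fields = parse_syn(pkt)
        if fields:
            seen.setdefault(".".join(map(str, pkt[12:16])), set()).add(guess_os(*fields))
    return {src: sorted(g) for src, g in seen.items()}

def nat_candidates(flows: dict):
    # Several OS fingerprints from one address is the NAT symptom the page describes.
    return sorted(src for src, guesses in flows.items() if len(guesses) > 1)

def build_syn(src: str, ttl: int, window: int, opts: bytes) -> bytes:
    # Constructed test packet: minimal IPv4 + TCP SYN, zero checksums, 4-byte-aligned options.
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, (5 + len(opts) // 4) << 4,
                      0x02, window, 0, 0) + opts
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, ttl, 6, 0,
                       bytes(int(o) for o in src.split(".")), bytes([192, 0, 2, 10])) + tcp
LINUX_OPTS = bytes.fromhex("020405b40402080a000000010000000001030307")
WIN_OPTS = bytes.fromhex("020405b40103030801010402")
SAMPLE = [                                               # constructed capture
    build_syn("198.51.100.5", 61, 29200, LINUX_OPTS),    # Linux host, 3 hops away
    build_syn("198.51.100.9", 63, 29200, LINUX_OPTS),    # two different hosts ...
    build_syn("198.51.100.9", 127, 8192, WIN_OPTS),      # ... behind one NAT address
]
```

Running `fingerprint_flows(SAMPLE)` reports a single guess for 198.51.100.5 and two conflicting guesses for 198.51.100.9, which `nat_candidates` then lists; on a real capture the packets would come from a sniffer and the signature table would need to be far larger.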

== Tools ==

Active fingerprinters:

* [[Nmap]]

Passive fingerprinters:

* [[NetworkMiner]]
* [[p0f]]
* [[Satori]]

== See Also ==

* [[NAT detection]]

== Links ==

* [http://nmap.org/book/osdetect.html Remote OS detection paper]

[[Category:Network Forensics]]

Revision as of 22:55, 27 November 2008
