Difference between pages "Tools:Network Forensics" and "Disk Imaging"

From Forensics Wiki
(Difference between pages)
Jump to: navigation, search
m
 
 
Line 1: Line 1:
=Network Forensics Packages and Appliances=
+
{{expand}}
; [[Burst]]
+
: http://www.burstmedia.com/release/advertisers/geo_faq.htm
+
: Expensive IP geo-location service.
+
  
; [[chkrootkit]]
+
Disk imaging is the process of making a bit-by-bit copy of a disk. Imaging (in more general terms) can apply to anything that can be considered as a bit-stream, e.g. a physical or logical volumes, network streams, etc.
: http://www.chkrootkit.org
+
  
; [[cryptcat]]
+
The most straight-forward disk imaging method is reading a disk from start to end and writing the data to a [[:Category:Forensics_File_Formats|Forensics image format]].
: http://farm9.org/Cryptcat/
+
This can be a time consuming process especially for disks with a large capacity.
  
; [[Enterasys Dragon]]
+
== Compressed storage ==
: http://www.enterasys.com/products/advanced-security-apps/index.aspx
+
A common technique to reduce the size of an image file is to compress the data.
: Instrusion Detection System, includes session reconstruction.
+
On modern computers, with multiple cores, the compression can be done in parallel reducing the output without prolonging the imaging process.
 +
Since the write speed of the target disk can be a bottleneck in imaging process parallel compression can reduce the total time of the imaging process.
 +
[[Guymager]] was one of the first imaging tools to implement the concept of multi-process compression.
  
; [[MaxMind]]
+
Other techniques like storing the data sparse or '''empty-block compression''' can reduce the total time of the imaging process and the resulting size of new non-encrypted (0-byte filled) disks.
: http://www.maxmind.com
+
: [[IP geolocation]] services and data provider for offline geotagging. Free GeoLite country database. Programmable APIs.
+
  
; [[netcat]]
+
== Error tolerance and recovery ==
: http://netcat.sourceforge.net/
+
  
; [[netflow]]/[[flowtools]]
+
== Smart imaging ==
: http://www.cisco.com/warp/public/732/Tech/nmp/netflow/index.shtml
+
Smart imaging is a combination of techniques to make the imaging process more intelligent.
: http://www.splintered.net/sw/flow-tools/
+
* Selective imaging
: http://silktools.sourceforge.net/
+
* Decryption while imaging
: http://www.vmware.com/vmtn/appliances/directory/293 Netflow Appliance (VMWare)
+
  
; NetIntercept
+
=== Selective imaging ===
: http://www.sandstorm.net/products/netintercept
+
Selective imaging is a technique to only make a copy of certain information on a disk like the $MFT on an [[NTFS]] volume with the necessary contextual information.
: NetIntercept captures whole packets and reassembles up to 999,999 TCP connections at once, reconstructing files that were sent over your network and creating a database of its findings. It recognizes over 100 types of network protocols and file types, including web traffic, multimedia, email, and IM.
+
  
; [[NetworkMiner]]
+
=== Decryption while imaging ===
: http://networkminer.wiki.sourceforge.net/NetworkMiner
+
Encrypted data is worst-case scenario for compression. Because the encryption process should be deterministic a solution to reduce the size of an encrypted image is to store it non-encrypted and compressed and encrypt it on-the-fly if required. Although this should be rare since the non-encrypted data is what undergoes analysis.
: NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows. NetworkMiner can be used as a passive network sniffer/packet capturing tool or to parse PCAP files for off-line analysis.
+
  
; [[rkhunter]]
+
== Logical image ==
: http://rkhunter.sourceforge.net/
+
  
; [[ngrep]]
+
== Also see ==
: http://ngrep.sourceforge.net/
+
[[:Category:Forensics_File_Formats|Forensics File Formats]]
  
; [[nslookup]]
+
== External Links ==
: http://en.wikipedia.org/wiki/Nslookup
+
* [http://www.tableau.com/pdf/en/Tableau_Forensic_Disk_Perf.pdf Benchmarking Hard Disk Duplication Performance in Forensic Applications], by [[Robert Botchek]]
: Name Server Lookup command line tool used to find IP address from domain name.
+
  
; [[Sguil]]
+
=== Hash based imaging ===
: http://sguil.sourceforge.net/
+
* [http://www.dfrws.org/2010/proceedings/2010-314.pdf Hash based disk imaging using AFF4], by [[Michael Cohen]], [[Bradley Schatz]]
 
+
; [[Snort]]
+
: http://www.snort.org/
+
 
+
; [[ssldump]]
+
: http://ssldump.sourceforge.net/
+
 
+
; [[tcpdump]]
+
: http://www.tcpdump.org
+
 
+
; [[tcpextract]]
+
: http://tcpxtract.sourceforge.net/
+
 
+
; [[tcpflow]]
+
: http://www.circlemud.org/~jelson/software/tcpflow/
+
 
+
; [[truewitness]]
+
: http://www.nature-soft.com/forensic.html
+
: Linux/open-source. Based in India.
+
 
+
; [[etherpeek]]
+
: http://www.wildpackets.com/products/etherpeek/overview
+
 
+
; [[Whois]]
+
: http://en.wikipedia.org/wiki/WHOIS Web service and command line tool to look up registry information for internet domain.
+
: http://www.arin.net/registration/agreements/bulkwhois.pdf Bulk WHOIS data request from ARIN
+
 
+
; [[IP Regional Registries]]
+
: http://www.arin.net/community/rirs.html
+
: http://www.arin.net/index.shtml American Registry for Internet Numbers (ARIN)
+
: http://www.afrinic.net/ African Network Information Center (AfriNIC)
+
: http://www.apnic.net/ Asia Pacific Network Information Centre (APNIC)
+
: http://www.lacnic.net/en/ Latin American and Caribbean IP Address Regional Registry (LACNIC)
+
: http://www.ripe.net/ RIPE Network Coordination Centre (RIPE NCC)
+
 
+
; [[Wireshark/Ethereal]]
+
: http://www.wireshark.org/
+
: Open Source protocol analyzer previously known as ethereal.
+
 
+
; [[Xplico]]
+
: http://www.xplico.org/
+
: Open Source Network Forensic Analysis Tool (NFAT). Protocols supported: [http://www.xplico.org/status.html HTTP, SIP, FTP, IMAP, POP, SMTP, TCP, UDP, IPv4, IPv6, ...]
+
 
+
=Command-line tools=
+
 
+
[[arp]] - view the contents of your ARP cache
+
 
+
[[ifconfig]] - view your mac and IP address
+
 
+
[[ping]] - send packets to probe remote machines
+
 
+
[[tcpdump]] - capture packets
+
 
+
[[snoop]] - captures packets from the network and displays their contents ([[Solaris]])
+
 
+
[[nemesis]] - create arbitrary packets
+
 
+
[[tcpreplay]] - replay captured packets
+
 
+
[[traceroute]] - view a network path
+
 
+
[[gnetcast]] - GNU rewrite of netcat
+
 
+
[[packit]] - packet generator
+
 
+
[[nmap]] - utility for network exploration and security auditing
+
 
+
==ARP and Ethernet MAC Tools==
+
 
+
[[arping]] - transmit ARP traffic
+
 
+
[[arpdig]] - probe LAN for MAC addresses
+
 
+
[[arpwatch]] - watch ARP changes
+
 
+
[[arp-sk]] - perform denial of service attacks
+
 
+
[[macof]] - CAM table attacks
+
 
+
[[ettercap]] - performs various low-level Ethernet network attacks
+
 
+
==CISCO Discovery Protocol Tools==
+
[[cdpd]] - transmit and receive CDP announcements; provides forgery capabilities
+
 
+
==ICMP Layer Tests and Attacks==
+
[[icmp-reset]]
+
 
+
[[icmp-quench]]
+
 
+
[[icmp-mtu]]
+
 
+
[[ish]] - ICMP shell (like SSH, but uses ICMP)
+
 
+
[[isnprober]]
+
 
+
==IP Layer Tests==
+
[[iperf]] - IP multicast test
+
 
+
[[fragtest]] - IP fragment reassembly test
+
 
+
==UDP Layer Tests==
+
 
+
[[udpcast]] - includes UDP-receiver and UDP-sender
+
 
+
==TCP Layer==
+
 
+
[[lft]] http://pwhois.org/lft - TCP tracing
+
 
+
[[etrace]] http://www.bindshell.net/tools/etrace
+
 
+
[[firewalk]] http://www.packetfactory.net
+

Revision as of 07:11, 21 July 2012

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Disk imaging is the process of making a bit-by-bit copy of a disk. Imaging (in more general terms) can apply to anything that can be considered as a bit-stream, e.g. a physical or logical volumes, network streams, etc.

The most straight-forward disk imaging method is reading a disk from start to end and writing the data to a Forensics image format. This can be a time consuming process especially for disks with a large capacity.

Contents

Compressed storage

A common technique to reduce the size of an image file is to compress the data. On modern computers, with multiple cores, the compression can be done in parallel reducing the output without prolonging the imaging process. Since the write speed of the target disk can be a bottleneck in imaging process parallel compression can reduce the total time of the imaging process. Guymager was one of the first imaging tools to implement the concept of multi-process compression.

Other techniques like storing the data sparse or empty-block compression can reduce the total time of the imaging process and the resulting size of new non-encrypted (0-byte filled) disks.

Error tolerance and recovery

Smart imaging

Smart imaging is a combination of techniques to make the imaging process more intelligent.

  • Selective imaging
  • Decryption while imaging

Selective imaging

Selective imaging is a technique to only make a copy of certain information on a disk like the $MFT on an NTFS volume with the necessary contextual information.

Decryption while imaging

Encrypted data is worst-case scenario for compression. Because the encryption process should be deterministic a solution to reduce the size of an encrypted image is to store it non-encrypted and compressed and encrypt it on-the-fly if required. Although this should be rare since the non-encrypted data is what undergoes analysis.

Logical image

Also see

Forensics File Formats

External Links

Hash based imaging