Difference between pages "Proxy server" and "Disk Imaging"

From Forensics Wiki
(Difference between pages)
m
 
 
Line 1: Line 1:
 
{{expand}}
 
{{expand}}
  
'''Proxy server''' is a server which services the requests of its clients by forwarding requests to other servers.
+
Disk imaging is the process of making a bit-by-bit copy of a disk. Imaging (in more general terms) can apply to anything that can be considered as a bit-stream, e.g. a physical or logical volumes, network streams, etc.
  
== Overview ==
+
The most straight-forward disk imaging method is reading a disk from start to end and writing the data to a [[:Category:Forensics_File_Formats|Forensics image format]].
 +
This can be a time consuming process especially for disks with a large capacity.
  
Proxy servers are widely used by organizations and individuals for different purposes:
+
== Compressed storage ==
 +
A common technique to reduce the size of an image file is to compress the data.
 +
On modern computers, with multiple cores, the compression can be done in parallel reducing the output without prolonging the imaging process.
 +
Since the write speed of the target disk can be a bottleneck in imaging process parallel compression can reduce the total time of the imaging process.
 +
[[Guymager]] was one of the first imaging tools to implement the concept of multi-process compression.
  
* Internet sharing (like [[NAT]]);
+
Other techniques like storing the data sparse or '''empty-block compression''' can reduce the total time of the imaging process and the resulting size of new non-encrypted (0-byte filled) disks.
* Traffic compression;
+
* Accelerating service requests by retrieving content from cache;
+
* and many others.
+
  
Proxy servers are commonly used by individuals who wish to violate network policies.
+
== Error tolerance and recovery ==
* In China, proxy servers are commonly used by individuals to get around national connectivity policies. (User A can't reach website Z, but A can reach proxy server P which can reach website Z).
+
* Criminals frequently use proxy servers to hide the origin of their connections (User A connects to website Z through proxy server P; the packets appear to come from P, and not A).
+
  
=== HTTP proxies ===
+
== Smart imaging ==
 +
Smart imaging is a combination of techniques to make the imaging process more intelligent.
 +
* Selective imaging
 +
* Decryption while imaging
  
''These proxy servers are using HTTP.''
+
=== Selective imaging ===
 +
Selective imaging is a technique to only make a copy of certain information on a disk like the $MFT on an [[NTFS]] volume with the necessary contextual information.
  
Example request (direct; with relative URI):
+
=== Decryption while imaging ===
<pre>
+
Encrypted data is worst-case scenario for compression. Because the encryption process should be deterministic a solution to reduce the size of an encrypted image is to store it non-encrypted and compressed and encrypt it on-the-fly if required. Although this should be rare since the non-encrypted data is what undergoes analysis.
GET / HTTP/1.1
+
Host: cryptome.org
+
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en; rv:1.9.0.3) Gecko/20080528 Epiphany/2.22 Firefox/3.0
+
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+
Accept-Encoding: gzip,deflate
+
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+
Keep-Alive: 300
+
Connection: keep-alive
+
If-Modified-Since: Tue, 14 Oct 2008 13:59:19 GMT
+
If-None-Match: "e01922-62e9-45937059ec2de"
+
Cache-Control: max-age=0
+
</pre>
+
Example request (using proxy; with absolute URI):
+
<pre>
+
GET http://cryptome.org/ HTTP/1.1
+
Host: cryptome.org
+
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en; rv:1.9.0.3) Gecko/20080528 Epiphany/2.22 Firefox/3.0
+
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+
Accept-Encoding: gzip,deflate
+
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+
Keep-Alive: 300
+
Proxy-Connection: keep-alive
+
If-Modified-Since: Tue, 14 Oct 2008 13:59:19 GMT
+
If-None-Match: "e01922-62e9-45937059ec2de"
+
Cache-Control: max-age=0
+
</pre>
+
''Note:'' this HTTP request was intercepted on the way to proxy server.
+
  
According to RFC 2068 (section 5.1.2):
+
== Logical image ==
<pre>
+
The absoluteURI form is required when the request is being made to a proxy.
+
</pre>
+
''Note:'' proxy server will convert absolute URI to relative URI.
+
  
=== HTTPS proxies ===
+
== Also see ==
 +
[[:Category:Forensics_File_Formats|Forensics File Formats]]
  
''The same as above, but using HTTPS (HTTP over SSL/TLS).''
+
== External Links ==
 +
* [http://www.tableau.com/pdf/en/Tableau_Forensic_Disk_Perf.pdf Benchmarking Hard Disk Duplication Performance in Forensic Applications], by [[Robert Botchek]]
  
Sometimes HTTP proxies that support CONNECT method are called ''"HTTPS proxies"''. These HTTP proxies can tunnel almost every TCP-based protocol.
+
=== Hash based imaging ===
 
+
* [http://www.dfrws.org/2010/proceedings/2010-314.pdf Hash based disk imaging using AFF4], by [[Michael Cohen]], [[Bradley Schatz]]
Example request:
+
<pre>
+
CONNECT home.netscape.com:443 HTTP/1.0
+
User-agent: Mozilla/1.1N
+
</pre>
+
 
+
=== SOCKS proxies ===
+
 
+
SOCKS is an Internet protocol that allows client-server applications to transparently use the services of a network firewall.
+
 
+
=== Web proxies (CGI proxies) ===
+
 
+
These are web sites that allow a user to access a site through them. They generally use PHP or CGI to implement the proxy functionality.
+
 
+
Example GET request from [http://anonymouse.ws/ Anonymouse] (to HTTP server):
+
<pre>
+
GET / HTTP/1.0
+
Host: [scrubbed]:8080
+
User-Agent: http://Anonymouse.org/ (Unix)
+
Connection: keep-alive
+
</pre>
+
 
+
Example GET request from [http://www.hidemyass.com/ HideMyAss.com]:
+
<pre>
+
GET / HTTP/1.0
+
Host: [scrubbed]:8080
+
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en; rv:1.9.0.3) Gecko/20080528 Epiphany/2.22 Firefox/3.0
+
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+
</pre>
+
 
+
== Proxy detection ==
+
 
+
=== Server-side ===
+
 
+
* Additional HTTP headers
+
* [[OS fingerprinting]] and User-Agent
+
 
+
[[Category:Anti-Forensics]]
+
[[Category:Network Forensics]]
+
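Review bot: the "Decryption while imaging" paragraph (the `+` line beginning "Encrypted data is worst-case scenario for compression") relies on the encryption being deterministic so that an image stored non-encrypted and compressed can be re-encrypted on the fly to reproduce the original; that only holds when the restore side has the same key and the same per-sector IV or tweak, so the paragraph should state that the hash of the original encrypted stream is recorded at acquisition and checked after re-encryption, otherwise the stored image cannot be shown to be a faithful copy of the evidence. The added "== Error tolerance and recovery ==" and "== Logical image ==" headings carry no body text; either fill them or fold them into the {{expand}} notice rather than leaving empty sections.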

Revision as of 07:11, 21 July 2012


Disk imaging is the process of making a bit-by-bit copy of a disk. Imaging, in more general terms, can apply to anything that can be treated as a bit-stream, e.g. physical or logical volumes, network streams, etc.

The most straightforward disk imaging method is reading a disk from start to end and writing the data to a Forensics image format. This can be a time-consuming process, especially for disks with a large capacity.


Compressed storage

A common technique to reduce the size of an image file is to compress the data. On modern computers with multiple cores, the compression can be done in parallel, reducing the output size without prolonging the imaging process. Since the write speed of the target disk can be a bottleneck in the imaging process, parallel compression can reduce the total time of the imaging process. Guymager was one of the first imaging tools to implement the concept of multi-process compression.

Other techniques, like storing the data sparsely or empty-block compression, can reduce the total time of the imaging process and the resulting image size for new, non-encrypted (zero-filled) disks.
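The two ideas above (parallel compression and empty-block handling) combined in one small Python imager, as an added example that is not Guymager's code or any tool's: the source is read once from start to end and hashed, zero-filled blocks are recorded by length only, the remaining blocks are compressed concurrently, and the stored segments are restored and checked against the acquisition hash. The block size and the segment layout are assumptions made for illustration; the sample disk is constructed.

```python
"""Chunked imaging with empty-block detection and parallel compression."""
import hashlib
import io
import zlib
from concurrent.futures import ThreadPoolExecutor

CHUNK = 64 * 1024  # block size (assumed here; real imagers use larger blocks)

def _encode(chunk):
    # Zero-filled blocks are recorded by length only; others are compressed.
    if chunk.count(0) == len(chunk):
        return ("empty", len(chunk))
    return ("zlib", zlib.compress(chunk, 6))

def image_stream(src, workers=4):
    """Read src start to end, hash it, return (segments, sha256 hex).
    Reading and hashing are sequential; compression runs in a thread pool
    (zlib releases the GIL), so it does not prolong the read. A real imager
    would pipeline reads and compression rather than buffer the whole disk."""
    digest = hashlib.sha256()
    chunks = []
    while True:
        data = src.read(CHUNK)
        if not data:
            break
        digest.update(data)
        chunks.append(data)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        segments = list(pool.map(_encode, chunks))
    return segments, digest.hexdigest()

def image_bytes(data):
    return image_stream(io.BytesIO(data))

def restore(segments):
    """Rebuild the original bit-stream from the stored segments."""
    out = bytearray()
    for kind, payload in segments:
        out += bytes(payload) if kind == "empty" else zlib.decompress(payload)
    return bytes(out)

def verify(segments, expected_hex):
    """Hash the restored stream against the hash taken at acquisition."""
    return hashlib.sha256(restore(segments)).hexdigest() == expected_hex

def empty_blocks(segments):
    return sum(1 for kind, _ in segments if kind == "empty")

# Constructed sample disk (not a real image): two zero blocks, patterned data, then a mostly-zero block.
SAMPLE_DISK = bytes(2 * CHUNK) + bytes(range(256)) * 300 + bytes(CHUNK) + b"A" * 100
```

Calling image_bytes(SAMPLE_DISK) yields five segments, two of them recorded as empty, and verify() confirms the restored stream matches the acquisition hash.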

Error tolerance and recovery

Smart imaging

Smart imaging is a combination of techniques to make the imaging process more intelligent.

  • Selective imaging
  • Decryption while imaging

Selective imaging

Selective imaging is a technique to copy only certain information on a disk, such as the $MFT on an NTFS volume, together with the necessary contextual information.

Decryption while imaging

Encrypted data is the worst-case scenario for compression. Because the encryption process should be deterministic, a solution to reduce the size of an encrypted image is to store it non-encrypted and compressed, and encrypt it on the fly if required. This should rarely be needed, since the non-encrypted data is what undergoes analysis.

Logical image

Also see

Forensics File Formats

External Links

  • Benchmarking Hard Disk Duplication Performance in Forensic Applications, by Robert Botchek: http://www.tableau.com/pdf/en/Tableau_Forensic_Disk_Perf.pdf

Hash based imaging

  • Hash based disk imaging using AFF4, by Michael Cohen, Bradley Schatz: http://www.dfrws.org/2010/proceedings/2010-314.pdf