Difference between pages "Proxy server" and "Disk Imaging"

From ForensicsWiki
(Difference between pages)

The comparison places two unrelated articles side by side; both are reproduced below, the "Disk Imaging" article first, then the "Proxy server" article.

'''Disk Imaging'''

''Revision as of 08:11, 21 July 2012''

{{expand}}

Disk imaging is the process of making a bit-by-bit copy of a disk. Imaging (in more general terms) can apply to anything that can be considered a bit-stream, e.g. physical or logical volumes, network streams, etc.

The most straightforward disk imaging method is reading a disk from start to end and writing the data to a [[:Category:Forensics_File_Formats|Forensics image format]]. This can be a time-consuming process, especially for disks with a large capacity.

== Compressed storage ==

A common technique to reduce the size of an image file is to compress the data. On modern computers with multiple cores, the compression can be done in parallel, reducing the output size without prolonging the imaging process. Since the write speed of the target disk can be a bottleneck in the imaging process, parallel compression can also reduce the total time of the imaging process. [[Guymager]] was one of the first imaging tools to implement the concept of multi-process compression.

Other techniques, like storing the data sparse or '''empty-block compression''', can reduce both the total time of the imaging process and the resulting image size for new, non-encrypted (0-byte filled) disks.

== Error tolerance and recovery ==

== Smart imaging ==

Smart imaging is a combination of techniques to make the imaging process more intelligent:

* Selective imaging
* Decryption while imaging

=== Selective imaging ===

Selective imaging is a technique that copies only certain information from a disk, like the $MFT on an [[NTFS]] volume, together with the necessary contextual information.

=== Decryption while imaging ===

Encrypted data is the worst-case scenario for compression. Because the encryption process should be deterministic, a solution to reduce the size of an encrypted image is to store the data non-encrypted and compressed, and to re-encrypt it on-the-fly if required. This should rarely be needed, since the non-encrypted data is what undergoes analysis.

== Logical image ==

== Also see ==

[[:Category:Forensics_File_Formats|Forensics File Formats]]

== External Links ==

* [http://www.tableau.com/pdf/en/Tableau_Forensic_Disk_Perf.pdf Benchmarking Hard Disk Duplication Performance in Forensic Applications], by [[Robert Botchek]]

=== Hash based imaging ===

* [http://www.dfrws.org/2010/proceedings/2010-314.pdf Hash based disk imaging using AFF4], by [[Michael Cohen]], [[Bradley Schatz]]

'''Proxy server'''

{{expand}}

A '''proxy server''' is a server which services the requests of its clients by forwarding those requests to other servers.

== Overview ==

Proxy servers are widely used by organizations and individuals for different purposes:

* Internet sharing (like [[NAT]]);
* Traffic compression;
* Accelerating service requests by retrieving content from cache;
* and many others.

Proxy servers are also commonly used by individuals who wish to violate network policies:

* In China, proxy servers are commonly used by individuals to get around national connectivity policies (user A can't reach website Z, but A can reach proxy server P, which can reach website Z).
* Criminals frequently use proxy servers to hide the origin of their connections (user A connects to website Z through proxy server P; the packets appear to come from P, not from A).

=== HTTP proxies ===

''These proxy servers use HTTP.''

Example request (direct; with relative URI):
<pre>
GET / HTTP/1.1
Host: cryptome.org
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en; rv:1.9.0.3) Gecko/20080528 Epiphany/2.22 Firefox/3.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
If-Modified-Since: Tue, 14 Oct 2008 13:59:19 GMT
If-None-Match: "e01922-62e9-45937059ec2de"
Cache-Control: max-age=0
</pre>

Example request (using proxy; with absolute URI):
<pre>
GET http://cryptome.org/ HTTP/1.1
Host: cryptome.org
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en; rv:1.9.0.3) Gecko/20080528 Epiphany/2.22 Firefox/3.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
If-Modified-Since: Tue, 14 Oct 2008 13:59:19 GMT
If-None-Match: "e01922-62e9-45937059ec2de"
Cache-Control: max-age=0
</pre>

''Note:'' this HTTP request was intercepted on the way to the proxy server.

According to RFC 2068 (section 5.1.2):
<pre>
The absoluteURI form is required when the request is being made to a proxy.
</pre>

''Note:'' the proxy server converts the absolute URI back to a relative URI when it forwards the request to the origin server.

=== HTTPS proxies ===

''The same as above, but using HTTPS (HTTP over SSL/TLS).''

Sometimes HTTP proxies that support the CONNECT method are called ''"HTTPS proxies"''. These HTTP proxies can tunnel almost any TCP-based protocol.
Example request:
<pre>
CONNECT home.netscape.com:443 HTTP/1.0
User-agent: Mozilla/1.1N
</pre>

=== SOCKS proxies ===

SOCKS is an Internet protocol that allows client-server applications to transparently use the services of a network firewall.

=== Web proxies (CGI proxies) ===

These are web sites that allow a user to access another site through them. They generally use PHP or CGI to implement the proxy functionality.

Example GET request from [http://anonymouse.ws/ Anonymouse] (to a web server):
<pre>
GET / HTTP/1.0
Host: [scrubbed server host]:8080
User-Agent: http://Anonymouse.org/ (Unix)
Connection: keep-alive
</pre>

Example GET request from [http://www.hidemyass.com/ HideMyAss.com]:
<pre>
GET / HTTP/1.0
Host: [scrubbed server host]:8080
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en; rv:1.9.0.3) Gecko/20080528 Epiphany/2.22 Firefox/3.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
</pre>

+
== Proxy detection ==

=== Server-side ===

==== New HTTP headers ====

Some proxy servers add new HTTP headers to the request, for example:
<pre>
GET / HTTP/1.1
Host: [scrubbed server host]:8080
Connection: keep-alive
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: ru
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506)
X-Forwarded-For: [scrubbed client real IP address]
Via: 1.1 proxy11 (NetCache NetApp/5.6.1D24)
</pre>

''Note:'' this HTTP request was received from a proxy server using [[netcat]].

The new HTTP headers here are ''X-Forwarded-For'' and ''Via''.

==== Mixed HTTP headers ====

Some proxy servers reorder the HTTP headers of the original request (see the example above). [[Internet Explorer]] 7 puts the ''Host'' and ''Connection'' headers at the end of the request, not at the beginning.

==== Modified HTTP header values ====

Some proxy servers modify HTTP headers, replacing the original values (see the example above). [[Internet Explorer]] 7 sends the header ''Connection: Keep-Alive'', not ''Connection: keep-alive''.

==== [[OS fingerprinting]] and User-Agent ====

The following ''User-Agent'' header was received by a web server (see the example above):
<pre>
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506)
</pre>

According to this header, the request was generated by [[Internet Explorer]] 7 (''MSIE 7.0'') on [[Windows]] Vista or [[Windows]] Server 2008 (''Windows NT 6.0''). However, the connection was initiated with a TCP SYN packet carrying the following options, in this order:
<pre>
MSS
NOP
NOP
SACK permitted
NOP
Window scale
NOP
NOP
Timestamps
</pre>

While [[Windows]] Vista commonly uses these options:
<pre>
MSS
NOP
Window scale
NOP
NOP
SACK permitted
</pre>

This means that either:

* the ''User-Agent'' header was forged; or
* the request was sent through a proxy server running a different [[OS]] (the TCP connection seen by the web server was opened by the proxy host, not by the client).

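The server-side signals from the "New HTTP headers", "Mixed HTTP headers", "Modified HTTP header values" and "OS fingerprinting and User-Agent" sections, together with the absolute-URI and CONNECT request forms shown under HTTP proxies, combined into one check. This is an added example and not part of the original wiki page or any tool it names: the sample requests are constructed from the captures on the page, the SYN options are written in tcpdump's option notation (an assumption about that format), the reference table holds only the Windows Vista layout the page lists, and `assess`, `http_findings`, `tcp_finding` and `syn_options` are names chosen here.

```python
"""Server-side proxy indicators for one HTTP request: header analysis plus a
check of the TCP SYN option layout against the OS claimed in User-Agent.
Added example; samples and the reference layout table are constructed from
the page and are far from a complete fingerprint database."""
import re

# Headers that proxies insert; all three appear in requests captured on the page.
PROXY_ADDED_HEADERS = {"via", "x-forwarded-for", "proxy-connection"}

# SYN option layouts in on-the-wire order, keyed by the platform token a
# User-Agent can claim. Only the Vista / Server 2008 layout given on the page
# is encoded (constructed reference table).
SYN_LAYOUTS = {
    "Windows NT 6.0": [("MSS", "NOP", "Window scale", "NOP", "NOP", "SACK permitted")],
}

# tcpdump writes options like "mss 1460,nop,wscale 7,sackOK,TS val 1 ecr 0";
# this maps those tokens to the labels used on the page (assumed format).
_TCPDUMP_NAMES = {"mss": "MSS", "nop": "NOP", "sackok": "SACK permitted",
                  "wscale": "Window scale", "ts": "Timestamps"}

# Constructed sample: the relayed request from the "New HTTP headers" section.
RELAYED_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: [scrubbed server host]:8080\r\n"
    "Connection: keep-alive\r\n"
    "Accept: image/gif, image/jpeg, */*\r\n"
    "Accept-Language: ru\r\n"
    "UA-CPU: x86\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1)\r\n"
    "X-Forwarded-For: [scrubbed client real IP address]\r\n"
    "Via: 1.1 proxy11 (NetCache NetApp/5.6.1D24)\r\n\r\n"
)
# Constructed sample: the same request as IE7 on Vista sends it directly
# (Host and Connection last, Connection value spelled Keep-Alive).
DIRECT_IE7_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Accept: image/gif, image/jpeg, */*\r\n"
    "Accept-Language: ru\r\n"
    "UA-CPU: x86\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1)\r\n"
    "Host: [scrubbed server host]:8080\r\n"
    "Connection: Keep-Alive\r\n\r\n"
)
# Constructed sample: a request intercepted on its way to a proxy (absolute URI).
PROXY_BOUND_REQUEST = (
    "GET http://cryptome.org/ HTTP/1.1\r\n"
    "Host: cryptome.org\r\n"
    "User-Agent: Mozilla/5.0 (X11; U; Linux i686) Firefox/3.0\r\n"
    "Proxy-Connection: keep-alive\r\n\r\n"
)
# Constructed samples: the SYN options the page lists for the relayed
# connection and the layout it gives for Vista, in tcpdump notation.
RELAYED_SYN = "mss 1460,nop,nop,sackOK,nop,wscale 7,nop,nop,TS val 1 ecr 0"
VISTA_SYN = "mss 1460,nop,wscale 8,nop,nop,sackOK"


def parse_request(raw):
    """Split a raw request into (method, target, version, ordered headers)."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []  # (name, value) in wire order; the order is itself a signal
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, target, version, headers


def header_value(headers, name):
    return next((v for n, v in headers if n.lower() == name), "")


def syn_options(tcpdump_text):
    """Return the SYN option labels in on-the-wire order."""
    out = []
    for token in tcpdump_text.split(","):
        key = token.strip().split(" ", 1)[0].lower()
        out.append(_TCPDUMP_NAMES.get(key, token.strip()))
    return tuple(out)


def http_findings(raw):
    method, target, _, headers = parse_request(raw)
    names = [n.lower() for n, _ in headers]
    findings = []
    if method == "CONNECT":
        findings.append("connect-tunnel")  # only ever addressed to a proxy
    elif re.match(r"[a-z][a-z0-9+.-]*://", target, re.I):
        findings.append("absolute-uri")  # clients use this form only towards proxies
    findings += ["proxy-header:" + n for n in names if n in PROXY_ADDED_HEADERS]
    if "MSIE 7.0" in header_value(headers, "user-agent"):
        # IE7 sends Host and Connection last; one of them first means reordering
        if names and names[0] in ("host", "connection"):
            findings.append("reordered-headers")
        conn = header_value(headers, "connection")
        if conn and conn != "Keep-Alive":  # IE7's own spelling of the value
            findings.append("rewritten-connection-value")
    return findings


def tcp_finding(user_agent, options):
    """Compare the SYN layout with the platform the User-Agent claims."""
    m = re.search(r"Windows NT \d+\.\d+", user_agent)
    claimed = m.group(0) if m else None
    if claimed not in SYN_LAYOUTS or tuple(options) in SYN_LAYOUTS[claimed]:
        return None  # no reference layout, or the layout is as expected
    # built by a different OS: forged User-Agent, or the TCP connection was
    # opened by a proxy host rather than by the client
    return "syn-layout-mismatch:" + claimed


def assess(raw_request, syn_text=None):
    findings = http_findings(raw_request)
    if syn_text is not None:
        ua = header_value(parse_request(raw_request)[3], "user-agent")
        f = tcp_finding(ua, syn_options(syn_text))
        if f:
            findings.append(f)
    return {"findings": findings, "verdict": "relayed" if findings else "direct"}
```

Running `assess(RELAYED_REQUEST, RELAYED_SYN)` reports the two added headers, the reordered and rewritten headers, and the SYN-layout mismatch, while the directly sent IE7 request with the Vista layout comes back clean. Each signal is only as good as its reference data: the header-order and value checks are specific to IE7 as the page describes it, and the SYN table must be extended per browser platform before it is used on real traffic.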
==== Other methods ====

* Active detection: see the [http://metasploit.com/research/projects/decloak/ Metasploit Decloaking Engine];
* Comparing the source IP address with a list of known proxy servers.

=== On the way to proxy server ===

==== Absolute URI ====

HTTP clients (such as web browsers) only put an absolute URI in the request line when the request is made to a proxy, so an absolute URI seen on the wire identifies proxy-bound traffic.

==== Other methods ====

* Comparing the destination IP address with a list of known proxy servers.

[[Category:Anti-Forensics]]
[[Category:Network Forensics]]

Revision as of 08:11, 21 July 2012
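The techniques of the Disk Imaging article above, carried through in one streaming imager: read the disk once from start to end, hash the raw bit-stream as it passes (the basis of hash based imaging), store 0-byte filled blocks as a length only (sparse / empty-block storage), compress the remaining blocks of each batch in parallel, and keep incompressible, ciphertext-like blocks as-is. This is an added example, not Guymager's code nor any real forensic image format; the block container, the helper names (`image`, `encode_block`, `restore`) and the sample disk are constructed here.

```python
"""Streaming disk imaging with empty-block elision and parallel per-block
compression, verified by a hash of the raw bit-stream. Added example; the
container format and the sample 'disk' are constructed for illustration."""
import hashlib
import io
import zlib
from concurrent.futures import ThreadPoolExecutor

BLOCK = 4096  # imaging granularity; 0-byte filled blocks are stored as a length only


def read_blocks(source, block_size=BLOCK):
    """Yield fixed-size blocks from a file-like object; the last may be short."""
    while True:
        data = source.read(block_size)
        if not data:
            return
        yield data


def batched(iterable, n):
    """Group an iterator into lists of n items (streaming, never the whole disk)."""
    batch = []
    for item in iterable:
        batch.append(item)
        if len(batch) == n:
            yield batch
            batch = []
    if batch:
        yield batch


def encode_block(block):
    """Return (kind, length, payload) for one block.
    zero    - every byte is 0x00: only the length is stored (sparse storage)
    deflate - compressible data, stored compressed
    raw     - incompressible data such as ciphertext, stored as-is"""
    if not any(block):
        return ("zero", len(block), b"")
    packed = zlib.compress(block, 6)
    if len(packed) < len(block):
        return ("deflate", len(block), packed)
    return ("raw", len(block), block)


def image(source, block_size=BLOCK, batch=64, workers=4):
    """Read source once, hashing every block in order while compressing each
    batch in parallel. Returns (entries, sha256_hex, stored_bytes)."""
    digest = hashlib.sha256()
    entries = []  # (block index, kind, length, payload): the constructed container
    stored = 0
    with ThreadPoolExecutor(max_workers=workers) as pool:
        for chunk in batched(read_blocks(source, block_size), batch):
            for block in chunk:
                digest.update(block)  # hash the raw stream, not the compressed form
            # pool.map keeps block order, so output is written sequentially;
            # zlib releases the GIL, so the worker threads really run concurrently
            for kind, length, payload in pool.map(encode_block, chunk):
                entries.append((len(entries), kind, length, payload))
                stored += len(payload)
    return entries, digest.hexdigest(), stored


def restore(entries):
    """Rebuild the original bit-stream from the image entries."""
    out = bytearray()
    for _, kind, length, payload in entries:
        if kind == "zero":
            out += bytes(length)
        elif kind == "deflate":
            out += zlib.decompress(payload)
        else:
            out += payload
    return bytes(out)


def image_bytes(data, **kw):
    return image(io.BytesIO(data), **kw)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def make_sample_disk():
    """Constructed 'disk': unused zero space, compressible text, a pseudo-random
    region standing in for encrypted data, more zero space, and a short tail."""
    zeros = bytes(BLOCK * 40)
    text = b"forensic sample text block " * 600
    ciphertext_like = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(512))
    return zeros + text + ciphertext_like + zeros + b"tail"


if __name__ == "__main__":
    disk = make_sample_disk()
    entries, digest, stored = image_bytes(disk)
    kinds = {k: sum(1 for e in entries if e[1] == k) for k in ("zero", "deflate", "raw")}
    print(f"{len(disk)} bytes in, {stored} bytes stored, blocks by kind: {kinds}")
    print("verified" if restore(entries) == disk and digest == sha256_hex(disk) else "MISMATCH")
```

On the sample disk the zero regions cost nothing but a length, the text blocks shrink to a few dozen bytes each, and the pseudo-random region is stored raw because deflate would only enlarge it, which is exactly the compression worst case the "Decryption while imaging" section describes. The digest is computed over the original blocks in read order, so it can be compared with a hash of the source device regardless of how the image was stored.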
