Difference between pages "Network forensics" and "BitPIM"

From Forensics Wiki

= Network forensics =

'''Network forensics''' is the process of capturing information that moves over a [[network]] and trying to make sense of it in some kind of forensics capacity. A [[network forensics appliance]] is a device that automates this process.

There are both open source and proprietary network forensics systems available.

== Open Source Network Forensics ==

* [[Wireshark]]
* [[Kismet]]
* [[Snort]]
* [[Argus]]
* [[OSSEC]]
* [[NetworkMiner]] is [http://sourceforge.net/projects/networkminer/ an open source Network Forensics Tool available at SourceForge]
* [[Xplico]] is an Internet/IP Traffic Decoder (NFAT). Protocols supported: [http://www.xplico.org/status.html HTTP, SIP, FTP, IMAP, POP, SMTP, TCP, UDP, IPv4, IPv6, ...]
* [[DataEcho]]
* [[ntop]]
* [[Chaosreader]] is a session reconstruction tool (supports both live and captured network traffic)
* [[Data copy king]] is a comprehensive tool that integrates data backup, disk wiping, and HDD auto-detection.

== Commercial Network Forensics ==

===Deep-Analysis Systems===

* WildPackets [[OmniPeek]] [http://www.wildpackets.com/solutions/it_solutions/network_forensics] [http://www.wildpackets.com/products/distributed_network_analysis/omnipeek_network_analyzer/forensics_search]
* E-Detective [http://www.edecision4u.com/] [http://www.digi-forensics.com/home.html]
* Code Green Networks [http://www.codegreennetworks.com Content Inspection Appliance] - Passive monitoring and mandatory proxy mode. Easy to use Web GUI. Linux platform. Uses Stellent Outside In to access document content and metadata.
* NetWitness Corporation - Freeware/Commercial, Enterprise-Wide, Real-Time Network Forensics [http://www.netwitness.com/ NetWitness]
* Network Instruments [http://www.networkinstruments.com/]
* NIKSUN's [[NetDetector]]
* PacketMotion [http://www.packetmotion.com/]
* Sandstorm's [http://www.sandstorm.net/products/netintercept/ NetIntercept] - Passive monitoring appliance. Qt/X11 GUI. FreeBSD platform. Uses forensic parsers written by Sandstorm to access document content and metadata.
* Mera Systems [http://netbeholder.com/ NetBeholder]
* [http://www.infowatch.com InfoWatch Traffic Monitor]
* MFI Soft [http://sormovich.ru/ SORMovich] (in Russian)
* Solera Networks - Provider of full packet capture network forensics appliances [http://www.soleranetworks.com/ Solera Networks]

===Flow-Based Systems===

* Arbor Networks
* GraniteEdge Networks
* Lancope http://www.lancope.com/
* Mazu Networks http://www.mazunetworks.com/

===Hybrid Systems===

These systems combine flow analysis, deep analysis, and security event monitoring and reporting.

* Q1 Labs http://www.q1labs.com/

== Tips and Tricks ==

* The time between two events triggered by an intruder (as seen in logfiles, for example) can be helpful. If it is very short, you can be pretty sure that the actions were performed by an automated script and not by a human user.
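The timing heuristic above, applied to a few constructed log lines (an added example, not code from the Forensics Wiki page; the log format, the one-second threshold and the source IPs are assumptions):

```python
# Added example (not from the Forensics Wiki page): apply the inter-event
# timing heuristic to constructed log lines. Events from one source whose
# gaps are all at or below a threshold are flagged as likely scripted.
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real data). Assumed line format:
# "<ISO timestamp> <source-ip> <message>"
SAMPLE_LOG = """\
2006-10-07T19:28:01 10.0.0.5 login failed for user admin
2006-10-07T19:28:01 10.0.0.5 login failed for user root
2006-10-07T19:28:02 10.0.0.5 login failed for user test
2006-10-07T19:28:02 10.0.0.5 login failed for user guest
2006-10-07T19:28:03 10.0.0.5 login failed for user oracle
2006-10-07T19:27:10 192.168.1.20 login failed for user alice
2006-10-07T19:27:41 192.168.1.20 login failed for user alice
2006-10-07T19:28:35 192.168.1.20 login succeeded for user alice
"""

def parse_events(text):
    """Return {source: [datetime, ...]} with timestamps sorted per source."""
    events = defaultdict(list)
    for line in text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) < 3:
            continue  # skip blank or malformed lines
        events[parts[1]].append(datetime.fromisoformat(parts[0]))
    for ts_list in events.values():
        ts_list.sort()
    return dict(events)

def inter_event_gaps(timestamps):
    """Seconds between consecutive events (timestamps must be sorted)."""
    return [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]

def classify_sources(text, max_gap_s=1.0, min_events=3):
    """Return {source: label}: 'automated' when every gap between consecutive
    events is at most max_gap_s, 'human' when at least one gap is longer, and
    'undetermined' when fewer than min_events events exist (a heuristic only;
    it is evidence to weigh, not proof by itself)."""
    labels = {}
    for source, ts in parse_events(text).items():
        if len(ts) < min_events:
            labels[source] = "undetermined"
            continue
        labels[source] = "automated" if max(inter_event_gaps(ts)) <= max_gap_s else "human"
    return labels

if __name__ == "__main__":
    for src, label in classify_sources(SAMPLE_LOG).items():
        print(f"{src}: {label}")
```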

== See also ==

* [[Wireless forensics]]
* [[SSL forensics]]
* [[IP geolocation]]
* [[Tools:Network Forensics]]
* [[Tools:Logfile Analysis]]

[[Category:Network Forensics]]

= BitPIM =

BitPim is a free, [http://www.opensource.org/docs/definition.php open source], cross-platform program for viewing and editing data on a [[CDMA]] [[cell phone]]. [mailto:rogerb@rogerbinns.com Roger Binns] was the founder, project manager, and lead developer of the project, first releasing it on March 1st, 2003. Since then leadership has been handed over to another party and over two million users have downloaded it. The program has been developed in [[python]] and originally only supported the LG VX4400, but it now supports a variety of phone manufacturers including [[Audiovox]], [[Kyocera]], [[LG]], [[Motorola]], [[Nokia]], [[Palm]], [[Samsung]], [[Sanyo]], and [[Toshiba]].

In order to use the program, a data cable and its drivers, usually available from the supplier/manufacturer, are required. BitPim will try to detect a phone automatically, but it is recommended that settings are configured manually.

__TOC__

==Features==

[[Image:screen-phonebooktab.png|thumb|150px|Phonebook view in BitPim]]

* Phonebook
* Calendar
* Media
** Sounds
** Ringers
** Images
* Memos
* Todo
* [[SMS]] (Inbox, Sent, Saved)
* Call History (Incoming, Outgoing, Missed, Data)
* Playlists
* File System

Features are dependent on the phone model. For a full list of each phone's supported features see [http://www.bitpim.org/help/phones-featuressupported.htm BitPim's supported phones list].

The data can be manipulated through the software and changes can be uploaded to the phone. Calendar, Phonebook, Memo, Todo, and Playlist data can all be imported from an external file. For backup purposes all of the data can be exported to external files.

===Forensics===

If doing a forensic investigation the application should always be in read only mode, which claims to block all write commands to the phone. The program will not recover deleted data, nor does it always recover all undeleted data. The file system view is a very important feature forensically as it allows a raw view of data from the phone, possibly uncovering data that BitPim missed or found unimportant. An advanced feature that could also be vital to a forensic investigation is [[BitFling]]. This feature allows another computer to remotely access a phone's data over the internet. A phone could be confiscated in California, connected to BitPim with [[BitFling]] configured, and be forensically analyzed in New York. Lastly, exporting the data is very important so that copies of the data can be made, ensuring no data is lost or manipulated.

==Compatibility==

* [[Windows]] 98/ME/2000/XP
* [[Linux]]
* [[MacOS]] X 10.3+

==Links==

[http://www.bitpim.org/ BitPim]

Revision as of 19:28, 7 October 2006
