Difference between pages "SSL forensics" and "Executable"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
m (added Category:Network Forensics)
 
 
Line 1: Line 1:
'''SSL (TLS) forensics''' is the process of capturing information exchanged through SSL (TLS) connections and trying to make sense of it in some kind of forensics capacity.
+
{{expand}}
  
== Overview ==
+
An executable file is used to perform tasks according to encoded instructions. Executable files are sometimes also referred to as binaries which technically can be considered a sub class of executable files.
  
TLS (''Transport Layer Security'') provides authentication and [[encryption]] for many network protocols, such as: ''POP'', ''IMAP'', ''SMTP'', ''HTTP''. However, it is possible to tunnel almost every TCP-based protocol through TLS using such tools as [http://stunnel.mirt.net/ stunnel].
+
There are multiple types of executables:
 +
* Scripts
 +
*
 +
* DOS, Windows
  
Generally, many TLS realizations require only server to be authenticated using signed certificate.
+
== External Links ==
 +
* [http://en.wikipedia.org/wiki/Executable Wikipedia: Executable]
  
== Data decryption ==
+
=== MZ, PE/COFF ===
 +
* [http://en.wikipedia.org/wiki/Portable_Executable Wikipedia: Portable Executable]
 +
* [https://googledrive.com/host/0B3fBvzttpiiSd1dKQVU0WGVESlU/Executable%20(EXE)%20file%20format.pdf MZ, PE-COFF executable file format (EXE)]
 +
* [http://seclists.org/fulldisclosure/2013/Oct/157 The Internal of Reloc .text], Full Disclosure Mailing list, October 21, 2013
  
Data exchanged through SSL (TLS) connections can be decrypted by performing ''man-in-the-middle'' attack. Attacker can modify TLS handshake and provide new certificates (with attacker's encryption keys).
+
== Tools ==
  
Some commercial [[network forensics]] systems can perform such an attack:
+
=== MZ, PE/COFF ===
* Mera Systems [http://netbeholder.com/en/products/lawful_interception.html Sleek Buster] (supports signed by a trusted CA forged certificates)
+
* [https://code.google.com/p/pefile/ pefile], multi-platform Python module to read and work with Portable Executable (aka PE) files
* [http://www.edecision4u.com/edecision4u/Products.html E-Detective HTTPS/SSL Network Packet Forensics Device]
+
 
+
As well as some open-source tools:
+
* [http://ettercap.sourceforge.net/ ettercap] (unsupported, last version - 2005/05/29)
+
* [http://monkey.org/~dugsong/dsniff/ dsniff] (obsolete, last stable version - 2000/12/17)
+
 
+
== Other information ==
+
 
+
The TLS protocol also leaks some significant information:
+
* Current date and time on a TLS client and server (old versions of [[Firefox]] and [[Thunderbird]] leak system's uptime);
+
* Hostname being accessed ("server_name" extension);
+
* Original data size.
+
 
+
== [[The Onion Router]] ==
+
 
+
[[Tor]] tunnels application data through TLS connections and it is not possible to decrypt such connections by performing traditional ''man-in-the-middle'' attack. [[Tor]] also sends application data in chunks to make it harder to guess exactly how many bytes users are communicating.
+
 
+
== Links ==
+
 
+
* [http://rfc.net/rfc2246.html RFC 2246 (TLS 1.0)]
+
* [http://rfc.net/rfc4346.html RFC 4346 (TLS 1.1)]
+
 
+
[[Category:Network Forensics]]
+

Revision as of 17:31, 23 October 2013

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

An executable file is used to perform tasks according to encoded instructions. Executable files are sometimes also referred to as binaries which technically can be considered a sub class of executable files.

There are multiple types of executables:

  • Scripts
  • DOS, Windows

External Links

MZ, PE/COFF

Tools

MZ, PE/COFF

  • pefile, multi-platform Python module to read and work with Portable Executable (aka PE) files