Difference between pages "Disk image" and "SSL forensics"

From ForensicsWiki
 
m (added Category:Network Forensics)
 
Disk image (left column):

A disk image is a full disk copy of the data making up the partition table, file allocation tables and data partitions without regard for operating system.

A disk image should be made prior to performing any forensic analysis of the disk. Creating a disk image is important in forensics for several reasons:

1. Ensure that disk information is not inadvertently changed during analysis.

2. By creating an original disk image and storing the original disk, it is possible to reproduce forensic test results with an exact reproduction of analysis methods on the original evidence.

3. Disk imaging will capture information invisible to the operating system in use, e.g. hidden partitions, ext3 partitions on a Windows machine, etc.

Software

Popular software used to create disk images includes Norton Ghost

SSL forensics (right column):

'''SSL (TLS) forensics''' is the process of capturing information exchanged through SSL (TLS) connections and trying to make sense of it in a forensic capacity.

== Overview ==

TLS (''Transport Layer Security'') provides authentication and [[encryption]] for many network protocols, such as ''POP'', ''IMAP'', ''SMTP'' and ''HTTP''. It is also possible to tunnel almost any TCP-based protocol through TLS using tools such as [http://stunnel.mirt.net/ stunnel].

Generally, many TLS implementations require only the server to be authenticated, using a signed certificate.

== Data decryption ==

Data exchanged through SSL (TLS) connections can be decrypted by performing a ''man-in-the-middle'' attack: the attacker modifies the TLS handshake and presents new certificates (with the attacker's own keys). Unless the forged certificate chains to a CA the client trusts, the client will see a certificate validation error.

Some commercial [[network forensics]] systems can perform such an attack:

* Mera Systems [http://netbeholder.com/en/products/lawful_interception.html Sleek Buster] (supports forged certificates signed by a trusted CA)
* [http://www.edecision4u.com/edecision4u/Products.html E-Detective HTTPS/SSL Network Packet Forensics Device]

As well as some open-source tools:

* [http://ettercap.sourceforge.net/ ettercap] (unsupported, last version 2005/05/29)
* [http://monkey.org/~dugsong/dsniff/ dsniff] (obsolete, last stable version 2000/12/17)

== Other information ==

The TLS protocol also leaks some significant information in the clear:

* Current date and time on the TLS client and server (old versions of [[Firefox]] and [[Thunderbird]] leak the system's uptime);
* The hostname being accessed (the "server_name" extension);
* The size of the original data.
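As an added example (not part of the original wiki page), the following Python parses a TLS 1.0/1.1 ClientHello record and extracts two of the leaked fields listed above: the gmt_unix_time carried in the first four bytes of Random (RFC 2246 and RFC 4346) and the hostname from the server_name extension. The ClientHello it parses is constructed inside the script rather than taken from a real capture, and the helper names are mine.

```python
import struct
from datetime import datetime, timezone

SNI_EXT = 0x0000  # server_name extension type (RFC 4366)

def parse_client_hello(record: bytes) -> dict:
    """Pull gmt_unix_time and the server_name hostname out of a ClientHello record."""
    ctype, version, length = struct.unpack("!BHH", record[:5])
    if ctype != 0x16:                       # 0x16 = handshake record
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + length]
    if hs[0] != 0x01:                       # 0x01 = client_hello message
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    client_version = struct.unpack("!H", body[:2])[0]
    gmt_unix_time = struct.unpack("!I", body[2:6])[0]  # first 4 bytes of Random
    pos = 34                                            # version + 32-byte Random
    pos += 1 + body[pos]                                # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + body[pos]                                # compression_methods
    hostname = None
    if pos + 2 <= len(body):                            # extensions block is optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        ext = body[pos + 2:pos + 2 + ext_len]
        while len(ext) >= 4:
            etype, elen = struct.unpack("!HH", ext[:4])
            edata, ext = ext[4:4 + elen], ext[4 + elen:]
            if etype == SNI_EXT and len(edata) >= 5 and edata[2] == 0:  # host_name entry
                nlen = struct.unpack("!H", edata[3:5])[0]
                hostname = edata[5:5 + nlen].decode("ascii")
    return {"version": client_version, "gmt_unix_time": gmt_unix_time,
            "hostname": hostname, "record_len": length}

def build_client_hello(ts: int, hostname=None, version=0x0302) -> bytes:
    """Constructed sample ClientHello (TLS 1.1 by default), not a real capture."""
    ext = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
        ext = struct.pack("!HH", SNI_EXT, len(sni)) + sni
    body = (struct.pack("!H", version) + struct.pack("!I", ts) + b"\x11" * 28
            + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"   # no session id, 1 suite, null compression
            + (struct.pack("!H", len(ext)) + ext if ext else b""))
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 0x16, version, len(hs)) + hs

def utc_time(ts: int) -> str:
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
```

On a real capture, feed the first record of the client-to-server stream to parse_client_hello; a timestamp far from the capture time points at a client that sends uptime or random bytes instead.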

== [[The Onion Router]] ==

[[Tor]] tunnels application data through TLS connections, and it is not possible to decrypt such connections by performing a traditional ''man-in-the-middle'' attack. [[Tor]] also sends application data in chunks to make it harder to guess exactly how many bytes users are communicating.

== Links ==

* [http://rfc.net/rfc2246.html RFC 2246 (TLS 1.0)]
* [http://rfc.net/rfc4346.html RFC 4346 (TLS 1.1)]

[[Category:Network Forensics]]

Revision as of 13:54, 20 July 2008
