Difference between pages "VPN" and "Carver 2.0 Planning Page"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
m (VPNs and anonymity)
 
 
Line 1: Line 1:
{{expand}}
+
This page is for planning Carver 2.0.
  
'''VPN''' (Virtual Private Network) is a class of technology that allows remote machines to interconnect by creating a virtual network layer, on top of the physical network connection, that in practice is used to maintain the privacy of data shared over this virtual network connection (essentially all VPN toolsets use some form of packet-level [[encryption]]). There are many different modern implementations of the VPN concept itself, to the point where categorizing them together becomes somewhat questionable.
+
= License =
  
== Overview ==
+
BSD
  
Virtual Private Networks are deployed by organizations and individuals for different purposes:
+
= OS =
  
* Protecting confidential information in organizations (for example, when connecting geographically distant office networks);
+
Linux/FreeBSD/MacOS
* Providing "work from home" or traveling employees with secure remote access to office network resources;
+
* Securing general Internet traffic in particularly insecure network usage settings (e.g. open wireless networks);
+
* Encrypting all internet traffic to and from a home connection, to prevent ISP packet shaping and/or surveillance (i.e. [http://www.torrentfreedom.net Torrentfreedom Privacy]).
+
  
When used for Internet connectivity, VPN service also acts as a form of proxy and protects the user's real IP address from public display. As a result, they are an increasingly popular form of anonymity protection for ordinary internet users and criminals.
+
= Requirements =
 +
* AFF and EWF file images supported from scratch.
 +
* File system aware layer.
 +
** By default, files are not carved.
 +
* Plug-in architecture for identification/validation.
 +
** Can we exercise libmagic or at least the patterns they identify?
 +
* Ship with validators for:
 +
** JPEG
 +
** PNG
 +
** GIF
 +
** MSOLE
 +
** ZIP
 +
** TAR (gz/bz2)
 +
* Simple fragment recovery carving using gap carving.
 +
* Recovering of individual ZIP sections and JPEG icons that are not sector aligned.
 +
* Autonomous operation (what is it? [[User:.FUF|.FUF]] 19:18, 28 October 2008 (UTC)).
 +
* Tested on 500GB-sized images. Should be able to carve a 500GB image in roughly 50% longer than it takes to read the image.
 +
** Perhaps allocate a percentage budget per-validator (i.e. each validator adds N% to the carving time)
 +
* Parallelizable.
 +
* Configuration:
 +
** Can handle config files,like Revit07, to enter different file formats used by the carver.
 +
** Disengage internal configuration structure from configuration files, create parsers that present the expected structure
 +
**  Either extend Scalpel/Foremost syntaxes for extended features or create a tertiary syntax, at which point a converter would likely be useful.
 +
* Can output audit.txt file.
 +
* Easy integration into ascription software.
  
== VPNs and anonymity ==
+
= Ideas =
 +
* Use as much TSK if possible. Don't carry your own FS implementation there way photorec does.
 +
* Extracting/carving data from [[Thumbs.db]]? I've used [[foremost]] for it with some success. [[Vinetto]] has some critical bugs :( [[User:.FUF|.FUF]] 19:18, 28 October 2008 (UTC)
 +
* Carving data structures. For example, extract all TCP headers from image by defining TCP header structure and some fields (e.g. source port > 1024, dest port = 80). This will extract all data matching the pattern and write a file with other fields. Another example is carving INFO2 structures and URL activity records from index.dat
  
* Log files: VPN services may maintain usage logs which could then be used to track the activities of the user of those services, after the fact. However some commercial consumer-oriented VPN services specifically configure their servers not to retain any logfile information of this type. Example are [[Cryptocloud VPN]] or [[iVPN]].
+
The main idea is to allow users to define structures, for example (in pascal-like form):
  
* Protocol stack: [[TCP timestamps]] and IP ID values may be used in correlating incoming (encrypted) and outgoing (unencrypted) network streams. This type of "traffic analysis" can, in theory, be used to gather information about a fully-encrypted VPN connection - in practice, there are no known public examples of traffic analysis being used against commercial VPN service providers.
+
Field1: Byte = 123;
 +
SomeTextLength: DWORD;
 +
SomeText: string[SomeTextLength];
 +
Field4: Char = 'r';
 +
...
  
== See Also ==
+
This will produce something like this:
  
* [[iVPN]]
+
Field1 = 123
* [[Cryptocloud VPN]]
+
SomeTextLength = 5
* [[Tor]]
+
SomeText = 'abcd1'
* [[Proxy server]]
+
Field4 = 'r'
  
[[Category:Anti-Forensics]]
+
(In text or raw forms.)
[[Category:Network Forensics]]
+
 
[[Category:Encryption]]
+
Opinions?
 +
 
 +
[[User:.FUF|.FUF]] 20:51, 28 October 2008 (UTC)
 +
 
 +
= Supported File Systems =
 +
 
 +
Build a large list of supported filesystems. File carving programs ignore the filesystem, but this doesn't mean that they support all of them. Do we support Reiser4 with tail packing? Or exFAT? Or NTFS with compression? Document this. [[User:.FUF|.FUF]] 19:18, 28 October 2008 (UTC)

Revision as of 16:51, 28 October 2008

This page is for planning Carver 2.0.

License

BSD

OS

Linux/FreeBSD/MacOS

Requirements

  • AFF and EWF file images supported from scratch.
  • File system aware layer.
    • By default, files are not carved.
  • Plug-in architecture for identification/validation.
    • Can we exercise libmagic or at least the patterns they identify?
  • Ship with validators for:
    • JPEG
    • PNG
    • GIF
    • MSOLE
    • ZIP
    • TAR (gz/bz2)
  • Simple fragment recovery carving using gap carving.
  • Recovering of individual ZIP sections and JPEG icons that are not sector aligned.
  • Autonomous operation (what is it? .FUF 19:18, 28 October 2008 (UTC)).
  • Tested on 500GB-sized images. Should be able to carve a 500GB image in roughly 50% longer than it takes to read the image.
    • Perhaps allocate a percentage budget per-validator (i.e. each validator adds N% to the carving time)
  • Parallelizable.
  • Configuration:
    • Can handle config files,like Revit07, to enter different file formats used by the carver.
    • Disengage internal configuration structure from configuration files, create parsers that present the expected structure
    • Either extend Scalpel/Foremost syntaxes for extended features or create a tertiary syntax, at which point a converter would likely be useful.
  • Can output audit.txt file.
  • Easy integration into ascription software.

Ideas

  • Use as much TSK if possible. Don't carry your own FS implementation there way photorec does.
  • Extracting/carving data from Thumbs.db? I've used foremost for it with some success. Vinetto has some critical bugs :( .FUF 19:18, 28 October 2008 (UTC)
  • Carving data structures. For example, extract all TCP headers from image by defining TCP header structure and some fields (e.g. source port > 1024, dest port = 80). This will extract all data matching the pattern and write a file with other fields. Another example is carving INFO2 structures and URL activity records from index.dat

The main idea is to allow users to define structures, for example (in pascal-like form):

Field1: Byte = 123; SomeTextLength: DWORD; SomeText: string[SomeTextLength]; Field4: Char = 'r'; ...

This will produce something like this:

Field1 = 123 SomeTextLength = 5 SomeText = 'abcd1' Field4 = 'r'

(In text or raw forms.)

Opinions?

.FUF 20:51, 28 October 2008 (UTC)

Supported File Systems

Build a large list of supported filesystems. File carving programs ignore the filesystem, but this doesn't mean that they support all of them. Do we support Reiser4 with tail packing? Or exFAT? Or NTFS with compression? Document this. .FUF 19:18, 28 October 2008 (UTC)