Difference between pages "OS fingerprinting" and "JTAG Forensics"

From ForensicsWiki

Page "JTAG Forensics":

== Definition ==

=== From Wikipedia ([http://en.wikipedia.org/wiki/Joint_Test_Action_Group http://en.wikipedia.org/wiki/Joint_Test_Action_Group]): ===

Joint Test Action Group (JTAG) is the common name for what was later standardized as the IEEE 1149.1 Standard Test Access Port and Boundary-Scan Architecture. It was initially devised for testing printed circuit boards using boundary scan and is still widely used for this application. Today JTAG is also widely used for IC debug ports. In the embedded processor market, essentially all modern processors support JTAG when they have enough pins. Embedded systems development relies on debuggers talking to chips with JTAG to perform operations like single stepping and breakpointing. Digital electronics products such as cell phones or a wireless access point generally have no other debug or test interfaces.

=== Forensic Application ===

JTAG forensics is an acquisition procedure that involves connecting to the Standard Test Access Port (TAP) of a device and instructing the processor to transfer the raw data stored on the connected memory chips. JTAGging a supported phone can be an extremely effective way to extract a full physical image from a device that cannot be acquired by other means.

== Tools and Equipment ==

* [[JTAG and Chip-Off Tools and Equipment]]

== Procedures ==

* [[JTAG HTC Wildfire S]]
* [[JTAG Huawei TracFone M865C]]
* [[JTAG Huawei TracFone H866C]]
* [[JTAG Huawei U8655]]
* [[JTAG Huawei Y301-A1 Valiant]]
* [[JTAG LG L45C TracFone]]
* [[JTAG LG P930 (Nitro HD)]]
* [[JTAG LG E960 (Nexus 4)]]
* [[JTAG Samsung Galaxy Centura (SCH-S738C)]]
* [[JTAG Samsung Galaxy S4 (SGH-I337)]]

Page "OS fingerprinting":

'''OS fingerprinting''' is the process of determining the [[operating system]] used by a host on a network.

== Active fingerprinting ==

Active fingerprinting is the process of transmitting packets to a remote host and analysing the corresponding replies.

== Passive fingerprinting ==

Passive fingerprinting is the process of analysing packets sent by a host on a network. In this case the fingerprinter acts as a [[sniffer]] and puts no traffic of its own on the network.

== Fingerprinting techniques ==

Almost all fingerprinting techniques are based on detecting differences in the packets generated by different operating systems.

Common techniques are based on analysing:

* IP TTL values;
* IP ID values;
* TCP Window size;
* TCP Options (generally, in TCP SYN and SYN+ACK packets);
* DHCP requests;
* ICMP requests;
* HTTP packets (generally, the User-Agent field).

Other techniques are based on analysing:

* Running services;
* Open port patterns.

== Limitations ==

Many passive fingerprinters get confused when analysing packets from a NAT device, since one source address then carries the signatures of several different hosts.

== Tools ==

Active fingerprinters:

* [[Nmap]]

Passive fingerprinters:

* [[NetworkMiner]]
* [[p0f]]

== Links ==

* [http://nmap.org/book/osdetect.html Remote OS detection paper]

[[Category:Network Forensics]]
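The OS fingerprinting page above lists the packet fields that passive tools examine (IP TTL, IP ID, TCP window size, TCP options) and notes that NAT confuses them. The following Python is an added example, not code from ForensicsWiki, Nmap or p0f: it parses raw IPv4/TCP SYN bytes into those fields, infers the sender's initial TTL and hop count, matches the result against a small signature table, and flags a source address whose SYNs carry conflicting signatures, which is the NAT case from the Limitations section. The signature table, the option blobs, the packets and the addresses are all constructed for this example; real fingerprint databases are much larger and match with tolerances.

```python
"""Passive OS fingerprinting from captured TCP SYNs (added example, not code from
ForensicsWiki, Nmap or p0f; signature table and sample packets are constructed)."""
import struct
from collections import defaultdict, namedtuple

OPTION_NAMES = {0: "eol", 1: "nop", 2: "mss", 3: "ws", 4: "sack", 8: "ts"}  # RFC 793/2018/7323 kinds
# initial_ttl is the inferred starting TTL, hops = initial_ttl - ttl, options = names in wire order.
SynSignature = namedtuple("SynSignature", "src ttl initial_ttl hops ip_id window mss wscale options df")

def infer_initial_ttl(ttl):
    """Most stacks start at 64, 128 or 255; take the smallest default that is >= ttl."""
    return next(start for start in (64, 128, 255) if ttl <= start)

def parse_tcp_options(raw):
    """Walk the TCP option list; return (option names in order, MSS, window scale)."""
    names, mss, wscale, i = [], None, None, 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                                   # end of list; the rest is padding
            names.append("eol")
            break
        if kind == 1:                                   # NOP carries no length byte
            names.append("nop")
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed TCP option at offset %d" % i)
        length = raw[i + 1]
        names.append(OPTION_NAMES.get(kind, "opt%d" % kind))
        if kind == 2 and length == 4:
            mss = struct.unpack("!H", raw[i + 2:i + 4])[0]
        elif kind == 3 and length == 3:
            wscale = raw[i + 2]
        i += length
    return tuple(names), mss, wscale

def fingerprint_syn(packet):
    """Parse one IPv4 packet carrying a bare TCP SYN into a SynSignature."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    ip_id, flags_frag, ttl, proto = struct.unpack("!HHBB", packet[4:10])
    if proto != 6 or len(packet) < ihl + 20:
        raise ValueError("not TCP, or truncated")
    tcp = packet[ihl:]
    data_off, flags = (tcp[12] >> 4) * 4, tcp[13]
    if flags & 0x12 != 0x02:                            # SYN set and ACK clear
        raise ValueError("not a bare SYN")
    names, mss, wscale = parse_tcp_options(tcp[20:data_off])
    initial = infer_initial_ttl(ttl)
    return SynSignature(".".join(map(str, packet[12:16])), ttl, initial, initial - ttl,
                        ip_id, struct.unpack("!H", tcp[14:16])[0], mss, wscale,
                        names, bool(flags_frag & 0x4000))

# Constructed, illustrative table keyed on what survives the path unchanged: initial
# TTL, option order and the DF bit.  Real p0f/Nmap databases are far larger and also
# match window size, MSS and IP ID behaviour with tolerances.
SIGNATURES = {
    (64, ("mss", "sack", "ts", "nop", "ws"), True): "constructed sig A (Linux-like)",
    (128, ("mss", "nop", "ws", "nop", "nop", "sack"), True): "constructed sig B (Windows-like)",
}

def classify(sig):
    return SIGNATURES.get((sig.initial_ttl, sig.options, sig.df), "unknown")

def find_nat_suspects(sigs):
    """The page's limitation: one address emitting several distinct signatures is
    most likely a NAT device with several different hosts behind it."""
    seen = defaultdict(set)
    for s in sigs:
        seen[s.src].add((s.initial_ttl, s.options, s.df))
    return sorted(src for src, kinds in seen.items() if len(kinds) > 1)

def build_syn(src, ttl, ip_id, df, window, options):
    """Constructed IPv4/TCP SYN for testing; checksums are left at zero."""
    opts = options + b"\x00" * (-len(options) % 4)
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, ((20 + len(opts)) // 4) << 4,
                      0x02, window, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, 0x4000 if df else 0,
                     ttl, 6, 0, bytes(int(x) for x in src.split(".")), bytes([10, 0, 0, 2]))
    return ip + tcp

# Constructed option blobs: A = MSS 1460, SACK-ok, timestamps, NOP, wscale 7;
# B = MSS 1460, NOP, wscale 8, NOP, NOP, SACK-ok.
OPTS_A = b"\x02\x04\x05\xb4\x04\x02\x08\x0a" + b"\x00" * 8 + b"\x01\x03\x03\x07"
OPTS_B = b"\x02\x04\x05\xb4\x01\x03\x03\x08\x01\x01\x04\x02"
SAMPLE_SYNS = [
    build_syn("10.0.0.1", 61, 0, True, 29200, OPTS_A),      # 3 hops from a TTL-64 stack
    build_syn("10.0.0.9", 119, 4711, True, 8192, OPTS_B),   # 9 hops from a TTL-128 stack
    build_syn("10.0.0.9", 118, 4712, True, 29200, OPTS_A),  # same address, other stack: NAT?
]

if __name__ == "__main__":
    sigs = [fingerprint_syn(p) for p in SAMPLE_SYNS]
    for s in sigs:
        print(s.src, "ttl %d of %d, %d hops" % (s.ttl, s.initial_ttl, s.hops), s.options, classify(s))
    print("possible NAT:", find_nat_suspects(sigs))
```

The table is keyed on the parts of a SYN that routers do not rewrite (inferred initial TTL, option order, DF bit), so a host is classified the same way whether it is three or thirty hops away; window size and MSS are recorded but left out of the key because they vary with interface MTU and tuning. On a monitored segment the same logic serves inventory checks: a SYN whose signature does not match the device type expected for that address is worth a look, and an address with several signatures is probably a NAT box rather than a single host.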

JTAG Forensics page shown at the revision of 18:35, 23 December 2013.
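The JTAG Forensics definition above describes the Test Access Port and the debuggers that drive it. As an added example, not code from ForensicsWiki or from any JTAG tool, the Python below simulates the IEEE 1149.1 TAP controller: the 16-state machine driven by TMS on each TCK, a 4-bit instruction register, and the IDCODE and BYPASS data registers. Reading and decoding IDCODE is the vendor-neutral first step of any JTAG acquisition, confirming which chip answers on the pins before the processor is told to transfer memory; the vendor-specific debug instructions that actually dump memory are not modelled. The IDCODE value, the IDCODE opcode and the manufacturer code are constructed (BYPASS being all ones is the standard's rule, IDCODE's opcode is device-specific).

```python
"""IEEE 1149.1 TAP controller simulation answering an IDCODE scan (added example, not
code from ForensicsWiki or any JTAG tool; IDCODE value and the IDCODE opcode are constructed)."""

# TAP controller: state -> (next state if TMS=0, next state if TMS=1), sampled on every TCK.
# Left column is the data-register path, right column the instruction-register path.
TAP_NEXT = {
    "TLR": ("RTI", "TLR"), "RTI": ("RTI", "SEL_DR"),
    "SEL_DR": ("CAP_DR", "SEL_IR"), "SEL_IR": ("CAP_IR", "TLR"),
    "CAP_DR": ("SHIFT_DR", "EXIT1_DR"), "CAP_IR": ("SHIFT_IR", "EXIT1_IR"),
    "SHIFT_DR": ("SHIFT_DR", "EXIT1_DR"), "SHIFT_IR": ("SHIFT_IR", "EXIT1_IR"),
    "EXIT1_DR": ("PAUSE_DR", "UPDATE_DR"), "EXIT1_IR": ("PAUSE_IR", "UPDATE_IR"),
    "PAUSE_DR": ("PAUSE_DR", "EXIT2_DR"), "PAUSE_IR": ("PAUSE_IR", "EXIT2_IR"),
    "EXIT2_DR": ("SHIFT_DR", "UPDATE_DR"), "EXIT2_IR": ("SHIFT_IR", "UPDATE_IR"),
    "UPDATE_DR": ("RTI", "SEL_DR"), "UPDATE_IR": ("RTI", "SEL_DR"),
}

IDCODE_OP, BYPASS_OP = 0b0001, 0b1111   # IDCODE opcode is constructed; BYPASS is all ones per the standard

class TapDevice:
    """One device on the scan chain with a 4-bit IR and IDCODE/BYPASS data registers."""
    IR_LEN = 4

    def __init__(self, idcode):
        self.idcode, self.state = idcode, "TLR"
        self.ir = self.ir_shift = self.dr_shift = 0

    def clock(self, tms, tdi):
        """One TCK cycle: act on the current state, return TDO, then move according to TMS."""
        tdo, s = 0, self.state
        if s == "TLR":                      # reset selects IDCODE (BYPASS on parts without one)
            self.ir = IDCODE_OP
        elif s == "CAP_IR":                 # captured IR pattern ends in ...01
            self.ir_shift = 0b0001
        elif s == "SHIFT_IR":               # LSB leaves on TDO, TDI enters at the MSB
            tdo = self.ir_shift & 1
            self.ir_shift = (self.ir_shift >> 1) | (tdi << (self.IR_LEN - 1))
        elif s == "UPDATE_IR":
            self.ir = self.ir_shift
        elif s == "CAP_DR":                 # IDCODE loads the ID; BYPASS captures a 0
            self.dr_shift = self.idcode if self.ir == IDCODE_OP else 0
        elif s == "SHIFT_DR":               # unknown opcodes behave as BYPASS (1-bit register)
            width = 32 if self.ir == IDCODE_OP else 1
            tdo = self.dr_shift & 1
            self.dr_shift = (self.dr_shift >> 1) | (tdi << (width - 1))
        self.state = TAP_NEXT[s][tms]
        return tdo

def walk(dev, tms_bits):
    for tms in tms_bits:
        dev.clock(tms, 0)

def scan_ir(dev, opcode):
    """IR scan from Run-Test/Idle; returns the captured IR bits, LSB first."""
    walk(dev, (1, 1, 0, 0))                 # RTI -> SEL_DR -> SEL_IR -> CAP_IR -> SHIFT_IR
    out = [dev.clock(int(i == dev.IR_LEN - 1), (opcode >> i) & 1) for i in range(dev.IR_LEN)]
    walk(dev, (1, 0))                       # EXIT1_IR -> UPDATE_IR -> RTI
    return out

def scan_dr(dev, tdi_bits):
    """DR scan from Run-Test/Idle; returns the bits shifted out, first bit first."""
    walk(dev, (1, 0, 0))                    # RTI -> SEL_DR -> CAP_DR -> SHIFT_DR
    last = len(tdi_bits) - 1
    out = [dev.clock(int(i == last), b) for i, b in enumerate(tdi_bits)]
    walk(dev, (1, 0))                       # EXIT1_DR -> UPDATE_DR -> RTI
    return out

def read_idcode(dev):
    """Five TMS=1 clocks reach Test-Logic-Reset from any state and select IDCODE,
    so the very next DR scan yields the 32-bit ID, LSB first."""
    walk(dev, (1, 1, 1, 1, 1, 0))           # ... -> TLR -> RTI
    return sum(b << i for i, b in enumerate(scan_dr(dev, [0] * 32)))

def decode_idcode(idcode):
    """IEEE 1149.1 IDCODE: [31:28] version, [27:12] part number, [11:1] JEDEC manufacturer, [0] = 1."""
    if idcode & 1 != 1:
        raise ValueError("bit 0 is 0: device has no IDCODE register, only BYPASS")
    return {"version": idcode >> 28, "part": (idcode >> 12) & 0xFFFF, "manufacturer": (idcode >> 1) & 0x7FF}

# Constructed IDCODE: version 1, part 0xABCD, manufacturer 0x0F0 (placeholder, not a real JEDEC code).
SAMPLE_IDCODE = (1 << 28) | (0xABCD << 12) | (0x0F0 << 1) | 1

if __name__ == "__main__":
    dev = TapDevice(SAMPLE_IDCODE)
    code = read_idcode(dev)
    print("IDCODE 0x%08X ->" % code, decode_idcode(code))
    scan_ir(dev, BYPASS_OP)
    print("bypass echoes TDI one clock late:", scan_dr(dev, [1, 0, 1, 1]))
```

Two details matter when the same procedure is done on real hardware: a reset is forced by holding TMS high for five clocks, which is why an adapter with an uncertain starting state can always recover, and a device without an IDCODE register answers the first DR bit with 0 (its BYPASS register), which is how tools distinguish the two cases and count devices on a longer chain, since every extra TAP adds either a 32-bit ID or a single bypass bit to the shift path.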