Video Converter
Audio Converter
Image Converter
PDF Converter
File Compressor
a network forensic analysis framework

A Network Forensic Analysis Framework Professor Patrick McDaniel - PowerPoint PPT Presentation

Oct 12, 2023 •19 likes •383 views

A Network Forensic Analysis Framework Professor Patrick McDaniel Daniel Krych Fall 2015 About An extensible network forensic analysis framework. Enables rapid development of plugins to support the dissection of network packet captures.

  1. A Network Forensic Analysis Framework Professor Patrick McDaniel Daniel Krych Fall 2015

  2. About • An extensible network forensic analysis framework. • Enables rapid development of plugins to support the dissection of network packet captures. • Key features: ‣ Robust stream reassembly ‣ IPv4 and IPv6 support ‣ Custom output handlers ‣ Chainable decoders • Billy Glodek Page

  3. Page

  4. Installation (Ubuntu) > sudo apt-get install git > git clone https://github.com/USArmyResearchLab/Dshell.git > sudo apt-get install python-crypto python-dpkt python-ipy python-pypcap python-pip > sudo pip install pygeoip Download GeoLite Country, GeoLite Country IPv6, GeoLite ASN, GeoLite ASN IPv6 http://dev.maxmind.com/geoip/legacy/geolite/ > gunzip * Move the MaxMind dat files to ~/Dshell/share/GeoIP/ > cd ~/Dshell > make > ./dshell If you get a Dshell> prompt, you're good to go! Page

  5. Malware Traffic Analysis • http://www.malware-traffic-analysis.net/ > wget http://www.malware-traffic- analysis.net/2014/11/16/2014-11-16- traffic-analysis-exercise.pcap Page

  6. General Usage • To run a decoder > decode – d <decoder> *.pcap • To list all decoders > decode – l • To get help > decode – h • To learn more about a specific decoder > decode – d <decoder> Page

  7. > decode – l Page

  8. Example Uses - followstream • Generates color-coded Screen/HTML output similar to Wireshark Follow Stream. • Default filter: tcp > decode – d followstream 2014-11-16- traffic-analysis-exercise.pcap Page

  9. Example Uses - followstream Page

  10. Example Uses - web • Tracks server responses • Default filter: tcp and (port 80 or port 8080 or port 8000) > decode – d web 2014-11-16-traffic- analysis-exercise.pcap Page

  11. Example Uses - web Page

  12. Example Uses - DNS • Extracts and summarizes DNS queries/responses (defaults: A,AAAA,CNAME,PTR records), • Default filter: (udp and port 53) > decode -d dns 2014-11-16-traffic- analysis-exercise.pcap Page

  13. Example Uses - DNS Page

  14. Example Uses - DHCP • Extracts client information from DHCP messages • Default filter: (udp and port 67) > decode -d dhcp 2014-11-16-traffic- analysis-exercise.pcap Page

  15. Example Uses - DHCP Page

  16. So, how does it work? Page

  17. dpkt • An ethernet packet decoding module • Python library - Dug Song & Jon Oberheide • leveraged by Dshell • https://github.com/kbandla/dpkt Page

  18. Dshell Types Page

  19. Dshell Types Page

  20. Dshell Classes ~/Dshell/lib/dshell.py Page

  21. Dshell Classes ~/Dshell/lib/dshell.py Page

  22. Dshell Classes ~/Dshell/lib/dshell.py Page

  23. Dshell Classes ~/Dshell/lib/dshell.py Page

  24. Dshell Classes ~/Dshell/lib/dshell.py Page

  25. Dshell Classes ~/Dshell/lib/dshell.py Page

  26. Dshell Classes ~/Dshell/lib/dshell.py Page

  27. Dshell Classes ~/Dshell/lib/dshell.py Page

  28. Dshell Classes ~/Dshell/lib/dshell.py Page

  29. Dshell Classes ~/Dshell/lib/dshell.py Page

  30. Dshell Classes ~/Dshell/lib/dshell.py Page

  31. User-Agent Author: Eric Kilmer Page

  32. User-Agent Author: Eric Kilmer Page

  33. Useful tools • Python libraries: ‣ util.hexPlusAscii • Function to print hex and Ascii side-by- side ‣ binascii.hexlify / binascii.unhexlify • tcpdump • Wireshark Page

  34. Additional Notes • Decoders can be chainable ‣ see the country decoder for an example • Read the protocol’s RFCs • Make your code more pythonic ‣ Raymond Hettinger’s Tips and Tricks https://gist.github.com/JeffPaine/6213790 ‣ Youtube videos of Raymond’s talks https://www.youtube.com/watch?v=wf-BqAjZb8M https://www.youtube.com/watch?v=OSGv2VnC0go ‣ PEP 8 Style Guide for Python Code https://www.python.org/dev/peps/pep-0008/ Page

  35. Our Contributions • Dan - DHCP, NBNS, Bitcoin • Eric – User-Agent, Flash-Detect, teredo • Mark – WebColors, ether • Nate – accept-filter, asn-filter, flow-range, uaabf, entropy Page

  36. Assignment • Repeat the process in these slides using the DNS, Followstream, and Web decoders for Dshell on 3 different pcap’s (malware-traffic-analysis.net) • What information can you discover using these decoders? • Write a new decoder that parses out the ‘Referrer’ field from a HTTP Header (HINT: This will be similair to the ‘User - Agent’ decoder discussed earlier) • What will this provide us with? What else could we add to the decoder to make it more useful as an analysis tool? Page

Recommend

Forensic Challenge V2.0 UNAM-CERT RedIRIS Topics * Forensic Challenge V1.0 * Forensic

Forensic Challenge V2.0 UNAM-CERT RedIRIS Topics * Forensic Challenge V1.0 * Forensic

Forensic Challenge V2.0 UNAM-CERT RedIRIS Topics * Forensic Challenge V1.0 * Forensic Challenge V2.0 * Conclusions Introduction Why this forensic Challenge ? * To promote and impulse the Forensic Analysis in our Region -- Hispanoamerica--

561 views • 19 slides
Forensic Science Center Forensic Science Center -10 Budget 10 Budget FY 09- FY 09 Forensic

Forensic Science Center Forensic Science Center -10 Budget 10 Budget FY 09- FY 09 Forensic

Forensic Science Center Forensic Science Center -10 Budget 10 Budget FY 09- FY 09 Forensic Science Center Forensic Science Center Medical Examiner: Cause/Manner of Death Medical Examiner: Cause/Manner of Death Forensic Chemistry:

393 views • 28 slides
Specialized Topics in Ethical Forensic Practice, Part 3: Bias in Forensic Evaluations November 18,

Specialized Topics in Ethical Forensic Practice, Part 3: Bias in Forensic Evaluations November 18,

Specialized Topics in Ethical Forensic Practice, Part 3: Bias in Forensic Evaluations November 18, 2015 Ohio MHAS Forensic Conference Columbus, OH Terry Kukor, Ph.D., ABPP Board Certified in Forensic Psychology Director of Forensic Services Netcare

1.29k views • 67 slides
Forensic Mental Health Care in the Texas State Hospital System Matthew Faubion, M.D. Forensic

Forensic Mental Health Care in the Texas State Hospital System Matthew Faubion, M.D. Forensic

Forensic Mental Health Care in the Texas State Hospital System Matthew Faubion, M.D. Forensic Psychiatrist Chief of Forensic Medicine Health and Specialty Care System HHSC Overview The Forensic Patient in Texas Pre-Admission Clinical

692 views • 37 slides
Regional Forensic Trainings 2013 Pathways to Conditional Release: An Overview of the Forensic

Regional Forensic Trainings 2013 Pathways to Conditional Release: An Overview of the Forensic

Regional Forensic Trainings 2013 Pathways to Conditional Release: An Overview of the Forensic Mental Health System Robert N. Baker, PhD Assistant Chief Office of Forensic Services, ODMH Objectives Provide an overview of the forensic

583 views • 40 slides
THE NEW FORENSIC PATIENT Learning Objectives Review the epidemiology of forensic populations

THE NEW FORENSIC PATIENT Learning Objectives Review the epidemiology of forensic populations

THE NEW FORENSIC PATIENT Learning Objectives Review the epidemiology of forensic populations Explore various clinical presentations seen in forensic settings Implement evidence-based and novel treatment strategies to the new forensic

949 views • 80 slides
qPCR in forensic DNA analysis Johannes Hedman Researcher, Applied Microbiology, Lund University

qPCR in forensic DNA analysis Johannes Hedman Researcher, Applied Microbiology, Lund University

qPCR in forensic DNA analysis Johannes Hedman Researcher, Applied Microbiology, Lund University Specialist, Swedish National Laboratory of Forensic Science Forensic science Every contact leaves a trace Edmond Locard (1877 1966) Forensic

1.32k views • 78 slides
Drugs in Oral Fluid AS4760 Olaf H. Drummer December 9, 2013 DEPARTMENT OF FORENSIC MEDICINE

Drugs in Oral Fluid AS4760 Olaf H. Drummer December 9, 2013 DEPARTMENT OF FORENSIC MEDICINE

DEPARTMENT OF FORENSIC MEDICINE Victorian Institute of Forensic Medicine Standards Australia Forum Drugs in Oral Fluid AS4760 Olaf H. Drummer December 9, 2013 DEPARTMENT OF FORENSIC MEDICINE Victorian Institute of Forensic Medicine AS

397 views • 27 slides
CS CSI: I: DUND DUNDEE EE Th The e Fo Fore rensic nsic To Tool olkit kit Meet the

CS CSI: I: DUND DUNDEE EE Th The e Fo Fore rensic nsic To Tool olkit kit Meet the

CS CSI: I: DUND DUNDEE EE Th The e Fo Fore rensic nsic To Tool olkit kit Meet the Team Meet the Team What is Forensic Science? What is Forensic Science? Why Forensic Science? Why Forensic Science? Why Forensic Science? Why

716 views • 54 slides
Challenges in Crime Scene Investigation Technical challenges in forensic STR profiling

Challenges in Crime Scene Investigation Technical challenges in forensic STR profiling

Epigenetics a New Perspective for Improving Forensic Science p g Hwan Young Lee, Ph.D. Department of Forensic Medicine Yonsei University College of Medicine Current Forensic DNA Typing Forensic cases -- matching suspect with evidence

248 views • 13 slides
Forensic Ballistics In Court Interpretation And Presentation Of Firearms Evidence Forensic

Forensic Ballistics In Court Interpretation And Presentation Of Firearms Evidence Forensic

Forensic Ballistics In Court Interpretation And Presentation Of Firearms Evidence.pdf Forensic Ballistics In Court Interpretation And Presentation Of Firearms Evidence Forensic Ballistics In Court Interpretation And Presentation Of Firearms

487 views • 46 slides
Expectancy bias and Bias and forensic evidence Bias and speech research forensic speech

Expectancy bias and Bias and forensic evidence Bias and speech research forensic speech

Overview Bias effects Expectancy bias and Bias and forensic evidence Bias and speech research forensic speech research Blind forensic speech research Maartje Schreuder TMFI / Maastricht University I AFPA 2011 Bundeskrim

182 views • 7 slides
Current Forensic DNA Typing o Forensic cases -- matching suspect with evidence Involves generation

Current Forensic DNA Typing o Forensic cases -- matching suspect with evidence Involves generation

Epigenetic age signatures in the forensically relevant body fluid of semen Hwan Yong Lee Department of Forensic Medicine Yonsei University College of Medicine Seoul, Korea Current Forensic DNA Typing o Forensic cases -- matching suspect with

538 views • 14 slides
GOJ Audit Commission Conference 2016 PRESENTS : FORENSIC Forensic Audits-Help for Todays

GOJ Audit Commission Conference 2016 PRESENTS : FORENSIC Forensic Audits-Help for Todays

GOJ Audit Commission Conference 2016 PRESENTS : FORENSIC Forensic Audits-Help for Todays Entity Thursday, October 27, 2016 PRESENTER : COLLIN A. A. GREENLAND, Forensic Accountant, MBA, FJIM, CFE, CFSA, CFC. 1 To Sensitize /

1.12k views • 88 slides
Presentation of Forensic Science Evidence Dr. Ran B. Singh, Forensic Science Laboratory, Lucknow

Presentation of Forensic Science Evidence Dr. Ran B. Singh, Forensic Science Laboratory, Lucknow

Presentation of Forensic Science Evidence Dr. Ran B. Singh, Forensic Science Laboratory, Lucknow - 226 006, Forensic science evidence can be broadly classified into scientific evidence - when the results of scientific experiments/observations

424 views • 5 slides
10. Forensic Issues I A MERICAN P SYCHOLOGICAL A SSOCIATION Forensic Issues For people with SMI,

10. Forensic Issues I A MERICAN P SYCHOLOGICAL A SSOCIATION Forensic Issues For people with SMI,

10. Forensic Issues I A MERICAN P SYCHOLOGICAL A SSOCIATION Forensic Issues For people with SMI, the prevalence of containment in prison/forensic system is high: men 15%; women 31% For people exhibiting symptoms: 67 % greater likelihood of

367 views • 7 slides
Network Dissection: Quantifying Interpretability of Deep Visual Representations By David Bau,

Network Dissection: Quantifying Interpretability of Deep Visual Representations By David Bau,

Network Dissection: Quantifying Interpretability of Deep Visual Representations By David Bau, Bolei Zhou, Aditya Khosla, Aude Oliva, Antonio Torralba CS 381V Thomas Crosley and Wonjoon Goo Detectors Credit: slide from the original paper Unit

1.39k views • 39 slides
ULTIMATE A Multicenter, Prospective, Randomized Trial Comparing Intravascular Ultrasound-guided

ULTIMATE A Multicenter, Prospective, Randomized Trial Comparing Intravascular Ultrasound-guided

ULTIMATE ULTIMATE A Multicenter, Prospective, Randomized Trial Comparing Intravascular Ultrasound-guided versus Angiography-guided Implantation of Drug-Eluting Stent in All-comers Jun-Jie Zhang, MD, PhD Xiaofei Gao, Jing Kan, Zhen Ge, Leng

244 views • 9 slides
Closing the Smoothness and Uniformity Gap in Area Fill Synthesis Y. Chen , , A. B. Kahng, G.

Closing the Smoothness and Uniformity Gap in Area Fill Synthesis Y. Chen , , A. B. Kahng, G.

Supported by Cadence Design Systems, Inc., NSF, the Packard Foundation, and State of Georgias Yamacraw Initiative Closing the Smoothness and Uniformity Gap in Area Fill Synthesis Y. Chen , , A. B. Kahng, G. Robins, A. Zelikovsky A. B.

532 views • 27 slides
Dissecting media file formats with Kaitai Struct FOSDEM 2017 Mikhail Yakshin (GreyCat) Kaitai

Dissecting media file formats with Kaitai Struct FOSDEM 2017 Mikhail Yakshin (GreyCat) Kaitai

Dissecting media file formats with Kaitai Struct FOSDEM 2017 Mikhail Yakshin (GreyCat) Kaitai Project http://kaitai.io/ Twitter: @kaitai_io File formats: a problem? Media software developers have to deal with multitude of different

396 views • 25 slides
Tutorial on Interpreting and Explaining Deep Models in Computer Vision Wojciech Samek Grgoire

Tutorial on Interpreting and Explaining Deep Models in Computer Vision Wojciech Samek Grgoire

Tutorial on Interpreting and Explaining Deep Models in Computer Vision Wojciech Samek Grgoire Montavon Klaus-Robert Mller (Fraunhofer HHI) (TU Berlin) (TU Berlin) 08:30 - 09:15 Introduction KRM 09:15 - 10:00 Techniques for Interpretability

417 views • 23 slides
Combinatorics and topology of toric arrangements Emanuele Delucchi (SNSF / Universit e de

Combinatorics and topology of toric arrangements Emanuele Delucchi (SNSF / Universit e de

Combinatorics and topology of toric arrangements Emanuele Delucchi (SNSF / Universit e de Fribourg) Toblach/Dobbiaco February 21-24, 2017 The plan I. Combinatorics of (toric) arrangements. Enumeration and structure theory: posets,

532 views • 35 slides
Introduction to latin bitrades AAA 88, Warszawa, Poland, June 22, 2014 Ale s Dr apal

Introduction to latin bitrades AAA 88, Warszawa, Poland, June 22, 2014 Ale s Dr apal

Introduction to latin bitrades AAA 88, Warszawa, Poland, June 22, 2014 Ale s Dr apal drapal@karlin.mff.cuni.cz Karlova Universita, Praha (i.e., Charles University, Prague) Czech Republic Introduction to latin bitrades p. 1

1.33k views • 77 slides
Variations of Parotidectomy Variations of Parotidectomy Indications and Technique

Variations of Parotidectomy Variations of Parotidectomy Indications and Technique

Variations of Parotidectomy Variations of Parotidectomy Indications and Technique Indications and Technique Kerry D. Olsen, M.D. Kerry D. Olsen, M.D. Professor and Chair Professor and Chair Head and Neck Surgery Head and Neck

668 views • 33 slides

More recommend

Explore More Topics

Stay informed with curated content and fresh updates.

animals pets art culture automotive transportation business finance computer internet construction architecture education-career electronics communication

Logo Sambuz

Unleash a World of Digital Possibilities—Browse, Share, and Explore Content Without Boundaries

Useful Links

About Us Privacy Services FAQ's Contact

Newsletter

Stay Informed & Inspired—Subscribe for the Latest Updates, Tips, and Exclusive Content Directly to Your Inbox.

Mail Us

mail@sambuz.com

2026 SAMBUZ, All right reserved.