Research Article
Advanced Techniques for Reconstruction of Incomplete Network Data
@INPROCEEDINGS{10.1007/978-3-319-25512-5_6,
  author={Petr Matoušek and Jan Pluskal and Ondřej Ryšavý and Vladimír Veselý and Martin Kmeť and Filip Karpíšek and Martin Vymlátil},
  title={Advanced Techniques for Reconstruction of Incomplete Network Data},
  proceedings={Digital Forensics and Cyber Crime. 7th International Conference, ICDF2C 2015, Seoul, South Korea, October 6--8, 2015, Revised Selected Papers},
  proceedings_a={ICDF2C},
  year={2015},
  month={10},
  keywords={Network forensic tools, TCP reassembling, Traffic reconstruction, Web mail, Bitcoin, SSL encryption},
  doi={10.1007/978-3-319-25512-5_6}
}
- Petr Matoušek
- Jan Pluskal
- Ondřej Ryšavý
- Vladimír Veselý
- Martin Kmeť
- Filip Karpíšek
- Martin Vymlátil
Year: 2015
Venue: ICDF2C
Publisher: Springer
DOI: 10.1007/978-3-319-25512-5_6
Abstract
Network forensics is a method of obtaining and analyzing digital evidence from network sources. Network forensics includes data acquisition, selection, processing, analysis, and presentation to investigators. Due to the high volumes of transmitted data, the acquired information can be incomplete, corrupted, or disordered, which makes further reconstruction difficult. In this paper, we address the issue of advanced parsing and reconstruction of incomplete, corrupted, or disordered data packets. We introduce a technique that recovers TCP or UDP conversations so that they can be further analyzed by application parsers. The presented technique is implemented in a new network forensic tool called Netfox Detective. We also discuss current challenges in parsing web mail communication, SSL decryption, and Bitcoin detection.