Digital Forensics and Cyber Crime. 7th International Conference, ICDF2C 2015, Seoul, South Korea, October 6–8, 2015, Revised Selected Papers

Research Article

Advanced Techniques for Reconstruction of Incomplete Network Data

  • @INPROCEEDINGS{10.1007/978-3-319-25512-5_6,
        author={Petr Matoušek and Jan Pluskal and Ondřej Ryšavý and Vladimír Veselý and Martin Kmeť and Filip Karpíšek and Martin Vymlátil},
        title={Advanced Techniques for Reconstruction of Incomplete Network Data},
        proceedings={Digital Forensics and Cyber Crime. 7th International Conference, ICDF2C 2015, Seoul, South Korea, October 6--8, 2015, Revised Selected Papers},
        proceedings_a={ICDF2C},
        year={2015},
        month={10},
        keywords={Network forensic tools, TCP reassembling, Traffic reconstruction, Web mail, Bitcoin, SSL encryption},
        doi={10.1007/978-3-319-25512-5_6}
    }
  • Petr Matoušek
    Jan Pluskal
    Ondřej Ryšavý
    Vladimír Veselý
    Martin Kmeť
    Filip Karpíšek
    Martin Vymlátil
    Year: 2015
    Advanced Techniques for Reconstruction of Incomplete Network Data
    ICDF2C
    Springer
    DOI: 10.1007/978-3-319-25512-5_6
Petr Matoušek1,*, Jan Pluskal1,*, Ondřej Ryšavý1,*, Vladimír Veselý1,*, Martin Kmeť1,*, Filip Karpíšek1,*, Martin Vymlátil1,*
  • 1: Brno University of Technology
*Contact email: matousp@fit.vutbr.cz, ipluskal@fit.vutbr.cz, rysavy@fit.vutbr.cz, ivesely@fit.vutbr.cz, ikmet@fit.vutbr.cz, ikarpisek@fit.vutbr.cz, xvymla01@stud.fit.vutbr.cz

Abstract

Network forensics is a method of obtaining and analyzing digital evidence from network sources. It includes data acquisition, selection, processing, analysis, and presentation to investigators. Due to the high volume of transmitted data, the acquired information can be incomplete, corrupted, or disordered, which makes further reconstruction difficult. In this paper, we address the issue of advanced parsing and reconstruction of incomplete, corrupted, or disordered data packets. We introduce a technique that recovers TCP or UDP conversations so that they can be further analyzed by application parsers. The presented technique is implemented in a new network forensic tool called Netfox Detective. We also discuss current challenges in parsing web mail communication, SSL decryption, and Bitcoin detection.