Skip to main content

Advanced Techniques for Reconstruction of Incomplete Network Data

  • Conference paper
  • First Online:
Digital Forensics and Cyber Crime (ICDF2C 2015)

Abstract

Network forensics is a method of obtaining and analyzing digital evidences from network sources. Network forensics includes data acquisition, selection, processing, analysis and presentation to investigators. Due to high volumes of transmitted data the acquired information can be incomplete, corrupted, or disordered which makes further reconstruction difficult. In this paper, we address the issue of advanced parsing and reconstruction of incomplete, corrupted, or disordered data packets. We introduce a technique that recovers TCP or UDP conversations so they could be further analyzed by application parsers. Presented technique is implemented in a new network forensic tool called Netfox Detective. We also discuss current challenges in parsing web mail communication, SSL decryption and Bitcoins detection.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 54.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 72.00
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

Notes

  1. 1.

    MaxLost was experimentally set to 4 kB, which is more than two times greater than maximal Ethernet PDU size, i.e., 1500 Bytes. MaxTime is six times greater than recommended TCP connection failure timeout as defined in RFC 1122. These values say that packet loss longer than 600 secs or missing 4 kB cannot be successfully recovered.

  2. 2.

    See https://bitcoint.org/en/developer-documenation, June, 2015.

References

  1. Cohen, M.I.: PyFlag - an advanced network forensic framework. Digit. Investig. 5, 112–120 (2008)

    Article  Google Scholar 

  2. Pilli, E.S., Joshi, R.C., Niyogi, R.: Network forensic frameworks: survey and research challenges. Digit. Investig. 7, 14–27 (2010)

    Article  Google Scholar 

  3. Hunt, R., Zeadally, S.: Network forensics: an analysis of techniques, tools, and trends. Computer 45, 36–43 (2012)

    Article  Google Scholar 

  4. Dharmapurikar, S., Paxson, V.: Robust TCP stream reassembly in the presence of adversaries. In: USENIX Security Symposium. (2005)

    Google Scholar 

  5. Postel, J.: Internet Protocol. RFC 791 (1981)

    Google Scholar 

  6. Postel, J.: Transmission Control Protocol. RFC 793 (1981)

    Google Scholar 

  7. Stevens, W., Fenner, B., Rudoff, A.M.: UNIX Network Programming: The Sockets Networking API, 3rd edn. Addison-Wesley, Reading (2004)

    Google Scholar 

  8. Matousek, P., Rysavy, O., Kmet, M.: Fast RTP detection and codecs classification in internet traffic. J. Digit. Forensics Secur. Law 2014, 99–110 (2014)

    Google Scholar 

  9. Hjelmvik, E., John, W.: Statistical protocol identification with SPID: preliminary results. In: Swedish National Computer Networking Workshop (2009)

    Google Scholar 

  10. Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P., Barners-Lee, T.: Hypertext Transfer Protocol - HTTP/1.1. IETF RFC 2616 (1999)

    Google Scholar 

  11. Dierks, T., Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.2. IETF RFC 5246 (2008)

    Google Scholar 

  12. McGrew, D.: An Interface and Algorithms for Authenticated Encryption. IETF RFC 5116 (2008)

    Google Scholar 

  13. Davidoff, S., Ham, J.: Network Forensics: Tracking Hackers through Cyberspace, 1st edn. Prentice Hall, Upper Saddle River (2012)

    Google Scholar 

Download references

Acknowledgment

Research in this paper was supported by project “Modern Tools for Detection and Mitigation of Cyber Criminality on the New Generation Internet”, no. VG20102015022 granted by Ministry of the Interior of the Czech Republic and an internal University project “Research and application of advanced methods in ICT”, no. FIT-S-14-2299 granted by Brno University of Technology.

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Petr Matoušek .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and permissions

Copyright information

© 2015 Institute for Computer Sciences, Social informatics and Telecommunication Engineering

About this paper

Cite this paper

Matoušek, P. et al. (2015). Advanced Techniques for Reconstruction of Incomplete Network Data. In: James, J., Breitinger, F. (eds) Digital Forensics and Cyber Crime. ICDF2C 2015. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 157. Springer, Cham. https://doi.org/10.1007/978-3-319-25512-5_6

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-25512-5_6

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-25511-8

  • Online ISBN: 978-3-319-25512-5

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics