
Advanced Techniques for Reconstruction of Incomplete Network Data

Part of the Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering book series (LNICST, volume 157)

Abstract

Network forensics is a method of obtaining and analyzing digital evidence from network sources. It covers data acquisition, selection, processing, analysis, and presentation to investigators. Because of the high volume of transmitted data, the acquired information can be incomplete, corrupted, or disordered, which makes further reconstruction difficult. In this paper, we address the issue of advanced parsing and reconstruction of incomplete, corrupted, or disordered data packets. We introduce a technique that recovers TCP or UDP conversations so that they can be further analyzed by application parsers. The presented technique is implemented in a new network forensic tool called Netfox Detective. We also discuss current challenges in parsing web mail communication, SSL decryption, and Bitcoin detection.

Keywords

  • Network forensic tools
  • TCP reassembling
  • Traffic reconstruction
  • Web mail
  • Bitcoin
  • SSL encryption


Notes

  1.

    MaxLost was experimentally set to 4 kB, which is more than two times the maximal Ethernet PDU size, i.e., 1500 bytes. MaxTime is six times the recommended TCP connection failure timeout defined in RFC 1122. These values mean that a packet loss lasting longer than 600 seconds, or a hole of more than 4 kB, cannot be successfully recovered.

  2.

    See https://bitcoint.org/en/developer-documenation, June, 2015.
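As an added example (not code from the paper or from Netfox Detective), the following simplified reassembler applies the MaxLost and MaxTime limits quoted in note 1 to one direction of a TCP conversation with out-of-order, duplicated and partially lost segments. Zero-filling tolerable holes, and reading "4 kB" as 4096 bytes, are assumptions made here, not details given by the paper.

```python
# Added example, not code from the paper or Netfox Detective: a one-direction
# TCP reassembler applying the MaxLost/MaxTime thresholds from note 1. How the
# tool fills holes is not described on the page; here (an assumption) tolerable
# holes are zero-filled and recorded, larger ones mark the stream unrecoverable.
from dataclasses import dataclass, field

MAX_LOST = 4 * 1024   # bytes; "4 kB" in note 1, read here as 4096
MAX_TIME = 600.0      # seconds; "600 secs" in note 1

@dataclass
class Segment:
    seq: int       # sequence number of the first payload byte
    ts: float      # capture timestamp in seconds
    data: bytes

@dataclass
class Reassembly:
    payload: bytes = b""
    gaps: list = field(default_factory=list)  # (start_seq, length) of filled holes
    recoverable: bool = True
    reason: str = ""

def reassemble(segments, isn):
    """Rebuild one direction of a conversation from disordered, duplicated
    or partially lost segments; isn is the first expected payload seq."""
    out = Reassembly()
    next_seq, last_ts = isn, None
    for seg in sorted(segments, key=lambda s: s.seq):
        end = seg.seq + len(seg.data)
        if end <= next_seq:
            continue                      # pure retransmission, nothing new
        if seg.seq > next_seq:            # hole before this segment
            missing = seg.seq - next_seq
            elapsed = 0.0 if last_ts is None else seg.ts - last_ts
            if missing > MAX_LOST or elapsed > MAX_TIME:
                out.recoverable = False
                out.reason = f"{missing} B / {elapsed:.0f} s lost at seq {next_seq}"
                return out
            out.gaps.append((next_seq, missing))
            out.payload += b"\x00" * missing  # placeholder for lost bytes
            next_seq = seg.seq
        out.payload += seg.data[next_seq - seg.seq:]  # drop overlapping prefix
        next_seq, last_ts = end, seg.ts
    return out

# Constructed sample: three segments, the second captured out of order and
# 8 bytes lost between the last two.
SAMPLE = [Segment(1000, 0.00, b"GET /index.h"), Segment(1024, 0.02, b"HTTP/1.1\r\n"),
          Segment(1012, 0.01, b"tml ")]
```

Calling `reassemble(SAMPLE, 1000)` yields the request text with an 8-byte zero-filled hole recorded in `gaps`, while a hole larger than MaxLost or a silence longer than MaxTime returns `recoverable == False` with the offending offset in `reason`.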


Acknowledgment

Research in this paper was supported by project “Modern Tools for Detection and Mitigation of Cyber Criminality on the New Generation Internet”, no. VG20102015022 granted by Ministry of the Interior of the Czech Republic and an internal University project “Research and application of advanced methods in ICT”, no. FIT-S-14-2299 granted by Brno University of Technology.


Correspondence to Petr Matoušek.


Copyright information

© 2015 Institute for Computer Sciences, Social informatics and Telecommunication Engineering

Cite this paper

Matoušek, P. et al. (2015). Advanced Techniques for Reconstruction of Incomplete Network Data. In: James, J., Breitinger, F. (eds) Digital Forensics and Cyber Crime. ICDF2C 2015. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 157. Springer, Cham. https://doi.org/10.1007/978-3-319-25512-5_6

  • DOI: https://doi.org/10.1007/978-3-319-25512-5_6

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-25511-8

  • Online ISBN: 978-3-319-25512-5

  • eBook Packages: Computer Science (R0)