Network Packet Forensic using Wireshark

Today we are going to discuss “Network Packet Forensic” by covering some important topics such as how data is transferred between two nodes, what the “OSI 7 layer model” is, and how Wireshark stores each layer’s information when capturing the traffic between two networks.

As we know, to transfer data from one system to another we need a network connection, which can be wired or wireless. But the actual transmission of data does not depend on the network connection alone; it involves several phases for moving data from one system to another, which are explained by the OSI model.

OSI stands for Open Systems Interconnection model, a conceptual model that defines and standardizes the process of communication between the sender’s and receiver’s systems. The data is transferred through a 7-layer architecture where each layer has a specific function in handing data on to the next layer.

Now have a look at the image given below, where we have explained the functionality of each layer in the OSI model. When data is transmitted by the sender’s network it travels in the downward direction, moving from the application layer to the physical layer, whereas when the receiver receives the transmitted data it travels in the upward direction, from the physical layer to the application layer.

Flow of Data from Sender’s network: Application > Presentation > Session > Transport > Network > Data Link > Physical

Flow of Data from Receiver’s network: Physical > Data Link > Network > Transport > Session > Presentation > Application

Examine Layers captured by Wireshark

Basically, when a user opens an application for sending or receiving data, he directly interacts with the application layer for both operations. For example, we act as a client when we use the HTTP protocol for uploading or downloading a game, FTP for downloading a file, or SSH for accessing the shell of a remote system.

While connecting to any application for sharing data between server and client, we make use of Wireshark to capture the flow of network traffic and examine the OSI model theory through the captured traffic.

From the image given below you can observe that Wireshark has captured the traffic of four layers in the direction from the source (sender) to the destination (receiver) network.

Here it has successfully captured Layer 2 > Layer 3 > Layer 4 and then Layer 7 information.

Ethernet Header (Data Link)

The data link layer holds the 6-byte MAC address of the sender’s system and the 6-byte MAC address of the receiver’s system, followed by a 2-byte EtherType that indicates which protocol is encapsulated, i.e. IPv4, IPv6 or ARP.

In Wireshark the Ethernet II layer represents the information transmitted over the data link layer. From the image given below you can observe that the highlighted lower pane of Wireshark shows the information in hexadecimal format, where the first row holds the Ethernet header details.

So here you can get the source and destination MAC addresses, which are also available in the Ethernet Header.

The row is divided into three columns as described below:

As we know, the MAC address of a system is always represented in hexadecimal format, but both types are generally categorized in the ways given below:

Once again, if you look at the image given below you can observe that the highlighted text in pink shows the hex value 08 00, which indicates that IPv4 is used here.

IP Header (Network Layer)

The IP header in Wireshark describes the network layer information, which is also known as the backbone of the OSI model, as it holds the complete details of Internet Protocol version 4. The network layer divides data frames into packets and defines their routing path through hardware devices such as routers, bridges, and switches. These packets are identified through their logical addresses, i.e. the source and destination IP addresses.

In the Wireshark image, I have highlighted the six most important values, which contain vital information about a data packet; this information always appears in the same order, as it is encapsulated in the same pattern for each IP header.

Now here, 45 represents the version and IP header length, where “4” indicates IP version 4 and “5” is the header length field (a value of 5, which the 20-byte header length is derived from below). 40 is the time to live (TTL) of the packet and 06 is the hex value for the TCP protocol, which means these values change if anything changes, i.e. the TTL, the IP version or the protocol.

Therefore, you can take help from the table given below for examining the TTL value for different operating systems.

Similarly, you can take help from the table given below for examining other protocol values.

From the image given below you can observe the hexadecimal information of the IP header fields, and using the given tables you can study these values to obtain their original meaning.

The IP header length field is given in 32-bit words; here it is 5, which is also the minimum IP header length, so multiply 5 by 4 to get 20 bytes.

TCP Header (Transport Layer)

Transmission Control Protocol (TCP), User Datagram Protocol (UDP) and Internet Control Message Protocol (ICMP) are the major protocols, as they give host-to-host connectivity at the Transport Layer of the OSI model. It is also known as the heart of the OSI model, as it plays a major role in transmitting error-free data.

By examining the Network Layer information through Wireshark we found that TCP is used here for establishing a connection with the destination network.

We know that when a computer communicates with another device like a modem, printer, or network server, it needs to handshake with it to establish a connection.

TCP follows a Three-Way Handshake as described below:

  • The client sends a TCP packet to the server with the SYN flag set.
  • The server responds to the client request with the SYN and ACK flags set.
  • The client completes the connection by sending a packet with the ACK flag set.

Structure of TCP segment

Transmission Control Protocol accepts data from a data stream, splits it into chunks, and adds a TCP header creating a TCP segment. A TCP segment only carries the sequence number of the first byte in the segment.

A TCP segment consists of a segment header and a data section. The TCP header contains mandatory fields and an optional extension field.

  • Source Port: The 16-bit source port number; identifies the sending port.
  • Destination Port: The 16-bit destination port number; identifies the receiving port.
  • Sequence Number: The sequence number of the first data byte in this segment. If the SYN control bit is set, the sequence number is the initial sequence number (n) and the first data byte is n+1.
  • Acknowledgment Number: If the ACK control bit is set, this field contains the value of the next sequence number that the receiver is expecting to receive.
  • Data Offset: The number of 32-bit words in the TCP header. It indicates where the data begins.
  • Reserved: Six bits reserved for future use; must be zero.
  • Flags: CWR, ECE, URG, ACK, PSH, RST, SYN, FIN
  • Window: Used in ACK segments. It specifies the number of data bytes, beginning with the one indicated in the acknowledgment number field, that the receiver (the sender of this segment) is willing to accept.
  • Checksum: The 16-bit one’s complement of the one’s complement sum of all 16-bit words in a pseudo-header, the TCP header, and the TCP data. While computing the checksum, the checksum field itself is considered zero.
  • Urgent Pointer: Points to the first data octet following the urgent data. Only significant when the URG control bit is set.
  • Options: Just as in the case of IP datagram options, an option can be either a single byte containing the option number, or a variable-length option in the format given below.
  • Padding: The TCP header padding is used to ensure that the TCP header ends and the data begins on a 32-bit boundary. The padding is composed of zeros.

Different Types of TCP flags

TCP flags are used within the TCP header; they are control bits that specify particular connection states or information about how a packet should be handled. The TCP flag field in a TCP segment helps us understand the function and purpose of any packet in the connection.

From the image given below you can observe the hexadecimal information of the TCP header fields, and using the given table you can study these values to obtain their original meaning.
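The header values the article reads off Wireshark's hex pane (EtherType 08 00, the 45 version/IHL byte, TTL 40, protocol 06, and the TCP flags) can be decoded programmatically. The following is an added example, not code from the original article: it parses constructed Ethernet II/IPv4/TCP frames (MACs and IPs are made up), and labels the three constructed frames with the handshake step their flags correspond to.

```python
"""Decode Ethernet II, IPv4 and TCP headers from raw frame bytes, the way the
article reads 08 00, 45, 40 and 06 off Wireshark's hex pane."""
import struct

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}
# TCP flag bits, from the low end of the 16-bit offset/flags word upwards
TCP_FLAGS = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]


def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def decode_frame(frame):
    """Return the Layer 2, 3 and 4 fields of one frame as a dict."""
    # Ethernet II: 6-byte destination MAC, 6-byte source MAC, 2-byte EtherType
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst_mac": mac(dst), "src_mac": mac(src),
            "ethertype": ETHERTYPES.get(ethertype, hex(ethertype))}
    if ethertype != 0x0800:
        return info
    ip = frame[14:]
    ver_ihl = ip[0]                      # 0x45: version 4, IHL 5
    ihl_bytes = (ver_ihl & 0x0F) * 4     # IHL counts 32-bit words: 5 * 4 = 20
    ttl, proto = ip[8], ip[9]            # e.g. 0x40 = 64, 0x06 = TCP
    info.update({"ip_version": ver_ihl >> 4, "ip_header_len": ihl_bytes,
                 "ttl": ttl, "protocol": IP_PROTOCOLS.get(proto, str(proto)),
                 "src_ip": ".".join(map(str, ip[12:16])),
                 "dst_ip": ".".join(map(str, ip[16:20]))})
    if proto != 6:
        return info
    tcp = ip[ihl_bytes:]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    flags = [n for i, n in enumerate(TCP_FLAGS) if off_flags & (1 << i)]
    info.update({"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
                 "tcp_header_len": (off_flags >> 12) * 4,  # data offset in words
                 "flags": flags})
    return info


def handshake_step(flags):
    """Name the three-way-handshake step a flag set corresponds to, if any."""
    steps = {frozenset({"SYN"}): "1: client SYN",
             frozenset({"SYN", "ACK"}): "2: server SYN-ACK",
             frozenset({"ACK"}): "3: client ACK"}
    return steps.get(frozenset(flags))


def build_frame(src_ip, dst_ip, sport, dport, seq, ack, flags, ttl=64):
    """Construct a minimal TCP/IPv4 frame: no payload, options or checksums.
    The MAC addresses are made up for this example."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, ttl, 6, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    flag_bits = sum(1 << TCP_FLAGS.index(f) for f in flags)
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                      (5 << 12) | flag_bits, 65535, 0, 0)
    return eth + ip + tcp


# Constructed three-way handshake between a client and a web server (port 80)
HANDSHAKE = [
    build_frame("192.168.1.10", "10.0.0.5", 51234, 80, 1000, 0, ["SYN"]),
    build_frame("10.0.0.5", "192.168.1.10", 80, 51234, 5000, 1001, ["SYN", "ACK"]),
    build_frame("192.168.1.10", "10.0.0.5", 51234, 80, 1001, 5001, ["ACK"]),
]


def classify_handshake(frames):
    """Label each frame with its handshake step, in capture order."""
    return [handshake_step(decode_frame(f)["flags"]) for f in frames]
```

To use it on a real capture, feed decode_frame the raw bytes of each frame as read from a pcap; the default TTL of 64 in the constructed frames is the hex 40 the article points out.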

Sequence and acknowledgment numbers are a major part of TCP, and they act as a way to guarantee that all data is transmitted consistently, since all data transferred through a TCP connection must be acknowledged by the receiver in a suitable way. When an acknowledgment is not received, the sender resends all data that is unacknowledged.

Using the table given below you can read the hex values of other port numbers and their protocol services. These services operate after getting an acknowledgment from the destination network and are explored at the application layer of the OSI model.

In this way, you can examine every layer in Wireshark for Network Packet Forensics.


Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast.

Forensics Tools in Kali

Kali Linux needs little introduction; it is one of the most popular tools available to security professionals. It contains a robust package of programs that can be used for conducting a host of security-based operations. One of the many parts in its division of tools is the forensics tab; this tab holds a collection of tools made with the explicit purpose of performing digital forensics.

Forensics is becoming increasingly important in today’s digital age, where many crimes are committed using digital technology; having an understanding of forensics can greatly increase the chance of making certain that criminals don’t get away with a crime.

This article is aimed at giving you an overview of the forensic capabilities possessed by Kali Linux.

So, let’s start with the programs as they appear in the forensics menu:

Autopsy

A tool used by the military, law enforcement and other entities when it comes time to perform forensic operations. This package is probably one of the most robust ones available through open source; it combines the functionalities of many other smaller, more narrowly focused packages into one neat application with a web-browser-based UI.

It is used to investigate disk images. When you click on Autopsy, it starts the service and its user interface can be accessed in the web browser at http://localhost:9999/autopsy. It gives the user a full range of options required to create a new case file: Case Name, Description, Investigator’s Name, Hostname, Host time zone, etc.

Its functionalities include timeline analysis, keyword search, web artifacts, hash filtering, data carving, multimedia and indicators of compromise. It accepts disk images in RAW or E01 format and generates reports in HTML, XLS or body file format, depending on what is required for a particular case.

Its robustness is what makes it such a great tool; be it case management, analysis or reporting, this tool has you covered.

Binwalk

This tool is used when dealing with binary images; it has the capability of finding embedded files and executable code by exploring the image file. It is a very powerful tool for those who know what they are doing; if used right, it can find sensitive information hidden in firmware images, which can lead to uncovering a hack or be used to find a loophole to exploit.

This tool is written in Python and uses the libmagic library, making it perfect for use with magic signatures created for the Unix file utility. To make things easier for investigators, it contains a magic signature file which holds the most commonly found signatures in firmware, making it easier to spot anomalies.

Bulk Extractor

This is a very interesting tool when an investigator is looking to extract certain kinds of data from a digital evidence file; this tool can carve out email addresses, URLs, payment card numbers, etc. It works on directories, files, and disk images. The data can be partially corrupted or compressed; this tool will find its way into it.

The tool comes with features which identify patterns in data that is found repeatedly, such as URLs, email IDs and more, and presents them in histogram form. It has a feature by which it creates a word list from the data found; this can assist in cracking the passwords of encrypted files.

Chkrootkit

This program is mostly used in a live boot setting. It is used to locally check the host for any installed rootkits. It comes in handy when trying to harden an endpoint or making sure that a hacker has not compromised a system.

It has the capability to check system binaries for rootkit modification, last-log deletions, quick and dirty string replacements, and temp deletions. This is just a taste of what it can do; the package seems simple at first glance, but to a forensic investigator its capabilities are invaluable.

Foremost

Deleted files which might help solve a digital incident? No problem: Foremost is an easy-to-use open source package that can carve data out of formatted disks. The filename itself might not be recovered, but the data it holds can be carved out.

Foremost was written by US Air Force special agents. It can carve files by referencing a list of headers and footers even if the directory information is lost; this makes for fast and reliable recovery.

Galleta

When following a trail of cookies, this tool will parse them into a format that can be exported into a spreadsheet program.

Understanding cookies can be a tough nut to crack, especially if the cookies might be evidence in a cyber-crime; this program can lend a hand by giving investigators the capability to structure the data in a better form and run it through analysis software, most of which usually requires the data to be in some form of spreadsheet.

Hashdeep

This program is a must when dealing with hashes. Its defaults are focused on MD5 and SHA-256. Whether it is existing files that have moved within a set, new files placed in a set, missing files or matched files, Hashdeep can work with all these conditions and give reports that can be scrutinized; it is very helpful for performing audits.

One of its biggest strengths is performing recursive hash computations with multiple algorithms, which is integral when time is of the essence.
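The recursive multi-algorithm hashing and the matched/moved/new/missing audit described above, as an added Python illustration written for this article (not hashdeep’s own implementation): the sample files, and the move, deletion and addition applied to them, are constructed inline in a temporary directory.

```python
"""Recursive MD5 + SHA-256 hashing of a directory tree and an audit in the
spirit of hashdeep's matched / moved / new / missing report. This is an
illustration written for this article, not hashdeep's own implementation."""
import hashlib
import os
import tempfile

ALGORITHMS = ("md5", "sha256")  # hashdeep's defaults, as noted in the article


def hash_tree(root):
    """Map each file's path (relative to root) to its tuple of hex digests."""
    result = {}
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            hashers = {a: hashlib.new(a) for a in ALGORITHMS}
            with open(path, "rb") as fh:            # one pass, all algorithms
                for chunk in iter(lambda: fh.read(65536), b""):
                    for h in hashers.values():
                        h.update(chunk)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            result[rel] = tuple(hashers[a].hexdigest() for a in ALGORITHMS)
    return result


def audit(baseline, current):
    """Compare a known hash set against the current tree.

    matched: same path and same digests; moved: same digests at another path;
    new: digests absent from the baseline (also a file changed in place);
    missing: baseline digests found nowhere in the current tree."""
    base_by_hash = {digests: path for path, digests in baseline.items()}
    report = {"matched": [], "moved": [], "new": [], "missing": []}
    seen = set()
    for path, digests in sorted(current.items()):
        seen.add(digests)
        if baseline.get(path) == digests:
            report["matched"].append(path)
        elif digests in base_by_hash:
            report["moved"].append((base_by_hash[digests], path))
        else:
            report["new"].append(path)
    report["missing"] = [p for p, d in sorted(baseline.items()) if d not in seen]
    return report


def demo():
    """Build a small baseline tree, alter it, and audit the result.

    Constructed sample data: three tiny files, one moved, one deleted, one added."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "logs"))
        for rel, data in {"a.txt": b"alpha", "b.txt": b"bravo",
                          "logs/c.log": b"charlie"}.items():
            with open(os.path.join(root, *rel.split("/")), "wb") as fh:
                fh.write(data)
        baseline = hash_tree(root)
        os.rename(os.path.join(root, "b.txt"), os.path.join(root, "logs", "b.txt"))
        os.remove(os.path.join(root, "logs", "c.log"))
        with open(os.path.join(root, "d.bin"), "wb") as fh:
            fh.write(b"\x00delta")
        return audit(baseline, hash_tree(root))


if __name__ == "__main__":
    for category, entries in demo().items():
        print(f"{category:8s} {entries}")
```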

Volafox

This is a memory analysis tool written in Python, focused on memory forensics for Mac OS X. It works on the Intel x86 and IA-32e architectures. If you’re trying to find malware or any other malicious program that was or is residing in system memory, this is the way to go.

Volatility

Probably one of the most popular frameworks when it comes to memory forensics. This is a Python-based tool that lets investigators extract digital data from volatile memory (RAM) samples. It is compatible with the majority of the 64- and 32-bit variants of Windows and selected Linux distros, including Android. It accepts memory dumps in various forms, be it raw format, crash dumps, hibernation files or VM snapshots, and can give a keen insight into the run-time state of the machine; this can be done independently of the host’s investigation.

Here’s something to consider: decrypted files and passwords are stored in RAM, and if they are available, investigating files that might be encrypted on the hard disk can be a lot easier and the overall time of the investigation can be considerably reduced.

We will be following up this particular article with an in-depth review of the tools we have mentioned, with test cases.

Have fun and stay ethical.

Author: Abhimanyu Dev is a Certified Ethical Hacker, penetration tester, information security analyst and researcher.

Mobile Forensics Investigation using Cellebrite UFED

The manifold increase in mobile penetration amongst the world population has drawn people from all walks of life, namely mobile manufacturers, service providers, application developers and more, to this industry. The quantum jump in the user base and its usage of mobiles has even caught the eye of forensic experts.

In this article we will conduct a mobile investigation of a OnePlus mobile model using the Cellebrite UFED software.

As a preliminary step, adjustments need to be made on the mobile under investigation. The investigator attaches the mobile to his/her laptop through the phone cable. The investigator needs to open the ‘About Phone’ section under Settings and scroll down the various options until he reaches the ‘Build Option’; he needs to tap the ‘Build Option’ seven (7) times, which opens a new section, the ‘Developer Option’. Before starting the Cellebrite software, the investigator must check that the mobile settings ‘Stay Awake’ and Debugging (USB debugging) are ON.

After completing these steps, the investigator inserts the licensed Cellebrite USB key into the laptop, which displays five choices, namely Mobile device, SIM Card, USB device or Memory Card, UFED Camera and Device Tool.

We chose a OnePlus mobile model to demonstrate the Cellebrite software. After configuring the software on the laptop, it displayed seven OnePlus models from which to select our model.

Since our mobile is the OnePlus 3 A3003 model, we put it forward for the forensic investigation. In order to gather information, the Cellebrite software provided us with five ‘Extraction’ choices: Logical Extraction, File System Extraction, Physical Extraction (Root), Capture Images and Capture Screen Shots, which are easy to understand and implement.

It is recommended that the investigator click on Logical Extraction followed by Physical Extraction to gather information.

For our demonstration, we selected Logical Extraction, chose three types of information from the Phone Memory, namely Phone (Phone Book), SIM (Phone Book) and Phone (Content), and pressed Next.

The Logical Extraction gave a further choice to select the type of information from the Phone Memory, namely Contacts, SMS, MMS, Calendar, Apps Data, Pictures, Audio/Music, Videos, Ringtones and Call Logs.

The software shows a pop-up message, and in order to move further the investigator needs to click on YES.

From the Contacts account we extracted contacts from Gmail, Facebook Messenger and WhatsApp, as displayed below.

The Cellebrite software provides the investigator with source instructions to proceed further on the case by just clicking on ‘How to?’.

The Logical Phone Extraction was completed successfully. The number of items gathered from the Phonebook, SMS, and Call Logs of the mobile under forensic investigation is highlighted.

The software displays another pop-up, ‘PA Evidence Collection.ufdx’, along with the Logical 01 folder for the investigator.

The UFED Physical Analyzer report of the mobile phone was captured by Cellebrite. The analyser captured the mobile model information, ranging from the model name, IMEI, ICCID, MSISDN and IMSI, to name a few.

Before making the final report, a case management form needs to be filled in by the investigator, which provides the case number, name, evidence number, examiner name, department, location, notes, name of the report, document details, project name as well as format. The report can be submitted in PDF, Word or any other format. The final report is generated by pressing the Next command.

Summary of the Cellebrite UFED report on mobile under forensic investigation.

Author: Abhinav Tiwari is an Ethical Hacker, Cyber Forensics Expert and Penetration Tester, India.

3 Ways to Mount a RAW Image in Windows

In cyber forensics, to investigate a hard drive or disk we always make a forensic image. In this article, we will learn various ways to mount forensic images.

Table of Contents:

  • Introduction
  • Why mounting an image is necessary
  • AccessData FTK Imager
  • OSFMount
  • Mount Image PRO

Introduction

A forensic image is a forensically sound and complete copy of a hard drive or other digital media, generally intended for use as evidence. Copies include unallocated space, slack space, and the boot record. Many computer forensic programs, especially the all-in-one suites, use their own file formats to store information. These images are stored in the RAW, AFF or E01 format.

RAW Image Format: this forensic image format is a RAW bit-by-bit copy of the original. It is often accompanied by metadata stored in separate files. This image format is the most commonly used and is read by every forensic tool in the industry.

Why mounting an image is necessary

Once the RAW image is created, it can’t be read unless it is mounted by a tool. Mounting is the process that takes the raw logical image and mounts it onto a specified directory of choice so that the contents of that image can be examined. The image has to include a recognizable file system in a partition. This makes the invocation of the command interesting, as the raw image is a physical disk image and not a specific partition holding a file system.

Mounting an image for a read-only view lets you see the content of the image exactly as the user saw it on the original drive.

There are various methods to mount a RAW file. But before we learn how to mount our RAW files, just have a look at My Computer so that you can have an idea of how many drives you have before mounting a RAW file. For instance, the following is the My Computer view of my PC:

Now, let us have a look at these methods:

AccessData FTK Imager

FTK Imager (version 3.4.2) is a tool introduced by AccessData which is used to preview data. It is also an imaging tool that lets us acquire data in a forensically sound way. FTK helps us create forensic images, mount an image for a read-only view, create hashes of files, etc., and right now we will focus on its Mount function. To mount a RAW image file via FTK, first of all download FTK from //accessdata.com/product-download/digital-forensics/ftk-imager-version-3.4.2

Now that FTK is downloaded and installed, open it and click on File in the menu bar. A drop-down menu will appear; from this menu click on Image Mounting.

A dialogue box will open now. Give the path of the RAW file in the Image File option and click on the Mount button.

Once you click on the Mount button your image will be mounted and you can see the result under Mapped Images:

OSFMount

OSFMount (version 1.5.1015) is software by PassMark Software. It helps you mount your image files, even your hard disk image file, in Windows with a drive letter. You can then analyze the disk image files further. So that your original files are not altered, the image files are mounted as read-only by default. Download this software from //www.osforensics.com/tools/mount-disk-images.html

Open OSFMount after the installation is completed:

Go to the File menu and select the Mount new virtual disk option.

A dialogue will open; here give the path of your image file under the heading Image file and click on OK.

You can see in the following image that your RAW image is mounted as a result:

Mount Image Pro

GetData is a software development company that has launched Mount Image Pro (version 6). It is a computer forensic tool which enables us to mount an image for forensic purposes. You can download this software from //www.mountimage.com/

Open the software after its installation.

Go to the File menu and click on Mount Image File.

A dialogue box will open; select your image file from it.

Then another dialogue box will open, informing you of all the details. Click on OK.

It will further show you the progress in another dialogue box.

And as the outcome you can see that your image file is mounted, as shown in the following image:

Now, as I had asked you to check My Computer before mounting the image, you can again check My Computer and you will see an extra drive, as shown below:

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast.