DFRWS EU 2026 Workshop – Hands-on Analysis of Network Packets Carved from Memory & PCAP Analysis of Unencrypted Tor Traffic


Date
Tuesday, March 24th
Time
TBD
Level
Average
Capacity
TBD

About This Workshop

It is well known that memory dumps often contain network packets and that such packets can be carved from memory dumps. Yet there is very little guidance on how to perform forensic analysis of packets carved from memory. Standard network forensics procedures are often not appropriate for carved packets. One reason is that carved packets carry no timestamps. Another is that it is often difficult to tell in which order carved packets were transmitted. A further caveat is that the packet payloads may have been partially or completely overwritten in memory, which can make the application-layer data in the packets appear corrupt.

This workshop provides hands-on training using real memory dumps (data in use) together with a PCAP file of network traffic (data in transit) from a realistic scenario. Participants will learn how to locate packets carved from the memory dump in the provided PCAP file, in order to study which properties persist across both datasets and which are changed. The workshop also includes a lab in which carved packets that were transmitted inside a VPN tunnel are analyzed as if the data had been sent in clear text.
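As an added illustration, not part of the workshop material, the following Python sketch shows one way the matching described above can be done. Carved packets have no timestamps, so each one is paired with a captured packet on header fields that this example assumes survive unchanged between memory and the wire (addresses, ports, IP ID and TCP sequence number); a matched carved packet inherits the capture timestamp, which also fixes its position in the timeline, and is flagged when its payload no longer equals the wire copy. The packet builder, the sample HTTP exchange, the Ethernet-header difference between the two datasets and the choice of matching fields are all the example's own assumptions; the workshop's real datasets and tooling may differ.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed helper: builds a minimal IPv4+TCP packet so the example runs
# offline. Checksums are left zero; the matcher below never looks at them.
def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int,
                   ip_id: int, seq: int, ack: int, payload: bytes) -> bytes:
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                      5 << 4, 0x18, 65535, 0, 0) + payload        # data offset 5, PSH|ACK
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + tcp

ETH_HDR = bytes(12) + b"\x08\x00"   # constructed all-zero MACs + EtherType IPv4

@dataclass(frozen=True)
class HeaderKey:
    """Header fields assumed (in this example) to be identical in memory and on the wire."""
    src: str
    dst: str
    sport: int
    dport: int
    ip_id: int
    seq: int

@dataclass
class Packet:
    key: HeaderKey
    payload: bytes
    ts: Optional[float]   # None for carved packets: memory holds no capture timestamp

def parse_ipv4_tcp(raw: bytes, ts: Optional[float] = None) -> Optional[Packet]:
    """Parse a raw buffer as [Ethernet]+IPv4+TCP; return None for anything else."""
    if len(raw) >= 14 and raw[12:14] == b"\x08\x00":
        raw = raw[14:]                        # captured frames carry a link-layer header
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4
    total_len, ip_id = struct.unpack("!HH", raw[2:6])
    if raw[9] != 6 or len(raw) < total_len or total_len < ihl + 20:
        return None
    src = ".".join(map(str, raw[12:16]))
    dst = ".".join(map(str, raw[16:20]))
    tcp = raw[ihl:total_len]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    doff = (tcp[12] >> 4) * 4
    return Packet(HeaderKey(src, dst, sport, dport, ip_id, seq), tcp[doff:], ts)

def match_carved(carved: List[Packet], captured: List[Packet]) -> List[Tuple[Packet, Optional[Packet], str]]:
    """Pair each carved packet with the captured packet sharing its header key.

    IP ID together with the TCP sequence number tells retransmissions apart,
    so a key normally maps to a single captured packet.
    """
    index = {}
    for p in captured:
        index.setdefault(p.key, []).append(p)
    out = []
    for c in carved:
        hits = index.get(c.key)
        if not hits:
            out.append((c, None, "no match in capture"))
        elif hits[0].payload == c.payload:
            out.append((c, hits[0], "payload intact"))
        else:
            out.append((c, hits[0], "payload differs: likely overwritten in memory"))
    return out

def reconstruct_timeline(carved_raw: List[bytes], captured_raw: List[Tuple[float, bytes]]):
    """Give carved packets the timestamps and ordering they lack, using the capture."""
    captured = [p for p in (parse_ipv4_tcp(raw, ts) for ts, raw in captured_raw) if p]
    carved = [p for p in (parse_ipv4_tcp(raw) for raw in carved_raw) if p]
    matches = match_carved(carved, captured)
    timeline = sorted((m.ts, c.key.ip_id, status) for c, m, status in matches if m)
    unmatched = [c.key.ip_id for c, m, _ in matches if m is None]
    return timeline, unmatched

# Constructed scenario: one HTTP exchange as seen in the PCAP (timestamps and
# Ethernet headers present) and the same packets as carved from memory (no
# timestamps, no Ethernet header, shuffled, one payload partly zeroed, plus one
# packet the capture never saw). Addresses are from the TEST-NET-1 range.
REQ1 = build_ipv4_tcp("10.0.0.5", "192.0.2.10", 51234, 80, 0x1A2B, 1000, 5000,
                      b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n")     # 43 bytes
RESP = build_ipv4_tcp("192.0.2.10", "10.0.0.5", 80, 51234, 0x7C01, 5000, 1043,
                      b"HTTP/1.1 200 OK\r\n\r\nhello")                          # 24 bytes
REQ2 = build_ipv4_tcp("10.0.0.5", "192.0.2.10", 51234, 80, 0x1A2C, 1043, 5024,
                      b"GET /logo.png HTTP/1.1\r\n\r\n")
STRAY = build_ipv4_tcp("10.0.0.5", "10.0.0.1", 51300, 443, 0x0F00, 777, 0, b"")

CAPTURED_RAW = [(1.000, ETH_HDR + REQ1), (1.050, ETH_HDR + RESP), (1.200, ETH_HDR + REQ2)]
CARVED_RAW = [REQ2, RESP[:-20] + bytes(20), STRAY, REQ1]   # last 20 payload bytes overwritten

if __name__ == "__main__":
    timeline, unmatched = reconstruct_timeline(CARVED_RAW, CAPTURED_RAW)
    for ts, ip_id, status in timeline:
        print(f"{ts:.3f}  ip.id=0x{ip_id:04x}  {status}")
    print("carved but not in capture:", [hex(i) for i in unmatched])
```

The matching key is deliberately header-only: the carved response above has 20 of its 24 payload bytes overwritten, yet it still pairs with the wire copy and gets its timestamp, and the comparison then tells the analyst exactly which carved payloads can be trusted. A carved packet with no counterpart in the capture (here the stray one) is the case where the memory image holds traffic the network capture missed, or the other way round, and deserves a separate look.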

Darknet traffic, such as Tor, is encrypted, so analysis of Tor network traffic acquired through lawful intercept provides very little value. While such traffic can show whether and when a suspect used Tor, it does not reveal which websites or services the suspect communicated with through the Tor connection. Network traffic captured locally on the suspect's device, however, can reveal what was sent inside the encrypted Tor tunnels.

Workshop participants will be provided with a PCAP file containing localhost network traffic from a fictitious suspect's computer. Participants will learn how and why Tor transmits data in unencrypted form locally on the device, and will then be tasked with extracting specific artefacts from the provided PCAP file. The workshop includes labs that analyse traffic passing out to the clearnet via Tor exit nodes, but the primary focus is on Tor Onion Services (formerly "hidden services").
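As an added example, not part of the workshop's own material, the following Python code parses one reassembled loopback TCP session between Tor Browser and the local tor process. Tor Browser speaks plain SOCKS5 to tor (by default on 127.0.0.1:9150), so the CONNECT request carries the destination hostname, including .onion addresses, and whatever the browser then sends over an http:// connection follows in clear text on the same loopback stream. Everything below is constructed for the example: the session bytes, the made-up (but correctly sized) v3 onion address, and the placeholder SOCKS username; TCP stream reassembly from the PCAP (for instance with Wireshark's Follow TCP Stream) is assumed to have been done already.

```python
import ipaddress
import struct
from typing import Dict, Optional

TOR_BROWSER_SOCKS_PORT = 9150   # Tor Browser's default local SOCKS port (a system tor uses 9050)

def classify_destination(host: str) -> str:
    """Tell an Onion Service address from a clearnet name that will leave via an exit node."""
    h = host.lower().rstrip(".")
    if not h.endswith(".onion"):
        return "clearnet (via exit node)"
    label = h[:-len(".onion")].split(".")[-1]     # subdomains may precede the onion label
    if len(label) == 56:
        return "onion-v3"
    if len(label) == 16:
        return "onion-v2 (retired)"
    return "onion (unrecognised label length)"

def _skip_socks_addr(buf: bytes, pos: int) -> int:
    """Return the offset just past ATYP+ADDR+PORT, with buf[pos] being the ATYP byte."""
    atyp = buf[pos]
    if atyp == 0x01:
        return pos + 1 + 4 + 2
    if atyp == 0x03:
        return pos + 1 + 1 + buf[pos + 1] + 2
    if atyp == 0x04:
        return pos + 1 + 16 + 2
    raise ValueError(f"unknown ATYP {atyp:#x}")

def parse_socks5_session(client: bytes, server: bytes) -> Dict:
    """Parse a reassembled loopback session: Tor Browser (client) talking SOCKS5 to tor (server).

    Returns the SOCKS username (Tor Browser uses the credentials for circuit
    isolation), the requested destination, and the application data that
    follows the handshake in each direction, still in clear text.
    """
    if len(client) < 3 or client[0] != 0x05 or len(server) < 2 or server[0] != 0x05:
        raise ValueError("not a SOCKS5 exchange")
    cpos = 2 + client[1]          # skip VER, NMETHODS, METHODS
    spos = 2                      # skip VER, METHOD
    method = server[1]
    username: Optional[str] = None
    if method == 0x02:            # RFC 1929 username/password subnegotiation
        if client[cpos] != 0x01:
            raise ValueError("bad auth subnegotiation version")
        ulen = client[cpos + 1]
        username = client[cpos + 2:cpos + 2 + ulen].decode("utf-8", "replace")
        cpos += 2 + ulen
        cpos += 1 + client[cpos]  # PLEN + PASSWD
        spos += 2                 # server answers VER STATUS
    elif method != 0x00:
        raise ValueError(f"unsupported SOCKS method {method:#x}")
    ver, cmd, _rsv, atyp = client[cpos:cpos + 4]
    if ver != 0x05 or cmd != 0x01:
        raise ValueError("not a CONNECT request")
    apos = cpos + 4
    if atyp == 0x01:
        host = str(ipaddress.IPv4Address(client[apos:apos + 4]))
    elif atyp == 0x03:
        n = client[apos]
        host = client[apos + 1:apos + 1 + n].decode("ascii", "replace")
    elif atyp == 0x04:
        host = str(ipaddress.IPv6Address(client[apos:apos + 16]))
    else:
        raise ValueError(f"unknown ATYP {atyp:#x}")
    end = _skip_socks_addr(client, cpos + 3)           # VER CMD RSV ATYP DST.ADDR DST.PORT
    port = struct.unpack("!H", client[end - 2:end])[0]
    if server[spos + 1] != 0x00:
        raise ValueError(f"tor refused the connection, REP={server[spos + 1]:#x}")
    send = _skip_socks_addr(server, spos + 3)          # VER REP RSV ATYP BND.ADDR BND.PORT
    return {
        "username": username,
        "host": host,
        "port": port,
        "kind": classify_destination(host),
        "client_app_data": client[end:],   # e.g. the plaintext HTTP request to an http:// onion site
        "server_app_data": server[send:],  # e.g. the plaintext HTTP response relayed back by tor
    }

# Constructed sample session (not real traffic): Tor Browser asks tor on
# 127.0.0.1:9150 to connect to an http:// Onion Service and then sends an HTTP
# request. The onion label is made up; the credentials are placeholders.
ONION_HOST = "a" * 56 + ".onion"
USERNAME, PASSWORD = b"constructed-isolation-key", b"0"
CLIENT = (bytes([0x05, 0x02, 0x00, 0x02])                                    # offers no-auth and user/pass
          + bytes([0x01, len(USERNAME)]) + USERNAME + bytes([len(PASSWORD)]) + PASSWORD
          + bytes([0x05, 0x01, 0x00, 0x03, len(ONION_HOST)]) + ONION_HOST.encode() + struct.pack("!H", 80)
          + b"GET / HTTP/1.1\r\nHost: " + ONION_HOST.encode() + b"\r\n\r\n")
SERVER = (bytes([0x05, 0x02])                                                 # tor selects user/pass
          + bytes([0x01, 0x00])                                               # credentials accepted
          + bytes([0x05, 0x00, 0x00, 0x01]) + bytes(4) + bytes(2)             # CONNECT ok, BND 0.0.0.0:0
          + b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello")

if __name__ == "__main__":
    s = parse_socks5_session(CLIENT, SERVER)
    print(f"{s['kind']}: {s['host']}:{s['port']} (SOCKS user {s['username']!r})")
    print(s["client_app_data"].decode(errors="replace"))
```

The destination in the CONNECT request is what lawful intercept of the encrypted Tor link can never show, which is why the local capture matters; `classify_destination` separates the exit-node case (a clearnet hostname) from the Onion Service case the workshop concentrates on. For an https:// destination the bytes after the handshake are a TLS ClientHello rather than an HTTP request, so the SOCKS destination and the SNI are then the main artefacts rather than the request body.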

Learning Objectives

At the end of this workshop you will be able to:

  • Understand different tools that can carve packets from memory dumps and how they differ
  • Know how to identify interface types, such as physical and VPN interfaces, on which packets were transmitted
  • Learn how otherwise encrypted VPN traffic can be analyzed in clear text format
  • Understand which artefacts and fields are not available in carved packets and how such limitations can be handled
  • Learn how to match packets carved from memory with captured packets from a network
  • Understand how Tor Browser communicates on the local machine
  • Know what type of encryption is used when communicating with Tor Onion Services
  • Learn where and how Tor traffic can be captured before being encrypted
  • Understand how to extract artefacts and evidence from unencrypted Tor traffic

Requirements

  • Install Wireshark
  • Install NetworkMiner (free open source version)
  • Download a 3 GB memory dump (link provided before workshop)
  • Download a 300 MB PCAP file (link provided at least two weeks before the workshop)


Workshop Speaker

Erik Hjelmvik
Netresec, Sweden