107 posts categorized "Forensics & Deep Packet Capture"

Using NetworkMiner with a Windows netsh trace File (by Paul Offord)

Before analyzing a network packet trace file, I try to make sure that I've collected information about IP addresses and TCP/UDP port numbers.  Even so, I still find that I don't have all the information I need.  There are techniques you can use to get the missing information - check NBNS host announcements, explore the names resolved by DNS - but it's all just more hassle.


Recently I noticed a bit of a buzz around NetworkMiner, so I thought I'd check it out.  What I found was a simple tool that does just what I need: extract useful host and service information from Wireshark traces.  We now analyze a fair number of traces captured with Windows netsh trace, so I thought I'd look at how we can use NetworkMiner with these Windows-native trace files.

In this video ...


A Wi-Fi Router as a Witness Device! (by Daniel Arrugueta)

A Wi-Fi Router as a Witness Device

Note: attached is the full document in .pdf format, and it is awesome reading for forensic investigators!

Download A WiFi Router as a Witness Device Full Document!

Witnesses often are crucial elements in solving and prosecuting criminal or civil violations.  We now regularly use data that various technologies record. Digital witness devices provide a source of largely unbiased and dependable information to the investigator and prosecutor. However, many often ignore or do not even recognize commonly available electronics as potential witness devices.  One such device is the wireless router found in most homes and businesses.

As with any witness, some sort of vetting and consideration is wise. Reliability, bias, memory, physical abilities, etc., all can be factors that play roles in the use of digital witness devices and the use of their data. Whether you consider data from digital cameras, microphones, cell phones, computers, or Wi-Fi (wireless) routers, you should approach each with an open eye and determine clearly what each actually offers to your investigation. Data typically is reliable; how you interpret and present that data is key to its ultimate usefulness. Criminal radiation


Harvesting Metadata From Network Traffic (by Darragh Delaney)

Harvesting Metadata From Network Traffic

Every day I work on all sorts of modern and cutting edge technologies and I love learning about new stuff. I think I can trace this back to growing up on a farm, there was always something to fix or take apart. In spite of the perception that some people have of the agricultural sector, today's farms rely on huge amounts of technology and data analytics. Here in Ireland the harvest season has come to an end and we are all getting ready for the cooler temperatures of autumn.


Harvest machinery has been serviced and parked up for another year including one of my favorites, the combine harvester. I spend hours on YouTube learning about the latest models and what goes on behind the scenes. For centuries they have been a vital cog in the global food chain. The theory behind them is simple, gather raw material up front and pass it through different filters and separators which allows us to extract the valuable grain which we can then use. The basics have remained the same over the years but the size of the machines has increased as we demand more efficiency and larger harvests.

But how, you may ask, is this combine machine connected to metadata and network traffic?


DNS Traffic is always worth watching very closely (by John Brosnan)

DNS Traffic is always worth watching very closely

But it is not a good excuse to forget your anniversary!

While visiting a large ISP-type customer here in the Bay Area, we started to discuss the value he could get from network traffic analysis. The volumes of traffic on his network are at a scale where he struggles even with summary information like NetFlow; he has so much of it that it is almost impossible to get a handle on it and see anything useful – a real big data problem.


During our conversation, I mentioned that we have a number of dissectors (or application decoders, as we call them) for protocols like SMB, NFS, SQL, web, DNS – ‘STOP, what can you tell me about my DNS traffic, as my logs are limited’.  To be honest, I would have thought LANGuardian provided too much detail for his organization, but I guess DNS is a bit different.

Anyhow, I led on to explain that LANGuardian can:

  • Monitor DNS traffic and decode DNS replies
  • Inventory responding DNS servers
  • Alert on rogue DNS servers
  • Review what resolutions clients are receiving
  • Monitor client requests and validate DNS traffic (piggybacking)

To quote a good friend, Tim of #lovemytool: ‘John, show me, don’t tell me’.


LMTV Visibility | Every Bit, Byte and Packet (with Chris Bihary of Garland)

Please join +Chris Bihary, +Garland Technology CEO/Co-Founder, and Jim Curtin, CEO/Co-Founder, and Jin Qian, CTO/Co-Founder of CapStar Forensics to learn more about their joint solution that will be on display at this year's Sharkfest - the Wireshark Developer and User Conference.

With Garland Technology's recent product launch of its 1G Modular Packet Broker System the forensics community now has an affordable 1G packet broker that can filter, aggregate, regenerate and load balance to one or multiple monitoring tools.

In today's session we are going to discuss how this works with CapStar Forensics' platform to provide users faster MTTR and lower cost per investigation. CapStar Forensics' 'blazing fast' software tool features a fast load time and quick scans of PCAPs - allowing you to analyze complex networking and security scenarios.

To help us build our community, please share this live event with your fellow professionals on LinkedIn. For more episodes of LMTV, please visit LoveMyTool.TV.

Apple, Apple, Apple! Apple versus the United States FBI! (by The Oldcommguy®)

Apple, Apple, Apple!

The silly battle of Apple versus the United States Courts and the FBI!

In my humble opinion this has turned out to be one of Apple’s greatest marketing events in years, maybe forever.

Apple is trying to tell its users that Apple will protect their privacy from the big bad FBI and other Governmental access!

The reality is that all this should never have gotten into the news world. Apple is a U.S. company and should have been a good citizen and quietly told the FBI to send the phone and they would quietly get the information for them. This is NOT just any person’s phone – first it is the phone of a dead individual and secondly it is the phone of a terrorist and third it is the phone of a murderer that could be filled with intelligence that may help stop the next deadly attack!

This big media event is nothing but a big market show from Apple and it is getting a lot of silly attention, what for? I wonder how many people will now decide to buy Apple products, I am sure the terrorists will, but is that a good market? Apple enjoys the freedom to make billions as a U.S. company but when it came time to be a good citizen they decided to be a bunch of hypocrites and actors in a fictitious marketing event!

Apple, do not be a bad worm with a Great Technology!

