Automobile industry bailout 2008/2009
Well written article by a former manager / advisor to me entitled “What I didn’t get for Christmas.”

Part of my work and interest involves investigation and analysis of network traffic for one reason or another. These tasks fall under the larger umbrella of network forensics. Given the growth of the Internet and the transition from stored to streaming media, both video and audio, the ability to perform analysis on network traffic is becoming more important. There are new products coming out that do this. For example, the company I work for has a product that assists service providers in responding to law enforcement requests. These products have many features, but one common feature is the ability to capture raw network traffic or packets from a live network and write them to a file or set of files for later analysis. Capturing raw network traffic is not anything new. It has been around for years and is often used by network administrators, researchers, and many others. The advent of network analysis products for service providers and law enforcement brings the basic abilities of traffic capture and analysis to a much wider and, in some cases, less technical audience.
What methodology, tools, and procedure would one use to determine what is happening in a particular trace file where web browsing is present? Let's use a simple example for illustration purposes. Assume you are investigating an individual who is suspected of brokering the sale of known stolen items. This individual visits the websites of their partners in crime. Using a specific product or several open source software packages, you capture the target's traffic to and from their system. You now have files containing the packets of data that were received and transmitted by the target’s system. Besides extracting the URLs, passwords and other information, it would be nice to get a list of the graphics and pictures that are contained in this network file, as it is suspected that pictures of the stolen items are typically sent and received by potential buyers.
An open source application called Driftnet is designed to extract graphics and photographs from any internet device by ‘spying’ on the data that is transmitted or received via its network interface. In its default mode of operation, Driftnet is designed to ‘listen’ actively on a network connection and display graphic images as they pass by on the network. Driftnet can be used, and I have seen and used this software, to covertly ‘spy’ on targets attached to a network and reveal in near real time any graphics that are viewed on the target desktops. Here is how to use it on a network capture file to extract the graphics inside the file.
On my *nix system, I start up two terminal sessions. In the first session, I start Driftnet and configure it to listen on the loopback interface of my laptop. The loopback interface is an interface like any other interface, but it does not communicate on the network; it is only visible to, and only communicates with, services running on the local device that are bound to it.
We start Driftnet and tell it to listen on the loopback interface, use adjunct mode and write the graphics out to a specified directory. Adjunct mode tells Driftnet not to open a window on the console to display the graphics but instead write them to a storage device. The directory option tells Driftnet where to write the graphics it finds.
Now we need to replay the network capture file on the loopback interface. By doing this, Driftnet will ‘see’ the flows and extract the graphics, writing them to the directory we specified.
Tcpreplay is an open source program designed to replay a captured network file out a specified interface. In a second terminal window we run tcpreplay, specify the packets should be replayed out the loopback interface, and specify the network capture file containing the packets to be replayed.
If tcpreplay completes successfully, you will see some status output similar to the screen capture information above. On the terminal window where Driftnet was started, it will start scrolling text lines containing the graphics it has found and filenames it is using to write to storage.
Once the capture file has completed being transmitted on the loopback interface, you can simply browse to the directory where you specified the graphics files to be saved. There you can browse through the graphics files that were part of the stream of the targets.
This technique is simple and can give you a general idea of what an individual or group of individuals is viewing from a graphical perspective. This can allow an assessment to be made of whether the investigation needs to go further. If further investigation is warranted, the procedure, generated graphics and capture files can be digitally fingerprinted and documented for use as evidence.
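The two-terminal procedure above and the fingerprinting step, combined into one script; this is an added example, not the commands from the original post. It assumes driftnet and tcpreplay are installed, the script runs as root, the loopback interface is named `lo` (Linux; `lo0` on BSD/macOS), and the function names are made up for illustration.

```bash
#!/usr/bin/env bash
# Added example: offline image extraction from a capture file, followed by
# an evidence manifest. Function names are illustrative, not from any tool.

# Replay capture file $1 on loopback while Driftnet writes images into $2.
extract_images() {
    local pcap="$1" outdir="$2" iface="${3:-lo}"   # assumption: Linux "lo"
    mkdir -p "$outdir"
    # -i: interface to listen on, -a: adjunct mode (no display window),
    # -d: directory that receives the extracted image files.
    driftnet -i "$iface" -a -d "$outdir" &
    local sniffer=$!
    sleep 2                          # let Driftnet open the interface first
    tcpreplay -i "$iface" "$pcap"    # replay the packets out the loopback
    sleep 2                          # let Driftnet write the last images
    kill "$sniffer" 2>/dev/null
    wait "$sniffer" 2>/dev/null || true
}

# Write SHA-256 fingerprints of the capture file and every extracted file
# to manifest $3. Use absolute paths so the manifest verifies from anywhere.
write_manifest() {
    local pcap="$1" outdir="$2" manifest="$3"
    {
        sha256sum "$pcap"
        find "$outdir" -type f -print0 | sort -z | xargs -0 -r sha256sum
    } > "$manifest"
}

# Re-check a manifest later; a non-zero exit status means a listed file
# was modified or is missing.
verify_manifest() {
    sha256sum -c "$1" >/dev/null 2>&1
}

# Usage: script.sh /abs/path/capture.pcap /abs/path/images
if [ "$#" -eq 2 ]; then
    extract_images "$1" "$2"
    write_manifest "$1" "$2" "${2%/}.sha256"   # manifest sits beside the directory
    echo "manifest written to ${2%/}.sha256"
fi
```

Keeping the manifest outside the image directory means re-running `write_manifest` never hashes an older manifest into the new one.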
* network photograph courtesy of IssacMao
I wrote an entry the other day on how I felt that music artists should start to force the record labels to do what they want and not the other way around. Recently, YouTube is in battles with Warner Music about the posting and revenue sharing of videos. After reading that article, it is all the more reason for artists to take control. With sites such as YouTube, Metacafe and others, I am not sure why these big record and video companies are needed anymore, especially if they resist changing their business models to service today's consumer demands.
The copyright fight around music has been going on now for some time. I think it has been made very clear that consumers do not want DRM, consumers want to be able to post music mashups, consumers want fair access.
I personally adopted a new set of rules for myself 6 months ago when it comes to DRM music and videos. I refuse to purchase any music or media that has DRM on it. I have no problem paying, but I will pay once like I always have and then I will use it as I wish, period. If I want to play it in my car I will. If I want to play it on my Mac I will. If I want to play it on my iPod I will. If I want to play it on the newly invented gadget that my colleague made I will. I will not ‘ask’ anyone for permission to do this. I will not buy it more than once. The industry needs to get their ‘thick heads’ around this. I think they may finally be starting to grasp it.
In my opinion the next step is up to the artists and they need to develop a similar hard stance attitude. The artists need to start standing up to these record companies as a group globally and explain to them how they are going to service the artists and their customers, not the other way around. A coalition of music artists has been formed in Canada. I really hope this expands globally. As a consumer of music, I for one find this very frustrating and just want it to end.
Lately, I just listen to last.fm. It’s easy, it’s free and when I find something I like I’ll purchase it (assuming that there is no DRM on the purchased item).
-mike.
Excellently written article by Bruce Schneier on the importance of audits and auditability, especially today.