Extracting picture files from network streams

Part of my work and interest involves investigation and analysis of network traffic for one reason or another. These tasks fall under the larger umbrella of network forensics. Given the growth of the Internet and the transition from stored to streaming media, both video and audio, the ability to perform analysis on network traffic is becoming more important. There are new products coming out that do this. For example, the company I work for has a product that assists service providers in responding to law enforcement requests. These products have many features, but one common feature is the ability to capture raw network traffic or packets from a live network and write them to a file or set of files for later analysis. Capturing raw network traffic is nothing new. It has been around for years and is often used by network administrators, researchers, and many others. The advent of network analysis products for service providers and law enforcement brings the basic abilities of traffic capture and analysis to a much wider and in some cases less technical audience.

What methodology, tools, and procedure would one use to determine what is happening in a particular trace file where web browsing is present? Let's use a simple example for illustration purposes. Assume you are investigating an individual who is suspected of brokering the sale of known stolen items. This individual visits the websites of their partners in crime. Using a specific product or several open source software packages, you capture the target's traffic to and from their system. You now have files containing the packets of data that were received and transmitted from the target's system. Besides extracting the URLs, passwords and other information, it would be nice to get a list of the graphics and pictures that are contained in this network file, as it is suspected that pictures of the stolen items are typically sent to and received from potential buyers.

An open source application called Driftnet is designed to extract graphics and photographs from any internet device by ‘spying’ on the data that is transmitted or received via its network interface. In its default mode of operation, Driftnet is designed to ‘listen’ actively on a network connection and display graphic images as they pass by on the network. Driftnet can be used, and I have seen and used this software, to covertly ‘spy’ on targets attached to a network and reveal in near real time any graphics that are viewed on the target desktops. Here is how to use it on a network capture file to extract the graphics inside the file.

On my *nix system, I start up two terminal sessions. In the first session, I start Driftnet and configure it to listen on the loopback interface of my laptop. The loopback interface is an interface like any other interface, but it does not communicate on the network — it is only visible and communicates with any services running on the local device that are bound to it.
We start Driftnet and tell it to listen on the loopback interface, use adjunct mode and write the graphics out to a specified directory. Adjunct mode tells Driftnet not to open a window on the console to display the graphics but instead write them to a storage device. The directory option tells Driftnet where to write the graphics it finds.

Now we need to replay the network capture file on the loopback interface. By doing this, Driftnet will ‘see’ the flows and extract the graphics, writing them to the directory we specified.

Tcpreplay is an open source program designed to replay a captured network file out a specified interface. In a second terminal window we run tcpreplay, specify that the packets should be replayed out the loopback interface, and specify the network capture file containing the packets to be replayed.
If tcpreplay completes successfully, you will see some status output similar to the screen capture information above. On the terminal window where Driftnet was started, it will start scrolling text lines containing the graphics it has found and filenames it is using to write to storage.
Once the capture file has finished being replayed on the loopback interface, you can simply browse to the directory where you specified the graphics files to be saved. There you can browse through the graphics files that were part of the target's streams.
This technique is simple and can give you a general idea of what an individual or group of individuals is viewing from a graphical perspective. This allows an assessment to be made of whether the investigation needs to go further. If further investigation is warranted, the procedure, generated graphics and capture files can be digitally fingerprinted and documented for use as evidence.
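The two-terminal procedure above as a single script, plus the digital fingerprinting the last paragraph calls for. This is an added example, not code from the original post; it assumes driftnet and tcpreplay are installed and run with the privileges needed to capture on and send to the loopback interface `lo`, and the capture path and output directory are placeholders passed as arguments.

```shell
#!/bin/sh
# Added example (not from the original post). Automates: driftnet listening on
# loopback in adjunct mode, tcpreplay replaying the capture through loopback,
# then a SHA-256 manifest of the harvested files for later verification.
set -eu

# Run driftnet (-i lo: loopback, -a: adjunct mode, no display window,
# -d DIR: write found images to DIR), replay the pcap into lo, stop driftnet.
# Prints the number of files harvested.
extract_images() {
    pcap=$1; outdir=$2
    mkdir -p "$outdir"
    driftnet -i lo -a -d "$outdir" &
    dnet_pid=$!
    sleep 1                               # let driftnet open the interface
    tcpreplay -i lo --mbps 10 "$pcap"     # modest rate so driftnet keeps up
    sleep 1                               # let the last flows be flushed
    kill "$dnet_pid"
    find "$outdir" -type f | wc -l
}

# Write manifest.sha256 covering the capture file and every harvested file,
# so the evidence can be re-verified later. Prints the manifest path.
fingerprint() {
    outdir=$1; pcap=$2
    manifest=$outdir/manifest.sha256
    {
        sha256sum "$pcap"
        find "$outdir" -type f ! -name manifest.sha256 | sort |
            while IFS= read -r f; do sha256sum "$f"; done
    } > "$manifest"
    echo "$manifest"
}

# Returns 0 when every file still matches the manifest, non-zero otherwise.
verify_manifest() {
    sha256sum -c "$1" >/dev/null 2>&1
}

# Usage: sh extract.sh CAPTURE.pcap OUTPUT_DIR   (placeholder paths)
if [ $# -ge 2 ]; then
    n=$(extract_images "$1" "$2")
    echo "harvested $n files into $2"
    fingerprint "$2" "$1"
fi
```

Re-check the evidence later with `sha256sum -c OUTPUT_DIR/manifest.sha256`; any modified or missing file is reported.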

* network photograph courtesy of IssacMao

  • Anonymous

    A much easier way to extract files (including images) and credentials from pcap files would be to run them through NetworkMiner

  • Michael Dundas

    Yes, NetworkMiner has left a previous comment before (http://kaizen.michaeldundas.com/2008/10/network-forensics-extracting-audio.html). At some point I will review Network Miner (priorities and time get in the way). It is too bad it just runs on a Windows platform though. *nix offers the ease of Windows, plus the many other tools available required for forensic work — that being said, I’ll reserve judgement till I actually evaluate it.
    Again, thanks for the comment.
    -mike.