Forensic Carving of Network Packets and Associated Data Structures

Forensic Carving of Network Packets and Associated Data Structures

Robert Beverly, Simson Garfinkel, and Greg Cardwell
Proceedings of the 11th Digital Forensics Conference (DFRWS 2011),
pp. 78-89 New Orleans, LA, August 2011

Using validated carving techniques, we show that popular operating systems (\eg Windows, Linux, and OSX) frequently have residual IP packets, Ethernet frames, and associated data structures present in system memory from long-terminated network traffic. Such information is useful for many forensic purposes including establishment of prior connection activity and services used; identification of other systems present on the system's LAN or WLAN; geolocation of the host computer system; and cross-drive analysis. We show that network structure recovered from memory that is persisted onto a mass storage medium during the course of system swapping or hibernation. We present our network carving techniques, algorithms and tools, and validate these against both purpose-built memory images and a readily available forensic corpora. These techniques are valuable to both forensics tasks, particularly in analyzing mobile devices, and to cyber-security objectives such as malware analysis.

[PDF] [BibTeX]
[Presentation Slides]

[ Return to publications ]