Publication Details
Advanced Techniques for Reconstruction of Incomplete Network Data
Pluskal Jan, Ing., Ph.D. (DIFS FIT BUT)
Ryšavý Ondřej, doc. Ing., Ph.D. (DIFS FIT BUT)
Veselý Vladimír, Ing., Ph.D. (DIFS FIT BUT)
Kmeť Martin, Ing. (DIFS FIT BUT)
Karpíšek Filip, Ing. (DIFS FIT BUT)
Vymlátil Martin, Ing. (FIT BUT)
network forensics tools, TCP reassembling, traffic reconstruction, webmail, bitcoin, SSL encryption
Network forensics is a method of obtaining and analysing digital evidences from network sources. Network forensics includes data acquisition, selection, processing, analysis and presentation to investigators. Due to high volumes of transmitted data the acquired information can be incomplete, corrupted, or disordered which makes further reconstruction dicult. In this paper, we address the issue of advanced parsing and reconstruction of incomplete, corrupted, or disordered data packets. We introduce a technique that recovers TCP or UDP conversations so they could be further analysed by application parsers. Presented technique is implemented in a new network forensics tool called NetFox.Detective. We also discuss current challenges in parsing webmail communication, SSL decryption and Bitcoins detection.
@ARTICLE{FITPUB10864,
author = "Petr Matou\v{s}ek and Jan Pluskal and Ond\v{r}ej Ry\v{s}av\'{y} and Vladim\'{i}r Vesel\'{y} and Martin Kme\v{t} and Filip Karp\'{i}\v{s}ek and Martin Vyml\'{a}til",
title = "Advanced Techniques for Reconstruction of Incomplete Network Data",
pages = "69--84",
journal = "Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering",
volume = 2015,
number = 157,
year = 2015,
ISSN = "1867-8211",
doi = "10.1007/978-3-319-25512-5\_6",
language = "english",
url = "https://www.fit.vut.cz/research/publication/10864"
}