Monday, April 15, 2013

Carving - PCAP in Memory (NAFT)

I was looking for a tool to carve pcap data from memory.

The tool is NAFT (The Network Appliance Forensic Toolkit). The download link is below.

Link : http://blog.didierstevens.com/programs/network-appliance-forensic-toolkit/


Here is how to carve pcap data from memory.

(1) PCAP Structure





(2) Global Header & Packet Header








[RED] Global header (24 bytes, values as stored in the file)
Type   Description                      Value
DWORD  Magic Number                     0xD4C3B2A1
WORD   Major Version Number             0x0200
WORD   Minor Version Number             0x0400
DWORD  GMT to Local Correction          0x00000000
DWORD  Accuracy of Timestamps           0x00000000
DWORD  Max Length of Captured Packets   0xFFFF0000
DWORD  Data Link Type                   0x01000000

[Blue] Packet header (16 bytes in front of every packet)
Type   Description                      Value
DWORD  Timestamp Seconds                1355707892 == 0x50CE75F4, stored as 0xF475CE50
DWORD  Timestamp Microseconds           616446 == 0x967FE, stored as 0xFE670900
DWORD  Captured Length                  92 => 0x5C
DWORD  Frame Length                     92 => 0x5C

A trick: the timestamp is made from the file offset.

Example : Offset 7398799
          7 is the timestamp seconds.
          398799 is the timestamp microseconds.


(3) Searching ARP

Search for the magic "0x08 0x06 0x00 0x01 0x08 0x00 0x06 0x04" (the ARP EtherType followed by the hardware type, protocol type, hardware length and protocol length).
(The offset of the magic) - 12 == the start of the ARP frame
(The offset of the magic) + 30 == the end of the ARP frame
The total length of the ARP frame == 42 (0x2A)

From the start of the ARP frame to the end of the ARP frame:
ARP Offset : (baseAddress) + (the offset of the magic) - 2*6
ARP DATA Offset : (the offset of the magic) - 2*6 ~ (the offset of the magic) + 30


(4) Searching IP

Search for bytes between 0x45 and 0x4F (the low nibble depends on the length of the IP options).
Then check whether they are the start of an IPv4 header by computing the header checksum.
The computed value is compared with the checksum field.
      potentialIPHeader : 69 ~ 69 + 4 * (69-64) => 69 ~ 89

If the checksum verifies, calculate the packet length.










#################################################################################
baseAddress               :   0
offset(==index)           :   77008910
potential IP Header       :   4500004e0a85000080119bc8c0a88901c0a889ff
potentialIPHeader[2]      :   00
potentialIPHeader[3]      :   4e

ord(potentialIPHeader[2]) * 0x100 + ord(potentialIPHeader[3])
     0 * 0x100 + 78
packetLength              :   78

Second                    :   0x4d
Microsecond               :   0x22ce
Packet saved in file      :   0x5c
Actual length of packet   :   0x5c

DATA                      :
(77008896, '\xff\xff\xff\xff\xff\xff\x00PV\xc0\x00\x08\x08\x00E\x00\x00N\n\x85\x00\x00\x80\x11\x9b\xc8\xc0\xa8\x89\x01\xc0\xa8\x89\xff\x00\x89\x00\x89\x00:5\x81\xed!\x01\x10\x00\x01\x00\x00\x00\x00\x00\x00 EJFDEBFEEBFACACACACACACACACACAAA\x00\x00 \x00\x01')

Formula                   :
oFrames.AddFrame(baseAddress + index - 2*6 - 2, data[index - 2*6 - 2:index + packetLength], duplicates)
##################################################################################
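The ARP rule from (3), the IPv4 checksum rule from (4) and the pcap headers from (2), put together as an added Python example (my code, not NAFT's): it scans a constructed memory image, rejects a decoy 0x45 byte whose checksum fails, keeps the frame whose bytes the trace above prints, derives the timestamp from the hit offset and writes a pcap. The ARP frame, the filler and all offsets are constructed; only the NetBIOS frame bytes come from the trace.

```python
import struct
# Constructed samples (not from the page): a 42-byte ARP request and the 92-byte NetBIOS frame printed in the trace above.
ARP_FRAME = bytes.fromhex(
    "ffffffffffff" "005056c00008" "0806"             # Ethernet: dst, src, EtherType ARP
    "0001" "0800" "06" "04" "0001"                   # htype, ptype, hlen, plen, opcode request
    "005056c00008" "c0a88901" "000000000000" "c0a88902")
IP_FRAME = bytes.fromhex(
    "ffffffffffff" "005056c00008" "0800"             # Ethernet: dst, src, EtherType IPv4
    "4500004e0a85000080119bc8c0a88901c0a889ff"       # IPv4 header, total length 0x4e = 78
    "00890089003a3581" "ed2101100001000000000000"    # UDP 137 -> 137 (length 58) + NBNS header
) + b"\x20EJFDEBFEEBFACACACACACACACACACAAA\x00\x00\x20\x00\x01"
ARP_MAGIC = bytes.fromhex("0806000108000604")       # the 8-byte signature from section (3)
# Constructed memory image: filler, a decoy 0x45 that fails the checksum, then both frames.
MEMORY = b"\x00" * 20 + b"\x45\x00\x00\x14" + b"\x00" * 200 + ARP_FRAME + b"\x00" * 100 + IP_FRAME + b"\x00" * 64
def ip_checksum_ok(hdr):
    """Ones'-complement sum of the whole header (checksum field included) must be 0xFFFF."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    return (s & 0xFFFF) + (s >> 16) == 0xFFFF        # one fold is enough for this equality test

def offset_timestamp(offset):
    """Section (2) trick: seconds = offset // 10**6, microseconds = offset % 10**6."""
    return divmod(offset, 1_000_000)

def carve_frames(data, base_address=0):
    """Return (frame address, hit offset, frame) for ARP magic hits and checksum-verified IPv4 headers."""
    frames, i = [], 0
    while i < len(data):
        if i >= 12 and data[i:i + 8] == ARP_MAGIC:
            start = i - 12                               # EtherType sits 12 bytes into the frame
            frames.append((base_address + start, base_address + i, data[start:i + 30]))
            i += 30                                      # 14-byte Ethernet header + 28-byte ARP = 42
            continue
        if i >= 14 and 0x45 <= data[i] <= 0x4F:
            ihl = 4 * (data[i] - 0x40)                   # header length in bytes: 0x45 -> 20
            hdr = data[i:i + ihl]
            total = struct.unpack("!H", data[i + 2:i + 4])[0] if len(hdr) == ihl else 0
            if total >= ihl and i + total <= len(data) and ip_checksum_ok(hdr):
                start = i - 2 * 6 - 2                    # back over the Ethernet header, as AddFrame does
                frames.append((base_address + start, base_address + i, data[start:i + total]))
                i += total                               # resume scanning after the carved packet
                continue
        i += 1
    return frames

def to_pcap(frames):
    """Little-endian pcap (magic d4 c3 b2 a1, Ethernet link type) with offset-derived timestamps."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 0xFFFF, 1)
    for _addr, hit, frame in frames:
        out += struct.pack("<IIII", *offset_timestamp(hit), len(frame), len(frame)) + frame
    return out
```

Write `to_pcap(carve_frames(MEMORY))` to a file and Wireshark will open it; on a real dump pass the image bytes as `data` and its load address as `base_address`.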

