This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi all,

I'm working on my master thesis about computer forensic and cloud-computing. Actually I'm trying to identify cloud-related traffic in pcap-files, e.g. dropbox-sync or the usage of Google Drive. My first idea was to extract relevant information like Dest-IP, FQDN or ports out of the pcap-stream. Does anybody know other solutions? For forensic work the usage of encrypted traffic is not as good as it is for "normal" user...

Regards

Dan

asked 10 Oct '13, 01:15

dsp's gravatar image

dsp
11112
accept rate: 0%

I'm working on my master thesis about computer forensic and cloud-computing.

what is the goal of the thesis? Based on your question, it sounds like you are trying to detect the use of a cloud service in a capture file? However I'm not quite sure.

(10 Oct '13, 05:48) Kurt Knochner ♦

Hi Kurt,

you guess right, sorry for the dubiety. Sometimes you have not enough data fragments on your harddisk to guarantee the use of cloud services, which could be particularly important in digital evidence; e.g you can "hide" the presence of software like dropbox with tools like truecrypt. I try to figure out, if you can certainly detect some hints for the usage of these cloudsoftware in the capture file. I've found a link here to the blog of Jasper Bongertz, where he talked about the analysis of pcap-files with GeoIP. Seems to be worth a try.

(10 Oct '13, 06:43) dsp

which could be particularly important in digital evidence; e.g you can "hide" the presence of software like dropbox with tools like truecrypt.

O.K. so, you really just need information if a cloud service has been used, without information what has been transmitted.

Well, then your first approach is pretty straight forward. What you can extract from a capture file, given the fact that you captured enough data, is kind of limited to:

  • IP addresses of the cloud service. GeoIP is nice, but not really necessary to map the IP address to the owner (see RIPE, ARIN, etc.)
  • DNS names in queries and responses
  • Certificates in HTTPS connections, which will (most certainly) contain the name of the service.
  • If you're lucky and the cloud service client software (if there is one) tries to find updates via plain text HTTP, you can use that information as well (server/domain name from the HTTP request, etc.)

That's basically it, because the rest of the communication is (most certainly) encrypted. So, yes you will know if a piece of software on the PC had a connection to a cloud service, but you will never be able to prove that the user itself started the connection (the software could have a periodic connection check to its home base) and what the user transferred to/from the cloud, as the data is encrypted. So, this will only be a small piece of information in the whole forensic investigation.

Regards
Kurt

permanent link

answered 10 Oct '13, 07:28

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 10 Oct '13, 07:36

Hi Kurt,

thanks for your answer, I think, there are some good advices (especially the certificate-data looks interesting). I know that there is just a little chance to see all data, which is transferred between the client and server, but for me the first step is important. Perhaps the periodic updates and checks of client and server are a problem for me, but imho there could be a difference between a full communication for a data transfer and a "smaller", with less data, communication for an update or just checking. hypothetical I have to count the amount of transferred data between client and server, maybe this is the solution for some problems, e.g. does the client send the data to the cloud or is the client just downloading some data... And of course, digital investigation is more or less a combination of tools and tries, especially in the "new" world cloud-computing.

Regards Dan

(10 Oct '13, 10:53) dsp

but imho there could be a difference between a full communication for a data transfer and a "smaller", with less data, communication for an update or just checking.

Well, the amount of data and the 'connection pattern' might help to differentiate update checking and data up-/downloading.

e.g. does the client send the data to the cloud or is the client just downloading some data.

that's easy, as you can see the direction of data flow in Wireshark (src/dst IP).

(11 Oct '13, 01:33) Kurt Knochner ♦

Hi Kurt,

I tried that the last days and it works fine till now. Now I'm going to implement it with tshark and something like python or php. Just to get some code to automate the investigation. After that I have to identify some more cloud-providers.

Thanks for your time Dan

(14 Oct '13, 10:20) dsp

Good.

Hint: If a supplied answer resolves your question can you please "accept" it by clicking the checkmark icon next to it. This highlights good answers for the benefit of subsequent users with the same or similar questions.

(14 Oct '13, 11:12) Kurt Knochner ♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×5
×4

question asked: 10 Oct '13, 01:15

question was seen: 3,376 times

last updated: 14 Oct '13, 11:12

p​o​w​e​r​e​d by O​S​Q​A