Copyright

Reassembling Transferred Files in Network Forensic Analysis

Instructor: Amy Clayborn

Amy has a Master's degree in CIS specializing in Information Security and is currently working on her PhD in Technology and Innovation Management in CIS

Reassembling transferred files is an important skill for a network forensic investigator. In this lesson, you will learn the basics of files recovery and reconstruction, and how it can be used in an investigation.

Introduction

There are various methods of reassembling transferred files through various protocols. Extracting files from a network capture, as opposed to doing a forensic investigation on a computer, can also save the forensic investigator time.

Reassembling Transferred Files Automatically

Network Forensics Analysis Tools are used to capture, store, and analyze network traffic. Network Miner is a powerful NFAT that runs on Windows, MacOS, and Linux, and can reassemble files, emails, and certificates transferred over a network via HTTP, FTP, TFTP, SMB, SMB2, SMTP, POP3, and IMAP by reading a PCAP file. PCAP is an API, or application programming interface, for capturing network traffic.

NetworkMiner can also sniff network traffic directly from the network.

Reassembling Files Manually

There are times when files cannot automatically be reassembled with software. If a file has been compressed before transmitting, the only way to reconstruct these file is to read the protocol specification, extract the data, and reassemble the content by hand. Yes, it is as fun as it sounds!

File Carving

File carving is the process of rebuilding files by scanning the raw data in the capture and reassembling them. File carving can recover files with no file information and can recover files that forensic tools are unable to recover for whatever reason. It involves reassembly of the file based on content and structure rather than system meta-data. It can also be used to recover files in unallocated disk space, such as when a disk is re-formatted and only the file system information about the data is erased, and not the data itself.

File carving manually is a complex process, so we will only touch the surface here with a simple example. The tool you need for manual file carving is a Hex editor, such as WinHex or Bless.

Example:

You open a file with the hex editor and look for the header information and footer (or trailer) information. Each type of file has a header and a trailer. For example, JPEG files start with 0xFFD8 and end with 0xFFd9. To recover a JPEG, you would open the file in your hex editor and locate the header and footer, and then you carve out everything between those points. This method will only work if the files are not fragmented. This is a very simple and basic example of manual file carving.

Investigative Scenario #1

An employee is suspected of sharing confidential company information with a competitor. The employee's workstation has been wiped completely clean, and you are unable to find any information on it, which is suspicious. You decide to use NetworkMiner to extract and parse PCAP files from the time period that the incident was suspected to have happened. You find several confidential documents that the suspect transferred via FTP to the competitor.

To unlock this lesson you must be a Study.com Member.
Create your account

Register to view this lesson

Are you a student or a teacher?

Unlock Your Education

See for yourself why 30 million people use Study.com

Become a Study.com member and start learning now.
Become a Member  Back
What teachers are saying about Study.com
Try it risk-free for 30 days

Earning College Credit

Did you know… We have over 200 college courses that prepare you to earn credit by exam that is accepted by over 1,500 colleges and universities. You can test out of the first two years of college and save thousands off your degree. Anyone can earn credit-by-exam regardless of age or education level.

To learn more, visit our Earning Credit Page

Transferring credit to the school of your choice

Not sure what college you want to attend yet? Study.com has thousands of articles about every imaginable degree, area of study and career path that can help you find the school that's right for you.

Create an account to start this course today
Try it risk-free for 30 days!
Create an account
Support