pcapFS – Mounting Network Data for On-the-Fly Analysis

Jan-Niclas Hilgert
Fraunhofer FKIE

Main

Network traffic analysis is beyond any doubt an essential part during forensic investigations. In particular, the raw data transferred over the network is of great value to a forensic examiner. Nevertheless, all of this raw embedded data needs to be located inside of the huge amount of packets stored in the network capture, so that it can be extracted and further processed.

In our presentation, we would like to introduce pcapFS – a tool for mounting PCAPs to access its embedded data, transferred over the network. This enables an analyst to to scan for malicious signatures, calculate hashes over transferred files or take a quick look at downloaded pictures, all without the need of a preceding extraction saving a lot of resources when working with large network captures. For this purpose, an index file – usually less than 5% of the size of the original PCAP – is created and stored for each PCAP. This way, data in the PCAP can directly be accessed and is only extracted when needed.

The directory hierarchy used to mount files is a combination of different criteria like destination IP/Port, protocol, etc. and can freely be chosen by the user. Multiple PCAPs can be mounted at once simplifying the analysis of split captures. Provided with the corresponding keys, pcapFS is furthermore capable of decrypting and mounting captured SSL traffic. All in all, pcapFS is an easy-to-use tool, helping analysts to find their way through today’s increasing amount of network traffic.

Jan-Niclas Hilgert
After obtaining his university admission in 2010, Jan-Niclas Hilgert started his bachelor degree course of “electrical engineering, information technology and computer engineering” at the RWTH Aachen. During that time he worked as a tutor for multiple classes and practical courses in computer science. In 2013, he obtained his bachelor’s degree of science, following his bachelor thesis focused on the fusion of multiple point clouds created by Microsoft’s Ḱinect. His interest in computer science was reinforced during these three years, which is why he focused even more on computer engineering by starting a master degree course in computer science at the University of Bonn. Besides from working for the institute of robotics, he took his first steps into the world of digital forensics together with research assistants of Frauhofer FKIE. During that time he dedicated himself to file system and volume analysis including the creation of an analyzer for complex volume structures. This collaboration peaked in his master thesis “Evaluating the contemporary applicability of the standard model for file system analysis” in 2016 and a master’s degree of science. Afterwards, Jan-Niclas continued to work for Fraunhofer FKIE as a research assistant for digital forensics. Additionally, he is holding trainings about incident response, intrusion detection as well as network and storage forensics for public authorities and business partners.