Using network traffic to verify
mobile device forensic artifacts
Songchai Duangpan 6136896
EGCO656 : MOBILE DEVICE FORENSICS
1
Using network traffic to verify mobile device
forensic artifacts
This presentation summarizes a method for identifying the type of a mobile device from its network behavior, using traffic captured both when the device is actively probed and when it is only observed. The approach, based on repeated experiments, shows that devices running the three major mobile operating systems (Android, iOS and Windows) throttle their handling of certain network traffic, whether sent to them (ICMP pings) or generated by them (TCP/IP video streaming), in different ways, most likely to save battery power. This throttling shapes each device's network timing and the way it handles certain events, and can therefore be used to tell the operating systems apart.
2
Proceeding with the following steps to prove the concept:
(1) ICMP packets (pings) are actively sent to Android, iOS and Windows mobile devices.
(2) Traffic generated by the devices themselves (for example, video streaming) is captured passively.
(3) The captured network traffic is analyzed.
(4) Machine learning methods are trained to distinguish the three operating systems.
The results demonstrate that the method works well using network traffic alone, and that it is more flexible than methods that rely only on MAC addresses or on other historical analysis.
3
Introduction
4
Knowledge of the devices attached to networks is of ever increasing importance. In the event of an
incident, it is necessary to identify the devices involved and the role they may have played in the
incident. It has now become common for an attacker to target and make use of multiple networked
systems. Thus, mobile devices can either become the target, the originator, or the pivot point for a
network-based attack.
Introduction
Digital forensics techniques involving networks often depend upon the extraction of data from one or more target devices. Evidence of communications traffic can be gathered in the form of host names and IP addresses stored in various log files, as well as DNS and ARP cache records. If memory forensics is employed using analysis tools such as Volatility [10], then structures that may not be available on disk can be gathered to reveal information such as the set of processes currently listening on or writing to network sockets. This extraction normally requires access to the device in question.
5
Introduction
We propose a method of device-type identification that does not require physical access to the mobile device.
Our detection technique does not rely on the data supplied by the device. Device behavior when subjected to
remote stimulation (i.e., ICMP pings) is examined. This approach allows us to differentiate among Android,
Windows, and iOS devices for verification purposes.
Our contributions are twofold:
(1) identification of unique network response behavior from iOS, Android, and Windows devices, and
(2) demonstration that these unique responses can be captured actively or passively.
6
Motivation
Prior work used ICMP replies from Android mobile devices to detect the type of application being executed, exploiting the fact that the operating system throttles the CPU to save power. The authors conducted 200 experiments, each consisting of pinging an Android device 100 times, and calculated the average inter-packet spacing (IPS) for:
(1) an unloaded (idle CPU) device, and
(2) a loaded device.
Plotting the results showed that a simple threshold on the average IPS could separate the experiments with loaded devices from those with unloaded devices.
7
RELATED WORK
8
Device identification is an important issue for network security and digital forensics. As
such, several different methods for fingerprinting devices have been proposed that take advantage
of different layers in the 802.11 protocol stack. In this section, we present an overview of several of
these techniques.
One line of work investigated the identification problem by examining the physical-layer properties of
the 802.11 card: the signal transmitted by a wireless card was profiled, and these profiles were used to
differentiate network interface cards, even ones from the same vendor.
Experimental Apparatus
The experiments in this section were designed to demonstrate the capability of our approach in
actively and passively discerning among three different types of mobile devices, iOS, Windows, and
Android.
9
1. Experimental Setup
The experimental setup is a wireless network connected to three mobile devices and a laptop with
two network cards. Specifically, the experimental setup consists of:
• A laptop running Ubuntu 14.04.3 LTS (Trusty Tahr) with two network interface cards (NICs)
• NIC1 (internal LAN adapter) connects to Wi-Fi router through Ethernet interface
• NIC2 (internal Wi-Fi adapter) is placed into monitor mode
• iPhone 6S running iOS 9.1
• Samsung S6 Edge running Android 5.1
• Nokia Lumia 521 running Windows Phone 8.10
10
Experimental Setup
Figure 2. Experimental Setup (laptop with two NICs, Wi-Fi router, and the iPhone, Windows Phone and Android devices)
11
Experimental Procedure
Active Experiments
In the active experiments, each mobile device and the laptop are connected to the same Wi-Fi network. The laptop then pings the mobile device ten thousand times at a 10 ms interval (ping -c 10000 -i 0.01 <IP address>) while the ICMP echo replies are captured with Wireshark. Note that iputils ping on Linux only lets the super-user set an interval below 0.2 s, so this command must be run as root.
ping -c 10000 -i 0.01 192.138.1.102
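The following is an added example, not code from the paper or this presentation, showing how the captured echo replies become the inter-packet spacing (IPS) values that the PDFs on the next slide are built from, and how the packet-loss figures reported in the results are obtained. It assumes the replies were exported from the Wireshark capture with tshark (`tshark -r active.pcap -Y "icmp.type == 0" -T fields -e frame.time_epoch -e icmp.seq`, giving one reply per line as an epoch timestamp and ICMP sequence number separated by a tab); the sample lines embedded below are constructed, not measured. One detail worth noting: a lost reply (seq n followed by seq n+2) would otherwise appear as a roughly 20 ms gap and distort the timing distribution, so IPS is only computed between replies with consecutive sequence numbers and loss is measured separately.

```python
"""Inter-packet spacing (IPS) and packet loss of ICMP echo replies.

Added example, not from the paper. Input format assumed: the output of
  tshark -r active.pcap -Y "icmp.type == 0" -T fields -e frame.time_epoch -e icmp.seq
i.e. one echo reply per line, epoch timestamp and ICMP sequence number, tab-separated.
"""
from statistics import mean, pstdev

# Constructed sample (not measured data): 10 requests sent with `ping -c 10 -i 0.01`,
# the replies for seq 4 and seq 7 never arrived.
SAMPLE_TSHARK = """\
1700000000.000000\t0
1700000000.010210\t1
1700000000.020150\t2
1700000000.030600\t3
1700000000.050300\t5
1700000000.060100\t6
1700000000.080900\t8
1700000000.091200\t9
"""


def parse_tshark_fields(text):
    """Return (seq, timestamp) pairs sorted by sequence number."""
    replies = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, seq = line.split("\t")
        replies.append((int(seq), float(ts)))
    replies.sort()
    return replies


def inter_packet_spacing_ms(replies):
    """IPS in milliseconds between replies whose sequence numbers are consecutive.

    A lost reply (seq n -> n+2) would otherwise show up as a ~20 ms gap and
    contaminate the timing distribution; loss is measured separately below.
    """
    return [(t1 - t0) * 1000.0
            for (s0, t0), (s1, t1) in zip(replies, replies[1:])
            if s1 == s0 + 1]


def packet_loss(replies, sent):
    """Fraction of echo requests for which no reply was captured."""
    return 1.0 - len(replies) / sent


def pdf_histogram(values, bin_ms=0.5, lo_ms=8.0, hi_ms=14.0):
    """Empirical PDF: normalised histogram over fixed bins; out-of-range values fall into the edge bins."""
    nbins = int(round((hi_ms - lo_ms) / bin_ms))
    counts = [0] * nbins
    for v in values:
        idx = int((v - lo_ms) // bin_ms)
        counts[min(max(idx, 0), nbins - 1)] += 1
    total = len(values) or 1
    return [c / total for c in counts]


def summarize(text, sent):
    """Per-capture summary: reply count, loss fraction, IPS mean/std (ms) and empirical PDF."""
    replies = parse_tshark_fields(text)
    ips = inter_packet_spacing_ms(replies)
    return {
        "replies": len(replies),
        "loss": packet_loss(replies, sent),
        "ips_mean_ms": mean(ips) if ips else None,
        "ips_std_ms": pstdev(ips) if ips else None,
        "pdf": pdf_histogram(ips),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_TSHARK, sent=10))
```

The `sent` count is passed in explicitly (10000 for the command above) rather than inferred from the highest sequence number seen, because replies lost at the end of the run would otherwise go uncounted.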
12
Figure: PDF of the inter-packet spacing (IPS) of ICMP replies, one panel per device: iOS, Android, Windows Phone
13
Experimental Procedure (Cont.)
Passive Experiments
In the passive experiments, the mobile device is connected to the wireless network and plays 10 YouTube videos of 10 to 15 minutes each, while the TCP/IP traffic it generates is captured with Wireshark on the monitor-mode adapter (promiscuous capture). No probes are sent to the device.
14
Figure: PDF of the inter-packet spacing of passively captured TCP/IP packets, one panel per device: iOS, Android, Windows Phone
15
Assumptions and Limitations
In all of our experiments, we assume the following:
(1) the mobile device signal strength was excellent.
(2) the mobile devices were stationary.
(3) neither wireless network was congested.
(4) recent Android devices will perform similarly to the Samsung S6 Edge mobile device.
(5) Recent iOS devices will perform similarly to the iPhone 6s device.
Our method has one main limitation: currently it only discerns between iOS, Windows and Android devices. This is mitigated by the fact that in 2016 these mobile operating systems made up the overwhelming majority of the global smartphone market.
16
Results and Analysis
1. Probability Distribution Characterization
In the active experiments, the probability distribution function (PDF) was calculated using the inter-packet spacing (IPS) of the ICMP replies captured while pinging the mobile devices. The PDFs from the active experiments show that the ICMP replies captured from the three devices have different distributions. This implies that the devices exhibit different timing behavior, and therefore that this data is a good candidate for use with machine learning.
Similarly, in the passive experiments, the PDF was calculated using the IPS of the TCP/IP packets captured while streaming youtube.com videos. Since TCP/IP traffic carries timing features of its own that are not caused by the device, a method was applied to remove their contribution, as described in Section V.B.2 of the paper. The passive PDFs show that the same three devices continue to exhibit different behavior when only passively captured traffic is used, which strengthens the earlier assessment that this data is a good candidate for use with machine learning.
17
Results and Analysis
2. Machine Learning Application
18
In the confusion matrix in Table 1, significant packet loss meant that ICMP replies were missing for each device. For devices with an idle CPU and a 10 ms ping interval, the iOS device experienced the heaviest packet loss (>20%), followed by the Windows Phone device (15-20%) and the Android device (0-5%). This property has been demonstrated for older Android and iOS devices, and it is believed that the behavior is repeatable across iOS devices.
Table 1 : Confusion Matrix for active ICMP experiments
19
Table 2 represents the confusion matrix for passive packet capture experiments. The total number of
instances is higher in these experiments because packets were passively captured and there was no
packet loss.
Table 2 : Confusion Matrix for passive packet capture experiments
Algorithm 1: Predicting OS class
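The body of Algorithm 1 is not reproduced on this slide, and the paper's classifier is not described here. The following is an added example, not the paper's algorithm, of one simple way to predict the OS class from a capture's IPS distribution and to produce a confusion matrix laid out like Tables 1 and 2 (rows: true OS, columns: predicted OS). Each capture, whether ICMP replies from the active experiments or TCP/IP packets from the passive ones, is reduced to a four-value feature vector (mean, standard deviation, 10th and 90th percentile of IPS in milliseconds) and assigned to the operating system whose training centroid is nearest. Every training and test capture below is constructed with a seeded pseudo-random generator; the three distribution shapes are hypothetical and are not the distributions measured in the paper.

```python
"""Predicting the OS class of a capture from its IPS distribution.

Added example, not the paper's Algorithm 1 (whose body is not on the page).
All training and test captures are constructed with a seeded pseudo-random
generator; their shapes are illustrative only, not the paper's measurements.
"""
import math
import random
from statistics import mean, pstdev

CLASSES = ("iOS", "Android", "Windows Phone")


def features(ips_ms):
    """Feature vector for one capture: mean, std, 10th and 90th percentile of IPS (ms)."""
    s = sorted(ips_ms)
    n = len(s)
    return [mean(s), pstdev(s), s[int(0.1 * (n - 1))], s[int(0.9 * (n - 1))]]


def train_centroids(samples):
    """samples: iterable of (label, ips_ms). Returns {label: mean feature vector}."""
    sums, counts = {}, {}
    for label, ips in samples:
        f = features(ips)
        acc = sums.setdefault(label, [0.0] * len(f))
        for i, v in enumerate(f):
            acc[i] += v
        counts[label] = counts.get(label, 0) + 1
    return {label: [v / counts[label] for v in acc] for label, acc in sums.items()}


def predict(centroids, ips_ms):
    """Nearest-centroid decision (Euclidean distance in feature space)."""
    f = features(ips_ms)
    return min(centroids, key=lambda label: math.dist(f, centroids[label]))


def confusion_matrix(centroids, samples, classes=CLASSES):
    """matrix[i][j] = number of captures of classes[i] that were predicted as classes[j]."""
    idx = {c: i for i, c in enumerate(classes)}
    m = [[0] * len(classes) for _ in classes]
    for label, ips in samples:
        m[idx[label]][idx[predict(centroids, ips)]] += 1
    return m


def accuracy(matrix):
    """Fraction of captures on the diagonal of the confusion matrix."""
    total = sum(map(sum, matrix))
    return sum(matrix[i][i] for i in range(len(matrix))) / total


def constructed_capture(label, rng, n=200):
    """Constructed IPS values (ms). The parameters are hypothetical, chosen only to
    give three distinguishable shapes: tight, shifted, and broad."""
    if label == "Android":
        return [rng.gauss(10.0, 0.25) for _ in range(n)]
    if label == "iOS":
        return [rng.gauss(11.5, 0.6) for _ in range(n)]
    return [rng.gauss(10.0, 2.5) for _ in range(n)]


def demo(seed=1, per_class=20):
    """Train on one constructed set, evaluate on a second; returns the confusion matrix."""
    rng = random.Random(seed)
    train = [(c, constructed_capture(c, rng)) for c in CLASSES for _ in range(per_class)]
    test = [(c, constructed_capture(c, rng)) for c in CLASSES for _ in range(per_class)]
    return confusion_matrix(train_centroids(train), test)


if __name__ == "__main__":
    m = demo()
    for label, row in zip(CLASSES, m):
        print(f"{label:14s} {row}")
    print(f"accuracy = {accuracy(m):.2f}")
```

Training and evaluation use separate captures so that the reported accuracy is not inflated by scoring the centroids on the data they were built from; the real-world caveat from the assumptions slide still applies, since a moving device, weak signal or congested network would shift all four features.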
20
Summary and future work
This research explains in detail how to remotely fingerprint and classify mobile devices as Android, Windows or iOS with a technique that takes advantage of ICMP replies or passively captured TCP/IP traffic, so that the device type can be checked at a distance without access to the device. Some of the observed behavior has so far only been validated on Android and requires additional validation for iOS and Windows. We also showed how the collected data can be used to train a classifier. In future work we want to investigate the packet-loss behavior of mobile devices further and to remove some of the assumptions (excellent signal, stationary devices, uncongested network) so that the algorithm can be used with mobile devices under other conditions.
21
Thank You
22
