Jessland - Jess Garcia's Website

www.jessland.net			Sponsored by: www.one-esecurity.com

JISK Knowledgebase >> About News Essentials Architecture FWs IDS/IPS Honeypots Malware Forensics

_{+ JSS Home Projects JSS Community Events News Docs About Contact}				.

JISK > Forensics > Areas > Network > Covert Channel > Host Level

Forensics Section Map

Covert Channel Identification at the Host Level

Content Leader: Jess Garcia - Last Updated: January 26, 2007

Windows

ICMP

Possibilities:
- The process is using the IcmpCreateFile API
  - Discovery Method: Use ListDLLs, list all processes that are not using Iphlpapi.dll and examine them further
  - Refs: http://www.securityfocus.com/archive/75/457701/30/0/threaded
- The process is using a Raw Socket

TCP/UDP

Discovery Tools:
- netstat
- TDImon
- TCPview

UNIX

system/kernel API akin to the socket/bind/connect/send/rcvmsg calls in the Unix-y networking API.

ICMP

Possibilities:
- The process is using the Unix Sockets Networking API
- The process is using the libdnet library (a set of wrappers for the UNIX Sockets Networking API).
- The process is using a Raw Socket

TCP/UDP

Discovery Tools:
- lsof

Copyright © 2000-2008 Jessland - Jess Garcia's Website - All rights reserved.