Hunting for fragments of network traffic requires knowledge of the network protocols for which you are searching. This page is not an in-depth tutorial but is meant to give some hints to help you along the way.
In your study of network protocols, you might also want to read "The Case for Teaching Network Protocols to Computer Forensics Examiners" (Kessler & Fasulo, 2007) and/or "On Teaching TCP/IP Protocol Analysis to Computer Forensics Examiners" (Kessler, 2008). If you are particularly interested in TCP/IP, you might want to look at my TCP/IP Tutorial and/or TCP/IP Pocket Reference Guide.
Data protocols exist as a stack where lower layer protocols transport higher layer protocols, applications, and services. Therefore, it is essential that you understand the protocol layering and relationships.
The most common stack is the TCP/IP protocol stack, which I will grossly simplify here to have these three layers:
    TCP   UDP   ICMP
          IP
    Ethernet/IEEE 802.3
What this means is that a TCP segment, UDP datagram, or ICMP message is transported in an IP packet which is, in turn, carried in an Ethernet frame (at least on a local area network).
An Ethernet frame starts with a 14-byte header composed of:
- 6-byte (48-bit) Destination MAC (hardware) address
- 6-byte (48-bit) Source MAC (hardware) address
- 2-byte EtherType
Unless you know the MAC address of the sender or receiver, you can't search for the MAC addresses. But if you know which higher-layer protocol (i.e., the data transported in this frame) is being used, then you can search the EtherType field. Alternatively, you can search for, or otherwise spot, hex digit sequences that indicate certain protocol types.
The EtherType is the last two bytes in the Ethernet/IEEE 802.3 header, meaning that the next byte in the stream will be the first byte in the header of the next higher protocol. If the EtherType is 0x0800, the higher-layer protocol is IPv4. The first byte of the IPv4 header (byte 0) contains two items of information:
- The first nibble is the version number; this value is 0x4 to indicate IPv4.
- The second nibble is the number of 32-bit (4-byte) words in the IP Header; the standard IPv4 Header is 20 bytes in length, so this value is usually 0x5.
If the EtherType is 0x86DD, the higher-layer protocol is IPv6. The first byte of the IPv6 header (byte 0) also contains two items of information:
- The first nibble is the version number; this value is 0x6 to indicate IPv6.
- The second nibble is the high-order nibble of the 8-bit Traffic Class field.
What we've learned, then, is that the string 0x08-00-45 could well be a fragment of an Ethernet frame containing an EtherType indicating IPv4, followed by the first byte of an IPv4 packet. There's certainly no guarantee that this is the case, but it is a reasonable guess so far, particularly if you find this information starting at byte offset 12. (It is also possible that the string 0x86-DD-6 is an IPv6 packet but this is as far as I will go with IPv6-guessing!)
One further indicator that helps narrow down the search is to look at byte 9 of the IPv4 header (or byte 6 of an IPv6 header), which is the higher (Application) layer protocol identifier (the Protocol field in IPv4, the Next Header field in IPv6). Possible values in this field include 0x01 = ICMP, 0x06 = TCP, and 0x11 = UDP. So, finding the string 0x08-00-45 followed nine bytes later (or 0x86-DD-6? [where "?" means any value] followed six bytes later) by a 0x01, 0x06, or 0x11 could very well indicate ICMP, TCP, or UDP, respectively:
08 00 45 xx xx xx xx xx xx xx xx 01 - IPv4 + ICMP
08 00 45 xx xx xx xx xx xx xx xx 06 - IPv4 + TCP
08 00 45 xx xx xx xx xx xx xx xx 11 - IPv4 + UDP
86 DD 6x xx xx xx xx xx 01 - IPv6 + ICMP
86 DD 6x xx xx xx xx xx 06 - IPv6 + TCP
86 DD 6x xx xx xx xx xx 11 - IPv6 + UDP
If you're willing to guess that you have a network packet hit, there's a lot more information that can be parsed, e.g.:
- The 12 bytes before the 0x0800 or 0x86DD are the destination and source MAC addresses.
- The Source IP address appears in bytes 12-15 of an IPv4 packet or bytes 8-23 of an IPv6 packet.
- The Destination IP address appears in bytes 16-19 of an IPv4 packet or bytes 24-39 of an IPv6 packet.
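The hints above (EtherType, version nibble, protocol/next-header byte, and the fixed offsets of the MAC and IP addresses) can be turned into a small carver that slides over a memory image or a block of unallocated space and reports plausible frames. The code below is an added example written for this page; it is not the author's code. It goes a little beyond the text in two ways, both labelled in the comments: it verifies the IPv4 header checksum to weed out false positives (the page does not mention this check), and for IPv6 it also accepts Next Header 0x3A, the value ICMPv6 actually uses. The function names, the dictionary layout of each hit, and the sample buffer are all my own construction; the sample bytes are made up, not real captured traffic.

```python
import ipaddress
import struct
from typing import Optional

# EtherType values and protocol identifiers named on the page.
ETHERTYPE_IPV4 = b"\x08\x00"
ETHERTYPE_IPV6 = b"\x86\xdd"
IPV4_PROTOCOLS = {0x01: "ICMP", 0x06: "TCP", 0x11: "UDP"}
# Added beyond the page: ICMP over IPv6 is ICMPv6, whose Next Header value is 0x3A (58).
IPV6_NEXT_HEADERS = {0x06: "TCP", 0x11: "UDP", 0x3A: "ICMPv6"}


def ipv4_header_checksum(header: bytes) -> int:
    """One's-complement sum of the IPv4 header as 16-bit words.
    Over a header whose checksum field is zero it returns the checksum to store;
    over a header that already carries a correct checksum it returns 0.
    (Validation step added here; the page does not describe it.)"""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def fmt_mac(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def parse_candidate(buf: bytes, off: int) -> Optional[dict]:
    """Interpret buf[off:off+2] as an EtherType (byte 12 of an Ethernet frame)
    and validate what follows. Returns a hit dictionary or None."""
    ethertype = buf[off:off + 2]
    ip = off + 2                             # first byte of the IP header
    # The 12 bytes before the EtherType are destination then source MAC.
    macs = {"dst_mac": fmt_mac(buf[off - 12:off - 6]),
            "src_mac": fmt_mac(buf[off - 6:off])} if off >= 12 else \
           {"dst_mac": None, "src_mac": None}

    if ethertype == ETHERTYPE_IPV4:
        if len(buf) < ip + 20 or buf[ip] >> 4 != 4:
            return None                      # version nibble must be 4
        ihl = (buf[ip] & 0x0F) * 4           # header length in bytes, usually 20
        if ihl < 20 or len(buf) < ip + ihl:
            return None
        proto = buf[ip + 9]                  # byte 9: Protocol field
        if proto not in IPV4_PROTOCOLS:
            return None
        if ipv4_header_checksum(buf[ip:ip + ihl]) != 0:
            return None                      # added check: bad checksum -> not a real header
        return {"version": 4, "proto": IPV4_PROTOCOLS[proto],
                "src_ip": str(ipaddress.IPv4Address(buf[ip + 12:ip + 16])),
                "dst_ip": str(ipaddress.IPv4Address(buf[ip + 16:ip + 20])), **macs}

    if ethertype == ETHERTYPE_IPV6:
        if len(buf) < ip + 40 or buf[ip] >> 4 != 6:
            return None                      # version nibble must be 6
        nxt = buf[ip + 6]                    # byte 6: Next Header field
        if nxt not in IPV6_NEXT_HEADERS:
            return None
        return {"version": 6, "proto": IPV6_NEXT_HEADERS[nxt],
                "src_ip": str(ipaddress.IPv6Address(buf[ip + 8:ip + 24])),
                "dst_ip": str(ipaddress.IPv6Address(buf[ip + 24:ip + 40])), **macs}
    return None


def carve_frames(buf: bytes) -> list:
    """Slide over every offset of buf and collect plausible Ethernet/IP frames."""
    hits = []
    for off in range(len(buf) - 1):
        rec = parse_candidate(buf, off)
        if rec is not None:
            rec["offset"] = off - 12         # where the Ethernet header would start
            hits.append(rec)
    return hits


def build_sample_buffer() -> bytes:
    """Constructed sample: one IPv4/UDP and one IPv6/UDP frame surrounded by filler."""
    dst_mac = bytes.fromhex("001122334455")
    src_mac = bytes.fromhex("66778899aabb")
    udp = bytes.fromhex("0035003500080000")  # constructed 8-byte UDP header
    # IPv4: ver/IHL=0x45, len 28, id 1, TTL 64, proto 0x11, checksum zeroed, 192.168.1.10 -> 10.0.0.1
    v4 = bytearray(bytes.fromhex("4500001c000100004011" + "0000" + "c0a8010a" + "0a000001"))
    struct.pack_into("!H", v4, 10, ipv4_header_checksum(bytes(v4)))
    # IPv6: version 6, payload len 8, next header 0x11, hop limit 64, 2001:db8::1 -> 2001:db8::2
    v6 = (bytes.fromhex("60000000" + "0008" + "11" + "40")
          + ipaddress.IPv6Address("2001:db8::1").packed
          + ipaddress.IPv6Address("2001:db8::2").packed)
    frame4 = dst_mac + src_mac + ETHERTYPE_IPV4 + bytes(v4) + udp
    frame6 = dst_mac + src_mac + ETHERTYPE_IPV6 + v6 + udp
    return b"--- unallocated filler ---" + frame4 + b"\x00" * 9 + b"more filler" + frame6 + b"\x00" * 5


if __name__ == "__main__":
    for hit in carve_frames(build_sample_buffer()):
        print(hit)
```

Only the IPv4 branch has a checksum to lean on; an IPv6 hit rests on the version nibble and the Next Header value alone, so expect more false positives there and confirm them by checking that the addresses and the transport header that follows make sense, as the text suggests.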
Once you have a guess as to the Application layer, then you can start to piece things together to see if the data makes sense. The RFCs or the pocket reference guide mentioned above can help in network traffic data analysis.
As you can see, there are a number of ways to search for network traffic in RAM or unallocated space because there are common values that can be found in known, fixed locations. But you do need to know what you're looking for!