HTTP Protocol
# Forensic Value
In employee-misuse and many criminal cases, you may need to review a subject's web
usage for evidence of unauthorized content or activity. Traditionally this was
done by analyzing artifacts on the subject's hard drive. The proliferation of
full-disk encryption, portable applications, private browsing modes, corporate
BYOD policies, and mobile devices has shifted some of that focus toward
network-based data instead, and a significant amount of critical information can
be recovered there as well. If full packet captures are available, we can
re-create a subject's entire web session or extract every downloaded executable
for malware review.
# Request Dissection
## Request Components
Methods:
Headers:
## Response Components
### Headers
- Connection type
- Server string
- Content metadata
    - size, MIME type, Unicode charset, encoding, compression
- Date and timestamp
- Proxy caching directives
- Redirection
- Arbitrary custom fields: "X-\*"
### Data (body)
# Useful Fields
- Data is often extracted from compromised systems via POST (pastebin, sendspace, etc.)
- The User-Agent string can be used to build activity profiles
    - Malware often uses the UA to indicate its version
- Basic authentication credentials are only base64-encoded and are trivially decoded
- URIs show a subject's activity
- Date and timestamp headers build an activity timeline
- Google Analytics cookies
    - Track visitors' source, path, and history
    - Include very useful timestamps and counters
    - Long-lived: 2yr, 30min, 6mo rolling retention periods
- HubSpot targeting cookies
    - VERY unique identifier
    - Long-lived: 2yr, 10yr, 10yr rolling retention periods
> ![[Pasted image 20230228174104.png]]
> ![[Pasted image 20230228174208.png]]
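As an added example (this is not code from the page or from the course material it summarizes), the script below pulls the fields listed above out of one captured request: method and URI, User-Agent, Basic credentials, and the Google Analytics `__utma`/`__utmz` and HubSpot `__hstc` visitor cookies with their timestamps and session counters. The request is constructed and already split into its request line and a dict of lowercased headers, the way a `tshark -T fields` export or a parsing script would hand it over; the host, path, credentials and cookie values are invented.

```python
"""Added example (not the page's own tooling): forensic indicators from one HTTP request."""
import base64
from datetime import datetime, timezone


def basic_credentials(authorization):
    """Basic auth is base64, not encryption: the credentials come straight back."""
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic":
        return None
    user, _, password = base64.b64decode(token).decode("utf-8", "replace").partition(":")
    return user, password


def parse_cookies(cookie_header):
    jar = {}
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            jar[name] = value
    return jar


def utc(ts, ms=False):
    """Cookie timestamps are epoch seconds (GA) or milliseconds (HubSpot); report as UTC ISO."""
    return datetime.fromtimestamp(int(ts) / (1000 if ms else 1), tz=timezone.utc).isoformat()


def parse_visitor_cookie(value, ms=False):
    """__utma (GA, seconds) and __hstc (HubSpot, milliseconds) share one layout:
    domainhash.visitorid.first_visit.previous_visit.current_visit.session_count"""
    domain, vid, first, prev, cur, count = value.split(".")
    return {"domain_hash": domain, "visitor_id": vid, "first_visit": utc(first, ms),
            "previous_visit": utc(prev, ms), "current_visit": utc(cur, ms),
            "session_count": int(count)}


def parse_utmz(value):
    """__utmz: domainhash.timestamp.sessions.campaigns.utmcsr=..|utmccn=..|utmcmd=..[|utmctr=..]
    Only four '.' splits are taken so the campaign part keeps any dots of its own."""
    domain, ts, sessions, campaigns, campaign = value.split(".", 4)
    fields = dict(kv.split("=", 1) for kv in campaign.split("|"))
    return {"domain_hash": domain, "set_at": utc(ts), "sessions": int(sessions),
            "campaigns": int(campaigns), "source": fields.get("utmcsr"),
            "medium": fields.get("utmcmd"), "campaign": fields.get("utmccn"),
            "search_terms": fields.get("utmctr")}


def profile(request_line, headers):
    """headers: dict keyed by lowercase name. Returns what an analyst would log per request."""
    method, uri, _ = request_line.split(" ", 2)
    cookies = parse_cookies(headers.get("cookie", ""))
    out = {"method": method, "uri": uri, "host": headers.get("host"),
           "user_agent": headers.get("user-agent"), "credentials": None,
           "ga": None, "ga_campaign": None, "hubspot": None}
    if "authorization" in headers:
        out["credentials"] = basic_credentials(headers["authorization"])
    if "__utma" in cookies:
        out["ga"] = parse_visitor_cookie(cookies["__utma"])
    if "__utmz" in cookies:
        out["ga_campaign"] = parse_utmz(cookies["__utmz"])
    if "__hstc" in cookies:
        out["hubspot"] = parse_visitor_cookie(cookies["__hstc"], ms=True)
    return out


# Constructed request; timestamps were chosen to be easy to check by hand
# (1672531200 = 2023-01-01T00:00:00Z, 1677628800 = 2023-03-01T00:00:00Z).
SAMPLE_LINE = "GET /intranet/reports?q=salary HTTP/1.1"
SAMPLE_HEADERS = {
    "host": "intranet.example",
    "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/110.0",
    "authorization": "Basic Ym9iOmh1bnRlcjI=",
    "cookie": ("__utma=173272373.1234567890.1672531200.1677600000.1677628800.3; "
               "__utmz=173272373.1672531200.1.1.utmcsr=google|utmccn=(organic)"
               "|utmcmd=organic|utmctr=salary%20report; "
               "__hstc=173272373.0ab12cd34ef56ab78cd90ef12ab34cd5"
               ".1672531200000.1677600000000.1677628800000.3"),
}

if __name__ == "__main__":
    import json
    print(json.dumps(profile(SAMPLE_LINE, SAMPLE_HEADERS), indent=2))
```

The `__utma` timestamps give three points on the timeline (first visit, previous visit, this visit) from a single request, and the `__hstc` visitor token survives across sessions, which is what makes these cookies useful for tying otherwise unrelated requests to one browser profile.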
# Transfer-Encoding: Chunked
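An added example, not code from the page or the course it summarizes: the script below dissects raw HTTP/1.x request and response bytes into the components listed under Request Dissection (start line, headers, body) and then undoes what a browser undoes before showing the page, namely `Transfer-Encoding: chunked` (hex chunk sizes, optional chunk extensions, trailer headers) and `Content-Encoding: gzip`/`deflate`. Without that step a body carved out of a capture is a string of length lines and compressed fragments, not the file the subject downloaded. The request and response bytes are constructed; the host, path and form fields are invented.

```python
"""Added example (not the page's own tooling): HTTP/1.x message dissection with
chunked and gzip/deflate decoding. Sample traffic below is constructed."""
import gzip
import zlib


def parse_message(raw):
    """Split one message into start line, [(name, value)] headers and the raw body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete message: end of headers not found")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        # Header names are case-insensitive on the wire; normalize for lookups.
        headers.append((name.strip().decode("latin-1").lower(), value.strip().decode("latin-1")))
    return lines[0].decode("latin-1"), headers, body


def header(headers, name):
    return next((v for n, v in headers if n == name), None)


def dechunk(body):
    """Undo Transfer-Encoding: chunked.
    Wire form: <hex size>[;ext]CRLF <data>CRLF ... 0CRLF [trailer headers] CRLF.
    Returns (data, trailers, leftover); leftover is the next pipelined message, if any."""
    out, pos = b"", 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)   # chunk extensions are ignored
        pos = eol + 2
        if size == 0:
            break
        out += body[pos:pos + size]
        pos += size + 2                                 # chunk data plus its CRLF
    trailers = []
    while True:                                         # trailer section ends at an empty line
        eol = body.index(b"\r\n", pos)
        line, pos = body[pos:eol], eol + 2
        if not line:
            return out, trailers, body[pos:]
        name, _, value = line.partition(b":")
        trailers.append((name.strip().decode("latin-1").lower(), value.strip().decode("latin-1")))


def decode_body(headers, body):
    """Apply transfer decoding, then content decoding, in the order a client does."""
    te = (header(headers, "transfer-encoding") or "").lower()
    if "chunked" in te:
        data, trailers, rest = dechunk(body)
    else:
        length = int(header(headers, "content-length") or len(body))
        data, trailers, rest = body[:length], [], body[length:]
    ce = (header(headers, "content-encoding") or "").lower()
    if ce == "gzip":
        data = gzip.decompress(data)
    elif ce == "deflate":
        try:
            data = zlib.decompress(data)                # zlib-wrapped, as the RFC specifies
        except zlib.error:
            data = zlib.decompress(data, -zlib.MAX_WBITS)  # raw DEFLATE, as some servers send
    return data, headers + trailers, rest


def dissect(raw):
    start, headers, body = parse_message(raw)
    data, headers, rest = decode_body(headers, body)
    return {"start": start, "headers": headers, "body": data, "rest": rest}


# ---- constructed sample traffic -------------------------------------------
def chunk_encode(data, size, trailer=b""):
    """Chunked encoder used only to build the sample (first chunk carries an extension)."""
    out = b""
    for i in range(0, len(data), size):
        piece = data[i:i + size]
        out += (b"%x;ext=1\r\n" if i == 0 else b"%x\r\n") % len(piece) + piece + b"\r\n"
    return out + b"0\r\n" + trailer + b"\r\n"


REQUEST = (b"POST /api/post HTTP/1.1\r\nHost: paste.example\r\n"
           b"User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36\r\n"
           b"Content-Type: application/x-www-form-urlencoded\r\n"
           b"Content-Length: 23\r\n\r\napi_dev_key=abc&text=hi")
PAGE = b"<html><body>exfil receipt: 1 item stored</body></html>"
RESPONSE = (b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n"
            b"Content-Encoding: gzip\r\nTransfer-Encoding: chunked\r\n\r\n"
            + chunk_encode(gzip.compress(PAGE, mtime=0), 16, b"X-Checksum: 0b1f\r\n")
            + b"HTTP/1.1 204 No Content\r\nContent-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for raw in (REQUEST, RESPONSE):
        msg = dissect(raw)
        print(msg["start"], msg["headers"], msg["body"][:40], sep="\n  ")
```

Two details matter when this is run over real captures: trailer headers only exist after the terminating zero-length chunk, so a tool that stops reading at the `0` line loses them, and the bytes left over after one message are the start of the next pipelined response on the same connection, so `rest` has to be fed back through `dissect` rather than discarded.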
# HTTP/2
> - All headers are compressed with the HPACK algorithm. This results in a protocol
> that is nearly all binary, with very little useful ASCII content in the data
> stream. In addition, the headers are tagged in values, complicating analysis until
> tools are updated to better support parsing HTTP/2 traffic.
> - Multiplexing is used to increase throughput and decrease latency. Each request
> can ask for multiple resources and each response message can contain portions of
> multiple objects. HTTP/2 traffic does not follow the blocking request/response
> sequence of previous versions. Each HTTP/2 data stream is assigned a priority,
> allowing for QoS-style servicing of data considered more "important."
> - Servers can, without being asked and without indication, proactively "push"
> objects into the browser's cache. This is also used to improve performance, though
> without any client-side indication that the object was proactively pushed rather
> than explicitly requested. Until browsers log this status, many client-side
> forensic processes that rely on examining browser caches may not adequately state
> the nature of each disk artifact.
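The three points above (binary HPACK headers, frames of several streams interleaved on one connection, and server push) are easier to see on bytes than in prose. The added example below, which is not code from the page or the course it summarizes, walks a reassembled HTTP/2 byte stream frame by frame, regroups the frames by stream ID, decodes the HEADERS and PUSH_PROMISE header blocks with a small HPACK decoder, and records which stream a pushed object was promised on. The decoder covers indexed fields, the literal representations and dynamic-table updates, but only a subset of the static table and no Huffman-coded strings, so for real captures use a full implementation (tshark, or the `hpack`/`h2` Python packages); the session bytes, host and paths are constructed. It assumes the capture has already been TCP-reassembled so each record holds whole frames, and that header blocks are not split across CONTINUATION frames.

```python
"""Added example (not the page's own tooling): split a reassembled HTTP/2 byte
stream into frames, regroup them by stream, and decode HEADERS/PUSH_PROMISE
blocks with a minimal HPACK decoder (static-table subset, no Huffman)."""
import struct

PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"       # the last readable ASCII a client sends
FRAME_TYPES = {0: "DATA", 1: "HEADERS", 2: "PRIORITY", 3: "RST_STREAM", 4: "SETTINGS",
               5: "PUSH_PROMISE", 6: "PING", 7: "GOAWAY", 8: "WINDOW_UPDATE", 9: "CONTINUATION"}
# Subset of the HPACK static table (RFC 7541 Appendix A); the indices are the real ones.
STATIC = {1: (":authority", ""), 2: (":method", "GET"), 3: (":method", "POST"), 4: (":path", "/"),
          5: (":path", "/index.html"), 6: (":scheme", "http"), 7: (":scheme", "https"),
          8: (":status", "200"), 31: ("content-type", ""), 54: ("server", ""), 58: ("user-agent", "")}


def read_int(buf, pos, prefix_bits):
    """HPACK integer (RFC 7541 5.1): N-bit prefix, long form in 7-bit continuation groups."""
    mask = (1 << prefix_bits) - 1
    value, pos, shift = buf[pos] & mask, pos + 1, 0
    while value >= mask:
        byte, pos = buf[pos], pos + 1
        value += (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            break
    return value, pos


def read_str(buf, pos):
    """HPACK string literal: H bit, 7-bit-prefixed length, then the octets."""
    huffman = bool(buf[pos] & 0x80)
    length, pos = read_int(buf, pos, 7)
    if huffman:
        raise ValueError("Huffman-coded literal: this toy decoder carries no code table")
    return buf[pos:pos + length].decode("latin-1"), pos + length


class HpackDecoder:
    """One per direction: the dynamic table is connection state shared by all streams."""
    def __init__(self):
        self.dynamic = []                             # newest first; index 62 == dynamic[0]

    def lookup(self, idx):
        if idx >= 62:                                 # dynamic entries follow the 61 static ones
            return self.dynamic[idx - 62]
        return STATIC[idx]                            # KeyError: not in this partial table

    def decode(self, block):
        headers, pos = [], 0
        while pos < len(block):
            first = block[pos]
            if first & 0x80:                          # indexed header field
                idx, pos = read_int(block, pos, 7)
                headers.append(self.lookup(idx))
                continue
            if first & 0x40:                          # literal with incremental indexing
                idx, pos = read_int(block, pos, 6)
            elif first & 0x20:                        # dynamic table size update
                _, pos = read_int(block, pos, 5)
                continue
            else:                                     # literal without / never indexed
                idx, pos = read_int(block, pos, 4)
            name, pos = (self.lookup(idx)[0], pos) if idx else read_str(block, pos)
            value, pos = read_str(block, pos)
            if first & 0x40:                          # size-based eviction is not modelled
                self.dynamic.insert(0, (name, value))
            headers.append((name, value))
        return headers


def parse_frames(data):
    """(stream_id, type, flags, payload) per frame: 24-bit length, type, flags, R + 31-bit id."""
    pos, frames = len(PREFACE) if data.startswith(PREFACE) else 0, []
    while pos + 9 <= len(data):
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype, flags = data[pos + 3], data[pos + 4]
        sid = struct.unpack(">I", data[pos + 5:pos + 9])[0] & 0x7FFFFFFF
        frames.append((sid, FRAME_TYPES.get(ftype, hex(ftype)), flags, data[pos + 9:pos + 9 + length]))
        pos += 9 + length
    return frames


def dissect(packets):
    """packets: [(direction, bytes)] in capture order, whole frames, no CONTINUATION."""
    decoders = {"client": HpackDecoder(), "server": HpackDecoder()}
    streams, new = {}, lambda: {"headers": [], "data": b"", "pushed_on": None}
    for direction, data in packets:
        for sid, ftype, flags, payload in parse_frames(data):
            entry = streams.setdefault(sid, new())
            if flags & 0x08:                          # PADDED: pad-length byte, padding at the end
                payload = payload[1:len(payload) - payload[0]]
            if ftype == "DATA":
                entry["data"] += payload
            elif ftype == "HEADERS":
                if flags & 0x20:                      # PRIORITY: 4-byte dependency + 1-byte weight
                    payload = payload[5:]
                entry["headers"] += decoders[direction].decode(payload)
            elif ftype == "PUSH_PROMISE":             # server-synthesized request for a new stream
                promised = struct.unpack(">I", payload[:4])[0] & 0x7FFFFFFF
                target = streams.setdefault(promised, new())
                target["pushed_on"] = sid
                target["headers"] += decoders[direction].decode(payload[4:])
    return streams


def frame(ftype, flags, sid, payload=b""):           # sample builder: 9-byte header + payload
    return len(payload).to_bytes(3, "big") + bytes([ftype, flags]) + struct.pack(">I", sid) + payload


def lit(prefix, idx, value):                          # HPACK literal for a static name; 0x40 adds it to the table
    return bytes([prefix | idx, len(value)]) + value


# Constructed session: SETTINGS, GET / on stream 1, a push of /app.js as stream 2, GET /index.html on 3.
SESSION = [
    ("client", PREFACE + frame(4, 0, 0) + frame(1, 0x05, 1, b"\x82\x87\x84"
               + lit(0x40, 1, b"example.test") + lit(0x40, 58, b"curl/8.0"))),
    ("server", frame(4, 0, 0) + frame(1, 0x04, 1, b"\x88" + lit(0x40, 54, b"nginx") + lit(0x40, 31, b"text/html"))
     + frame(5, 0x04, 1, struct.pack(">I", 2) + b"\x82\x87" + lit(0x40, 1, b"example.test") + lit(0x00, 4, b"/app.js"))),
    ("client", frame(1, 0x05, 3, b"\x82\x87\x85\xbf\xbe")),          # 0xbf/0xbe: dynamic-table hits
    ("server", frame(0, 0x01, 1, b"<html>hi</html>") + frame(1, 0x04, 2, b"\x88\xc0" + lit(0x40, 31, b"application/javascript"))
     + frame(1, 0x04, 3, b"\x88\xc1\xc0") + frame(0, 0x01, 3, b"<html>index</html>") + frame(0, 0x01, 2, b"console.log(1)")),
]
```

Two things the output makes concrete: the second client request is five bytes (`82 87 85 bf be`) and only decodes because the decoder has kept the `:authority` and `user-agent` entries the first request added to the dynamic table, so a header block cannot be interpreted without every earlier block in the same direction; and stream 2 never appears in any client frame at all, its request exists only inside the server's PUSH_PROMISE, which is the on-the-wire trace of a pushed object that a cache-only examination of the client will not show.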
# Logs