HTTP Protocol

The document discusses the basics and forensic value of HTTP traffic, including how it can be used to analyze user web activities, machine interactions, and malware command and control channels. It also describes how to dissect HTTP requests and responses by examining components like methods, headers, status codes, and encoding.

# Basics

- ASCII-based, stateless protocol
- Generally, TCP/80
- Originally for text markup documents
- Today handles documents, raw data, streaming media, APIs, and much more

# Forensic Value

- User actions during web browsing
- Web content, downloaded files
- Programmatic system exchanges using APIs
- Malware C2
- Data theft
- Server compromise

In employee misuse or many criminal cases, you may need to review the subject's web
usage for evidence of unauthorized content or activity. Traditionally this was
accomplished through analysis of artifacts on the subject's hard drive. The
proliferation of full-disk encryption, portable applications, private browsing
modes, corporate BYOD policies, and mobile devices has shifted some of the focus
toward analysis of network-based data instead. We can glean a significant amount of
critical information through this analysis as well. If packets are available, we
can re-create a subject's entire web session, or extract all downloaded executable
files for malware review.

Aside from reviewing a human's activities, we can also analyze machine-to-machine
interaction. If we know the APIs a piece of software uses, we can often provide a
fairly complete picture of the actions that occurred on the systems, helping
complete a timeline of the event you're investigating.

A subset of API-like communications is the command and control channels malware
uses to communicate with its mother ship. By collaborating with malware analysts we
can learn the nature of an implant's orders over time. More importantly, we can
identify and isolate the data an attacker extracted from the target network,
greatly aiding in the damage assessment and remediation phases of an incident
response activity.

# Request Dissection

## Request Components

Methods:

- Required: GET, POST
- Optional:
  - OPTIONS - allows the client to query the server for requirements or
    capabilities
  - HEAD - identical to GET, but tells the server to only return the resulting
    headers for the request
  - PUT - requests that the server create a resource at the specified location,
    containing the data supplied in the request
  - DELETE - requests that the server remove a resource at a specified location
  - TRACE - used in troubleshooting a request across multiple proxy servers;
    this is not common and is generally disabled on servers
  - CONNECT - requests that a proxy switch to a tunnel, such as with SSL/TLS
    encryption
- WebDAV: PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK

Request string (aka URI):

- can include parameters on GET requests

Headers:

- Hostname (required for HTTP/1.1)
- User-Agent string
- Accepted content
  - compression, MIME types, languages, Unicode charsets
- Cookies: session, persistent
- Authentication for server-side authorization
- Proxy details (X-Forwarded-For)
- Referer URI (the header name is misspelled in the standard itself)
- Arbitrary custom fields
- **Data (for HTTP POST requests)**

## Response Components

- Protocol version (should match request)
- Status codes are in families of 100s
  - Code tells what happened
  - Logs can characterize an attacker's intent and capabilities
- Response phrase contains arbitrary text
  - not logged, but can be creatively "misused"

### Headers

- Connection type
- Server string
- Content metadata
  - size, MIME type, Unicode charset, encoding, compression
- Date and timestamp
- Proxy caching directives
- Redirection
- Arbitrary custom fields: "X-\*"

DATA!

# Useful Fields

- Data often extracted from compromised systems via POST (pastebin, sendspace, etc.)
- User-Agent string can build activity profiles
  - Malware often uses the UA to indicate its version
- Basic authentication is easily reversed (it is only base64-encoded)
- URIs show a subject's activity
- Date and timestamp build an activity timeline
- Google Analytics cookies
  - Track visitors' source, path, and history
  - Include very useful timestamps and counters
  - Long-living: 2yr, 30min, 6mo rolling retention periods
- HubSpot targeting cookies
  - VERY unique identifier
  - Long-living: 2yr, 10yr, 10yr rolling retention periods
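As an added example (not part of the original notes), the following Python dissects a raw HTTP/1.x request and pulls out the fields listed above: URI, Host, User-Agent, Referer, X-Forwarded-For, the reversed Basic credential, the first-visit epoch embedded in a Google Analytics `_ga` cookie, and the POST body. The sample request, its hostnames, cookie values and the `analyst:hunter2` credential are constructed for illustration.

```python
import base64
import binascii

# Constructed sample request; hostnames, cookie and credential are made up.
SAMPLE_REQUEST = (
    b"POST /upload.php?id=42 HTTP/1.1\r\n"
    b"Host: paste.example\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; agent-v2.3)\r\n"
    b"Referer: http://intranet.example/login\r\n"
    b"X-Forwarded-For: 10.0.0.7\r\n"
    b"Cookie: _ga=GA1.2.1234567890.1677603600; hubspotutk=0123456789abcdef\r\n"
    b"Authorization: Basic YW5hbHlzdDpodW50ZXIy\r\n\r\n"
    b"data=secret"
)

def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, uri, version, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, uri, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:                      # header names are case-insensitive
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, version, headers, body

def decode_basic_auth(headers):
    """Basic auth is only base64: recover the (user, password) pair, or None."""
    scheme, _, cred = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, _, pw = base64.b64decode(cred, validate=True).decode().partition(":")
    except (binascii.Error, UnicodeDecodeError):
        return None                             # malformed or non-text credential
    return user, pw

def extract_useful_fields(raw):
    """Collect the forensically useful fields of one request into a timeline record."""
    method, uri, _, headers, body = parse_request(raw)
    cookies = dict(p.strip().partition("=")[::2]
                   for p in headers.get("cookie", "").split(";") if p.strip())
    ga = cookies.get("_ga", "").split(".")      # GA1.2.<client-id>.<first-visit epoch>
    return {
        "method": method, "uri": uri, "host": headers.get("host"),
        "user_agent": headers.get("user-agent"), "referer": headers.get("referer"),
        "client_ip": headers.get("x-forwarded-for"), "basic_auth": decode_basic_auth(headers),
        "ga_first_visit": int(ga[-1]) if len(ga) == 4 and ga[-1].isdigit() else None,
        "hubspotutk": cookies.get("hubspotutk"),
        "post_body": body if method == "POST" else b"",
    }
```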

# Transfer-Encoding: Chunked

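Chunked bodies have to be reassembled before a downloaded file can be carved from a response, and compressed ones then decompressed. This added example (not from the original notes) decodes a chunked body, tolerating chunk extensions and trailers and rejecting a truncated chunk, and then applies the Content-Length / gzip handling for a plain response. Both sample responses are constructed inline.

```python
import gzip

def decode_chunked(body):
    """Reassemble a Transfer-Encoding: chunked body. Each chunk is
    "<hex size>[;extension]\r\n<data>\r\n"; a zero-size chunk ends the body."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)                 # ValueError if size line is cut
        size_field = body[pos:eol].split(b";", 1)[0].strip()   # drop chunk extensions
        size = int(size_field, 16)
        pos = eol + 2
        if size == 0:
            break                                      # last-chunk; trailers may follow
        if len(body) < pos + size + 2 or body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("truncated or malformed chunk")
        out += body[pos:pos + size]
        pos += size + 2
    return bytes(out)

def extract_response_body(raw):
    """Return the decoded payload of a raw HTTP/1.x response (de-chunk, then gunzip)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip().lower()
    if "chunked" in headers.get("transfer-encoding", ""):
        body = decode_chunked(body)
    elif "content-length" in headers:
        body = body[:int(headers["content-length"])]
    if headers.get("content-encoding") == "gzip":
        body = gzip.decompress(body)
    return body

# Constructed chunked response: three chunks (one with an extension), then a trailer.
SAMPLE_CHUNKED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
    b"7\r\nMozilla\r\n"
    b"b;ext=ignored\r\n developer \r\n"
    b"7\r\nNetwork\r\n"
    b"0\r\nX-Checksum: placeholder\r\n\r\n"
)
# Constructed gzip-compressed download with a fake "MZ" header, built at runtime.
GZ_PAYLOAD = gzip.compress(b"MZ\x90\x00 constructed fake download")
SAMPLE_GZ_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Encoding: gzip\r\n"
    + b"Content-Length: %d\r\n\r\n" % len(GZ_PAYLOAD) + GZ_PAYLOAD
)
```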

# HTTP/2

- does not resemble HTTP 1.0 or 1.1
- Generally sent via TLS, though not required
- Compressed headers in tags
- Fully multiplexed
  - Multiple requests per packet
  - Parts of multiple responses per packet
- Servers can force "push" objects to browsers
  - No browser indication that the object was not requested

> - All headers are compressed with the HPACK algorithm. This results in a protocol
> that is nearly all binary, with very little useful ASCII content in the data
> stream. In addition, the headers are tagged in values, complicating analysis until
> tools are updated to better support parsing HTTP/2 traffic.
> - Multiplexing is used to increase throughput and decrease latency. Each request
> can ask for multiple resources and each response message can contain portions of
> multiple objects. HTTP/2 traffic does not follow the blocking request/response
> sequence of previous versions. Each HTTP/2 data stream is assigned a priority,
> allowing for QoS-style servicing for data considered more "important."
> - Servers can proactively "push" objects into the browser's cache without being
> asked and without any indication. This is also used to improve performance, though
> without any client-side indication that the object was proactively pushed rather
> than explicitly requested. Until browsers log this status, many client-side
> forensic processes that rely on examining browsers' caches may not adequately state
> the nature of each disk artifact.

# Logs