HTTP Wireshark Forensics 1 Text

1. The document discusses analyzing HTTP traffic using Wireshark by observing a simple HTTP request-response transaction. 2. It begins by having the reader create a basic HTML page and use cURL to make an HTTP GET request to view the page, observing the request and response headers. 3. The document then examines the HTTP transaction more closely using Wireshark, explaining the three-way TCP handshake that occurs before the HTTP request and response can be exchanged over the established TCP connection.

Uploaded by

Aditi Sharma

HTTP, Wireshark, and Digital Forensics
Part 1: HTTP traffic contains text information

Traffic files: https://github.com/frankwxu/digital-forensics-lab/tree/main/Illegal_Possession_Images/lab_files/traffic


Overview
• Observe HTTP traffic with curl
• Review the Open Systems Interconnection Model (OSI)
• Is understanding HTTP enough for forensic investigations?
• Examine HTTP traffic with Wireshark
  • Three-way handshake (TCP)
  • Communication (HTTP request/response)
  • Close connection (TCP)

Observe HTTP traffic

What is HTTP?
• HTTP stands for hypertext transfer protocol and is used to transfer data across the Web
(figure: an HTTP Request sent from the client to the server, and the HTTP Response returned)
Create a simple html page to be observed in Wireshark
• Create a simple webpage, named basic.html, and put it in the folder /var/www/html
  • (optional) if you are logged in as a non-admin account, such as student, you must change the html folder permission
• Start the web service
• Show the webpage

service apache2 stop
service apache2 restart
cURL (pronounced 'curl')
• A command-line tool
• Open source
• Transfers data
• Supports many network protocols
(screenshot of curl -v against basic.html, annotated: -v: verbose, show headers; Method: GET, POST; Path: /basic.html)
Review Open Systems Interconnection Model (OSI)
Is understanding HTTP enough for forensic investigations?
Importance of understanding what lies underneath HTTP
• Many layers (OSI Model) are defined to form computer networks
• HTTP is one protocol at the application layer
• Forensic investigation focuses on all layers
  • Malware analysis
  • Attack analysis
  • File extraction
• The OSI Model (Open Systems Interconnection Model) is a conceptual framework used to describe the functions of a networking system.
(figure: mailroom analogy for HTTP request and response carried from Building A to Building B)
An employee in Building A (room 102) sends a nine-page document to an employee in Building B (room 103). The pages are split into three envelopes (pp.1-3, pp.4-6, pp.7-9), each addressed "from: Building A 102, to: Building B 103", handed to mailroom 111, delivered to room 103, and reassembled there as part 1, part 2, part 3.
Rules:
1. All pages must be put in envelopes
2. Each envelope holds at most 3 pages
3. All internal mail must be delivered to the mail room
4. Internal mail is delivered by staff, not by the employees themselves
In the same way, one piece of HTTP data is wrapped in turn as Data -> Segment (TCP) -> Packet (IP) -> Frame (Ethernet) -> bits on the wire.
Capture HTTP traffic using Wireshark
Reconfigure wireshark
• Add student to the wireshark group
• Logout and log back in
• Clear the browser cache
• You don't need to have root to capture traffic
• Change the interface (-i) from lo to eth0 if you need to capture live traffic
You can download the pre-captured traffic
command to download the basic.log file:

wget https://raw.githubusercontent.com/frankwxu/digital-forensics-lab/main/Illegal_Possession_Images/lab_files/traffic/basic.log
Three-way handshake
No. 1, 2, and 3 (packets 1, 2 and 3 in the capture)
The purposes of the handshake
• Two participants establish a communication link at the start of the communication
  • The two parties are named "Alice and Bob"
• Before full communication begins, make sure both sides are ready to communicate
• Each party picks and exchanges a random number as an initial reference ID (byte number) to keep track of each byte sent and received
  • e.g., Bob 6 and Alice 141
  • after the three messages, each receiver expects the ID following the one it acknowledged

(figure: Bob throws a ball labelled # 6 to Alice; Alice replies with her own ball labelled # 141 and acknowledges 6+1; Bob acknowledges 141+1; Bob's following message bytes are labelled 6+1 .. 10)
Reply:
• I have received the ball labeled with # 6.
• If you send me a message (containing multiple packets), I expect the first byte to be labeled as 6+1

SYN message: Sequence #: random (Bob: 6)
ACKnowledge with seq#: Alice acknowledges 6+1 and sends her own SYN with sequence # 141
• I've received your request with seq # 6
• I expect to receive your next seq# 6+1
ACKnowledge: Bob acknowledges 141+1

• Sequence #: the byte number of the first byte of data in the TCP segment sent
  • beginning at a random # or 0 (relative seq#)
• ACKnowledge #: the sequence number of the next byte the receiver expects to receive
  • Seq # + size of packet, +1 for SYN
  • The receiver ack'ing sequence number x acknowledges receipt of all data bytes less than (but not including) byte number x

(figure: TCP state diagram of the handshake between client Port 57338 and server Port 80; m, n are in bytes)
client state CLOSED, server state CLOSED; the server moves to LISTEN
1. Client chooses initial seq num m and sends SYN (seq = m); client state SYN-SENT
2. Server replies SYN (seq = n), ACK (m+1); server state SYN-RECEIVED
3. Client receives the SYN-ACK, which indicates the server is live, and sends ACK (n+1); both sides ESTABLISHED

Layers involved in handshaking
1. Client:
  • I am sending seq # m
  • I will use the seq # m to indicate the byte number of the first byte of data in the TCP segment sent
2. Server:
  • I've received your seq # m
  • I expect to receive your next seq# m+1
  • I'm sending seq # n and I will use it to indicate the byte number of the first byte of data in the TCP packet I am sending
3. Client:
  • OK. I am sending seq # m+1 as you requested
  • I ack that I have received n and I expect to receive the package starting with seq # n+1
HTTP request protocol
No. 4 (packet 4 in the capture)
Sequence of TCP segments between client Port 57338 and server Port 80 (relative seq#):
1. client -> server: SYN (seq=0)                               handshake
2. server -> client: SYN (seq=0), ACK (0+1)                    handshake
3. client -> server: (seq=1), ACK (0+1), TCP len=0             handshake
4. client -> server: (seq=1), ACK (0+1), TCP len=t1            HTTP request/TCP
5. server -> client: (seq=1), ACK (1+t1), TCP len=0            transfer: server acks the request
6. server -> client: (seq=1), ACK (1+t1), TCP len=t2           HTTP response/TCP
7. client -> server: (seq=1+t1), ACK (1+t2), TCP len=0         transfer: client acks the response

In the lab capture, TCP length t1=83 (the HTTP request) and TCP length t2=352 (the HTTP response):
4. client -> server: (seq=1), ACK (0+1), TCP len=83            HTTP request, seq=1, 83 bytes
5. server -> client: (seq=1), ACK (1+83), TCP len=0
6. server -> client: (seq=1), ACK (1+83), TCP len=352          HTTP response/TCP
7. client -> server: (seq=1+83), ACK (1+352), TCP len=0
Show http request
(screenshots: layers involved in the HTTP request, packet 4 in Wireshark)
• Show the HTTP request (4)
• Show the TCP segment (4)
• Show the TCP payload
• Show the IP packet (4)
• Show the Ethernet frame (4), Ethernet 802.3
The lo interface is not associated with a hardware network interface (it's a virtual loopback interface), so it does not have an Ethernet hardware address (MAC address).
ARP (0x0806)
Server ACKnowledges the request
ACK 84 = 1 + TCP length (83)
HTTP response protocol
No. 5 and 6 (packets 5 and 6 in the capture)
• Server sends the HTTP response head (HTTP header)
• Server sends the HTTP response data (simple.html), packet 6
  • TCP PSH flag: data must be transmitted promptly to the receiver
• Client sends the TCP acknowledgement, packet 7
TCP Close connection
No. 8, 9 and 10 (packets 8, 9 and 10 in the capture)
(figure: TCP teardown between client Port 57338 and server Port 80; client state / server state start at ESTAB / ESTAB)
8. client -> server: FIN, ACK=353, seq=84; client enters FIN_WAIT_1 (can no longer send but can receive data); server enters CLOSE_WAIT (can still send data)
   server -> client: ACK=84+1; client enters FIN_WAIT_2 and waits for the server to close
9. server -> client: FIN, ACK=84+1, seq=353; server enters LAST_ACK; client enters TIMED_WAIT (can no longer send data)
10. client -> server: ACK=353+1; server CLOSED; client waits for 2*max segment lifetime, then CLOSED
Summary
• Think of a header as an envelope
• Only the smallest envelope (TCP header) contains the data (HTTP data) we want to read
• An envelope describes what is inside the envelope
• Information shown on an envelope is the metadata of the payload
• Sequence # is the byte number of the first byte of HTTP data in the TCP segment sent
  • beginning at a random # or 0 (relative seq#)
• Acknowledge # is the sequence number of the next byte the receiver expects to receive
  • Seq # + size of packet, +1 for SYN
• Handshake TCP segments carry no HTTP data (size=0)
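As an added example (not part of the lab slides), the seq/ack arithmetic from the handshake, request/response and close sections applied to the ten segments of the lab capture, in Python. The segment values (83-byte request, 352-byte response, ports 57338 and 80) are taken from the slides; the segments themselves are constructed here, not read from basic.log, and check_flow reports any seq or ack that disagrees with what the peer should expect, which is how a segment missing from a capture shows up during analysis.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Segment:
    src: str                   # "client" (port 57338) or "server" (port 80)
    seq: int                   # relative sequence number of the first payload byte
    ack: Optional[int] = None  # next byte the sender expects; None on the first SYN
    length: int = 0            # TCP payload length in bytes ("TCP len" on the slides)
    syn: bool = False
    fin: bool = False

    def consumed(self) -> int:
        """Sequence space this segment uses: payload bytes, plus 1 for a SYN or FIN."""
        return self.length + int(self.syn) + int(self.fin)

def expected_ack(seg: Segment) -> int:
    """Ack number the peer should send back: seq + size of packet, +1 for SYN/FIN."""
    return seg.seq + seg.consumed()

def check_flow(segments):
    """Walk one connection in order and report every seq or ack that disagrees with
    what the peer should expect; an empty list means the capture is consistent."""
    next_seq = {"client": 0, "server": 0}  # next seq each side should send
    expect = {"client": 0, "server": 0}    # next byte each side expects to receive
    problems = []
    for n, s in enumerate(segments, start=1):
        peer = "server" if s.src == "client" else "client"
        if s.seq != next_seq[s.src]:
            problems.append(f"#{n} {s.src}: seq {s.seq}, expected {next_seq[s.src]}")
        if s.ack is not None and s.ack != expect[s.src]:
            problems.append(f"#{n} {s.src}: ack {s.ack}, expected {expect[s.src]}")
        next_seq[s.src] += s.consumed()
        expect[peer] = next_seq[s.src]
    return problems

def lab_flow():
    """The ten segments of the lab capture, constructed from the slide values."""
    C, S = "client", "server"
    return [
        Segment(C, seq=0, syn=True),                # 1 SYN
        Segment(S, seq=0, ack=1, syn=True),         # 2 SYN, ACK
        Segment(C, seq=1, ack=1),                   # 3 ACK: handshake complete
        Segment(C, seq=1, ack=1, length=83),        # 4 HTTP request (t1 = 83)
        Segment(S, seq=1, ack=84),                  # 5 server acks the request
        Segment(S, seq=1, ack=84, length=352),      # 6 HTTP response (t2 = 352)
        Segment(C, seq=84, ack=353),                # 7 client acks the response
        Segment(C, seq=84, ack=353, fin=True),      # 8 FIN, ACK
        Segment(S, seq=353, ack=85, fin=True),      # 9 FIN, ACK
        Segment(C, seq=85, ack=354),                # 10 ACK: connection closed
    ]
```

Running check_flow on the full lab_flow returns an empty list; dropping packet 6 (the response) from the list makes every later ack from the client and the server's FIN seq inconsistent, which is the pattern to look for when a capture has gaps.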
Assignment
1. Create a simple website with your name on it
2. Capture the traffic
3. Capture screens with the following information
• the website with your name
• ports (sender and receiver)
• initial sequence numbers (sender and receiver)
• the timestamps of handshaking
• IP addresses (sender and receiver)
• MAC addresses (sender and receiver)
• the timestamps of HTTP request
4. Repeat tasks 2 and 3 using the following website
• http://shinyfreshmajesticsmile.neverssl.com/online/
