Authors: Robert Beverly, Ph.D. (Naval Postgraduate School), Simson Garfinkel, Ph.D. (Naval Postgraduate School), and Greg Cardwell



Using validated carving techniques, we show that popular operating systems (e.g. Windows, Linux, and OSX) frequently have residual IP packets, Ethernet frames, and associated data structures present in system memory from long-terminated network traffic. Such information is useful for many forensic purposes including the establishment of prior connection activity and services used; identification of other systems present on the system’s LAN or WLAN; geolocation of the host computer system; and cross-drive analysis. We show that network structures can also be recovered from memory that is persisted onto a mass storage medium during the course of system swapping or hibernation. We present our network carving techniques, algorithms, and tools, and validate these against both purpose-built memory images and readily available forensic corpora. These techniques are valuable to both forensics tasks, particularly in analyzing mobile devices, and to cyber-security objectives such as malware analysis.