Using Dshell during an investigation
Dshell is a Python-based network forensic analysis toolkit that is developed by the U.S. Army Research Laboratory and released as open source at the end of 2014. It can help in making the forensic investigations on the network layer a little easier. The toolkit comes with a large number of decoders that can be used out of the box and are very helpful. Some of these decoders are as follows:
- dns: Extracts and summarizes DNS queries/responses
- reservedips: Identifies the DNS resolutions that fall in the reserved IP space
- large-flows: Displays the netflows that have at least transferred 1MB
- rip-http: Extracts the files from the HTTP traffic
- protocols: Identifies non-standard protocols
- synrst: Detects failed attempts to connect (SYN followed by a RST/ACK)
Dshell can be installed in our lab environment by cloning the sources from GitHub at, https://github.com/USArmyResearchLab/Dshell and running install-ubuntu.py. This script will automatically download the missing...
