Title: AIM attachments, NetWitness question
Post by: 305mia on August 21, 2009, 08:58:26 AM

So I have an AIM conversation in which a document was exchanged via AIM's file sharing function. NetWitness recreated the conversation from my pcap file and shows the document name. I am having trouble reconstructing the attachment document. I know it is a Word doc, but how can I actually reconstruct the document? Thanks in advance.

Title: Re: AIM attachments, NetWitness question
Post by: nebu10uz on August 21, 2009, 04:49:38 PM

Hey, btw, are you doing the challenge that was posted in SANS? Network Forensics Puzzle Contest (http://isc.sans.org/diary.html?storyid=6997) Because I am, and basically I have answered almost all of their questions. The only thing I need is to reconstruct the doc file from the dump file. I found this tool (tcpxtract (http://tcpxtract.sourceforge.net/)), which is used for extracting files from network traffic based on file signatures, including Word documents. I haven't tried it yet... I have to wait until I get home or over the weekend, but try it and let me know if it works. Hope this helps.

Title: Re: AIM attachments, NetWitness question
Post by: Ketchup on August 22, 2009, 01:52:32 AM

That's a great tool, blackazarro, thank you. I just tested it on the problem you two are working on and I was able to get the file pretty quickly. It didn't parse out the file as a Word doc because of the Office 2007 XML file format, but it definitely works, and quite well.

Title: Re: AIM attachments, NetWitness question
Post by: nebu10uz on August 22, 2009, 07:12:45 PM

It worked for me as well; I was able to get the files. Now I just need to properly assemble it to calculate the hash and so forth. Have you accomplished this?

Title: Re: AIM attachments, NetWitness question
Post by: chrisj on August 22, 2009, 09:21:15 PM

I saw when this hit ISC.SANS.ORG yesterday. My first thought was, this is great, but I don't even know where to start. I know I can load a pcap file into Wireshark, but can't get it to go via tcpdump sadly :( .

I found in the file the person she was IMing. I think. Now I'm trying to figure out what I need to know so I can figure out how to extract the file. Blackazarro, your tool post up there was a stepping stone I needed. I'm actually trying this tonight, thinking I probably don't know enough to pull it off. I'd like to see a walkthrough, with what tools were chosen and why, at some point to learn from. I know, go read the great books mentioned around here, starting with Hacking for Dummies. (Though seriously, I think my next read will be on how to improve my reading speed :) ).

---- (added later): Ok, so I got to the point where I have the XML files. Figured that one out while eating a bowl of cereal; it took all my will not to toss the bowl into the sink and run to the computer. The part I'm stuck at now is reconstructing the file into the right format (from zip archive / XML) to get the last of the data. What a way to spend a Saturday night.

Title: Re: AIM attachments, NetWitness question
Post by: chrisj on August 22, 2009, 11:34:11 PM

I think I have everything but the magic number of the docx file. Doing the md5sum now. However, I don't know if I did it right.

PM me, and I'll share if you're interested. Everyone will laugh if I did it right. (I don't run Windows at home, only GNU/Linux, and at work I don't have window 2007), so I can't test if what I did to make the docx file was the right way or not.

Title: Re: AIM attachments, NetWitness question
Post by: chrisj on August 23, 2009, 12:50:27 PM

A couple of people (not me) have posted comments in the original thread on SANS. One even went as far as including a "this is what I did" post, with the answers.

I did it a different way, and my md5sum doesn't match his. Everything else does though... So now I'm curious. (By the way, I got the magic number by googling file signatures, probably not the way they expected, but it worked for me.)

Title: Re: AIM attachments, NetWitness question
Post by: nebu10uz on August 23, 2009, 06:42:09 PM

There's nothing wrong with searching for the magic number via Google. This is exactly what I did.

I was able to reconstruct the docx using Wireshark and a hex editor. My md5 hash matches the one posted in the SANS commentaries. The tool tcpxtract helped me a lot because I was able to extract the recipe contents, and it made me realize that the files extracted were zipped XML. This enticed me to research the docx Office 2007 format and such. It was a cool challenge; too bad that someone posted his answers to SANS. Overall a good learning experience. Oh yeah, in tcpxtract there's a config file where you can add new signatures. I don't know if docx is included, got to check that out. If not, I'm going to try to create a signature and add it to the config file to see if it works.

Title: Re: AIM attachments, NetWitness question
Post by: chrisj on August 23, 2009, 10:26:56 PM

blackazarro

Actually, I just took the zip file from tcpxtract and changed it to a docx file. I figured that'd work since tcpxtract didn't have a docx fingerprint, but the fingerprint does match the zip archive fingerprints listed in the magic number file that it uses. It opened fine in OpenOffice. I guess however tcpxtract pulls it out changes the md5sum for the file. I'll have to find out how to do the Wireshark and hex way later. I agree, it was a lot of fun, and I did learn some stuff along the way.
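The carving the thread talks about, as an added example (not code from the thread, from tcpxtract, or from the SANS contest): find the zip magic number `PK\x03\x04` in a reassembled byte stream, cut the archive exactly at its end-of-central-directory record rather than at the end of the data, confirm it is an Office Open XML (docx) container by the parts it carries, and show why a copy that keeps trailing stream bytes hashes differently from the original. The docx-shaped sample and the surrounding stream bytes are constructed inline.

```python
import hashlib
import io
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"  # zip magic number (the signature file carvers key on)
ZIP_EOCD = b"PK\x05\x06"          # end-of-central-directory record: 22 bytes + optional comment

def carve_zips(stream):
    """Yield every zip-shaped blob in stream, cut exactly at its end-of-central-directory record."""
    pos = 0
    while (start := stream.find(ZIP_LOCAL_HEADER, pos)) >= 0:
        eocd = stream.find(ZIP_EOCD, start)
        if eocd < 0:
            return
        comment_len = int.from_bytes(stream[eocd + 20:eocd + 22], "little")
        pos = eocd + 22 + comment_len  # true end of the archive, no trailing stream bytes
        yield stream[start:pos]

def classify(blob):
    """'docx' if the zip carries the Office Open XML document parts, 'zip' otherwise, 'corrupt' if unreadable."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            if zf.testzip() is not None:  # a member failed its CRC: the cut was wrong
                return "corrupt"
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return "corrupt"
    return "docx" if {"[Content_Types].xml", "word/document.xml"} <= names else "zip"

def build_sample_docx():
    """Constructed sample: a minimal docx-shaped zip, not a real Word document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document>recipe</w:document>")
    return buf.getvalue()

def demo():
    """Carve the sample out of constructed surrounding bytes and compare md5 hashes."""
    docx = build_sample_docx()
    md5 = lambda b: hashlib.md5(b).hexdigest()
    # Constructed stream: transfer-protocol bytes before the file, stream remnants after it.
    stream = b"file-transfer header" + docx + b"\x00" * 64 + b"later traffic"
    carved = list(carve_zips(stream))
    padded = stream[stream.find(ZIP_LOCAL_HEADER):]  # naive cut: signature to end of data
    return {"count": len(carved), "kind": classify(carved[0]),
            "trimmed_hash_matches": md5(carved[0]) == md5(docx),
            "padded_hash_matches": md5(padded) == md5(docx)}
```

The first `PK\x05\x06` after the header can, rarely, occur inside compressed member data; `classify()` reports such a short cut as corrupt, which is the cue to search for the next record instead.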