So I have an AIM conversation in which a document was exchanged via AIM's file sharing function.

NetWitness recreated the conversation from my pcap file and shows the document name.

I am having trouble reconstructing the attachment document. I know it is a word doc but how can I actually reconstruct the document?

Thanks in advance

That's a great tool, blackazarro, thank you.   I just tested it on the problem you two are working on and I was able to get the file pretty quickly.  It didn't parse out the file a word doc because of the Office 2007 XML file format, but it definitely works and quite well. 

I saw when this hit ISC.SANS.ORG yesterday. My first thought was, this is great, but I don't even know where to start. I know I can load a pcap file into wireshark, but can't get it to go via tcpdump sadly   .

I found in the file the person she was im'ing. I think. now I'm trying to figure out what I need to know so I can figure out howto extract the file.

Blackazarro, you're tool post up there was a stepping stone I needed. I'm actually trying this tonight, thinking I probably don't know enough to pull it off.

I'd like to see a walk through, with what tools were chosen and why at some point to learn from. I know go read the great books mentioned around here, starting with hacking for dummies. (though seriously I think my next read will be on how to improve my reading speed   ).

----
(added later):
Ok, so I got to the point where I have the xml files. Figured that one out while eating a bowl of cereal took all my will not to toss the bowl into the sink and run to the computer. Part I'm stuck at now, are reconstructing the file into the right format (from zip archive / xml) to get the last of the data.

What a way to spend a Saturday Night.

A couple of people (not me) have posted comments in the original thread on SANS. One even went as far as including a this is what I did post, with the answers.

I did it a different way, and my md5sum doesn't match his. Everything else does though... So now I'm curious.

(by the way, I got the magic number googling file signatures, probably not the way they expected but it worked for me).

blackazarro

actually, I just took the zip file from the tcpxtract and changed it to a docx file. I figured that'd work since tcpxtract didn't have a docx finger print, but the finger print does match the zip archive listed finger prints in the magic number file, that file uses.

It opened fine in Open Office.

I guess however tcpxtract pulls it out, changes the md5sum for the file. I'll have to find out how to do the wireshark and hex way later.

I agree, it was a lot of fun, and I did learn some stuff along the way.