Recreating files from packet capture

[Vedder]

Hi

Can anyone help me recreate files from a packet capture.

I have found a good page on hex headers (http://www.garykessler.net/library/file_sigs.html), and I know that there are at least two bmp images and one zip file.

I have tried copying them all to notepad, then loading them up in a hex editor, and saving them as the required file type, but if I try opening them up in paint, or winzip, I just get a "file is corrupt" message.

Is there a step I am missing?

[don]

Try NetWitness Investigator.

Don

[Ketchup]

NetWitness is great, like Don indicated.   I've used it and it really makes viewing HTML, Email, and other types of documents amazingly easy as they travel across the wire.

Wireshark can also do this, depending on the protocol.  Files transmitted through HTTP can be exported using the File, Export, Objects menu.    For other protocols, you would have to isolate the packets that belong to your file, and then export the packets.   Wireshark will put the fragments of the transmission back together for you.  You can use the Follow TCP Stream feature for this.

[Vedder]

Thanks Don and Ketchup

It's SSL traffic, I've decrypted it in Wireshark using the key, and can see them in hex code in the outputted file. Wireshark just shows the encrypted data still.

I'll carry on with NetWitness, as it does look like a very nice tool.

*EDIT*

NetWitness has come up trumps, and given me the files.

Thanks again Don and Ketchup

[UNIX]

Thanks for the hint about NetWitness, haven't heard about it before. Definitely sounds interesting and useful.

[dalepearson]

Late to the party on this one.
As previously said, Netwitness is a cracking product, I used it when they charged for it in the Corporate environment.

Now they have the free one, I have it on my personal machine, and its good stuff.

Deffo worth a download.

[305mia]

So I have an AIM conversation in which a document was exchanged via AIM's file sharing function.

NetWitness recreated the conversation from my pcap file and shows the document name.

I am having trouble reconstructing the attachment document. I know it is a word doc but how can I actually reconstruct the document?

Thanks in advance

[nebu10uz]

Available tools on the Internet for the purpose of extracting files from packet dumps:

NetworkMiner

Xplico

TcpXtract

And to do it manually using WireShark and a Hex editor check out the following blog:

Pulling binaries from pcaps

Enjoy!

[g00d_4sh]

Nice.  I've not worked with the Netwitness Investigator program before.  My first interaction with Netwitness was out at an afterparty with some of the folks in Vegas this year.  And watching my girlfriend verbally emasculate one of their VPs as he drunkenly tried to impress/pick her up.  It was one of those times where I was reminded on why I want to marry her hehehe.

[UNIX]

[...]

And to do it manually using WireShark and a Hex editor check out the following blog:

Pulling binaries from pcaps

Enjoy!

Thanks for this one, especially for the blog itself. Read once an article there but couldn't find the address anymore.

[chrisj]

I used the site too (about pulling hex from pcap). It allowed me to finish the ISC.SANS.Org puzzle. Which I actually had a lot of fun doing. While TCPXtract was close at pulling the file out, and it worked on my nix box with Open Office, it didnt' work on my office window's box with office 2k3 (with 2k7 plugin).

[nebu10uz]

Hey chrisj, check this perl script out for extracting Office 2007 Metadata:

read_open_xml.pl

The script works, I tried against the docx file from the evidence pcap and it gave me some info such as the name of the file creator, creation and modify timestamp. Thats some cool info that you can include in your network forensic report.

You don't need the script to get this info but its quicker.