AIM attachments, NetWitness question

305mia

Newbie

Posts: 2

Joined: Fri Aug 21, 2009 8:53 am

Post Fri Aug 21, 2009 8:58 am

AIM attachments, NetWitness question

So I have an AIM conversation in which a document was exchanged via AIM's file sharing function.

NetWitness recreated the conversation from my pcap file and shows the document name.

I am having trouble reconstructing the attachment document. I know it is a word doc but how can I actually reconstruct the document?

Thanks in advance

blackazarro

Sr. Member

Posts: 368

Joined: Sun Aug 13, 2006 5:31 pm

Post Fri Aug 21, 2009 4:49 pm

Re: AIM attachments, NetWitness question

Hey, btw, are you doing the challenge that was posted in SANS?

Network Forensics Puzzle Contest

Because I am and basically I have answered almost all of their questions. The only thing I need is to reconstruct the doc file from the dump file.

I found this tool (tcpxtract) which is used for extracting files from network traffic based on file signatures including Word Documents. I haven't tried yet... I have to wait when I get home or over the weekend but try it and let me know if it works.

Hope this helps.
Security+, OSCP, CEH

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Sat Aug 22, 2009 1:52 am

Re: AIM attachments, NetWitness question

That's a great tool, blackazarro, thank you. I just tested it on the problem you two are working on and I was able to get the file pretty quickly. It didn't parse out the file as a word doc because of the Office 2007 XML file format, but it definitely works and quite well.
~~~~~~~~~~~~~~
Ketchup

blackazarro

Sr. Member

Posts: 368

Joined: Sun Aug 13, 2006 5:31 pm

Post Sat Aug 22, 2009 7:12 pm

Re: AIM attachments, NetWitness question

It worked for me as well. I was able to get the files; now I just need to properly assemble it to calculate the hash and so forth. Have you accomplished this?
Security+, OSCP, CEH

rattis

Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Sat Aug 22, 2009 9:21 pm

Re: AIM attachments, NetWitness question

I saw when this hit ISC.SANS.ORG yesterday. My first thought was, this is great, but I don't even know where to start. I know I can load a pcap file into Wireshark, but can't get it to go via tcpdump sadly :( .

I found in the file the person she was IM'ing. I think. Now I'm trying to figure out what I need to know so I can figure out how to extract the file.

Blackazarro, your tool post up there was a stepping stone I needed. I'm actually trying this tonight, thinking I probably don't know enough to pull it off.

I'd like to see a walk-through, with what tools were chosen and why, at some point to learn from. I know, go read the great books mentioned around here, starting with Hacking for Dummies. (Though seriously, I think my next read will be on how to improve my reading speed :) .)

----
(added later):
Ok, so I got to the point where I have the XML files. Figured that one out while eating a bowl of cereal; it took all my will not to toss the bowl into the sink and run to the computer. The part I'm stuck at now is reconstructing the file into the right format (from zip archive / XML) to get the last of the data.

What a way to spend a Saturday Night.
Last edited by rattis on Sat Aug 22, 2009 11:24 pm, edited 1 time in total.
OSWP, Sec+

rattis

Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Sat Aug 22, 2009 11:34 pm

Re: AIM attachments, NetWitness question

I think I have everything but the magic number of the docx file. Doing the md5sum now. However I don't know if I did it right.

PM me, and I'll share if you're interested. Everyone will laugh if I did it right. (I don't run Windows at home, only GNU/Linux, and at work I don't have window 2007), so I can't test if what I did to make the docx file was the right way or not.
OSWP, Sec+

rattis

Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Sun Aug 23, 2009 12:50 pm

Re: AIM attachments, NetWitness question

A couple of people (not me) have posted comments in the original thread on SANS. One even went as far as including a "this is what I did" post, with the answers.

I did it a different way, and my md5sum doesn't match his. Everything else does though... So now I'm curious.

(By the way, I got the magic number by googling file signatures, probably not the way they expected, but it worked for me.)
OSWP, Sec+

blackazarro

Sr. Member

Posts: 368

Joined: Sun Aug 13, 2006 5:31 pm

Post Sun Aug 23, 2009 6:42 pm

Re: AIM attachments, NetWitness question

There's nothing wrong with searching for the magic number via Google. This is exactly what I did.

I was able to reconstruct the docx using Wireshark and a hex editor. My md5 hash matches the one posted in the SANS commentaries. The tool tcpxtract helped me a lot because I was able to extract the recipe contents, and it made me realize that the files extracted were zipped XML. This enticed me to research the docx Office 2007 format and such.

It was a cool challenge; too bad that someone posted his answers to SANS. Overall a good learning experience.

Oh yeah, in tcpxtract there's a config file where you can add new signatures. I don't know if docx is included; I've got to check that out. If not, I'm going to try to create a signature and add it to the config file to see if it works.
Last edited by blackazarro on Mon Aug 24, 2009 10:20 am, edited 1 time in total.
Security+, OSCP, CEH

rattis

Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Sun Aug 23, 2009 10:26 pm

Re: AIM attachments, NetWitness question

blackazarro

Actually, I just took the zip file from tcpxtract and changed it to a docx file. I figured that'd work since tcpxtract didn't have a docx fingerprint, but the fingerprint does match the zip archive fingerprints listed in the magic number file that it uses.

It opened fine in Open Office.

I guess however tcpxtract pulls it out changes the md5sum for the file. I'll have to find out how to do the Wireshark and hex way later.

I agree, it was a lot of fun, and I did learn some stuff along the way.
OSWP, Sec+
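The md5 mismatch above is what you get when a signature carver cuts the archive on a size limit rather than on the zip structure. As an added example that is not from this thread or from tcpxtract, the block below builds a constructed docx-like zip, wraps it in a constructed stream with bytes before and after it (standing in for the reassembled transfer), and carves it at its exact boundaries by walking from the `PK\x03\x04` local header to the End of Central Directory record, so the carved bytes hash the same as the original.

```python
import hashlib
import io
import zipfile
from typing import Optional

ZIP_LOCAL_HEADER = b"PK\x03\x04"   # first local file header of an archive
ZIP_CENTRAL_DIR = b"PK\x01\x02"    # central directory file header
ZIP_EOCD = b"PK\x05\x06"           # End of Central Directory record
EOCD_FIXED_LEN = 22                # fixed part of EOCD; an optional comment follows


def build_sample_docx() -> bytes:
    """Constructed sample: a minimal docx-shaped zip, not a real Word document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document>recipe text</w:document>")
    return buf.getvalue()


def carve_zip(stream: bytes, start_at: int = 0) -> Optional[bytes]:
    """Return the first zip archive in `stream` at its exact byte boundaries."""
    start = stream.find(ZIP_LOCAL_HEADER, start_at)
    if start < 0:
        return None
    pos = start
    while (eocd := stream.find(ZIP_EOCD, pos)) >= 0:
        cd_offset = int.from_bytes(stream[eocd + 16:eocd + 20], "little")
        comment_len = int.from_bytes(stream[eocd + 20:eocd + 22], "little")
        # A genuine EOCD points back at a central directory header relative to
        # the archive start; a stray PK\x05\x06 inside compressed data will not.
        if stream[start + cd_offset:start + cd_offset + 4] == ZIP_CENTRAL_DIR:
            return stream[start:eocd + EOCD_FIXED_LEN + comment_len]
        pos = eocd + 1
    return None


def is_docx(data: bytes) -> bool:
    """A docx is a zip with a [Content_Types].xml part and a word/ folder."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
    return "[Content_Types].xml" in names and any(n.startswith("word/") for n in names)


def md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


if __name__ == "__main__":
    doc = build_sample_docx()
    stream = b"constructed preamble bytes" + doc + b"constructed trailing bytes"
    carved = carve_zip(stream)
    print("exact carve:", carved == doc, "docx:", is_docx(carved), "md5:", md5(carved))
```

Renaming the carved `.zip` to `.docx`, as done above, is fine once the bytes are exact; it is the trailing bytes a size-bounded carve leaves attached that change the hash.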
