Skip to main content

Tool Talk - Tools for carving data from PCAP files

So one of the cool things I learned in my SANS-508 class a couple years back was how to identify and carve files out of a network capture file. I had knew it was possible, and I have seen other folks do it before, but up until then I hadn't pulled out entire files from network captures. I think a good network security/forensic security professional should have that skill (to be able to look at a PCAP and locate the files and be able to extract them manually) but many times it is somewhat tedious to do this, and it may be prone to error.

Recently SANS published a list of tools for doing this (including Foremost which was also used in the SANS 508 training).

http://isc.sans.org/diary.html?storyid=6961

Here is the article:
Published: 2009-08-13,
Last Updated: 2009-08-16 00:42:14 UTC
by Jim Clausing (Version: 2)

Often in the course of investigating a compromised machine or when analyzing malware in a sandnet or honeynet, I will have a complete capture of all the network activity in a pcap file and I want to pull out any files that were downloaded by the infected machine. Unfortunately, I have not found any really good tools that allow me to full files from lots of different types of traffic. A couple of years ago, I put together a perl script that used tcptrace and the HTTP::Response perl module to pull downloaded files out of HTTP traffic, but what about other forms of traffic? FTP? SMTP? unknown TCP or UDP? whatever? My ideal tool would be able to reassemble the packets, discard headers, etc. Well, the other day I noticed a post on Darknet about Xplico that might be (at least the basis of) the magic tool I'm looking for. I'm just starting to play with it, but I figured this might be a good time to ask our readers what they use? You can send us e-mail, use the contact form, or leave a comment. Thanx in advance.

Update: 2009-08-16 00:15 GMT (jac) A huge thanx to all who wrote in, here are some of the tools you suggested.

* NetworkMiner ( thanx, Russ and Dentrasi. Just found this note on running it under wine on Linux)
* tcpxtract (suggested by John R, Chris and Doug)
* Bro (suggested by Nicholas)
* tcpflow (suggested by Ratufa and Chris)
* foremost (suggested by Chris and Doug)
* the dsniff suite (suggested by Chris and Jason)
* Chaosreader (suggested by Chris and Parveen)
* pyflag (suggested by Chris)
* tcptrace (suggested by John T)
* tcpick (suggested by Doug)
* xtract.py from npeid (suggested by anonymous)

---------------
Jim Clausing, jclausing --at-- isc dot sans dot org
Keywords: file extraction pcap tool
Labels:

Comments

Post a Comment

Popular posts from this blog

Requirements for Information Security

If you want to get into Information Security you HAVE to be a/have this skill... Why this is total BS. Almost daily I see someone posting on twitter, trying to be helpful to folks who are looking to get into InfoSec. Often I see "If you want to be in Information Security (Cyber Security) then you HAVE to be a programmer" or "If you want to be successful you have to be a hacker/have a criminal record/have abused systems without permission" etc. While having technical capabilities (such as programming) and having the ability to compromise a system shows a specific skillset neither are required. When talking to people who are interested in Information Security I often refer to it as a cake, there are tons of slices, many flavors, many pieces and parts you can sample, choose to focus on, will be expected to know something about, etc. Incident Response and Forensics (my current focus) is not the only part of Information Security, and certainly not the only part tha
Post a Comment
Read more

Busting the myth of the malicious insider

The Myth of the Insider Threat Too often after the announcement of a new breach, the first reaction from the victim company and the media is "another malicious insider attack".  Case in point, I was catching up on news from various sources and came across the following: http://www.idgconnect.com/abstract/19647/lessons-sage-leak " “We believe there has been some unauthorised access using an internal login to the data of a small number of our UK customers so we are working closely with the authorities to investigate the situation,” the Newcastle, England-headquartered firm said in a statement." Of course an internal login was used to access the data, as part of the attack lifecycle, during your reconnaissance phase you identify accounts to target for possible compromise, based on the access/role of the individual.   Phishing attacks or other simply attacks are often successful in gathering login credentials for individual users, which can then of
Post a Comment
Read more
Weekly recap and why you should be concerned about "attackers" even if you have "nothing to hide" Why you should be aware of, defend against, and prevent attackers... even at home: I often hear from future victims "well I don't have anything to hide/anything of value/why would they target me!?" It's really not about you, usually the attackers aren't looking for your data (if they get it, or have easy access to it, they may try to profit from it, but the people doing the compromising aren't usually the same folks that monetize). What the attackers want are compromised systems they can use to do what they want at scale. So if they can compromise 50 systems, they can send 50X the amount of SPAM... 100 systems, 100X, etc. Some operations get paid based on the number of emails they can send per day. Of course the email will likely not just be SPAM, but may also be malicious (ransomware, etc.). http://thehackernews.com/2017/09/linux-ma
Post a Comment
Read more