File carving part II

I posted about file carving previously. I recently discovered a manual way of carving files out of network packets whilst writing a new article. Locate the file you want to extract from your captured packets in Wireshark. The suspicious file I want to extract is shown as "malicious.doc" in the packet stream but you can tell that it is actually an executable file from the ASCII values of "MZ" at the beginning of the file and its hexadecimal equivalent of "0x4d0x5a". Right click on the line containing the filename you want to export and select on "Export Selected Packet Bytes". The bytes associated with the file will be opened in a new window. Save the bytes and you can examine them in a hex editor.