I posted about file carving previously. I recently discovered a manual way of carving files out of network packets whilst writing a new article. Locate the file you want to extract from your captured packets in Wireshark. The suspicious file I want to extract is shown as "malicious.doc" in the packet stream, but you can tell that it is actually an executable file from the ASCII characters "MZ" at the beginning of the file, whose hexadecimal equivalent is 0x4d 0x5a. Right click on the line containing the filename you want to export and select "Export Selected Packet Bytes". The bytes associated with the file will be opened in a new window. Save the bytes and you can examine them in a hex editor.
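The "MZ" check above can be automated once the bytes have been saved from Wireshark. The following Python script is an added example, not code from the original post: it identifies the real type of the exported bytes from their leading magic (following the DOS header's e_lfanew pointer to confirm a PE signature), compares that with the extension in the transferred filename, and renders a hex-editor style dump so the 4d 5a at offset 0 is visible. The extension table, the magic-byte table and the sample MZ/PE stub are all constructed for the example and are assumptions, not output from a real capture.

```python
import struct

# Constructed magic-byte table: only the container types this example needs.
MAGIC = {
    "ole-document": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # legacy .doc/.xls/.ppt (OLE2)
    "zip-container": b"PK\x03\x04",                       # .docx/.xlsx/.jar and plain .zip
}

# Constructed policy: which detected types are legitimate for a claimed extension.
EXPECTED = {
    "doc": {"ole-document"},
    "docx": {"zip-container"},
    "exe": {"pe-executable", "dos-executable"},
    "dll": {"pe-executable"},
}


def detect_type(data: bytes) -> str:
    """Identify the file type from its leading bytes.

    For an MZ file, read e_lfanew at offset 0x3c and check whether it points at
    the "PE\\0\\0" signature; if so the blob is a Windows PE executable.
    """
    if data[:2] == b"MZ":  # 0x4d 0x5a, the DOS header signature
        if len(data) >= 0x40:
            e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
            if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
                return "pe-executable"
        return "dos-executable"
    for name, magic in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def check_claimed_name(filename: str, data: bytes) -> dict:
    """Compare the extension in the transferred filename with the detected type."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    detected = detect_type(data)
    allowed = EXPECTED.get(ext)
    # Only flag a mismatch when we have an expectation for that extension.
    mismatch = allowed is not None and detected not in allowed
    return {"filename": filename, "claimed": ext, "detected": detected, "mismatch": mismatch}


def hexdump(data: bytes, width: int = 16) -> list:
    """Render bytes the way a hex editor shows them: offset, hex columns, ASCII."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart}  |{asc}|")
    return lines


def build_sample_pe_stub() -> bytes:
    """Constructed stand-in for the exported packet bytes: a minimal 64-byte DOS
    header whose e_lfanew points at a PE signature. It is not a real program."""
    hdr = bytearray(0x40)                    # zero-filled DOS header
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew = 0x40
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


if __name__ == "__main__":
    exported = build_sample_pe_stub()        # in practice: open(path, "rb").read()
    print("\n".join(hexdump(exported[:32])))
    print(check_claimed_name("malicious.doc", exported))
```

Run it against the file saved from "Export Selected Packet Bytes" by replacing the constructed stub with the file contents; a `mismatch` of `True` for a name ending in .doc is the same signal the post reads off the hex editor by eye.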