Saturday, 3 November 2012

Network Forensic Puzzle #1

Posted by at 07:39 Read our previous post
Yesterday I was learn about Network Forensic, and my case is captured paket using Wireshark. You can download the capture file here.

After download the capture. We can open it wid DD and then capture it.
For short tutor we can use the dumb way. In this case I will pulling data named "recovery.docx" So, we need to know what is the header / magic number of docx files.
If you don't know about magic number, you can browse it on Google with keyword magic number programming. The magic number of docx file is 504B. Ok, you got the key now.

Now I will use tcpflow to split the each packet on the capture file.

# tcpflow -r evidence.pcap

and some split is For short tuts, I have select the splited file that contain receipe.docx

The captured file is contains hexa. With DD you can see the hexa of captured file. I used the dumb trick method to pull up the captured file. First I will convert the file into raw.

# xdd -ps > raw.txt

Open the raw.txt with text editor like gEdit or Kate. Then search word 504B, at the first time of returned result. Please remove the line/text before 504B, and then save it.

Back to DD, and convert the raw.txt into binary.

#xdd -r -ps raw.txt > receipe.docx

Finally, open the receipe.docx with Word Processor like MS Office or Libre Office.

No comments:

Post a Comment

©2012 SECURITY is powered by Blogger - Template designed by Stramaxon - Best SEO Template