Carving out files from pcap - cyber

Sec 503.5 Case 2
Find a string in a packet
Find the string smsses.exe
Frame 208 is the 1st Fragment
Frame 209 gives us the last
fragment frame
Frame 231 is the Last Fragment
and Contains the File Size
Analyze>Follow TCP Stream
shows the PE Header (MZ)
Further into the stream is the end
of the executable
Save the raw file
The extract_file.raw is considerably
larger than SMSSES.EXE
(file size 24576)
Open extract_file.raw in Hex Editor
Locate the Header MZ or
Hex 4D5A90
Remove Packet Data before MZ
File after removing bytes
preceding MZ Header
24576 is 6000 in Hex
Remove everything after the offset
Find ics.exe
Packet 8092 start of transfer
Packet 8093 shows last fragment is
8134 (which will have the file size)
File size is 45056
Total size of raw file
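The hex-editor steps above (strip everything before the MZ header, then truncate at the file size read from the last fragment) are the same for both smsses.exe and ics.exe. Below is an added example, not part of the course slides, that performs the same carve programmatically on a saved "Follow TCP Stream" raw dump and sanity-checks the result with the PE signature before it is written out. The HTTP-style leading bytes, the trailing bytes and the minimal fake PE body are constructed here so the script runs offline; only the sizes (24576 = 0x6000 and 45056 = 0xB000) and the 4D 5A 90 header bytes come from the slides.

```python
"""Carve a PE file out of a saved TCP stream dump.

Added example (not from the course slides). The slides do this by hand in a
hex editor; this script performs the same two steps:
  1. locate the MZ header (bytes 4D 5A 90, as on the slide) in the raw dump
  2. keep exactly `file_size` bytes from that offset (the size taken from the
     last fragment: 24576 = 0x6000 for smsses.exe, 45056 = 0xB000 for ics.exe)
and then checks that the carved bytes really carry a PE signature.
"""
import hashlib
import struct

MZ_MAGIC = b"\x4d\x5a\x90"  # "MZ\x90": the DOS header bytes the slide searches for


def find_mz_offset(raw: bytes) -> int:
    """Return the offset of the first MZ header in the stream, or -1 if absent."""
    return raw.find(MZ_MAGIC)


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check: e_lfanew (DWORD at 0x3C) must point at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def carve_pe(raw: bytes, file_size: int) -> bytes:
    """Strip bytes before MZ, then truncate to the known size from the last fragment."""
    start = find_mz_offset(raw)
    if start < 0:
        raise ValueError("no MZ header in stream")
    carved = raw[start:start + file_size]
    if len(carved) != file_size:
        raise ValueError(f"stream ends early: got {len(carved)} of {file_size} bytes")
    if not looks_like_pe(carved):
        raise ValueError("carved bytes do not carry a valid PE signature")
    return carved


def build_sample_stream(file_size: int) -> bytes:
    """Constructed test input: HTTP-style response header, fake PE, trailing bytes.

    This stands in for the extract_file.raw saved from Follow TCP Stream; the
    real dump is larger than the executable for exactly these reasons.
    """
    pe = bytearray(file_size)
    pe[0:3] = MZ_MAGIC
    struct.pack_into("<I", pe, 0x3C, 0x80)   # e_lfanew -> PE header at offset 0x80
    pe[0x80:0x84] = b"PE\x00\x00"
    header = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
    trailer = b"\x00" * 512 + b"GET /next HTTP/1.1\r\n"  # bytes after the executable
    return header + bytes(pe) + trailer


def main() -> None:
    raw = build_sample_stream(24576)          # smsses.exe size from the slide
    carved = carve_pe(raw, 24576)
    print(f"raw {len(raw)} bytes -> carved {len(carved)} bytes, "
          f"sha256 {hashlib.sha256(carved).hexdigest()}")
    with open("carved.exe", "wb") as fh:      # hash this and compare with the sample
        fh.write(carved)


if __name__ == "__main__":
    main()
```

On a real dump you would read extract_file.raw into `raw` and pass the size shown in the last fragment; the `looks_like_pe` check catches the common failure where a wrong size or a second MZ string in the stream produces a file that is not actually an executable.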