Add to collection(s) Add to saved
  1. Science
  2. Earth Science

Carving out files from pcap - cyber

advertisement 
Sec 503.5 Case 2
Solution
Find a string in a packet
Find the string smsses.exe
Frame 208 is the 1st Fragment
Frame 209 gives us the last
fragment frame
Frame 231 is the Last Fragment
and Contains the File Size
Analyze>Follow TCP Stream
shows the PE Header (MZ)
Further into the stream is the end
of the executable
Save the raw file
The extract_file.raw is considerably
larger than SMSSES.EXE
(file size 24576)
Open extract_file.raw in Hex Editor
Locate the Header MZ or
Hex 4D5A90
Remove Packet Data before MZ
Header
File after removing bytes
preceeding MZ Header
24576 is 6000 in Hex
Remove everything after the offset
Find ics.exe
Packet 8092 start of tranfer
Packet 8093 shows last fragment is
8134 (which will have the file size)
File size is 45056
Total size of raw file
Related documents
Reaction Papers
Reaction Papers
Thomas Edwards, Fox - Hollywood Post Alliance
Thomas Edwards, Fox - Hollywood Post Alliance
IP Packets Deconstructed
IP Packets Deconstructed
Unit 1 L1 What is a Sentence
Unit 1 L1 What is a Sentence
Lecture 14
Lecture 14
Faculty of Engineering Sheet 7 - Pharos University in Alexandria
Faculty of Engineering Sheet 7 - Pharos University in Alexandria
Honors Physics Work Sheet #2 Conservation of Linear Momentum l
Honors Physics Work Sheet #2 Conservation of Linear Momentum l
Formatting APA Research Paper
Formatting APA Research Paper
CS257_13.7_207_Madhuri
CS257_13.7_207_Madhuri
IP
IP
Homework 3 Solution
Homework 3 Solution
Quality of Service [Autosaved]
Quality of Service [Autosaved]
Download
advertisement