So on a job I had captured some data transfer off the wire but wanted to put some proof of that in the report, and for some brownie points.
I wasn't entirely sure what tool to use, but a quick Google pointed me in the direction of foremost.
The pcap was captured in Wireshark, so I opened it up again and found the correct TCP stream that contained what looked like a PDF. I clicked "Follow TCP Stream" and then "Save As" (ensure RAW is selected, otherwise the saved bytes are not the file bytes).
I saved the file as stream.raw and then used the foremost utility:
```
root@GnackTrackR7:/# foremost -v -i stream.raw
Foremost version 1.5.7 by Jesse Kornblum, Kris Kendall, and Nick Mikus
Audit File

Foremost started at Sun May  8 14:20:33 2011
Invocation: foremost -v -i stream.raw
Output directory: /output
Configuration file: /usr/local/etc/foremost.conf
Processing: stream.raw
|------------------------------------------------------------------
File: stream.raw
Start: Sun May  8 14:20:33 2011
Length: 395 KB (405422 bytes)

Num  Name (bs=512)   Size    File Offset   Comment
0:   00000000.htm    1 KB    308
1:   00000004.htm    1 KB    2405
2:   00000008.htm    1 KB    4202
3:   00000790.htm    506 B   404914
4:   00000012.pdf    389 KB  6286
*|
Finish: Sun May  8 14:20:34 2011

5 FILES EXTRACTED

htm:= 4
pdf:= 1
------------------------------------------------------------------

Foremost finished at Sun May  8 14:20:34 2011
root@GnackTrackR7:/# cd output/
root@GnackTrackR7:/output/# ls
audit.txt  htm  pdf
root@GnackTrackR7:/output# cd pdf/
root@GnackTrackR7:/output/pdf# ls
00000012.pdf
```
And bam, there you have it: the PDF file opened fine and a quick screen grab was placed in the report 😉
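What foremost is doing to stream.raw is signature carving: it scans the bytes for known file headers (for a PDF, `%PDF-`), then cuts out everything up to the matching footer (`%%EOF`) or a size limit. The HTTP headers and the HTML pages in the same stream are simply skipped over, which is why the PDF lands at offset 6286 and the four .htm files around it. The following Python carver is an added example written for this post, not code from the post or from foremost; the signature table, the HTTP stream and the file bodies are all constructed here so that it runs offline.

```python
"""Signature-based file carving over a raw TCP stream dump (constructed example)."""
from typing import Dict, List, NamedTuple, Tuple


class Carved(NamedTuple):
    ext: str      # file type the signature belongs to
    offset: int   # byte offset of the header in the stream
    data: bytes   # carved bytes, header through footer


# Constructed signature table: header, footer, max size, and whether to cut at the
# LAST footer inside the window. PDFs need the last one because an incrementally
# updated PDF contains several %%EOF markers; foremost keeps its own table in foremost.conf.
SIGNATURES: Dict[str, Tuple[bytes, bytes, int, bool]] = {
    "pdf": (b"%PDF-", b"%%EOF", 5_000_000, True),
    "htm": (b"<html", b"</html>", 50_000, False),
}


def carve(data: bytes, signatures=SIGNATURES) -> List[Carved]:
    """Return every header/footer-delimited object found in data, ordered by offset."""
    found: List[Carved] = []
    for ext, (header, footer, max_size, use_last) in signatures.items():
        pos = 0
        while True:
            h = data.find(header, pos)
            if h == -1:
                break
            window = data[h:h + max_size]
            f = window.rfind(footer) if use_last else window.find(footer)
            # No footer within the size limit: take the whole window, as foremost does.
            end = len(window) if f == -1 else f + len(footer)
            found.append(Carved(ext, h, window[:end]))
            pos = h + end
    return sorted(found, key=lambda c: c.offset)


def looks_like_pdf(blob: bytes) -> bool:
    """Sanity check before handing a carved file to a viewer: header and trailer present."""
    return blob.startswith(b"%PDF-") and blob.rstrip().endswith(b"%%EOF")


# Constructed stream: one HTML response followed by one PDF response, as a browser
# download would look after "Follow TCP Stream" is saved in RAW mode.
HTML_PAGE = b"<html><body><a href='/report.pdf'>report</a></body></html>"
PDF_BODY = (
    b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\ntrailer<</Root 1 0 R>>\n%%EOF\n"
    b"2 0 obj<</Type/Annot>>endobj\n%%EOF"   # incremental update: second %%EOF
)
SAMPLE_STREAM = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: %d\r\n\r\n" % len(HTML_PAGE)
    + HTML_PAGE
    + b"HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\nContent-Length: %d\r\n\r\n" % len(PDF_BODY)
    + PDF_BODY
)


def demo() -> List[Carved]:
    results = carve(SAMPLE_STREAM)
    for c in results:
        print(f"{c.ext}: offset {c.offset}, {len(c.data)} bytes")
    return results


if __name__ == "__main__":
    demo()
```

Two caveats worth knowing before relying on this kind of carve in a report. First, cutting at the last `%%EOF` inside a 5 MB window means that when two PDFs sit close together in one stream, the first carve can swallow the second; foremost's per-type size limits have the same effect, so check the offsets in audit.txt against what Wireshark shows. Second, carving only works on the bytes as they were on the wire: if the server sent the PDF with `Content-Encoding: gzip` or chunked transfer encoding, the raw stream contains no `%PDF-` header at all, and Wireshark's File > Export Objects > HTTP, which reassembles and decodes the response, is the tool to reach for instead.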