1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
<\/div><\/td>
root @<\/span>GnackTrackR7:\/<\/span># foremost -v -i stream.raw<\/span>
\nForemost version 1.5.7 by Jesse Kornblum, Kris Kendall, and Nick Mikus
\nAudit File
\nForemost started at Sun May 8<\/span> 14<\/span>:20<\/span>:33<\/span> 2011<\/span>
\nInvocation: foremost -v<\/span> -i<\/span> stream.raw
\nOutput directory: \/<\/span>output
\nConfiguration file: \/<\/span>usr\/<\/span>local\/<\/span>etc\/<\/span>foremost.conf
\nProcessing: stream.raw
\n|<\/span>------------------------------------------------------------------
\nFile: stream.raw
\nStart: Sun May 8<\/span> 14<\/span>:20<\/span>:33<\/span> 2011<\/span>
\nLength: 395<\/span> KB (<\/span>405422<\/span> bytes)<\/span>
\n
\nNum Name (<\/span>bs<\/span>=512<\/span>)<\/span> Size File Offset Comment
\n
\n0<\/span>: 00000000.htm 1<\/span> KB 308<\/span>
\n1<\/span>: 00000004.htm 1<\/span> KB 2405<\/span>
\n2<\/span>: 00000008.htm 1<\/span> KB 4202<\/span>
\n3<\/span>: 00000790.htm 506<\/span> B 404914<\/span>
\n4<\/span>: 00000012.pdf 389<\/span> KB 6286<\/span>
\n*|<\/span>
\nFinish: Sun May 8<\/span> 14<\/span>:20<\/span>:34<\/span> 2011<\/span>
\n
\n5<\/span> FILES EXTRACTED
\n
\nhtm:= 4<\/span>
\npdf:= 1<\/span>
\n------------------------------------------------------------------<\/span>
\n
\nForemost finished at Sun May 8<\/span> 14<\/span>:20<\/span>:34<\/span> 2011<\/span>
\nroot@<\/span>GnackTrackR7:\/<\/span># cd output\/<\/span>
\nroot@<\/span>GnackTrackR7:\/<\/span>output\/<\/span># ls<\/span>
\naudit.txt htm pdf
\nroot@<\/span>GnackTrackR7:\/<\/span>output# cd pdf\/<\/span>
\nroot@<\/span>GnackTrackR7:\/<\/span>output\/<\/span>pdf# ls<\/span>
\n00000012.pdf<\/div><\/td><\/tr><\/tbody><\/table><\/div>\nAm bam there you have it, the pdf file opened fine and a quick screen grab was placed in the report \ud83d\ude09<\/p>\n","protected":false},"excerpt":{"rendered":" So on a job i had captured some data transfer off the wire but wanted to put some proof of that in the report and for some brownie points. I wasn’t entirely sure what tool to use but a quick google pointed me in the direction of foremost. The pcap was captured in wireshark so […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[88,86,87,89,85],"_links":{"self":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/66"}],"collection":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/comments?post=66"}],"version-history":[{"count":3,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/66\/revisions"}],"predecessor-version":[{"id":197,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/66\/revisions\/197"}],"wp:attachment":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/media?parent=66"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/categories?post=66"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/tags?post=66"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}} |