Rosado,

> Has anyone attempted to re-construct image files from raw network packets
> provided by NAI's Sniffer Basic/Pro (or other types of network packet

We use snort (main capture facility) and tcpdump (backup) in our honeypot to recover attacker's files from captured traffic. The procedure is as follows:

0. set the program above to record all traffic (e.g. 'tcpdump -s 1600 -w all.log'). I am pretty sure NAI sniffer can do it as well.
1. get a binary dump to your analysis machine
2. get 'tcpflow' program
3. run it - all individual connections are saved into separate files
4. run a 'file' on the above files to id file types you want to recover.
5. if download was done over HTTP, manual header removal is needed as well. FTP downloads are saved as the right files by default, just rename and open them.

steps 2)-4) can also be done by ethereal ("Follow TCP stream" functionality)

Let me know if you need more on that.

Best,

--
Anton A. Chuvakin, Ph.D.
http://www.chuvakin.org
http://www.info-secure.org

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
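Step 5 of the procedure above (removing HTTP headers from a reassembled server-to-client stream so the downloaded file can be identified) as an added example; this is editor-supplied code, not part of Anton's post or of tcpflow, and the input stream and the small magic-number table standing in for 'file' are constructed here.

```python
"""Strip HTTP response headers from a tcpflow-style stream and identify the body."""

# Constructed stand-in for the 'file' command: a few well-known magic numbers.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"\xff\xd8\xff": "JPEG image",
    b"GIF89a": "GIF image",
    b"MZ": "PE executable",
    b"\x7fELF": "ELF executable",
    b"PK\x03\x04": "Zip archive",
}

def identify(data: bytes) -> str:
    """Return a file type name for the leading bytes, or 'data' if unknown."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "data"

def strip_http_response(stream: bytes) -> bytes:
    """Return the body of the first HTTP response found in a server->client stream.

    Handles Content-Length and chunked transfer encoding; a stream with neither
    is treated as connection-close delimited (the whole remainder is the body).
    """
    head, sep, body = stream.partition(b"\r\n\r\n")
    if not sep or not head.startswith(b"HTTP/"):
        raise ValueError("not an HTTP response stream")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        key, _, value = line.partition(b":")
        headers[key.strip().lower()] = value.strip()
    if headers.get(b"transfer-encoding", b"").lower() == b"chunked":
        out, pos = bytearray(), 0
        while True:
            end = body.index(b"\r\n", pos)
            size = int(body[pos:end].split(b";")[0], 16)  # hex size, ignore extensions
            if size == 0:
                break
            pos = end + 2
            out += body[pos:pos + size]
            pos += size + 2  # skip chunk data plus its trailing CRLF
        return bytes(out)
    if b"content-length" in headers:
        return body[:int(headers[b"content-length"])]
    return body

# Constructed sample: a chunked PNG download as tcpflow would write the server side.
SAMPLE = (b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n"
          b"Transfer-Encoding: chunked\r\n\r\n"
          b"8\r\n\x89PNG\r\n\x1a\n\r\n4\r\nIHDR\r\n0\r\n\r\n")

def recover(stream: bytes):
    """Return (file type, file bytes) for one HTTP response stream."""
    body = strip_http_response(stream)
    return identify(body), body
```

Point recover() at the contents of a tcpflow output file whose source port is 80; the returned bytes are what you would write out under the recovered file's real name.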
This archive was generated by hypermail 2b30 : Tue Jun 04 2002 - 04:34:56 PDT