
Can i extract a file from a wireshark pcap
Full content packet captures can provide valuable insight into an analysis or investigation. Depending on the placement of the capture device, an analyst is sometimes able to recreate an exact timeline of events between two or more hosts. A key component of this process is being able to replicate content transferred between hosts based solely on the packet capture. With a full content packet capture it is possible to extract a bit-for-bit copy of files transferred between hosts across many application-layer protocols, both TCP and UDP based. This will demonstrate a simple method of extracting an executable transferred across an FTP session identified in a packet capture.

The only tool required is Wireshark, which is freely available for Mac, Linux, and Windows operating systems. There are tools available which automate this process in many scenarios, but forensic analysts should understand the underlying concepts so that, in the case that an automated tool falls short, files can be extracted manually. In testing, a lab environment was set up with two hosts – a Linux FTP server (192.168.1.68) and a Mac client (192.168.1.2). A win32 executable, original.exe, is located on the FTP server and will be downloaded to my Mac client as copy.exe.

Quite often the forensic analyst will not have access to either the client or server systems, but for the sake of demonstration the MD5 hash of the original.exe file on the server is

ls -l

With the packet capture running, log in to the FTP server from the Mac client and transfer the file original.exe (saving it to the Mac client as copy.exe). At this point, analysis of the packet capture begins (Figure 1).

Figure 1 – Packet capture showing FTP traffic

After reviewing the FTP login, directory listings, and other user commands, I’ve identified the FTP RETR command issued by the client in packet #154. This is where the Mac client actually requests a file from the FTP server. With this being an FTP session, the filename is shown and the file requested appears to be an executable (original.exe). This helps remove some of the guesswork in verifying the file signature later. Packet #157 is where the actual file transfer begins, which is viewable in Wireshark as its own TCP stream.
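To show what Wireshark's Follow TCP Stream does under the hood, here is an added example (not code from the post): a stdlib-only Python script that walks a classic pcap, reassembles the server-to-client side of the FTP data connection by sequence number (discarding retransmitted bytes and flagging a gap in the capture), then checks the PE "MZ" signature and computes the MD5 to compare against the server's hash. The capture, the data-connection ports and the 64-byte stand-in for original.exe are constructed; only the two lab addresses come from the post.

```python
import hashlib
import struct

_ip4 = lambda a: bytes(int(x) for x in a.split("."))   # dotted quad -> 4 bytes

def parse_pcap(data):
    """Yield (src, dst, sport, dport, seq, payload) per IPv4/TCP packet in a classic pcap (Ethernet)."""
    end = "<" if struct.unpack_from("<I", data, 0)[0] == 0xA1B2C3D4 else ">"  # pcap byte order
    off = 24                                                                   # skip global header
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(end + "IIII", data, off)[2]
        frame, off = data[off + 16:off + 16 + incl_len], off + 16 + incl_len
        ip = frame[14:]
        if frame[12:14] != b"\x08\x00" or len(ip) < 20 or ip[9] != 6: continue  # not IPv4 / not TCP
        tcp = ip[(ip[0] & 0x0F) * 4:struct.unpack_from("!H", ip, 2)[0]]        # drop IP header and padding
        sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
        yield ip[12:16], ip[16:20], sport, dport, seq, tcp[(tcp[12] >> 4) * 4:]

def reassemble_stream(data, src, dst, sport, dport):
    """One direction of a TCP stream, as Follow TCP Stream shows it: order by seq, drop retransmits, flag gaps."""
    segs = sorted((seq, p) for s, d, sp, dp, seq, p in parse_pcap(data)
                  if (s, d, sp, dp) == (_ip4(src), _ip4(dst), sport, dport) and p)
    out, nxt = bytearray(), segs[0][0] if segs else 0
    for seq, p in segs:
        if seq > nxt: raise ValueError(f"capture is missing {seq - nxt} bytes at seq {nxt}")
        out += p[nxt - seq:]                      # skip bytes already seen (retransmission / overlap)
        nxt = max(nxt, seq + len(p))
    return bytes(out)

def carve_ftp_data(data, src, dst, sport, dport):
    """Carve the transferred file and run the post's two checks: PE 'MZ' signature and MD5."""
    blob = reassemble_stream(data, src, dst, sport, dport)
    return {"size": len(blob), "is_pe": blob[:2] == b"MZ", "md5": hashlib.md5(blob).hexdigest(), "data": blob}

def _frame(src, dst, sport, dport, seq, payload):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload  # checksum 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, _ip4(src), _ip4(dst)) + tcp
    eth = b"\x00" * 12 + b"\x08\x00" + ip                   # constructed Ethernet/IPv4/TCP frame
    return struct.pack("<IIII", 0, 0, len(eth), len(eth)) + eth

def build_pcap(packets):
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(_frame(*p) for p in packets)

SRV, CLI, FILE = "192.168.1.68", "192.168.1.2", b"MZ\x90\x00" + bytes(range(60))  # constructed sample
SAMPLE_PCAP = build_pcap([
    (SRV, CLI, 21, 50000, 1, b"150 Opening BINARY mode data connection.\r\n"),  # control channel: ignored
    (SRV, CLI, 20, 50001, 1024, FILE[24:44]),               # arrives out of order
    (SRV, CLI, 20, 50001, 1000, FILE[:24]),
    (SRV, CLI, 20, 50001, 1024, FILE[24:44]),               # retransmission: must not duplicate bytes
    (SRV, CLI, 20, 50001, 1044, FILE[44:]),
])
```

`carve_ftp_data(SAMPLE_PCAP, SRV, CLI, 20, 50001)` returns the 64 carved bytes with `is_pe` True; on a real capture, pass the data-connection endpoints seen in the RETR's TCP stream and compare the reported MD5 with the hash taken on the server.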