流量取證-流量中提取文件

• 2020 年 12 月 2 日
• 筆記
• 電子取證

以前整理的一些東西，拿出來做備忘

PCAP 報文就是抓取實際在網路中傳輸的圖片，影片等數據，然後以PCAP 格式存儲形成的文件。工作中對離線的數據包進行回溯分析，有時會遇到將 PCAP 中的碼流還原成相應的圖片、影片、郵件等原有格式的需求。

從流量中取證文件大部分情況下是為了提取流量中的可執行程式。

1、 tcpxtract
安裝：
apt-get install tcpxtract
//www.rpmfind.net/linux/rpm2html/search.php?query=tcpxtract # 下載對應版本

查看幫助：
root@kali:~# tcpxtract -h
Usage: tcpxtract [OPTIONS] [[-d ] [-f ]]
Valid options include:
–file, -f to specify an input capture file instead of a device 指定輸入捕獲文件
–device, -d to specify an input device (i.e. eth0) 指定輸入設備(即eth0)
–config, -c use FILE as the config file 使用FILE作為配置文件
–output, -o dump files to DIRECTORY instead of current directory 將文件轉儲
–version, -v display the version number of this program
–help, -h display this lovely screen

下載 pcap 流量包：
wget //forensicscontest.com/contest01/evidence01.pcap

查看要恢復的文件：
tcpxtract -f evidence01.pcap

查看恢復後的文件

打開文件：
leafpad 00000042.html

2、 NetworkMiner
安裝 NetworkMiner：
從 //sourceforge.net/projects/networkminer/files/latest/download 下載
或者
//nchc.dl.sourceforge.net/project/networkminer/networkminer/NetworkMiner-1.6.1/NetworkMiner_1-6-1.zip

打開 PCAP 文件

查看提取出來的文件

3、wireshark 還原文件
查看幫助
root@kali:~# wireshark -h
Wireshark 2.6.6 (Git v2.6.6 packaged as 2.6.6-1)
Interactively dump and analyze network traffic.
See //www.wireshark.org for more information.

Usage: wireshark [options] … [ ]

Capture interface:
-i name or idx of interface (def: first non-loopback)
-f packet filter in libpcap filter syntax
-s packet snapshot length (def: appropriate maximum)
-p don’t capture in promiscuous mode
-k start capturing immediately (def: do nothing)
-S update packet display when new packets are captured
-l turn on automatic scrolling while -S is in use
-I capture in monitor mode, if available
-B size of kernel buffer (def: 2MB)
-y link layer type (def: first appropriate)
–time-stamp-type timestamp method for interface
-D print list of interfaces and exit
-L print list of link-layer types of iface and exit
–list-time-stamp-types print list of timestamp types for iface and exit

Capture stop conditions:
-c stop after n packets (def: infinite)
-a … duration:NUM – stop after NUM seconds
filesize:NUM – stop this file after NUM KB
files:NUM – stop after NUM files
Capture output:
-b … duration:NUM – switch to next file after NUM secs
filesize:NUM – switch to next file after NUM KB
files:NUM – ringbuffer: replace after NUM files
Input file:
-r set the filename to read from (no pipes or stdin!)

Processing:
-R packet filter in Wireshark display filter syntax
-n disable all name resolutions (def: all enabled)
-N enable specific name resolution(s): “mnNtdv”
-d <layer_type>,<decode_as_protocol> …
“Decode As”, see the man page for details
Example: tcp.port8888,http
–enable-protocol <proto_name>
enable dissection of proto_name
–disable-protocol <proto_name>
disable dissection of proto_name
–enable-heuristic <short_name>
enable dissection of heuristic protocol
–disable-heuristic <short_name>
disable dissection of heuristic protocol

User interface:
-C start with specified configuration profile
-Y start with the given display filter
-g go to specified packet number after “-r”
-J jump to the first packet matching the (display)
filter
-j search backwards for a matching packet after “-J”
-m set the font name used for most text
-t a|ad|d|dd|e|r|u|ud output format of time stamps (def: r: rel. to first)
-u s|hms output format of seconds (def: s: seconds)
-X : eXtension options, see man page for details
-z show various statistics, see man page for details