Extract files from captured network traffic pcap (1)

Table of Contents


Introduction

The process is mostly the same in network packets data-carving, which comprises of:

  • Gain access and collect the raw bytes
  • Strip the protocol information
  • Extract and write the data to file

The differences of these tools are their capabilities i.e., the supported protocols and file formats.


Wireshark

HTTP objects and files

To extracts the HTTP objects and files with Wireshark,

  1. Navigate to ‘File’ → ‘Export Objects’ and select the type, currently it supports four protocols:

  2. Then select the target filename followed by ‘Save’ or simply ‘Save All’:

  3. Once extracted, the list of exported objects and the respective file types can be seen:

  4. Alternatively, the ‘Follow’ → ‘TCP Stream’ can also be used to extract raw files from the stream:


Binary files

In real world scenario, malware often spread through http protocol, thus we could search the common strings used by malware such as GetProcAddress, ExitProcess and etc. (statistically reported in paper by Gong et al. [1]).

  1. To get to that for extraction purposes, use the display filter ' http contains "GetProcAddress" ' :

  2. There are multiple ways to export the packets (binary file):

    1. ‘Export Objects’ → ‘HTTP’, and select the file from the list:

    2. Or, right-click and ‘Export Packet Bytes’:

  3. Once the binary is obtained, we could use hex editor to view the binary file, and locate the matching strings:

    $ xxd mal.bin |less
    
  4. And start attribution and digital signature with fingerprinting the binary with MD5 checksum, etc. :


Tcpflow & Foremost

Assuming the pcap file 192.168.1.0.pcap contains the packets captured from the 192.168.1.0/24 network, we could use tcpflow to extract the data streams into individual files by ip-addresses:

  1. Tcpflow only handles the direction of the data streams, and if the target binary files were not split into individual files by tcpflow, we could use foremost utility to complement the processes:

    Note: add the following line to /etc/foremost.conf to add Mach-O binary file format’s signature.

    bin    n    4096000    \xCF\xFA\xED\xFE\x07\x00
    

    where,

    [filetype]  [case-sensitivity]  [upper-limit-for-size]  [signature header]  [footer]
    
  2. Concatenate the data files generated by tcpflow into a single file:

  3. Parse the file with foremost, followed by validation with md5sum which yielded identical result to previous digital signature fingerprint of mal.bin file extracted with wireshark in above section from host 192.168.1.7 :

Note: tcpflow only support TCP packets, it does not handle UDP packets. To separate the packets not processed by tcpflow, use the -w option:

 -w filename.pcap
    Write packets that were not processed to filename.pcap. Typically this will be UDP packets.

References:

  1. Gong, M., Girkar, U., & Xie, B. Classifying Windows Malware with Static Analysis.
  2. https://www.sans.org/reading-room/whitepapers/forensics/extracting-files-network-packet-captures-36562