Threat Level: green Handler on Duty: Guy Bruneau

SANS ISC: Extracting pcap from memory - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Extracting pcap from memory

I have talked many times about memory forensics and how useful its. In this diary I am going to talk about how to extract a pcap file from a memory image using bulk_extractor.

Of course when we are extracting a pcap file from a memory image we are going to not have everything but there will be some remanence that can help in our investigation

bulk_extractor is a computer forensics tool that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file system structures. The results can be easily inspected, parsed, or processed with automated tools. bulk_extractor also creates a histograms of features that it finds, as features that are more common tend to be more important. The program can be used for law enforcement, defense, intelligence, and cyber-investigation applications.”[1]

Bulk_extractor can be obtained from http://digitalcorpora.org/downloads/bulk_extractor/

For this diary I have run netcat on my linux vm

nc -l –p 80

 

Then I used telnet client from my window machine to communicate to netcat over port 80.

telnet 192.168.8.101 80

 

Then I captured the memory of my windows machine using Dumpit[2].

 

since I am interested in extracting the pcap from the memory image only ,I will disable all the scanners using –x all option and enable the net scanner only using –e net.

bulk_extractor -x all -e net -o Win8bulk/ Win8-64bit.raw

 

-o specifies output directory.

Now let’s check the Win8bul directory

ls Win8bulk/

alerts.txt           ether.txt         ip.txt        report.xml

ether_histogram.txt  ip_histogram.txt  packets.pcap

 

Here is a brief explanations of the above files

ether.txt -- Ethernet MAC addresses found through IP packet carving of swap files and compressed system hibernation files and file fragments.

ip.txt -- IP addresses found through IP packet carving.

ether_histogram. witll show the histogram of Ethernet Mac addresses

ip_histogram will show the histogram of the ip addresses.

packet.pcap is The file packets.pcap is a pcap file made from carved packet

 

now let check the pcap file to see if it contain the sessions the I have tested

tcpdump -nn -r Win8bulk/packets.pcap 'ip host 192.168.8.101 and tcp'

 

And here is the output

00:00:00.000000 IP 192.168.8.100.49684 > 192.168.8.101.80: Flags [.], ack 422809692, win 64, length 0

00:00:00.000000 IP 192.168.8.100.49684 > 192.168.8.101.80: Flags [P.], seq 0:1, ack 1, win 64, length 1

00:00:00.000000 IP 192.168.8.100.49684 > 192.168.8.101.80: Flags [P.], seq 1:2, ack 1, win 64, length 1

00:00:00.000000 IP 192.168.8.100.49684 > 192.168.8.101.80: Flags [P.], seq 2:3, ack 1, win 64, length 1

00:00:00.000000 IP 192.168.8.100.49684 > 192.168.8.101.80: Flags [P.], seq 3:4, ack 1, win 64, length 1

00:00:00.000000 IP 192.168.8.100.49684 > 192.168.8.101.80: Flags [P.], seq 4:5, ack 1, win 64, length 1

00:00:00.000000 IP 192.168.8.100.49684 > 192.168.8.101.80: Flags [P.], seq 5:6, ack 1, win 64, length 1

00:00:00.000000 IP 192.168.8.100.49684 > 192.168.8.101.80: Flags [P.], seq 6:7, ack 1, win 64, length 1

00:00:00.000000 IP 192.168.8.100.49684 > 192.168.8.101.80: Flags [P.], seq 7:8, ack 1, win 64, length 1

00:00:00.000000 IP 192.168.8.100.49684 > 192.168.8.101.80: Flags [S], seq 2574360603, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0

 

As we can see the pcap is missing at least the three way handshaking packets.

But let see what we can get from these packets in Wireshark

Now let’s check what we can get with “follow tcp stream”

And that’s what I have typed during the test connection


Basil

56 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!