流量取证-流量中提取文件

以前整理的一些东西，拿出来做备忘

PCAP 报文就是抓取实际在网络中传输的图片，视频等数据，然后以PCAP 格式存储形成的文件。工作中对离线的数据包进行回溯分析，有时会遇到将 PCAP 中的码流还原成相应的图片、视频、邮件等原有格式的需求。

从流量中取证文件大部分情况下是为了提取流量中的可执行程序。

1、 tcpxtract
安装：
apt-get install tcpxtract
http://www.rpmfind.net/linux/rpm2html/search.php?query=tcpxtract # 下载对应版本

查看帮助：
root@kali:~# tcpxtract -h
Usage: tcpxtract [OPTIONS] [[-d ] [-f ]]
Valid options include:
--file, -f to specify an input capture file instead of a device 指定输入捕获文件
--device, -d to specify an input device (i.e. eth0) 指定输入设备(即eth0)
--config, -c use FILE as the config file 使用FILE作为配置文件
--output, -o dump files to DIRECTORY instead of current directory 将文件转储
--version, -v display the version number of this program
--help, -h display this lovely screen

下载 pcap 流量包：
wget http://forensicscontest.com/contest01/evidence01.pcap

查看要恢复的文件：
tcpxtract -f evidence01.pcap

查看恢复后的文件

打开文件：
leafpad 00000042.html

2、 NetworkMiner
安装 NetworkMiner：
从 http://sourceforge.net/projects/networkminer/files/latest/download 下载
或者
https://nchc.dl.sourceforge.net/project/networkminer/networkminer/NetworkMiner-1.6.1/NetworkMiner_1-6-1.zip

打开 PCAP 文件

查看提取出来的文件

3、wireshark 还原文件
查看帮助
root@kali:~# wireshark -h
Wireshark 2.6.6 (Git v2.6.6 packaged as 2.6.6-1)
Interactively dump and analyze network traffic.
See https://www.wireshark.org for more information.

Usage: wireshark [options] ... [ ]

Capture interface:
-i name or idx of interface (def: first non-loopback)
-f packet filter in libpcap filter syntax
-s packet snapshot length (def: appropriate maximum)
-p don't capture in promiscuous mode
-k start capturing immediately (def: do nothing)
-S update packet display when new packets are captured
-l turn on automatic scrolling while -S is in use
-I capture in monitor mode, if available
-B size of kernel buffer (def: 2MB)
-y link layer type (def: first appropriate)
--time-stamp-type timestamp method for interface
-D print list of interfaces and exit
-L print list of link-layer types of iface and exit
--list-time-stamp-types print list of timestamp types for iface and exit

Capture stop conditions:
-c stop after n packets (def: infinite)
-a ... duration:NUM - stop after NUM seconds
filesize:NUM - stop this file after NUM KB
files:NUM - stop after NUM files
Capture output:
-b ... duration:NUM - switch to next file after NUM secs
filesize:NUM - switch to next file after NUM KB
files:NUM - ringbuffer: replace after NUM files
Input file:
-r set the filename to read from (no pipes or stdin!)

Processing:
-R packet filter in Wireshark display filter syntax
-n disable all name resolutions (def: all enabled)
-N enable specific name resolution(s): "mnNtdv"
-d <layer_type>,<decode_as_protocol> ...
"Decode As", see the man page for details
Example: tcp.port8888,http
--enable-protocol <proto_name>
enable dissection of proto_name
--disable-protocol <proto_name>
disable dissection of proto_name
--enable-heuristic <short_name>
enable dissection of heuristic protocol
--disable-heuristic <short_name>
disable dissection of heuristic protocol

User interface:
-C start with specified configuration profile
-Y start with the given display filter
-g go to specified packet number after "-r"
-J jump to the first packet matching the (display)
filter
-j search backwards for a matching packet after "-J"
-m set the font name used for most text
-t a|ad|d|dd|e|r|u|ud output format of time stamps (def: r: rel. to first)
-u s|hms output format of seconds (def: s: seconds)
-X : eXtension options, see man page for details
-z show various statistics, see man page for details

Output:
-w <outfile|-> set the output filename (or '-' for stdout)

Miscellaneous:
-h display this help and exit
-v display version info and exit
-P : persconf:path - personal configuration files
persdata:path - personal data files
-o : ... override preference or recent setting
-K keytab file to use for kerberos decryption
--display=DISPLAY X display to use
--fullscreen start Wireshark in full screen

打开pcap文件：
wireshark evidence01.pcap

查看还原文件：
文件--》导出对象--》HTTP

查看PE文件
file * | grep PE

foremost
kali 2.0 默认安装

查看帮助
root@kali:~# foremost -h
foremost version 1.5.7 by Jesse Kornblum, Kris Kendall, and Nick Mikus.
$ foremost [-v|-V|-h|-T|-Q|-q|-a|-w-d] [-t ] [-s ] [-k ]
[-b ] [-c ] [-o

] [-i <file]

-V - display copyright information and exit
-t - specify file type. (-t jpeg,pdf ...)
-d - turn on indirect block detection (for UNIX file-systems)
-i - specify input file (default is stdin)
-a - Write all headers, perform no error detection (corrupted files)
-w - Only write the audit file, do not write any detected files to the disk
-o - set output directory (defaults to output)
-c - set configuration file to use (defaults to foremost.conf)
-q - enables quick mode. Search are performed on 512 byte boundaries.
-Q - enables quiet mode. Suppress output messages.
-v - verbose mode. Logs all messages to screen