Extracting Files from Network Packet Captures

by Stephen Deck
Sept. 1, 2017 | SANS Institute | Pen Testing & Audits, forensics

Extracting files from full packet captures can save security analysts a great deal of time. Time-consuming procedures, such as performing a complete forensic analysis on suspect machines, can often be avoided if analysts are able to extract files from the network traffic. Several tools perform this function, but each has shortcomings, and analysts must be familiar with those limitations to make an informed assessment of a packet capture. This paper compares the capabilities of currently available tools that automate this task, explores the process of manually extracting artifacts from packet captures, and offers a script to extend the functionality of TShark to include file extraction. This will familiarize new security analysts with current tools and establish a baseline understanding of how these tools function.
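The manual process the abstract refers to, carving a file out of a capture, amounts to three steps: parsing the pcap container, reassembling the TCP stream in sequence order, and cutting the file out of the application-layer response. The following script is an added illustration written for this page; it is not the paper's TShark script and does not come from SANS. It builds a small constructed capture in memory (an HTTP request and a response carrying a fake PNG whose two segments are recorded out of order), then carves the file back out, so the reader can see where automated carvers go wrong: the reassembly below ignores retransmissions and overlaps, and the HTTP parser handles only Content-Length responses, not chunked encoding or compression. All addresses, ports and the file signature table are constructed for the example.

```python
import hashlib
import struct

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1

# Constructed signature table; a real carver would use a fuller list.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
    b"GIF8": "gif",
    b"PK\x03\x04": "zip",
}

# Constructed payload: a real PNG signature followed by filler bytes.
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + bytes(40)


def ipv4_checksum(header: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload: bytes) -> bytes:
    """Build one Ethernet/IPv4/TCP frame (constructed; TCP checksum left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip + tcp


def build_sample_pcap() -> bytes:
    """Constructed capture: GET, then the response body split in two and recorded out of order."""
    client, server = "10.0.0.5", "192.0.2.10"
    request = b"GET /logo.png HTTP/1.1\r\nHost: example.test\r\n\r\n"
    response = (b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n"
                b"Content-Length: %d\r\n\r\n" % len(FAKE_PNG)) + FAKE_PNG
    split = len(response) // 2
    frames = [
        tcp_segment(client, server, 40000, 80, 1000, 5000, 0x18, request),
        tcp_segment(server, client, 80, 40000, 5000 + split, 1000 + len(request), 0x18, response[split:]),
        tcp_segment(server, client, 80, 40000, 5000, 1000 + len(request), 0x18, response[:split]),
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1504230000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_packets(pcap: bytes):
    """Yield raw frames from a classic libpcap file, in either byte order."""
    if struct.unpack("<I", pcap[:4])[0] == PCAP_MAGIC:
        endian = "<"
    elif struct.unpack(">I", pcap[:4])[0] == PCAP_MAGIC:
        endian = ">"
    else:
        raise ValueError("not a libpcap capture")
    if struct.unpack(endian + "I", pcap[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type handled here")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def reassemble_tcp(pcap: bytes) -> dict:
    """Group TCP payloads per one-way flow and order them by sequence number.
    Deliberately naive: retransmissions and overlapping segments are not resolved."""
    segments = {}
    for frame in iter_packets(pcap):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue
        ihl = (frame[14] & 0x0F) * 4
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp = frame[14 + ihl:]
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            segments.setdefault((src, sport, dst, dport), []).append((seq, payload))
    return {flow: b"".join(p for _, p in sorted(segs)) for flow, segs in segments.items()}


def carve_http_files(pcap: bytes) -> list:
    """Cut the body out of each HTTP response stream and label it by file signature."""
    found = []
    for flow, stream in reassemble_tcp(pcap).items():
        if not stream.startswith(b"HTTP/1."):
            continue
        head, sep, rest = stream.partition(b"\r\n\r\n")
        if not sep:
            continue
        length = None
        for line in head.split(b"\r\n")[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-length":
                length = int(value.strip())
        body = rest[:length] if length is not None else rest
        kind = next((k for sig, k in SIGNATURES.items() if body.startswith(sig)), "unknown")
        found.append({"flow": flow, "kind": kind, "size": len(body),
                      "sha256": hashlib.sha256(body).hexdigest(), "data": body})
    return found


if __name__ == "__main__":
    for f in carve_http_files(build_sample_pcap()):
        print(f["flow"], f["kind"], f["size"], f["sha256"])
```

Running the script prints one carved PNG of 48 bytes from the server-to-client flow. Comparing the SHA-256 of a carved body against the same file carved by a second tool is a cheap way to confirm that neither reassembler dropped or duplicated a segment, which is exactly the class of discrepancy the paper's tool comparison is concerned with.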