PCAP Analysis Tools for Network Forensic Investiga (blog feed, xenadmin)

Unknown Binary Files?
Posted by xenadmin, 2009-10-31

What to do if an unknown executable file is running on your system?

1. Upload it to VirusTotal - http://www.virustotal.com/ - then read the report carefully to see whether it is identified as malicious software (check the links for extra info about the executable, e.g. ThreatExpert).

2. Upload it to a sandbox to get a report on the system-level behaviour of the malicious software.
- I strongly recommend the free sandboxes listed below:
 * Anubis - http://anubis.iseclab.org/
 * Sunbelt CWSandbox - http://www.sunbeltsecurity.com/
 * Norman Sandbox - http://www.norman.com/technology/norman_sandbox/

3. Use Sysinternals tools (now acquired by Microsoft) like TCPView, Process Monitor and Process Explorer.

4. If you have a sacrificial PC or virtual PC, try to run the binary on it and monitor changes using file integrity tools. Also use Wireshark to monitor and capture network-level activity.

PCAP Analysis Tools
Posted by xenadmin, 2009-10-31

I found these tools extremely easy to operate and useful in network-level forensic investigation of Wireshark capture files (*.pcap):

1. NetworkMiner - http://networkminer.sourceforge.net/
2. NetWitness Investigator - http://download.netwitness.com/
3. Xplico - http://www.xplico.org/

Yes, they are free ;)

Additional details on Xplico for Ubuntu 9.x:
- run apt-get install apache2
- run apt-get install xplico
- edit /etc/php5/apache2/php.ini to increase the size of files to upload:
 * post_max_size = 100M
 * upload_max_filesize = 100M
- restart Apache2
- run sudo sh /opt/xplico/script/sqlite_demo.sh
- open http://localhost:9876
- create a new case in Xplico
- create a new session, then upload your pcap file