
Showing posts from January, 2024

Extracting data from wireshark

I was given a PCAP file with something inside; at this point I didn't know what it could be. I looked around the file for common protocols that could be used to send information, such as HTTP and FTP, and then tried to extract the file, but it failed. I tried to check if Wireshark would extract it by going into File, extracting the object and choosing HTTP or FTP, but that also failed. After looking for a while and filtering for ftp-data, I found something that said test.jpg, so I took a closer look at it. I followed the TCP stream and got the full data. I then converted it to raw and saved it on my desktop, and finally got the image. This lab taught me that I could extract data from Wireshark that is not encrypted. I found this lab very fun, and I got to play with Wireshark.

Making a disk image

In this lab I will play around with making a disk image and then opening it in FTK Imager. I started with 2 files, which I then hashed to show that they are the same files once I open them in FTK Imager on my other machine. After partitioning my drive, I have 2 files here. I checked the MD5 hash and the SHA1 hash because that is what was supported by FTK Imager. I used dd to make the image:

    dd if=/dev/sda1 conv=sync,noerror bs=64K | gzip -c > lab4image.gz

Here I opened both files on my other machine and checked their hashes. As can be seen, they are both the same.
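The image-then-verify routine from this post, written out as an added example (not the post author's own script). It runs the same dd | gzip pipeline, but against a constructed 1 MiB file standing in for /dev/sda1, because a spare partition is not assumed; the directory and file names are placeholders. It then decompresses the image and compares MD5 and SHA1 of source and restored copy, which is the check the post does by hand in FTK Imager.

```shell
#!/bin/sh
# Added example: image a "device" with dd, compress with gzip, then verify by
# hashing the source and the restored image. The source is a constructed file
# that stands in for /dev/sda1.
set -eu

WORK=$(mktemp -d)                 # placeholder working directory
trap 'rm -rf "$WORK"' EXIT
SRC="$WORK/sda1.img"              # stands in for /dev/sda1
IMG="$WORK/lab4image.gz"
RESTORED="$WORK/restored.img"

# Construct a sample source "partition": 1 MiB of random bytes. The size is a
# whole number of 64K blocks on purpose, because conv=sync pads any short final
# block with NULs and that padding would change the hash of the image.
head -c 1048576 /dev/urandom > "$SRC"

hash_file() {
  # Print "md5 sha1" for a file, with coreutils or BSD tool names.
  if command -v md5sum >/dev/null 2>&1; then
    m=$(md5sum "$1" | cut -d' ' -f1); s=$(sha1sum "$1" | cut -d' ' -f1)
  else
    m=$(md5 -q "$1"); s=$(shasum -a 1 "$1" | cut -d' ' -f1)
  fi
  echo "$m $s"
}

make_image() {
  # Same pipeline as in the post, with the device replaced by $1 and the
  # output path by $2.
  dd if="$1" conv=sync,noerror bs=64K 2>/dev/null | gzip -c > "$2"
}

verify_image() {
  # $1 = gzip image, $2 = original source, $3 = path for the restored copy.
  # Returns 0 only when both hash pairs match.
  gzip -dc "$1" > "$3"
  before=$(hash_file "$2"); after=$(hash_file "$3")
  echo "source:   $before"
  echo "restored: $after"
  [ "$before" = "$after" ]
}

make_image "$SRC" "$IMG"
verify_image "$IMG" "$SRC" "$RESTORED"
```

Hash the raw device before imaging and the decompressed image afterwards; hashing the .gz file itself only proves the archive was copied intact, not that it matches the disk. On a real partition whose size is not a multiple of bs, conv=sync will pad the tail of the image, so compare with the padded length in mind or choose a bs that divides the device size.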

Alternative Data Streams

In this lab, I will play around with alternative data streams. I was provided a disk image with a lot of files. I will use FTK Imager to try and find any data that might have been hidden in the alternative data stream. I found some alternative data streams and looked at all of them. Here are some others I found. There seems to be a password in this one, which I could use to unlock a file later on. Now I found a weird JPG called SeceretEvidence; I tried to export it to another location and then attempted to use ExifTool on it. This did not work. I tried putting it on CyberChef to see if one of the options could work. I tried to see which type of file it was, if maybe I could forcefully unzip it, or maybe extract any files that it might have hidden inside. None of this worked, so I went back to the original location of the file to play with it. When I went back to look at the file, it asked me for a password, which was the same one I had previously found, so I just used