Welcome to MSFN

Register now to gain access to all of our features. Once registered and logged in, you will be able to contribute to this site by submitting your own content or replying to existing content. You'll be able to customize your profile, receive reputation points as a reward for submitting content, while also communicating with other members via your own private inbox, plus much more! This message will be removed once you have signed in.


JedClampett

Computer and Network Forensics Forum ?

2 posts in this topic

I'd like to learn all about computer Network Forensics - ideally how to recover MIME type attachments sent via email, and also downloaded over TCP connections. Is there a way to recover these types of data from a WireShark pcap (Packet Capture) file please?

Is there a Computer forensics forum that somebody can recommend me to join to learn these techniques please?

Jed :)

Edited by JedClampett
0

Share this post


Link to post
Share on other sites

how to recover MIME type attachments sent via email

Well, recover how? From a network capture? From an outlook pst file? The question isn't very clear. But basically you have to know how it's encoded (e.g. base64) and how it's stored (data structures) or transmitted (protocols).

downloaded over TCP connections

Email is sent via other protocols (e.g. SMTP) which use TCP underneath. Again, it's mainly a matter of understanding the protocols used. Then again, the protocol may be encrypted too (SSL/TLS) which is a lot more "fun".

Is there a way to recover these types of data from a WireShark pcap (Packet Capture) file please?

That depends on which protocol it was sent with and so on.

I'm not sure what would be the best way to learn the tools. Obviously, you have to know how to use the basics of wireshark, but MUCH more importantly, it's understanding the traffic that it shows. There is no way around having a solid understanding of how TCP/IP works and various other protocols. If you don't know how a TCP handshake works, how addressing works, how NAT works, the difference between UDP and TCP and so on (ARP, HTTP, DHCP, ICMP, etc), you're not going to really understand much of anything Wireshark will show you.

0

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.