JedClampett

Computer and Network Forensics Forum ?

2 posts in this topic

I'd like to learn all about computer network forensics - ideally how to recover MIME type attachments sent via email, and also downloaded over TCP connections. Is there a way to recover these types of data from a Wireshark pcap (Packet Capture) file please?

Is there a computer forensics forum that somebody can recommend that I join to learn these techniques please?

Jed :)


how to recover MIME type attachments sent via email

Well, recover how? From a network capture? From an outlook pst file? The question isn't very clear. But basically you have to know how it's encoded (e.g. base64) and how it's stored (data structures) or transmitted (protocols).

downloaded over TCP connections

Email is sent via other protocols (e.g. SMTP) which use TCP underneath. Again, it's mainly a matter of understanding the protocols used. Then again, the protocol may be encrypted too (SSL/TLS) which is a lot more "fun".

Is there a way to recover these types of data from a WireShark pcap (Packet Capture) file please?

That depends on which protocol it was sent with and so on.

I'm not sure what would be the best way to learn the tools. Obviously, you have to know how to use the basics of Wireshark, but MUCH more importantly, it's understanding the traffic that it shows. There is no way around having a solid understanding of how TCP/IP works and various other protocols. If you don't know how a TCP handshake works, how addressing works, how NAT works, the difference between UDP and TCP and so on (ARP, HTTP, DHCP, ICMP, etc.), you're not going to really understand much of anything Wireshark will show you.

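As an added example (not posted by anyone in this thread), the following stdlib-only Python walks the layers the reply lists: it reads the pcap record format, parses Ethernet/IPv4/TCP headers, reassembles the client-to-server stream by sequence number (coping with one out-of-order and one retransmitted segment), locates the SMTP DATA body, undoes dot-stuffing, parses the MIME structure and decodes the base64 attachment. The SMTP session, the message and the capture bytes are all constructed inline; names such as build_pcap and extract_attachments are this example's own, not a tool's API. It only handles plaintext SMTP, which is the point the reply makes about TLS.

```python
"""Recover a base64 MIME attachment from the SMTP stream inside a pcap.
Constructed example: the capture is generated in memory, stdlib only."""
import base64
import email
import struct
from email import policy

# ---- constructed SMTP session (not real traffic) ---------------------------
ATTACHMENT = b"invoice number 42\nthis is the file contents\n"
_MIME = (
    b"From: alice@example.test\r\nTo: bob@example.test\r\n"
    b"Subject: report\r\nMIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="XYZ"\r\n\r\n'
    b"--XYZ\r\nContent-Type: text/plain\r\n\r\nSee attached.\r\n"
    b'--XYZ\r\nContent-Type: application/octet-stream; name="report.txt"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b'Content-Disposition: attachment; filename="report.txt"\r\n\r\n'
    + base64.encodebytes(ATTACHMENT).replace(b"\n", b"\r\n")
    + b"--XYZ--\r\n"
)
# Client side of the exchange: envelope commands, DATA, body, terminating ".".
_CLIENT_STREAM = (
    b"EHLO client.test\r\nMAIL FROM:<alice@example.test>\r\n"
    b"RCPT TO:<bob@example.test>\r\nDATA\r\n" + _MIME + b".\r\nQUIT\r\n"
)


def _tcp_frame(src, dst, sport, dport, seq, payload):
    """Ethernet + IPv4 + TCP (no options); checksums left at zero (constructed)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, src, dst) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip  # zero MACs, EtherType IPv4


def build_pcap(stream, segment_size=64):
    """Write the stream as a pcap, with one retransmitted and two swapped
    segments so that reassembly has something to deal with."""
    src, dst = bytes([10, 0, 0, 5]), bytes([10, 0, 0, 25])
    segs = [(i, stream[i:i + segment_size]) for i in range(0, len(stream), segment_size)]
    segs.append(segs[1])                  # retransmission of the second segment
    segs[2], segs[3] = segs[3], segs[2]   # two segments arrive out of order
    records = b""
    for offset, data in segs:
        frame = _tcp_frame(src, dst, 40000, 25, 1000 + offset, data)
        records += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    # global header: magic, version 2.4, tz, sigfigs, snaplen, linktype Ethernet
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + records


def _parse_frame(frame):
    """Return (src, dst, sport, dport, seq, payload), or None if not IPv4/TCP."""
    if frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:                        # protocol field: 6 = TCP
        return None
    tcp = ip[ihl:total_len]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    data_off = (tcp[12] >> 4) * 4
    return ip[12:16], ip[16:20], sport, dport, seq, tcp[data_off:]


def reassemble_streams(pcap):
    """Group payloads per (src, sport, dst, dport), order by sequence number
    and discard bytes already seen (retransmissions and overlaps)."""
    endian = "<" if struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4 else ">"
    flows, off = {}, 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        parsed = _parse_frame(pcap[off + 16:off + 16 + incl_len])
        off += 16 + incl_len
        if parsed and parsed[5]:
            src, dst, sport, dport, seq, payload = parsed
            flows.setdefault((src, sport, dst, dport), []).append((seq, payload))
    streams = {}
    for key, segs in flows.items():
        data, next_seq = b"", None
        for seq, payload in sorted(segs):
            next_seq = seq if next_seq is None else next_seq
            if seq < next_seq:            # overlap or pure retransmission
                payload, seq = payload[next_seq - seq:], next_seq
            if payload:                   # a seq > next_seq here would be a gap
                data, next_seq = data + payload, seq + len(payload)
        streams[key] = data
    return streams


def extract_attachments(stream):
    """For each SMTP DATA body (ended by CRLF.CRLF) undo dot-stuffing, parse
    the MIME message and return [(filename, decoded bytes)] per attachment."""
    found, pos = [], 0
    while (start := stream.find(b"\r\nDATA\r\n", pos)) >= 0:
        start += len(b"\r\nDATA\r\n")
        end = stream.find(b"\r\n.\r\n", start)
        if end < 0:
            break
        body = stream[start:end + 2].replace(b"\r\n..", b"\r\n.")
        msg = email.message_from_bytes(body, policy=policy.default)
        for part in msg.iter_attachments():
            found.append((part.get_filename(), part.get_payload(decode=True)))
        pos = end + 5
    return found


def recover_from_pcap(pcap):
    """Attachments from every reassembled stream in the capture."""
    return [a for s in reassemble_streams(pcap).values() for a in extract_attachments(s)]


if __name__ == "__main__":
    for name, data in recover_from_pcap(build_pcap(_CLIENT_STREAM)):
        print(name, len(data), "bytes")
```

On a real capture the same steps are what Wireshark's "Follow TCP Stream" and File > Export Objects do for you; the value of writing them out is seeing exactly which layer each piece of information lives in, which is the understanding the reply says there is no way around.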
