Computer and Network Forensics Forum ?

- - - - -

  • Please log in to reply
1 reply to this topic

#1
JedClampett
Junior Member, 81 posts, joined 29-August 11, OS: XP Home
I'd like to learn all about computer and network forensics - ideally how to recover MIME type attachments sent via email, and also downloaded over TCP connections. Is there a way to recover these types of data from a Wireshark pcap (Packet Capture) file please?

Is there a computer forensics forum that somebody can recommend I join to learn these techniques please?

Jed :)

Edited by JedClampett, 18 December 2011 - 12:58 PM.

Come and listen to a story 'bout a man named Jed
Poor mountaineer barely kept his family fed
Then one day he was shooting for some food,
And up through the ground come a bubbling crude
(Oil that is, black gold, Texas tea)

XP Home, Vista Home Premium, Windows 7 Home Premium


How to remove advertisement from MSFN

#2
CoffeeFiend
Coffee Aficionado, Super Moderator, 5,399 posts, joined 14-July 04, OS: Windows 7 x64

how to recover MIME type attachments sent via email

Well, recover how? From a network capture? From an Outlook PST file? The question isn't very clear. But basically you have to know how it's encoded (e.g. base64) and how it's stored (data structures) or transmitted (protocols).

downloaded over TCP connections

Email is sent via other protocols (e.g. SMTP) which use TCP underneath. Again, it's mainly a matter of understanding the protocols used. Then again, the protocol may be encrypted too (SSL/TLS), which is a lot more "fun".

Is there a way to recover these types of data from a WireShark pcap (Packet Capture) file please?

That depends on which protocol it was sent with and so on.

I'm not sure what would be the best way to learn the tools. Obviously, you have to know how to use the basics of Wireshark, but MUCH more importantly, it's understanding the traffic that it shows. There is no way around having a solid understanding of how TCP/IP works and various other protocols. If you don't know how a TCP handshake works, how addressing works, how NAT works, the difference between UDP and TCP and so on (ARP, HTTP, DHCP, ICMP, etc.), you're not going to really understand much of anything Wireshark will show you.
Coffee: \ˈkȯ-fē, ˈkä-\. noun. Heaven in a cup. Life's only treasure. The meaning of life. Kaffee ist wunderbar. C8H10N4O2 FTW.
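An added worked example (not part of either post, and not a tool either poster mentions) of the three layers CoffeeFiend describes: the transport protocol (SMTP over plain TCP), the container format (MIME), and the transfer encoding (base64). The input below is a constructed byte string standing in for what Wireshark's "Follow TCP Stream" would show for one unencrypted SMTP session; the addresses, host names, file name and attachment bytes are all made up. It assumes the session was not protected by STARTTLS, since an encrypted stream yields nothing to parse. Only the Python standard library is used.

```python
import base64
import hashlib
from email import message_from_bytes
from email.policy import default as default_policy

# Constructed attachment content for this example (not real evidence).
ATTACHMENT_BYTES = b"evidence line 1\nevidence line 2\n"

# Constructed SMTP session as a reassembled TCP stream (client and server
# lines interleaved, the way "Follow TCP Stream" presents them).
# Note the dot-stuffed body line: on the wire a line starting with "."
# is sent as "..", so the real message text is ".this line began with a dot".
SMTP_STREAM = b"".join([
    b"220 mail.example.test ESMTP\r\n",
    b"EHLO client.example.test\r\n",
    b"250-mail.example.test\r\n250 8BITMIME\r\n",
    b"MAIL FROM:<alice@example.test>\r\n",
    b"250 OK\r\n",
    b"RCPT TO:<bob@example.test>\r\n",
    b"250 OK\r\n",
    b"DATA\r\n",
    b"354 End data with <CR><LF>.<CR><LF>\r\n",
    b"From: alice@example.test\r\n",
    b"To: bob@example.test\r\n",
    b"Subject: notes\r\n",
    b"MIME-Version: 1.0\r\n",
    b'Content-Type: multipart/mixed; boundary="XYZ"\r\n',
    b"\r\n",
    b"--XYZ\r\n",
    b"Content-Type: text/plain\r\n",
    b"\r\n",
    b"See attached.\r\n",
    b"..this line began with a dot\r\n",
    b"--XYZ\r\n",
    b'Content-Type: application/octet-stream; name="notes.txt"\r\n',
    b"Content-Transfer-Encoding: base64\r\n",
    b'Content-Disposition: attachment; filename="notes.txt"\r\n',
    b"\r\n",
    base64.b64encode(ATTACHMENT_BYTES) + b"\r\n",
    b"--XYZ--\r\n",
    b".\r\n",
    b"250 OK queued\r\n",
    b"QUIT\r\n",
    b"221 Bye\r\n",
])


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest, used to document a recovered file."""
    return hashlib.sha256(data).hexdigest()


def extract_data_section(stream: bytes) -> bytes:
    """Protocol layer: return the message bytes the client sent between the
    DATA command and the terminating <CRLF>.<CRLF>, with SMTP dot-stuffing
    (RFC 5321 section 4.5.2) undone."""
    marker = b"\r\nDATA\r\n"
    start = stream.find(marker)
    if start == -1:
        raise ValueError("no DATA command in stream")
    # Skip the server's 354 reply; the message starts on the next line.
    start = stream.index(b"\r\n", start + len(marker)) + 2
    end = stream.index(b"\r\n.\r\n", start)
    lines = stream[start:end].split(b"\r\n")
    unstuffed = [ln[1:] if ln.startswith(b".") else ln for ln in lines]
    return b"\r\n".join(unstuffed) + b"\r\n"


def extract_attachments(message_bytes: bytes) -> list:
    """Container + encoding layers: parse the MIME structure and decode each
    attachment's transfer encoding (base64 here) back to its original bytes."""
    msg = message_from_bytes(message_bytes, policy=default_policy)
    recovered = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)  # undoes base64 / quoted-printable
        recovered.append({
            "filename": part.get_filename(),
            "content_type": part.get_content_type(),
            "size": len(payload),
            "sha256": sha256_hex(payload),
            "data": payload,
        })
    return recovered


def body_lines(message_bytes: bytes) -> list:
    """Return the plain-text body as a list of lines (shows un-stuffing)."""
    msg = message_from_bytes(message_bytes, policy=default_policy)
    return msg.get_body(preferencelist=("plain",)).get_content().splitlines()


def recover_from_stream(stream: bytes) -> dict:
    """Full pipeline from a reassembled SMTP stream to recovered artefacts."""
    message = extract_data_section(stream)
    return {"body": body_lines(message), "attachments": extract_attachments(message)}


if __name__ == "__main__":
    result = recover_from_stream(SMTP_STREAM)
    for att in result["attachments"]:
        print(att["filename"], att["content_type"], att["size"], att["sha256"])
```

The same pipeline applies to a real capture once the TCP stream has been reassembled (Wireshark's "Follow TCP Stream" or the `email` module fed from any other reassembler); what changes per protocol is only the first step, locating the message body inside the conversation.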