MSFN Forum: Computer and Network Forensics Forum ? - MSFN Forum


Computer and Network Forensics Forum?

#1 JedClampett

  • Junior
  • Group: Members
  • Posts: 73
  • Joined: 29-August 11
  • OS: XP Home

Posted 18 December 2011 - 12:56 PM

I'd like to learn all about computer network forensics - ideally how to recover MIME type attachments sent via email, and also downloaded over TCP connections. Is there a way to recover these types of data from a Wireshark pcap (packet capture) file please?

Is there a Computer forensics forum that somebody can recommend me to join to learn these techniques please?

Jed :)

This post has been edited by JedClampett: 18 December 2011 - 12:58 PM



#2 CoffeeFiend

  • Coffee Aficionado
  • Group: Super Moderator
  • Posts: 5,399
  • Joined: 14-July 04
  • OS: Windows 7 x64

Posted 18 December 2011 - 10:40 PM

JedClampett, on 18 December 2011 - 12:56 PM, said:

how to recover MIME type attachments sent via email

Well, recover how? From a network capture? From an Outlook PST file? The question isn't very clear. But basically you have to know how it's encoded (e.g. base64) and how it's stored (data structures) or transmitted (protocols).

JedClampett, on 18 December 2011 - 12:56 PM, said:

downloaded over TCP connections

Email is sent via other protocols (e.g. SMTP) which use TCP underneath. Again, it's mainly a matter of understanding the protocols used. Then again, the protocol may be encrypted too (SSL/TLS) which is a lot more "fun".

JedClampett, on 18 December 2011 - 12:56 PM, said:

Is there a way to recover these types of data from a WireShark pcap (Packet Capture) file please?

That depends on which protocol it was sent with and so on.

I'm not sure what would be the best way to learn the tools. Obviously, you have to know how to use the basics of Wireshark, but MUCH more importantly, it's understanding the traffic that it shows. There is no way around having a solid understanding of how TCP/IP works and various other protocols. If you don't know how a TCP handshake works, how addressing works, how NAT works, the difference between UDP and TCP and so on (ARP, HTTP, DHCP, ICMP, etc), you're not going to really understand much of anything Wireshark will show you.
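An added example, not from the thread, of the two steps the reply describes: once the SMTP session has been reassembled from the pcap (the bytes Wireshark's "Follow TCP Stream" shows), the attachment is recovered by isolating the DATA section of the protocol exchange and decoding the base64 MIME part. It uses only the Python standard library; the session, hosts, addresses and file name are constructed for the example, and the SHA-256 is computed so the recovered file can be logged as evidence.

```python
import base64
import email
import hashlib
from email import policy

# Constructed sample: the client side of one SMTP session as it appears after
# reassembling the TCP stream (hypothetical hosts, addresses and file name).
SMTP_STREAM = (
    b"EHLO mail.example.test\r\n"
    b"MAIL FROM:<alice@example.test>\r\n"
    b"RCPT TO:<bob@example.test>\r\n"
    b"DATA\r\n"
    b"From: alice@example.test\r\n"
    b"To: bob@example.test\r\n"
    b"Subject: report\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="xyz"\r\n'
    b"\r\n"
    b"--xyz\r\n"
    b"Content-Type: text/plain\r\n\r\nSee attached.\r\n"
    b"--xyz\r\n"
    b'Content-Type: application/octet-stream; name="notes.txt"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b'Content-Disposition: attachment; filename="notes.txt"\r\n'
    b"\r\n"
    + base64.b64encode(b"hello forensics\n") + b"\r\n"
    b"--xyz--\r\n.\r\nQUIT\r\n"
)

def extract_data_section(stream: bytes) -> bytes:
    """Return the RFC 5322 message sent between DATA and the lone '.' line."""
    start = stream.index(b"DATA\r\n") + len(b"DATA\r\n")
    end = stream.index(b"\r\n.\r\n", start)
    body = stream[start:end + 2]  # keep the CRLF that ends the last line
    # Undo SMTP dot-stuffing (RFC 5321 4.5.2): a line starting ".." meant "."
    return body.replace(b"\r\n..", b"\r\n.")

def recover_attachments(stream: bytes) -> list:
    """Parse the MIME message; return (filename, bytes, sha256) per attachment."""
    msg = email.message_from_bytes(extract_data_section(stream), policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        data = part.get_payload(decode=True)  # undoes base64 / quoted-printable
        found.append((part.get_filename(), data, hashlib.sha256(data).hexdigest()))
    return found
```

If the session ran over STARTTLS or SMTPS, the DATA section is not visible in the capture and this parsing cannot start, which is the encrypted case the reply warns about.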
