Digital Forensics and Incident Response by Johansen Gerard

Author:Johansen, Gerard [Johansen, Gerard]
Language: eng
Format: azw3
Tags: COM043050 - COMPUTERS / Security / Networking, COM053000 - COMPUTERS / Security / General, COM015000 - COMPUTERS / Security / Viruses and Malware
Publisher: Packt Publishing
Published: 2017-07-24T04:00:00+00:00

Command-line tools

There are several command-line tools that can be utilized during the analysis of network packet captures. During more in-depth or lengthy incident response engagements, analysts may gather several packet captures files. It may be beneficial to combine these multiple packet captures into one single file to make analysis easier. The application mergecap does just that by combining several packet capture files. Mergecap is made as part of the CAINE OS and can be executed utilizing the following command:

caine@caine:~$ mergecap -w mergedpacketcapture.pcap packetcapture1.pcap packetcapture2.pcap

Another command-line tool that is useful in analyzing packet captures is the tool editcap. Editcap allows analysts to manipulate the packet capture files into smaller segments for easier review. For example, an analyst may only want to look at captures that are broken up into 50,000 packet segments. This would be helpful if an analysts has a large packet capture and dividing makes searching easier. To do this, the analyst would type the following into the command line:

caine@caine:~$ editcap -F pcap -c evidence.pcap split.pcap

In the preceding command, editcap took the evidence file evidence.pcap and divided it out into 50,000 packet segments. Another technique that editcap can be leveraged for is to divide a larger packet capture into time segments. For example, if analysts want to divide a packet capture into 10-minute segments, they type in the following:

caine@caine:~$ editcap -F pcap-t+600 evidence.pcap split.pcap

Analysts may also find that, in some circumstances, they may want to isolate Domain Name Registration traffic. This is due in large to a variety of C2 traffic, data exfiltration, and the possible redirection to compromised websites, often leveraging vulnerabilities in the DNS system. The application DNS top parses packet capture files and ascertains the sources and count of DNS queries from internal hosts. For example, if an incident response analyst wants to determine whether any IP addresses were sending outbound DNS queries of the packet capture taken from http://www.malware-traffic-analysis.net/2017/02/21/index.html. The command entered would be:

forensics@ubuntu:~/Documents/Packet Captures$ dnstop -l 3 2017-02-21-Hancitor-malspam-traffic.pcap

The preceding command produces the following output:

Download

Copyright Disclaimer:
This site does not store any files on its server. We only index and link to content provided by other sites. Please contact the content providers to delete copyright contents if any and email us, we'll remove relevant links or contents immediately.