GitBook: [master] 12 pages modified

SUMMARY.md

@@ -416,14 +416,21 @@
 ## Forensics
 
 * [Malware Analysis](forensics/malware-analysis.md)
-* [Pcaps analysis](forensics/pcaps-analysis/README.md)
-  * [Wifi Pcap Analysis](forensics/pcaps-analysis/wifi-pcap-analysis.md)
-  * [USB Keyboard pcap analysis](forensics/pcaps-analysis/usb-keyboard-pcap-analysis.md)
-  * [DNSCat pcap analysis](forensics/pcaps-analysis/dnscat-exfiltration.md)
-  * [Wireshark tricks](forensics/pcaps-analysis/wireshark-tricks.md)
 * [Basic Forensic Methodology](forensics/basic-forensic-methodology/README.md)
+  * [Anti-Forensic Techniques](forensics/basic-forensic-methodology/anti-forensic-techniques.md)
+  * [Docker Forensics](forensics/basic-forensic-methodology/docker-forensics.md)
+  * [Image Adquisition & Mount](forensics/basic-forensic-methodology/image-adquisition-and-mount.md)
+  * [Linux Forensics](forensics/basic-forensic-methodology/linux-forensics.md)
   * [Memory dump analysis](forensics/basic-forensic-methodology/memory-dump-analysis/README.md)
     * [Volatility - CheatSheet](forensics/basic-forensic-methodology/memory-dump-analysis/volatility-examples.md)
+  * [Partitions/File Systems/Carving](forensics/basic-forensic-methodology/partitions-file-systems-carving/README.md)
+    * [File/Data Carving Tools](forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-tools.md)
+    * [NTFS](forensics/basic-forensic-methodology/partitions-file-systems-carving/ntfs.md)
+  * [Pcap Inspection](forensics/basic-forensic-methodology/pcap-inspection/README.md)
+    * [DNSCat pcap analysis](forensics/basic-forensic-methodology/pcap-inspection/dnscat-exfiltration.md)
+    * [USB Keyboard pcap analysis](forensics/basic-forensic-methodology/pcap-inspection/usb-keyboard-pcap-analysis.md)
+    * [Wifi Pcap Analysis](forensics/basic-forensic-methodology/pcap-inspection/wifi-pcap-analysis.md)
+    * [Wireshark tricks](forensics/basic-forensic-methodology/pcap-inspection/wireshark-tricks.md)
   * [Specific Software/File-Type Tricks](forensics/basic-forensic-methodology/specific-software-file-type-tricks/README.md)
     * [.pyc](forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md)
     * [Browser Artifacts](forensics/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md)
@@ -434,15 +441,8 @@
     * [PNG tricks](forensics/basic-forensic-methodology/specific-software-file-type-tricks/png-tricks.md)
     * [Video and Audio file analysis](forensics/basic-forensic-methodology/specific-software-file-type-tricks/video-and-audio-file-analysis.md)
     * [ZIPs tricks](forensics/basic-forensic-methodology/specific-software-file-type-tricks/zips-tricks.md)
-  * [Partitions/File Systems/Carving](forensics/basic-forensic-methodology/partitions-file-systems-carving/README.md)
-    * [File/Data Carving Tools](forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-tools.md)
-    * [NTFS](forensics/basic-forensic-methodology/partitions-file-systems-carving/ntfs.md)
   * [Windows Artifacts](forensics/basic-forensic-methodology/windows-forensics/README.md)
     * [Interesting Windows Registry Keys](forensics/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.md)
-  * [Anti-Forensic Techniques](forensics/basic-forensic-methodology/anti-forensic-techniques.md)
-  * [Image Adquisition & Mount](forensics/basic-forensic-methodology/image-adquisition-and-mount.md)
-  * [Docker Forensics](forensics/basic-forensic-methodology/docker-forensics.md)
-  * [Linux Forensics](forensics/basic-forensic-methodology/linux-forensics.md)
 
 ## Physical attacks
 

forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-tools.md

@@ -48,7 +48,7 @@ This tool can scan an image and will **extract pcaps** inside it, **network info
 bulk_extractor memory.img -o out_folder
 ```
 
-Navigate through **all the information** that the tool has gathered \(passwords?\), **analyse** the **packets** \(read[ **Pcaps analysis**](../../pcaps-analysis/)\), search for **weird domains** \(domains related to **malware** or **non-existent**\).
+Navigate through **all the information** that the tool has gathered \(passwords?\), **analyse** the **packets** \(read[ **Pcaps analysis**](../pcap-inspection/)\), search for **weird domains** \(domains related to **malware** or **non-existent**\).
 
 ### PhotoRec
 

forensics/basic-forensic-methodology/pcap-inspection/README.md

@@ -1,6 +1,6 @@
-# Pcaps analysis
+# Pcap Inspection
 
-Start **searching** for **malware** inside the pcap. Use the **tools** mentioned in [**Malware Analysis**](../malware-analysis.md).
+Start **searching** for **malware** inside the pcap. Use the **tools** mentioned in [**Malware Analysis**](../../malware-analysis.md).
 
 A note about PCAP vs PCAPNG: there are two versions of the PCAP file format; PCAPNG is newer and not supported by all tools. You may need to convert a file from PCAPNG to PCAP using Wireshark or another compatible tool, in order to work with it in some other tools.
 
@@ -10,50 +10,27 @@ A note about PCAP vs PCAPNG: there are two versions of the PCAP file format; PCA
 * Extract **information** and search for **malware** inside a pcap in [**PacketTotal**](https://packettotal.com/)\*\*\*\*
 * Search for **malicious activity** using [**www.virustotal.com**](https://www.virustotal.com/) and [**www.hybrid-analysis.com**](https://www.hybrid-analysis.com/)\*\*\*\*
 
-## Basic Statistics
+## Extract Information
+
+The following tools are useful to extract statistic, files...
 
-### Capinfos
 
-```text
-capinfos capture.pcap
-```
 
 ### Wireshark
 
-_**You can find more Wireshark trick in:**_
+{% hint style="info" %}
+**If you are going to analyze a PCAP you basically must to know how to use Wireshark**
+{% endhint %}
+
+You can find some Wireshark trick in:
 
 {% page-ref page="wireshark-tricks.md" %}
 
-## Suricata
-
-### Install and setup
-
-```text
-apt-get install suricata
-apt-get install oinkmaster
-echo "url = http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz" >> /etc/oinkmaster.conf
-oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules
-```
-
-### Check pcap
-
-```text
-suricata -r packets.pcap -c /etc/suricata/suricata.yaml -k none -v -l log
-```
-
-## Ngrep
-
-If you are **looking** for **something** inside the pcap you can use **ngrep**. And example using the main filters:
-
-```text
-ngrep -I packets.pcap "^GET" "port 80 and tcp and host 192.168 and dst host 192.168 and src host 192.168"
-```
-
-## Xplico Framework
+### Xplico Framework
 
 Xplico can **analyze** a **pcap** and extract information from it. For example, from a pcap file Xplico extracts each email \(POP, IMAP, and SMTP protocols\), all HTTP contents, each VoIP call \(SIP\), FTP, TFTP, and so on.
 
-### Install
+#### Install
 
 ```bash
 sudo bash -c 'echo "deb http://repo.xplico.org/ $(lsb_release -s -c) main" /etc/apt/sources.list'
@@ -62,7 +39,7 @@ sudo apt-get update
 sudo apt-get install xplico
 ```
 
-### Run
+#### Run
 
 ```text
 /etc/init.d/apache2 restart
@@ -73,11 +50,11 @@ Access to _**127.0.0.1:9876**_ with credentials _**xplico:xplico**_
 
 Then create a **new case**, create a **new session** inside the case and **upload the pcap** file.
 
-## NetworkMiner
+### NetworkMiner
 
 Like Xplico it is a tool to analyze and extract objects from pcaps. It has a free edition that you can download [here](https://www.netresec.com/?page=NetworkMiner).
 
-## [BruteShark](https://github.com/odedshimon/BruteShark)
+### [BruteShark](https://github.com/odedshimon/BruteShark)
 
 * Extracting and encoding usernames and passwords \(HTTP, FTP, Telnet, IMAP, SMTP...\)
 * Extract authentication hashes and crack them using Hashcat \(Kerberos, NTLM, CRAM-MD5, HTTP-Digest...\)
@@ -86,8 +63,60 @@ Like Xplico it is a tool to analyze and extract objects from pcaps. It has a fre
 * Reconstruct all TCP & UDP Sessions
 * File Carving
 
+### Capinfos
+
+```text
+capinfos capture.pcap
+```
+
+### Ngrep
+
+If you are **looking** for **something** inside the pcap you can use **ngrep**. And example using the main filters:
+
+```text
+ngrep -I packets.pcap "^GET" "port 80 and tcp and host 192.168 and dst host 192.168 and src host 192.168"
+```
+
+### Carving
+
+Using common carving techniques can be useful to extract files and information from the pcap:
+
+{% page-ref page="../partitions-file-systems-carving/file-data-carving-tools.md" %}
+
+## Check Exploits/Malware
+
+### Suricata
+
+#### Install and setup
+
+```text
+apt-get install suricata
+apt-get install oinkmaster
+echo "url = http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz" >> /etc/oinkmaster.conf
+oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules
+```
+
+#### Check pcap
+
+```text
+suricata -r packets.pcap -c /etc/suricata/suricata.yaml -k none -v -l log
+```
+
+### YaraPcap
+
+\*\*\*\*[**YaraPCAP**](https://github.com/kevthehermit/YaraPcap) is a tool that 
+
+* Reads a PCAP File and Extracts Http Streams.
+* gzip deflates any compressed streams
+* Scans every file with yara
+* writes a report.txt
+* optionally saves matching files to a Dir
+
 ## Other pcap analysis tricks
 
-* [DNSCat pcap analysis](dnscat-exfiltration.md)
-* [USB Keyboard pcap analysis](usb-keyboard-pcap-analysis.md)
+{% page-ref page="dnscat-exfiltration.md" %}
+
+{% page-ref page="usb-keyboard-pcap-analysis.md" %}
+
+{% page-ref page="wifi-pcap-analysis.md" %}
 

forensics/basic-forensic-methodology/pcap-inspection/wifi-pcap-analysis.md

@@ -4,9 +4,9 @@
 
 When you receive a capture whose principal traffic is Wifi using WireShark you can start investigating all the SSIDs of the capture with _Wireless --> WLAN Traffic_:
 
-![](../../.gitbook/assets/image%20%28426%29.png)
+![](../../../.gitbook/assets/image%20%28426%29.png)
 
-![](../../.gitbook/assets/image%20%28429%29.png)
+![](../../../.gitbook/assets/image%20%28429%29.png)
 
 ### Brute Force
 
@@ -34,7 +34,7 @@ Once you have detected **unknown MAC** addresses communicating inside the networ
 
 Edit --> Preferences --> Protocols --> IEEE 802.11--> Edit
 
-![](../../.gitbook/assets/image%20%28427%29.png)
+![](../../../.gitbook/assets/image%20%28427%29.png)
 
 
 

forensics/basic-forensic-methodology/pcap-inspection/wireshark-tricks.md

@@ -34,11 +34,11 @@ Practice: [https://www.malware-traffic-analysis.net/](https://www.malware-traffi
 
 You can add a column that show the Host HTTP header:
 
-![](../../.gitbook/assets/image%20%28405%29.png)
+![](../../../.gitbook/assets/image%20%28405%29.png)
 
 And a column that add the Server name from an initiating HTTPS connection \(**ssl.handshake.type == 1**\):
 
-![](../../.gitbook/assets/image%20%28408%29.png)
+![](../../../.gitbook/assets/image%20%28408%29.png)
 
 ## Identifying local hostnames
 
@@ -46,11 +46,11 @@ And a column that add the Server name from an initiating HTTPS connection \(**ss
 
 In current Wireshark instead of `bootp` you need to search for `DHCP`
 
-![](../../.gitbook/assets/image%20%28409%29.png)
+![](../../../.gitbook/assets/image%20%28409%29.png)
 
 ### From NBNS
 
-![](../../.gitbook/assets/image%20%28406%29.png)
+![](../../../.gitbook/assets/image%20%28406%29.png)
 
 
 
@@ -62,7 +62,7 @@ In current Wireshark instead of `bootp` you need to search for `DHCP`
 
 _edit>preference>protocol>ssl>_
 
-![](../../.gitbook/assets/image%20%28263%29.png)
+![](../../../.gitbook/assets/image%20%28263%29.png)
 
 Press _Edit_ and add all the data of the server and the private key \(_IP, Port, Protocol, Key file and password_\)
 
@@ -73,11 +73,11 @@ To detect this search inside the environment for to variable `SSLKEYLOGFILE`
 
 A file of shared keys will looks like this:
 
-![](../../.gitbook/assets/image%20%2862%29.png)
+![](../../../.gitbook/assets/image%20%2862%29.png)
 
 To import this in wireshark go to _edit>preference>protocol>ssl>_ and import it in \(Pre\)-Master-Secret log filename:
 
-![](../../.gitbook/assets/image%20%28191%29.png)
+![](../../../.gitbook/assets/image%20%28191%29.png)
 
 ## ADB communication