Digital Forensics and Incident Response - Second Edition by Gerard Johansen

Author: Gerard Johansen
Language: eng
Format: epub
Tags: COM015000 - COMPUTERS / Security / Viruses and Malware, COM043050 - COMPUTERS / Security / Networking, COM060040 - COMPUTERS / Security / Online Safety and Privacy
Publisher: Packt
Published: 2020-01-29T05:43:15+00:00


Command-line tools

There are several command-line tools that can be utilized during the analysis of network packet captures. During more in-depth or lengthy incident response engagements, analysts may gather several packet capture files. It may be beneficial to combine these into a single file to make analysis easier. The application Mergecap does just that by combining several packet capture files. Mergecap is offered as part of the CAINE OS and can be executed utilizing the following command:

caine@caine:~$ mergecap -w mergedpacketcapture.pcap packetcapture1.pcap packetcapture2.pcap

Another command-line tool that is useful in analyzing packet captures is Editcap. Editcap allows analysts to split packet capture files into smaller segments for easier review. For example, an analyst may only want to look at captures that are broken up into 50,000 packet segments. This is helpful when an analyst has a large packet capture and dividing it would make searching easier. To do this, the analyst would type the following into the command line:

caine@caine:~$ editcap -F pcap -c 50000 evidence.pcap split.pcap

In the preceding command, Editcap took the evidence.pcap evidence file and divided it into 50,000 packet segments. Editcap can also be used to divide a larger packet capture into time segments. For example, if analysts want to divide a packet capture into 10-minute segments, they type in the following:

caine@caine:~$ editcap -F pcap -i 600 evidence.pcap split.pcap

Analysts may also find that, in some circumstances, they may want to isolate domain name registration traffic. This is due in large part to a variety of adversarial actions such as C2 traffic, data exfiltration, and the possible redirection to compromised websites, often leveraging vulnerabilities in the DNS system. The application Dnstop parses packet capture files and ascertains the sources and count of DNS queries from internal hosts. To install on a Linux system, the following command is used:

dfir@ubuntu:~$ sudo apt-get install dnstop

This command will download and install Dnstop. The packet capture used in the following example was taken from the Malware Traffic Analysis site located at https://www.malware-traffic-analysis.net/2019/03/13/index.html. If an incident response analyst wants to determine whether any IP addresses in the packet capture were sending outbound DNS queries, they simply execute the following command:

dfir@ubuntu:~/Documents/Packet Captures$ dnstop 2019-03-13-Emotet-with-Trickbot.pcap
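The per-source query count that Dnstop reports can be reproduced with a short parser, which is useful on an analysis host where the tool is not installed. The following is an added example, not code from the book or from Dnstop; it assumes a classic pcap file with Ethernet framing and counts only IPv4 UDP queries to port 53, and the sample capture and its 10.3.13.x addresses are constructed for illustration.

```python
import collections
import socket
import struct

def dns_query_sources(pcap):
    """Count DNS queries (UDP dst port 53, QR bit clear) per source IPv4 address."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"                      # little-endian classic pcap
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"                      # big-endian classic pcap
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (link type 1) captures are handled")
    counts, off = collections.Counter(), 24      # records follow the 24-byte header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        pkt = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # Ethernet (14 bytes) + IPv4: EtherType 0x0800, protocol byte 17 = UDP
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00" or pkt[23] != 17:
            continue
        udp = pkt[14 + (pkt[14] & 0x0F) * 4:]    # skip the IPv4 header (IHL words)
        if len(udp) < 20:                        # need UDP header + DNS header
            continue
        dport, flags = struct.unpack("!H", udp[2:4])[0], struct.unpack("!H", udp[10:12])[0]
        if dport == 53 and not flags & 0x8000:   # QR bit clear means a query
            counts[socket.inet_ntoa(pkt[26:30])] += 1
    return counts

def build_sample_pcap():
    """Constructed capture: 3 queries, 1 response, 1 packet to a non-DNS port."""
    def frame(src, dst, sport, dport, flags):
        dns = struct.pack("!6H", 0x1234, flags, 1, 0, 0, 0) + b"\x07example\x04test\x00" + struct.pack("!2H", 1, 1)
        udp = struct.pack("!4H", sport, dport, 8 + len(dns), 0) + dns
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
        return b"\x00" * 12 + b"\x08\x00" + ip + udp
    frames = [
        frame("10.3.13.101", "10.3.13.1", 50000, 53, 0x0100),
        frame("10.3.13.101", "10.3.13.1", 50001, 53, 0x0100),
        frame("10.3.13.102", "10.3.13.1", 50002, 53, 0x0100),
        frame("10.3.13.1", "10.3.13.101", 53, 50000, 0x8180),   # response, not counted
        frame("10.3.13.101", "10.3.13.9", 50003, 123, 0x0100),  # not port 53
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1552435200 + i, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    for ip, n in dns_query_sources(build_sample_pcap()).most_common():
        print(f"{ip:15} {n}")
```

To run it against a real capture, pass the file contents read in binary mode to dns_query_sources(); captures saved as pcapng must first be converted to pcap.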


