Mastering Python Forensics by Dr. Michael Spreitzenbarth

Author:Dr. Michael Spreitzenbarth
Language: eng
Format: epub
Publisher: Packt Publishing


Dshell can be installed in our lab environment by cloning the sources from GitHub at https://github.com/USArmyResearchLab/Dshell and running install-ubuntu.py. This script will automatically download the missing packages and build the executables that we will need afterwards. Dshell can be used against the pcap files that have been recorded during the incidents or as a result of an IDS alert. A packet capture (pcap) file is created either by libpcap (on Linux) or by WinPcap (on Windows).

In the following section, we will explain how an investigator can make use of Dshell by demonstrating the toolkit with real-world scenarios that are gathered from http://malware-traffic-analysis.net.

The first example is a malicious ZIP file that a user has encountered through an email link. The user logged in to Gmail and clicked the download link in the mail. This can easily be seen with the web decoder of Dshell, as follows:

user@lab:~$ source labenv/bin/activate
(labenv)user@lab:~$ ./dshell
(labenv)user@lab:~$ Dshell> decode -d web infected_email.pcap
web 2015-05-29 16:23:44 10.3.162.105:62588 -> 74.125.226.181:80 ** GET mail.google.com/ HTTP/1.1 // 200 OK 2015-05-29 14:23:40 **
web 2015-05-29 16:24:15 10.3.162.105:62612 <- 149.3.144.218:80 ** GET sciclubtermeeuganee.it/wp-content/plugins/feedweb_data/pdf_efax_message_3537462.zip HTTP/1.1 // 200 OK 2015-05-28 14:00:22 **


