SANS Digital Forensics and Incident Response Blog: Daily Archives: Mar 10, 2009

Digital Forensics Training in Tysons Corner, VA

Great opportunity for digital forensic learning in Tysons Corner, Virginia!!

Wednesday, April 15, 2009 - Monday, April 20, 2009

Tired of courses with 40 people in the room and feeling ? SANS not only runs its major events 4 times a year, but also offers training at smaller local event venues with preferable instructor-to-student ratios. If you enjoy working in an environment where you get more attention from the instructor, with classroom sizes of 20 or smaller, then consider coming to Tysons Corner this April to take the in-demand SEC508 Computer Forensics, Investigation, and Response course.

The Sheraton Premier Hotel at Tysons Corner is the location.


Pulling binaries from pcaps

When I started writing this post, my intention was to show off some of the capabilities of NetworkMiner for recovering files from network packet captures. I have used NetworkMiner a few times to recover malware from pcaps. I like it because it automates the process. My plan was to contrast NetworkMiner's automated process against the more manual process of extracting files using Wireshark and a hex editor or the `foremost` command.
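As an added example (not from the post, and not NetworkMiner's or foremost's code), here is the manual route written out in Python: parse a classic pcap, reassemble each TCP flow by sequence number, carve the HTTP response body using the declared Content-Length, and hash it so the result can be checked against whatever an automated tool produced. It assumes Ethernet/IPv4 frames and ignores sequence wraparound and overlapping segments; the capture it runs on is constructed inline.

```python
import re, struct, hashlib
from collections import defaultdict

def frames(pcap):
    """Yield captured frames from a classic pcap file (not pcapng), either byte order."""
    e, off = ('<' if pcap[:4] == b'\xd4\xc3\xb2\xa1' else '>'), 24   # skip 24-byte global header
    while off + 16 <= len(pcap):
        caplen, = struct.unpack(e + 'I', pcap[off + 8:off + 12])
        yield pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen

def tcp_segment(frame):
    """Return (flow, seq, payload) for an Ethernet/IPv4/TCP frame, else None."""
    ip = frame[14:]
    if frame[12:14] == b'\x08\x00' and ip[9] == 6:                    # IPv4 carrying TCP
        tcp = ip[(ip[0] & 0xf) * 4:struct.unpack('!H', ip[2:4])[0]]  # IHL .. total length
        sport, dport, seq = struct.unpack('!HHI', tcp[:8])
        return (ip[12:16], sport, ip[16:20], dport), seq, tcp[(tcp[12] >> 4) * 4:]

def reassemble(pcap):
    """Join each flow's payloads in sequence order (no seq wraparound or overlap handling)."""
    flows = defaultdict(dict)
    for seg in filter(lambda s: s and s[2], map(tcp_segment, frames(pcap))):
        flows[seg[0]][seg[1]] = seg[2]        # a retransmission simply overwrites its seq
    return {k: b''.join(v[s] for s in sorted(v)) for k, v in flows.items()}

def carve_http_bodies(pcap):
    """Map flow -> (body, sha256) for every HTTP/1.x response stream in the capture."""
    out = {}
    for flow, stream in reassemble(pcap).items():
        end = stream.find(b'\r\n\r\n')
        if not stream.startswith(b'HTTP/1.') or end < 0:
            continue
        m = re.search(rb'content-length:\s*(\d+)', stream[:end], re.I)
        body = stream[end + 4:]
        body = body[:int(m.group(1))] if m else body    # honour the declared length
        out[flow] = (body, hashlib.sha256(body).hexdigest())
    return out

# Constructed sample: one response split mid-header over two segments, recorded out of order.
def _frame(seq, payload):
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0, b'\x0a\0\0\x01', b'\x0a\0\0\x02')
    tcp = struct.pack('!HHIIBBHHH', 80, 40000, seq, 0, 5 << 4, 0x18, 8192, 0, 0)  # PSH|ACK
    return b'\x00' * 12 + b'\x08\x00' + ip + tcp + payload                          # Ethernet

def sample_pcap():
    hdr = struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    resp = b'HTTP/1.1 200 OK\r\nServer: x\r\nContent-Length: 6\r\n\r\nMZ\x90\x00\x03\x00'
    recs = [_frame(1040, resp[40:]), _frame(1000, resp[:40])]          # tail captured first
    return hdr + b''.join(struct.pack('<IIII', 0, 0, len(r), len(r)) + r for r in recs)
```

Comparing the SHA-256 of each carved body with the hash of the file an automated extractor wrote out is a quick way to spot a download the tool silently skipped or truncated.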

However, NetworkMiner failed to automatically extract all the files that were being downloaded in the pcap file I was using. This underscores the importance of testing your tools. I have successfully used NetworkMiner with other pcaps to extract all files, so your mileage may vary. If you've got a packet capture that you want to extract files from, my suggestion would be to try NetworkMiner; it will