Network Forensics  - XPLICO Network Analysis - Network Forensics Analysis – How to analyse a PCAP file WITH XPLICO

Network forensics is a sub-branch of digital forensics relating to the monitoring and analysis of computer network traffic for the purposes of information gathering, legal evidence, or intrusion detection.

Unlike other areas of digital forensics, network investigations deal with volatile and dynamic information. Network traffic is transmitted and then lost, so network forensics is often a pro-active investigation.

WHAT IS A PCAP FILE

In the field of computer network administration, pcap (packet capture) consists of an interface (API) for capturing network traffic.

Unix-like systems implement pcap in the libpcap library; Windows uses a port of libpcap known as WinPcap.

It is a Data file created by Wireshark (formerly Ethereal), a free program used for network analysis; contains network packet data created during a live network capture; used for “packet sniffing” and analyzing data network characteristics; can be analyzed using software that includes the libpcap or WinPcap libraries

FORENSIC ANALYSIS MEDIUM

Well, we will be using a tool known as XPLICO, xplico is an open source NFAT (Network Forensic Analysis Tool), the goal of Xplico is extracted from an internet traffic capture the application’s data contained.

Must Read Complete Kali Tools tutorials from Information gathering to Forensics

For example, from a pcap file Xplico extracts each email (POP, IMAP, and SMTP protocols), all HTTP contents, each VoIP call (SIP), FTP, TFTP, and so on
To know more about XPLICO tool click here

PROCEDURE – Network Forensics

  • Open the terminal and start the xplico service by the command “etc/init.d/xplico start” or “service xplico start”

- NFAT 1 - Network Forensics Analysis – How to analyse a PCAP file WITH XPLICO

  • Go to browser and type the following url “ http://localhost:9876/ ”By the following credentials login to the xplico web interface

“Username : xplico”
“Password : xplico”

- NFAT 2 - Network Forensics Analysis – How to analyse a PCAP file WITH XPLICO

  • Click on the new case and give it a name and a reference number and click create.

- NFAT 3 - Network Forensics Analysis – How to analyse a PCAP file WITH XPLICO

  • Click on the case name (eg:test)

- NFAT 4 - Network Forensics Analysis – How to analyse a PCAP file WITH XPLICO

  • Click on new session and give it a name (eg: analysis-1) and click on create

- NFAT 5 - Network Forensics Analysis – How to analyse a PCAP file WITH XPLICO

  • Click on the name of the session (eg analysis-1)

- NFAT 6 - Network Forensics Analysis – How to analyse a PCAP file WITH XPLICO

  • Click on browse and browse your PCAP file

- NFAT 7 - Network Forensics Analysis – How to analyse a PCAP file WITH XPLICO

  • After loading it on xplico interface click on upload button

- NFAT 8 - Network Forensics Analysis – How to analyse a PCAP file WITH XPLICO

  • After the uploading process the tool will start decoding

- NFAT 9 - Network Forensics Analysis – How to analyse a PCAP file WITH XPLICO

  • After the decoding process, you will get the status as shown below

- NFAT 10 - Network Forensics Analysis – How to analyse a PCAP file WITH XPLICO

  • Now you can get the overview of analysis and in the left pane you will have the option to navigate to the analysis done (below is the screenshot of the graph of DNS messages).

- NFAT 11 - Network Forensics Analysis – How to analyse a PCAP file WITH XPLICO

CONCLUSION

XPLICO – This tool is simple and easy to use also it does an intense analysis of the Packet Capture –PCAP file, This tool pre-loaded in many penetration testing flavors such as KALI , PARROT OS, DEFT, Security Onion, Backbox, Pentooetc.

Source & credits

This article provided to www.gbhackers.com by Shankara Narayanan Co-Leader at Day, student at TamilNadu Dr. Ambedkar Law University.



Source link

No tags for this post.

LEAVE A REPLY

Please enter your comment!
Please enter your name here