[Bro] Renaming carved files

Michael Cochran macochran0 at gmail.com
Thu Mar 3 05:32:58 PST 2016


This is pretty common practice among forensic network analysis tools. The
page preview function is one of the reasons Netwitness is so popular with
analysts. Dangerous as well, it will attempt to render entire pages of HTTP
based off of carved files. I've recommended the analysts just look in
files.log if they want to see the original file name. From my perspective,
the best solution is the mime type file analysis. To take it a step further,
a simple check to see if the mime type matches the file extension seen in
the content-disposition header.

On Thu, Mar 3, 2016 at 12:21 AM, Seth Hall <seth at icir.org> wrote:

>
> > On Mar 1, 2016, at 12:35 PM, Michael Cochran <macochran0 at gmail.com>
> wrote:
> >
> > I'm trying to find a simple way to rename a carved file back to its
> original file name using bro-script rather than having bash try to rip it
> out of the files.log file.
>
> I actually had this fully implemented a long time ago (naming files as
> they were named on the wire), but then I ripped it all out because it gave
> attackers the ability to control files being written on your file system.
> FireEye just got caught doing nearly this same thing recently and it turned
> out to be an evasion for them.  I generally would not recommend going down
> the path of letting attackers control file names on your disk because
> you're likely to open a much larger hole than an evasion if you aren't
> extremely careful.
>
> I am curious why you would like to do that though?  Is it purely for
> convenience when you are doing analysis?
>
>   .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
>
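Added example, not code from either poster: a Bro script that takes the approach suggested above, extracting every file under a name Bro generates (source and file id) so the Content-Disposition name never reaches the filesystem, and raising a notice when the sniffed MIME type disagrees with the extension claimed in the wire filename. It assumes the Bro 2.4 file-analysis API (`file_sniff`, `Files::ANALYZER_EXTRACT`) and a small extension-to-MIME table defined in the script itself.

```bro
# Keep attacker-supplied names out of the extraction directory and flag
# files whose sniffed MIME type does not match their claimed extension.
@load base/frameworks/files
@load base/frameworks/notice
@load base/files/extract

module MimeExtCheck;

export {
    redef enum Notice::Type += {
        ## Sniffed MIME type does not match the extension in the wire filename.
        Mime_Extension_Mismatch,
    };

    ## Extensions to check and the MIME types Bro's sniffer reports for them
    ## (assumed table, extend as needed).
    const expected_mime: table[string] of set[string] = {
        [".exe"] = set("application/x-dosexec"),
        [".dll"] = set("application/x-dosexec"),
        [".pdf"] = set("application/pdf"),
        [".zip"] = set("application/zip"),
        [".jpg"] = set("image/jpeg"),
        [".gif"] = set("image/gif"),
    } &redef;
}

event file_new(f: fa_file)
    {
    # On-disk name comes from the file id Bro generated, never from the wire;
    # the original name stays available as the filename column of files.log.
    local safe_name = fmt("%s-%s", f$source, f$id);
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=safe_name]);
    }

event file_sniff(f: fa_file, meta: fa_metadata)
    {
    if ( ! meta?$mime_type || ! f?$info || ! f$info?$filename )
        return;

    # Extension as claimed by Content-Disposition, lower-cased, dot included.
    local ext = to_lower(find_last(f$info$filename, /\.[a-zA-Z0-9]+$/));
    if ( ext !in expected_mime )
        return;

    if ( meta$mime_type !in expected_mime[ext] )
        NOTICE([$note=Mime_Extension_Mismatch,
                $msg=fmt("%s claims %s but sniffed as %s",
                         f$info$filename, ext, meta$mime_type),
                $f=f]);
    }
```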