[Bro] Renaming carved files

Seth Hall seth at icir.org
Thu Mar 3 06:54:53 PST 2016


> On Mar 3, 2016, at 8:32 AM, Michael Cochran <macochran0 at gmail.com> wrote:
> 
> This is pretty common practice among forensic network analysis tools. The page preview function is one of the reasons Netwitness is so popular with analysts. Dangerous as well, it will attempt to render entire pages of HTTP based off of carved files. I've recommended the analysts just look in files.log if they want to see the original file name.

I've never used netwitness, but wow.  I suppose you're saying that you need the files named as they were on the remote server so the page display works?  I would expect more html/css munging to be required even with the files named in the same way though, so you might as well just name the files in another way. :)

> From my perspective, the best solution is the mime type file analysis. To take it a step further a simple check to see if the mime type matches the file extension seen in the content-disposition header.

I'd be curious to see how many files don't match their declared mime types, I bet a lot.  I thought about writing a script to do this once, but then stopped myself because at the very least, there are lots of favicon files that are jpegs and gifs, but the remote server even declares in the header that it's actually an icon file (since servers typically just base the type on the file extension).  I would still be interested to see what people's experiences are if anyone ever takes it on though (i.e., does it catch anything worth following).

Thanks,
  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
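
The extension-versus-sniffed-type check discussed above, as an added example that is not part of the original thread and not Bro's own code: a small Python script that parses a Bro files.log (the ASCII TSV format with a `#fields` header and `-` for unset values), compares the sniffed `mime_type` column with the extension of the Content-Disposition `filename`, and reports mismatches. The expected-type table, the known-benign favicon cases and the sample log lines are constructed for illustration; the sample keeps only the files.log columns the check needs rather than Bro's full field set.

```python
import os

# Extensions and the sniffed MIME types Bro normally reports for their content.
# Assumption: this table is illustrative, not Bro's own file-signature set.
EXPECTED_MIME = {
    ".jpg":  {"image/jpeg"},
    ".jpeg": {"image/jpeg"},
    ".png":  {"image/png"},
    ".gif":  {"image/gif"},
    ".ico":  {"image/x-icon", "image/vnd.microsoft.icon"},
    ".pdf":  {"application/pdf"},
    ".zip":  {"application/zip"},
    ".exe":  {"application/x-dosexec"},
    ".html": {"text/html"},
    ".txt":  {"text/plain"},
}

# Mismatches that are common in practice and only worth a low severity:
# favicon.ico files are very often PNG, GIF or JPEG data (the point raised above).
KNOWN_BENIGN = {(".ico", "image/png"), (".ico", "image/gif"), (".ico", "image/jpeg")}


def parse_bro_log(text):
    """Parse Bro's ASCII log format: '#fields' names the columns, other
    '#' lines are metadata, fields are tab-separated and '-' means unset."""
    fields, rows = None, []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue
        values = line.split("\t")
        if fields is None or len(values) != len(fields):
            raise ValueError("data line before #fields header or column count mismatch")
        rows.append({k: (None if v == "-" else v) for k, v in zip(fields, values)})
    return rows


def find_mismatches(log_text):
    """Return records whose sniffed mime_type disagrees with the filename extension.
    Files without a Content-Disposition filename, without an extension, or with an
    extension not in EXPECTED_MIME are skipped because there is nothing to compare."""
    findings = []
    for rec in parse_bro_log(log_text):
        name, mime = rec.get("filename"), rec.get("mime_type")
        if not name or not mime:
            continue
        ext = os.path.splitext(name)[1].lower()
        expected = EXPECTED_MIME.get(ext)
        if expected is None or mime in expected:
            continue
        findings.append({
            "fuid": rec["fuid"],
            "filename": name,
            "mime_type": mime,
            "expected": sorted(expected),
            "severity": "low" if (ext, mime) in KNOWN_BENIGN else "high",
        })
    return findings


# Constructed sample files.log, trimmed to the columns used here (not real traffic).
SAMPLE_FILES_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tfiles",
    "#fields\tts\tfuid\tsource\tmime_type\tfilename\tseen_bytes",
    "#types\ttime\tstring\tstring\tstring\tstring\tcount",
    "1457017893.123456\tFa1b2c3d4e5f6\tHTTP\timage/png\tfavicon.ico\t1150",
    "1457017894.000001\tFb2c3d4e5f6a7\tHTTP\tapplication/x-dosexec\tinvoice.pdf\t221184",
    "1457017895.500000\tFc3d4e5f6a7b8\tHTTP\timage/jpeg\tphoto.jpg\t84211",
    "1457017896.250000\tFd4e5f6a7b8c9\tHTTP\tapplication/pdf\t-\t10240",
    "1457017897.750000\tFe5f6a7b8c9d0\tHTTP\ttext/plain\tREADME\t512",
])

if __name__ == "__main__":
    for f in find_mismatches(SAMPLE_FILES_LOG):
        print(f"{f['severity']:4} {f['fuid']} {f['filename']!r} sniffed as "
              f"{f['mime_type']}, expected {f['expected']}")
```

Run against a real files.log by passing its contents to `find_mismatches`; the favicon case comes out as "low" while a PE executable served as `invoice.pdf` comes out as "high", which is the kind of hit worth following up.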