Forensic Lab Manual

Uploaded by ALWYN D SOUZA

-Pamela Stacey

What is Wireshark?
Wireshark is an open-source packet analyzer, which is used for education, analysis,
software development, communication protocol development, and network
troubleshooting.

It captures packets so that each one can be filtered to meet our specific needs. It is
commonly called a sniffer, network protocol analyzer, or network analyzer. It is also
used by network security engineers to examine security problems.

Installation of Wireshark Software


Below are the steps to install the Wireshark software on the computer:

○ Open the web browser.

○ Search for 'Download Wireshark.'

○ Select the Windows installer according to your system configuration, either 32-bit
or 64-bit. Save the program and close the browser.

○ Now, open the software and follow the installation instructions, accepting the
license.

○ Wireshark is ready for use.

Under the Network and Internet settings, we can check which interface is connected to
our computer.

If you are a Linux user, you will find Wireshark in your distribution's package repositories.

By selecting the current interface, we can capture the traffic traversing that
interface. The version used here is 3.0.3. This version opens as shown above:
the Wireshark main window, within which all capture and analysis work on the
network is carried out.

The options given in the list are the available capture interfaces; several may be
present. Selecting one captures all the traffic on that interface. For example, from the
above figure, select the Wi-Fi option. A new window then opens showing all the
current traffic on the network. The image below shows a live capture of packets, which
is how Wireshark will look:
The arrow in the figure above points to the packet content, shown in hexadecimal and
ASCII format. The information above the packet content is the detail of the packet header.

It will continue capturing all data packets, so a large amount of data accumulates. If you
want to examine a particular packet, click the red button to stop the capture. The display
then stops scrolling, and you can note parameters such as time, source, destination, the
protocol being used, length, and Info. To view details in depth, click on that particular
packet; much more information is displayed below it.

There is detailed information on HTTP packets, TCP packets, etc. The red (stop) button is
shown below:

The screen/interface of the Wireshark is divided into five parts:

○ The first part contains the menu bar and the options displayed below it. This part is at
the top of the window. The File and Capture menus are the most commonly used in
Wireshark. The Capture menu allows you to start the capturing process, and the File
menu is used to open and save a capture file.

○ The second part is the packet list window. It shows the packet flow, i.e., the
captured packets in the traffic. It includes the packet number, time, source,
destination, protocol, length, and info. We can sort the packet list by clicking on
a column name.

○ Next comes the packet details window. It contains detailed information
about the components of each packet. The protocol information can be expanded or
collapsed according to the information required.

○ The bottom window, called the packet bytes (contents) window, displays the
packet content in ASCII and hexadecimal format.

○ Finally, there is the filter field at the top of the display. The captured packets
on the screen can be filtered on any field according to your
requirements. For example, if we want to see only packets with the HTTP
protocol, we can apply a filter for it. Only the packets with HTTP as the
protocol will then be displayed on the screen, as shown below:
You can also select the connection to which your computer is connected. For example,
in this PC, we have chosen the current network, i.e., the ETHERNET.

After connecting, you can watch the traffic below:


Using the View menu on the menu bar, we can also change the layout of the interface. A
number of settings can be changed in the View menu, and any option can be enabled or
disabled according to the requirements.

There is a filter block below the menu bar, from which a large amount of data can be
filtered. For example, if we apply the filter 'http', only the packets using HTTP will
be listed.
If you want to filter according to the source, right-click on the source you want to filter
and select 'Apply as Filter' and choose '...and filter.'

The steps for permanent colorization are: click the 'View' option on the menu bar and
select 'Coloring Rules.' A table like the image shown below will appear:
For a network administrator role, advanced knowledge of Wireshark is considered a
requirement, so it is essential to understand the concepts of the software. Wireshark
ships with 20 default coloring rules, which can be added to or removed according to
the requirements.

Select the 'View' option and then choose 'Colorize Packet List', which is used to toggle
the coloring on and off.

Apply the filter 'http'. After the filter is applied, the screen will look as shown below:

The above screen is blank, i.e., there is no matching network traffic as yet.

Q1. Determine the website browsed using Wireshark

Open the browser. In this example, we have opened the 'Internet Explorer.' You can
choose any browser.

As soon as we open the browser and type any website address, traffic starts
appearing and the exchange of packets begins. The image for this is shown
below:
The process explained above is called packet sniffing.

Q 2. Username & Password Sniffing

It is the process used to find the username and password sent to a particular website.
Let's take the example of gmail.com. Below are the steps:
○ Open Wireshark and select the suitable interface.

○ Open the browser and enter the web address. Here, we have entered gmail.com,
which is highly secured. Enter your email address and the password. The image
is shown below:

○ Now, go to Wireshark and, in the filter block, enter 'frame contains
gmail.com.' You will then see some matching traffic.
○ Right-click on the particular packet and select 'Follow', then 'TCP Stream.'
You can see that all the data is protected in encrypted form.
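As an added illustration of the 'frame contains' filter used above (example code written for this manual, not part of the original lab material), the Python script below builds a two-packet capture in memory and applies a raw byte match the way Wireshark's filter does. The traffic is a constructed sample (addresses, ports and payloads are made up): the host name is visible in the cleartext HTTP frame but not inside the TLS application-data record, which is what the encrypted TCP stream in Q2 reflects.

```python
import struct
from socket import inet_aton, inet_ntoa

# Added example, not from the lab manual: a minimal libpcap reader that applies the
# equivalent of Wireshark's display filter  frame contains "gmail.com"  to a capture.
# All traffic below is constructed in memory; addresses and ports are made up.
ETH = bytes.fromhex("001122334455" "66778899aabb" "0800")   # dst MAC, src MAC, IPv4 ethertype

def tcp_frame(src, dst, sport, dport, payload, ident=1):
    """Ethernet + IPv4 + TCP frame carrying payload (checksums left zero; enough for parsing)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     ident, 0, 64, 6, 0, inet_aton(src), inet_aton(dst))
    return ETH + ip + tcp + payload

def build_pcap(frames):
    """Wrap raw frames in a libpcap global header (linktype 1 = Ethernet) and record headers."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for n, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1_000_000 + n, 0, len(frame), len(frame)) + frame)
    return b"".join(out)

def iter_frames(pcap):
    """Yield (number, raw_bytes) per record, numbered from 1 like Wireshark's packet list."""
    if struct.unpack("<I", pcap[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian libpcap file")
    off, number = 24, 1
    while off + 16 <= len(pcap):
        incl_len = struct.unpack("<IIII", pcap[off:off + 16])[2]
        yield number, pcap[off + 16:off + 16 + incl_len]
        off, number = off + 16 + incl_len, number + 1

def frame_contains(pcap, needle):
    """frame contains <needle>: a raw byte match over the whole frame, headers included."""
    if isinstance(needle, str):
        needle = needle.encode()
    hits = []
    for number, raw in iter_frames(pcap):
        if needle not in raw:
            continue
        ihl = (raw[14] & 0x0F) * 4                      # IPv4 header length in bytes
        src, dst = inet_ntoa(raw[26:30]), inet_ntoa(raw[30:34])
        sport, dport = struct.unpack("!HH", raw[14 + ihl:14 + ihl + 4])
        hits.append((number, src, dst, sport, dport))
    return hits

# Constructed traffic: a cleartext HTTP request, then a TLS application-data record
# (the host name is readable only in the first frame; inside TLS it is encrypted).
HTTP = b"GET / HTTP/1.1\r\nHost: gmail.com\r\n\r\n"
TLS = b"\x17\x03\x03\x00\x10" + bytes(range(16))
SAMPLE = build_pcap([tcp_frame("192.168.1.111", "203.0.113.10", 51000, 80, HTTP),
                     tcp_frame("192.168.1.111", "203.0.113.10", 51001, 443, TLS, 2)])
```

Calling `frame_contains(SAMPLE, "gmail.com")` returns only frame 1, the cleartext request; the same script can read a real capture saved by Wireshark in the classic pcap format.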

Questions will be asked based on the above material.


Reference Link: https://www.javatpoint.com/wireshark
Q3. Capture RAM / TCP dump
Step 1: Using the FTK Imager to Capture Memory
Once we have downloaded and installed FTK Imager, we should be greeted
by a screen like that below.

Next, click on the "File" pull down menu and go to the "Capture Memory"
selection.
It will open a window like that below. You will have to select where to store
your memory dump, what to call the file, whether you want to include the
page file (virtual memory), and whether you want to create an AD1 file
(AccessData's proprietary data type).
In my case, I created a directory called "memory dumps", named the file
memdump.mem
QuickCrypto: Steganography
Digital Forensics With Autopsy

What is Autopsy?

Autopsy is an open source digital forensics tool developed by Basis Technology,
first released in 2000. It is a free-to-use and quite efficient tool for hard drive
investigation, with features such as multi-user cases, timeline analysis, registry
analysis, keyword search, email analysis, media playback, EXIF analysis,
malicious file detection and much more.

How to install Autopsy?

Step 1: Download Autopsy from here.

Step 2: Run the Autopsy msi installer file.

Step 3: If you get a Windows prompt, click Yes.


Step 4: Click through the dialog boxes until you click a button that says Finish.

Step 5: Autopsy should be installed now.


Sample Questionnaire
Q1. What is the image hash?
Soln. AEE4FCD9301C03B3B054623CA261959A.
To check the image hash, click on the image and go to the File Metadata tab. (We check
the image hash to verify that it matches the hash recorded when the image was
created, i.e., that the evidence has not changed since acquisition.)
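As an added example (not part of the original lab manual) of the hash verification behind Q1, the Python script below hashes an image file in chunks and compares the result with the hash recorded at acquisition, inferring the algorithm from the digest length. The sample file and its expected digest are constructed for the demonstration, not taken from the case image.

```python
import hashlib
import os
import tempfile

# Added example, not from the lab manual: verify a forensic image against the hash recorded
# at acquisition time, reading in chunks so multi-gigabyte images need not fit in memory.

ALGORITHMS = {32: "md5", 40: "sha1", 64: "sha256"}   # hex-digest length -> hashlib name

def hash_image(path, chunk_size=1 << 20):
    """Return {"md5": ..., "sha1": ..., "sha256": ...} for the file, computed in one pass."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS.values()}
    with open(path, "rb") as fh:
        while chunk := fh.read(chunk_size):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def verify_image(path, expected):
    """Compare the image with an acquisition hash; returns (algorithm, actual_digest, matches)."""
    expected = expected.strip().lower()
    name = ALGORITHMS.get(len(expected))
    if name is None:
        raise ValueError("unrecognised digest length %d" % len(expected))
    actual = hash_image(path)[name]
    return name, actual, actual == expected

def demo(expected="900150983CD24FB0D6963F7D28E17F72"):
    """Constructed sample: a tiny 'image' containing b'abc', whose MD5 is the default expected value."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"abc")
        path = tmp.name
    try:
        return verify_image(path, expected)
    finally:
        os.unlink(path)

if __name__ == "__main__":
    print(demo())   # ('md5', '900150983cd24fb0d6963f7d28e17f72', True)
```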
Q2: What operating system was used on the computer?
Soln: Microsoft Windows XP.
For this, in the left side panel, we go to Results > Extracted Content > Operating System
Information.

Q3: When was the install date?


Soln: GMT: Thursday, August 19, 2004 10:48:27 PM
Q4. Who is the registered owner?
Soln. Greg Schardt

Q5. What is the computer account name?


Soln. N-1A9ODN6ZXK4LQ (Click on System file)
Q6. When was the last recorded computer shutdown date/time?
Soln. 2004/08/27–10:46:27
To find this, we go to
C:\WINDOWS\system32\config\software\Microsoft\Windows NT\CurrentVersion\Prefetcher\ExitTime
Q7. How many accounts are recorded (total number)?
Soln. 5 accounts: Administrator, Guest, HelpAssistant, Mr. Evil, and SUPPORT_388945a0
(Look at the Account Type column).
In the left side panel, we go to Results > Extracted Content > Operating System User Account.
Q8. Who was the last user to log on to the computer?
Soln. Mr. Evil (Can be checked through Date Accessed column)

Q9. List the network cards used by this computer?


Soln. Xircom CardBus Ethernet 100 + Modem 56 (Ethernet Interface)
Compaq WL110 Wireless LAN PC Card
We find the answer at C:\WINDOWS\system32\config\software\Microsoft\Windows NT\CurrentVersion\NetworkCards\
Q10. What is the IP address and MAC address of the computer?
Soln. IP=192.168.1.111
MAC=00:10:a4:93:3e:09
We go to C:/Program Files/Look@LAN/irunin.ini
Q11. List the programs that can be used for hacking purposes.
Soln. Cain & Abel v2.5 beta45 (password sniffer & cracker)
Ethereal (packet sniffer)
123 Write All Stored Passwords (finds passwords in registry)
Anonymizer (hides IP tracks when browsing)
CuteFTP (FTP software)
Look@LAN_1.0 (network discovery tool)
NetStumbler (wireless access point discovery tool)
WinPcap (provides low-level network access and a library for easily accessing the
low-level network layers)
In the left side panel, we go to Results > Extracted Content > Installed Programs

Q12. Which Email client is used by Mr. Evil?


Soln: Outlook Express, Forte Agent, MSN Explorer, MSN (Hotmail) Email
Go to C:/WINDOWS/system32/config/Clients/Mail
Q13. What is the SMTP email address for Mr. Evil?
Soln: whoknowsme@sbcglobal.net
We find the answer at C:\Program Files\Agent\Data\AGENT.INI
Q14. How many executable files are in the recycle bin?
Soln. There are 4 namely, Dc1.exe, Dc2.exe, Dc3.exe, Dc4.exe
We find those at C:/RECYCLER (RECYCLER is the directory for the Recycle Bin.)
Q15. Are there any viruses on the computer?
Soln. Yes, a zip bomb (unix_hack.tgz) is present.
For this, in the left side panel, we go to Results > Interesting Items > Possible ZipBomb >
Interesting Files. (Interesting Items is where Autopsy shows possibly malicious files.)

Q16. A popular IRC (Internet Relay Chat) program called MIRC was
installed. What are the userid, username, email and nickname used
when the user was online in a chat channel?
Soln. user=Mini Me, email=none@of.ya, nick=Mr, anick=mrevilrulez
We can find that at C:\Program Files\mIRC\mirc.ini
Q17. Ethereal, a popular "sniffing" program that can be used to
intercept wired and wireless internet packets, was also found to be
installed. When TCP packets are collected and re-assembled, the
default save directory is that user's /My Documents directory. What is
the name of the file that contains the intercepted data?
Soln. The file name is 'Interception'.
As hinted, we need to go through My Documents, which in this case is
Documents and Settings/Mr.Evil
Q18. What type of wireless computer was the victim (person who had
his internet surfing recorded) using?
Soln: Internet Explorer 4 on Windows CE
We find this in Interception file.

Q19. What websites victim was accessing?


Soln. Mobile.msn.com, MSN (Hotmail) Email
Q20. What is the web-based email address for main user?
Soln. mrevilrulez@yahoo.com (Through web history)
To find this, in the left side panel, we go to Results > Extracted Content > Web History and
look at websites where login might be required.

Tshark commands: https://opensource.com/article/20/1/wireshark-linux-tshark
