Pieces0310

取证须让证物说话,莫妄以自我心证来给案情下定论.切忌画靶射箭,为找而找. 取证的根基仰赖经验与判断,在IT各领域的经验愈丰富,愈能看出端倪. 取证须善用工具,但不过度依赖工具.工具只能帮你缩小可能范围,但无法告诉你答案,仍需靠人进行分析判断.

联系 订阅 管理
  132 Posts :: 0 Stories :: 64 Comments :: 0 Trackbacks

A case about suspicious malware App. A forensic examiner capatured some pcap files and he'd to know where the desitnation is. Let me show you how to solve it with wireshark. First you have to download GeoIP database files. Extract those archive files and put them into some directory.

 

Now goto [EDIT]->[Preference]

 

Click [Name Resolution] and [Edit] to setup the directory of GeoIP databases.

 

Click [New] to create a new entry.

 

 

Browse the directory to find where the GeoIP database files located.

 

Don't forget to click [OK] and restart wireshark.

 

 

Open a pcap file and click [Statistics]->[Endpoints]->[IPv4]

 

Take a look at [Country] and [City] and you will find where this malware has been.

 

posted on 2017-04-17 22:40 Pieces0310 阅读(...) 评论(...) 编辑 收藏