Best way to find and extract images from traffic captured from SO


val...@gmail.com

Oct 15, 2014, 5:53:58 PM
to securit...@googlegroups.com
I am looking for a specific image that should have been captured by SO. What is the fastest and most efficient way to find and extract this data? The data may also have been over https.

Thanks

Lee Sharp

Oct 15, 2014, 7:33:33 PM
to securit...@googlegroups.com
On 10/15/2014 04:53 PM, val...@gmail.com wrote:
> I am looking for a specific image that should have been captured by SO. What is the fastest and most efficient way to find and extract this data? The data may also have been over https.

NetworkMiner. It is installed on the Security Onion server at
/opt/networkminer/networkminer and can be downloaded from
http://sf.net/projects/networkminer/files/latest and ignore the .exe...
It can run in Linux with mono. It can load pcaps and extract the files
from them. But, it can take a long time. The pcaps are located in
/nsm/sensor_data/HOSTNAME-INTERFACE/dailylogs/DATE/snort.log.SERIAL and
do not have a pcap extension. :)

Lee

jswan

Oct 16, 2014, 9:51:14 AM
to securit...@googlegroups.com
On Wednesday, October 15, 2014 3:53:58 PM UTC-6, val...@gmail.com wrote:
> I am looking for a specific image that should have been captured by SO. What is the fastest and most efficient way to find and extract this data? The data may also have been over https.
>
> Thanks

If the data was transferred via HTTPS you're out of luck unless you have the private key.

If it was transferred in the clear, the easiest way would be to find the corresponding Bro log entries using ELSA, extract the PCAP using CapME, then open the pcap in Networkminer or Wireshark and extract the image file.

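For the cleartext case, the carving step that NetworkMiner performs on the snort.log.SERIAL files can be reproduced directly. The block below is an added example, not code from the thread or from Security Onion: it walks a little-endian libpcap file, reassembles TCP payloads per flow by sequence number (Ethernet/IPv4 framing assumed), and carves JPEG and PNG bodies by file signature. The sample capture it builds is constructed inline; TLS payloads would of course carve nothing, as jswan notes.

```python
import struct

SIGS = {b"\xff\xd8\xff": (b"\xff\xd9", "jpg"),             # JPEG SOI .. EOI
        b"\x89PNG\r\n\x1a\n": (b"IEND\xaeB`\x82", "png")}  # PNG signature .. IEND chunk

def tcp_streams(pcap_bytes):
    """Reassemble TCP payloads per flow (src, sport, dst, dport), ordered by seq number."""
    if struct.unpack("<I", pcap_bytes[:4])[0] not in (0xa1b2c3d4, 0xa1b23c4d):
        raise ValueError("not a little-endian libpcap file (pcapng is not handled)")
    segs, off = {}, 24  # skip the 24-byte global header
    while off + 16 <= len(pcap_bytes):
        caplen = struct.unpack("<I", pcap_bytes[off + 8:off + 12])[0]
        frame, off = pcap_bytes[off + 16:off + 16 + caplen], off + 16 + caplen
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # only Ethernet / IPv4 / TCP frames are considered
        ip = frame[14:14 + struct.unpack("!H", frame[16:18])[0]]
        tcp = ip[(ip[0] & 0x0F) * 4:]
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:  # a retransmitted segment simply overwrites the earlier copy
            segs.setdefault((ip[12:16], sport, ip[16:20], dport), {})[seq] = payload
    return {k: b"".join(v[s] for s in sorted(v)) for k, v in segs.items()}

def carve_images(data):
    """Return [(ext, bytes)] for each signature..terminator span; truncated images are skipped."""
    found = []
    for magic, (end, ext) in SIGS.items():
        start = data.find(magic)
        while start != -1:
            stop = data.find(end, start + len(magic))
            if stop == -1:
                break
            found.append((ext, data[start:stop + len(end)]))
            start = data.find(magic, stop + len(end))
    return found

def extract_images(pcap_bytes):
    return [img for s in tcp_streams(pcap_bytes).values() for img in carve_images(s)]

# --- constructed sample capture (not real traffic): one HTTP response carrying a PNG stub ---
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 13 + b"IEND\xaeB`\x82"  # signature + padding + IEND
RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n" + PNG_STUB

def _frame(seq, payload):  # pcap record: Ethernet(IPv4) / IPv4 / TCP 10.0.0.5:80 -> 10.0.0.9:51234
    tcp = struct.pack("!HHIIBBHHH", 80, 51234, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9])) + tcp
    return struct.pack("<IIII", 0, 0, 14 + len(ip), 14 + len(ip)) + b"\x00" * 12 + b"\x08\x00" + ip

def build_sample_pcap():  # RESPONSE split over two segments, recorded out of order
    hdr = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)  # libpcap header, linktype 1
    return hdr + _frame(1030, RESPONSE[30:]) + _frame(1000, RESPONSE[:30])

if __name__ == "__main__":
    for i, (ext, blob) in enumerate(extract_images(build_sample_pcap())):
        print(f"image {i}: {ext}, {len(blob)} bytes")
```

To run it against a real capture, pass `open("/nsm/sensor_data/.../snort.log.SERIAL", "rb").read()` to `extract_images` and write each returned blob to a file with its extension.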