Saturday, February 2, 2013

Backtrack Forensics: Xplico

Menu: Forensics -> Network Forensics
Directory: /usr/local/bin/
Official Website:
License: GNU GPL v2 + Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported

Xplico is an open source network forensic tool that extracts various kinds of data from network traffic. It can either work from a capture file or perform a capture itself. It can extract images, emails, web pages, VoIP streams, chat (MSN, IRC, ...), telnet, FTP data, etc. It has both a command line and a graphical interface. Let's see some basic usage:

I will use the graphical version, which we can start from the Backtrack menu. We get this:

We can go to http://localhost:9876/ and log in from there.
The default users are:
admin/xplico - for administration; we can't do the normal work with this account.
xplico/xplico - for normal work.
Once we have logged in, we need to open a new case. At that point we need to decide whether we will work from files or from live captures later; a single case can't do both.

Once we have a case, we can click on it and start working.

In the case, we need to create sessions, where we can load the pcap files or do the captures.

Once we have a session, we can enter it.

Once we enter a session, we can upload a file in the bottom-right corner, or, if we have a live capture case, start the capture there. On the left side we have the navigation bar, where we can select the various kinds of extracted information and browse within them. In the middle we have an overview of how many items we have of each data type.

Here is an example of images:

Here is a picture of the web URLs found in the session.

That's all in short. I ran a few captures, and the tool doesn't really find all of the images in a session. It might work better with other items.