Wednesday, January 23, 2013

Backtrack Forensics: Capturing images with driftnet

Menu: Forensics -> Network Forensic Tools
Directory: /usr/bin/

driftnet is a tool that listens on a network interface, extracts images (and, experimentally in version 0.1.6, MPEG audio) from the TCP streams it sees, and displays them in a window.

Usage:

driftnet -h - help
driftnet - listen on the default interface, placed in promiscuous mode (use -i to pick one explicitly)
driftnet -p -i eth0 - listen only on eth0, and don't place it in promiscuous mode
driftnet -v -d driftnet/ -p -i eth0 - verbose mode, and use the driftnet/ directory for the captured images

Capturing needs root (libpcap has to open the interface), which is the default user on Backtrack anyway.
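driftnet does not parse HTTP: it captures with libpcap, reassembles the TCP connections it sees and scans their payload for image file signatures, cutting a file out wherever a complete one is found. The Python script below is an added illustration of that carving step; it is not driftnet's code and not part of this post. The "stream" it works on is constructed inline: a 35-byte GIF, a real 1x1 PNG built at runtime, and a JPEG stub that has a valid marker structure (including an embedded EXIF-style thumbnail marker pair) but is not a decodable picture, each behind a made-up HTTP response header. The last function carves pieces of the stream separately, as happens when segments are never reassembled, to show that an image whose bytes straddle a boundary is silently lost, which is one way a tool of this kind ends up with fewer images than the pages actually served.

```python
"""Carve images out of TCP payload the way driftnet does: ignore HTTP, find image
signatures, cut a file out once its end is found.  Added illustration, not driftnet's
code; every byte of sample data below is constructed."""
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

def _colour_table(packed):               # size of a GIF colour table from its packed byte
    return 3 * (2 << (packed & 7)) if packed & 0x80 else 0

def _gif_length(buf, start):
    """Walk GIF blocks from buf[start]; file length, or None if truncated or bogus."""
    n = len(buf)
    if start + 13 > n:
        return None
    pos = start + 13 + _colour_table(buf[start + 10])   # header, screen descriptor, table

    def skip_subblocks(p):               # length-prefixed blocks; a 0 byte ends them
        while p < n and buf[p]:
            p += 1 + buf[p]
        return p + 1 if p < n else None

    while pos is not None and pos < n:
        block, pos = buf[pos], pos + 1
        if block == 0x3B:                # trailer
            return pos - start
        if block == 0x21:                # extension: label byte, then sub-blocks
            pos = skip_subblocks(pos + 1)
        elif block == 0x2C and pos + 9 <= n:   # image descriptor, local table, LZW size
            pos = skip_subblocks(pos + 10 + _colour_table(buf[pos + 8]))
        else:
            return None
    return None

def _jpeg_length(buf, start):
    """Walk marker segments up to SOS, then find EOI; the walk skips the EOI of
    thumbnails embedded in APPn segments that a blind FFD9 search would stop at."""
    n, pos = len(buf), start + 2         # skip SOI
    while pos + 4 <= n and buf[pos] == 0xFF:
        marker, seglen = buf[pos + 1], struct.unpack(">H", buf[pos + 2:pos + 4])[0]
        if marker == 0xDA:               # SOS: entropy-coded data (FF always stuffed) follows
            end = buf.find(b"\xff\xd9", pos + 2 + seglen)
            return None if end < 0 else end + 2 - start
        pos += 2 + seglen
    return None

def _png_length(buf, start):
    """Walk PNG chunks until IEND; file length, or None if truncated."""
    pos = start + len(PNG_MAGIC)
    while pos + 8 <= len(buf):
        length, ctype = struct.unpack(">I4s", buf[pos:pos + 8])
        pos += 8 + length + 4            # chunk header, data, CRC
        if pos > len(buf):
            return None
        if ctype == b"IEND":
            return pos - start
    return None

CARVERS = ((b"GIF87a", "gif", _gif_length), (b"GIF89a", "gif", _gif_length),
           (b"\xff\xd8\xff", "jpeg", _jpeg_length), (PNG_MAGIC, "png", _png_length))

def carve_images(buf):
    """Return [(kind, offset, data)] for every complete image found in buf."""
    found, pos = [], 0
    while pos < len(buf):
        hit = next(((k, f(buf, pos)) for m, k, f in CARVERS if buf.startswith(m, pos)), None)
        if hit is None or hit[1] is None:   # no signature here, truncated, or false positive
            pos += 1
            continue
        found.append((hit[0], pos, buf[pos:pos + hit[1]]))
        pos += hit[1]
    return found

def carve_unreassembled(segments):
    """Carve each segment alone, as when a connection is not reassembled."""
    return [img for seg in segments for img in carve_images(seg)]

# --- constructed sample data: a 35-byte GIF, a real 1x1 PNG, a JPEG stub --------------
GIF_1X1 = bytes.fromhex("474946383961" "01000100800000000000ffffff"
                        "2c00000000010001000002024401003b")

def _png_chunk(ctype, data):
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

PNG_1X1 = (PNG_MAGIC + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
           + _png_chunk(b"IDAT", zlib.compress(b"\x00\xff\x00\x00")) + _png_chunk(b"IEND", b""))

# Valid marker structure, not a decodable picture; APP1 holds an embedded SOI/EOI
# pair, as EXIF thumbnails do, so a blind search for FFD9 would cut the file short.
JPEG_STUB = (b"\xff\xd8" + b"\xff\xe1\x00\x0c" + b"Exif\x00\x00" + b"\xff\xd8\xff\xd9"
             + b"\xff\xda\x00\x08" + b"\x01\x01\x00\x00\x3f\x00" + b"\x12\x34\xff\x00\x56"
             + b"\xff\xd9")

STREAM = (b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\n\r\n" + GIF_1X1
          + b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\n" + JPEG_STUB
          + b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n" + PNG_1X1)
```

`carve_images(STREAM)` returns the three files intact, whereas cutting the stream 20 bytes into the GIF and feeding the two halves to `carve_unreassembled` yields only the JPEG and the PNG: the GIF header is seen, the walk runs out of data, and nothing is ever emitted for it. Because the carver works on raw bytes, the HTTP framing is irrelevant, but for the same reason anything carried over TLS yields nothing at all.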

Here is the very basic run output. When we click on an image to save it, driftnet prints where it was saved and what name was used:


Here is what I get after visiting the Offensive Security and Backtrack Linux websites. It clearly couldn't extract everything. You can click on an image to save it.


Here is the output if running in verbose mode:


I visited many websites, a couple of them more than once, and it doesn't find all the images; it also finds different images on different visits. I think its network capture process is not that good.

Official website: http://www.ex-parrot.com/~chris/driftnet/
