
Network Forensics – Extracting audio, video and other binary data from capture files

I remember a few consulting gigs years ago where I was required to extract binary data such as Microsoft Word documents, audio and video files from network captures. The process was quite involved using sniffer, hex editors, base64 decoders and other software to accomplish the task. Today, there are many commercial and freely available pieces of software that hide the process involved in conducting these activities.

Assuming you have access to a network stream, either in your corporate network or at an ISP via a warrant and you capture the network data of a particular subject, how do you review the binary data contained in the capture? Let’s assume that you are profiling a subject and they are visiting myspace briefly and appear to be listening to an audio track that is streaming from a server to the subject.

To accomplish this, I often use a utility called Chaosreader. Chaosreader is an older utility written in Perl, but I find it still does a good job extracting binary data from a network capture in the standard pcap format. The other benefit is that since it is written in Perl, code review is possible to understand how technically this is accomplished.

To keep this post focused and easy to understand, I isolated the capture file so that it contains just the area where the user connected to myspace to start listening to the audio file in question, but this is not a requirement in a normal investigation.
Running Chaosreader on the capture file is a simple step. It lists a summary of the files created from the capture file and generates an index.html file that you can point your browser to.
Looking at the resulting output, it is obvious that the two files of interest are session_0005.part_01.data and session_0005.www.html. In a large capture with many sessions it is easier to view the generated index.html.
Viewing the index.html file in your browser shows a chart that breaks down each session, listing the timestamp, duration, 5-tuple, service, data size transmitted, and links to the files associated with the flow.

The session we are interested in is session 5. It is by far the largest and will be the audio file that was being streamed to the subject. What we do not know is what type of data was streamed. Was it wmv, mpeg, or some other format? Selecting the as_html link for session 5 displays a text version of the session, including the headers.

Here we can see two blocks of text. The first block, in red, shows the subject (client) requesting the resource to be streamed to them. The second block, in blue, is the server's response to that request. The header information is transmitted first and tells the client what data is about to follow; then the binary data itself is transmitted to the client. Specifically, if you look at the ‘Content-Type’ header, the data format is ‘audio/mpeg’.

Armed with this information, we simply rename the file session_0005.part_01.data which contains the binary stream to something more meaningful with a .mpg extension.
Select your preferred mpg player and play the file.
Keep in mind that, depending on the quality of the network connection, there is sometimes minor ‘noise’ in the output due to retransmits that happen on the network. Chaosreader provides other information not discussed here. I encourage anyone interested to experiment with it and with other software available from the open source community.
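Chaosreader's session files come out of exactly this kind of work: reassembling one direction of a TCP session, then reading the HTTP headers to learn what the body is. The Python below is an added example, not Chaosreader's code or the post's, that rebuilds a stream from (sequence number, payload) segments, discards the bytes a retransmitted segment repeats (the ‘noise’ mentioned above), and chooses a file extension from Content-Type. The MIME map and the sample segments are constructed assumptions.

```python
from typing import Dict, List, Tuple

# Content-Type values a stream may carry, mapped to an extension (assumed map;
# the post renames audio/mpeg data to .mpg, .mp3 is the conventional extension).
MIME_EXT: Dict[str, str] = {"audio/mpeg": "mp3", "video/mpeg": "mpg",
                            "video/x-ms-wmv": "wmv", "application/msword": "doc",
                            "text/html": "html"}

def reassemble(segments: List[Tuple[int, bytes]]) -> bytes:
    """Order one direction of a TCP session by sequence number, dropping bytes a
    retransmitted segment repeats (the 'noise' naive concatenation leaves in)."""
    stream = bytearray()
    base = min(seq for seq, _ in segments)
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        off = seq - base                       # byte offset of this segment
        if off > len(stream):
            raise ValueError(f"{off - len(stream)} bytes missing at offset {len(stream)}")
        stream += payload[len(stream) - off:]  # keep only bytes not yet seen
    return bytes(stream)

def carve_http_response(stream: bytes) -> Tuple[Dict[str, str], bytes, str]:
    """Split an HTTP/1.x response into (headers, body, suggested extension)."""
    head, sep, body = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("end of HTTP headers not found")
    headers: Dict[str, str] = {}
    for line in head.decode("iso-8859-1").split("\r\n")[1:]:  # skip status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if "content-length" in headers:            # trim anything past the body
        body = body[: int(headers["content-length"])]
    return headers, body, MIME_EXT.get(ctype, "data")

# Constructed sample: a server->client response split into segments that arrive
# out of order, with the header segment (seq 1001) retransmitted once.
_HEAD = b"HTTP/1.1 200 OK\r\nContent-Type: audio/mpeg\r\nContent-Length: 8\r\n\r\n"
_AUDIO = b"\xff\xfb\x90\x00ABCD"               # stand-in for MPEG audio bytes
SAMPLE_SEGMENTS = [
    (1001 + len(_HEAD), _AUDIO[:4]), (1001, _HEAD),
    (1001 + len(_HEAD) + 4, _AUDIO[4:]), (1001, _HEAD),   # retransmit
]

def extract_sample() -> Tuple[str, bytes, int]:
    """Run the pipeline on the sample; returns (ext, body, duplicate bytes dropped)."""
    stream = reassemble(SAMPLE_SEGMENTS)
    _, body, ext = carve_http_response(stream)
    naive_len = sum(len(p) for _, p in SAMPLE_SEGMENTS)  # arrival-order concat
    return ext, body, naive_len - len(stream)
```

Writing `body` to `session_0005.part_01.<ext>` reproduces the rename step from the post; the third return value is the number of bytes a simple concatenation would have duplicated.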

Categories: Forensics
  1. Erik
    December 3rd, 2008 at 07:24 | #1

    There is a much better application available for extracting transferred files from PCAPs. The tool is called NetworkMiner and is available at SourceForge.net.

    There is also a description for how to go about in order to dump media files (video, music etc.) to disk without first creating a pcap file. The description is available at the NetworkMiner wiki:

    http://networkminer.wiki.sourceforge.net/save+media+files

    NetworkMiner is, however, a Windows application. But you can run it under *nix OS’s by using Wine. Check this blog post out: Drunken Monkey: Running Network Miner with Wine

  2. Michael Dundas
    December 3rd, 2008 at 17:28 | #2

    Erik.

    Thank you for the comment. I will review network miner. I like open source forensic tools and love seeing progress in their development and use. I also feel that it is important that individuals are armed with a detailed understanding of how things work, which can be a problem if it is just a ‘tool’ they use. Technical understanding is important especially for credibility in court or in front of an executive team. To say “I did this with product X” is one thing, but you get more credibility if you can explain that this is how it actually works, and how the product does it.
    -mike
