pcapfex – Packet CAPture Forensic Evidence eXtractor

pcapfex ‘Packet CAPture Forensic Evidence eXtractor’ is a tool that finds and extracts files from packet capture files. The power of pcapfex lies in its ease of use. You only provide it a pcap file and are rewarded with a structured export of all files found in it.

pcapfex allows data extraction even if non-standard protocols were used. Its easy-to-understand plugin system offers Python developers a quick way to add more file types, encodings or even complex protocols.


There are several protocols and services that may transfer files over the network in the clear, including HTTP, FTP, SMB or TFTP. If the incident response team collects a full packet capture, it is possible to recover the required files for analysis.

Depending on the tool and the protocol, in some cases only part of a file can be extracted, while in others the full file was transmitted and can be recovered in whole. The tool has a checksum verification option that can check the content of the network capture. Its plugins recognize and decode the required file types, such as zip, bmp, elf, exe, gif, jpeg, mp3, mpg, pdf, png, rar, wav, mkv and more.
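To make the two steps above concrete (reassembling a flow out of a capture, then carving files out of it by their magic bytes, including the partial-transfer case), here is an added, self-contained Python example. It is not pcapfex's own code and does not use its plugin API; the signature table, the constructed capture and the function names are assumptions for illustration. It parses a classic libpcap file with only the standard library, orders TCP segments per flow by sequence number (dropping retransmissions; gaps and overlapping segments are not handled), and carves by header/trailer signature, flagging a file whose trailer never arrived as partial.

```python
"""Minimal pcap file carver: parse libpcap, reassemble TCP streams, carve by magic bytes.
Added example, not pcapfex code; signature table and sample capture are constructed here."""
import struct
from collections import defaultdict

# Assumed (header, trailer) signatures; pcapfex's own plugin tables are not reproduced.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "gif": (b"GIF8", b"\x00;"),
}


def parse_pcap(data):
    """Yield raw Ethernet frames from a classic libpcap file (either byte order)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic libpcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only LINKTYPE_ETHERNET is handled")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def tcp_segment(frame):
    """Return (flow_key, seq, payload) for an IPv4/TCP frame, or None otherwise."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:  # protocol field: not TCP
        return None
    tcp = ip[ihl:total_len]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    data_off = (tcp[12] >> 4) * 4
    return (ip[12:16], sport, ip[16:20], dport), seq, tcp[data_off:]


def reassemble(frames):
    """Concatenate each flow's payload in sequence order; duplicate seqs (retransmits) are dropped.
    Sequence-number wraparound, gaps and overlapping segments are deliberately not handled."""
    flows = defaultdict(dict)
    for frame in frames:
        seg = tcp_segment(frame)
        if seg and seg[2]:
            key, seq, payload = seg
            flows[key].setdefault(seq, payload)
    return {key: b"".join(p for _, p in sorted(segs.items())) for key, segs in flows.items()}


def carve(stream):
    """Carve (kind, complete, bytes) by header/trailer; a header with no trailer is partial."""
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        pos = 0
        while (start := stream.find(head, pos)) >= 0:
            end = stream.find(tail, start + len(head))
            if end < 0:  # transfer cut off: keep what we have, mark it incomplete
                found.append((kind, False, stream[start:]))
                break
            end += len(tail)
            found.append((kind, True, stream[start:end]))
            pos = end
    return found


def extract_files(pcap_bytes):
    """Whole pipeline: pcap -> TCP streams -> carved files, tagged with their flow."""
    results = []
    for key, stream in reassemble(parse_pcap(pcap_bytes)).items():
        for kind, complete, blob in carve(stream):
            results.append({"flow": key, "kind": kind, "complete": complete, "data": blob})
    return results


# --- Constructed sample capture (not a real capture) ---------------------------
PNG = SIGNATURES["png"][0] + b"\x00\x00\x00\rIHDR" + b"\x00" * 17 + b"\x00\x00\x00\x00IEND\xaeB`\x82"
TRUNCATED_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01"  # capture ends before FF D9


def frame(seq, payload, sport=80, dport=51234):
    """Ethernet/IPv4/TCP frame with zeroed checksums; enough for the parser above."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02") + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip


def pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


http = b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\nContent-Length: %d\r\n\r\n" % len(PNG) + PNG
a, b, c = http[:40], http[40:70], http[70:]
SAMPLE_PCAP = pcap([
    frame(1000, a),
    frame(1070, c),                                   # arrives before b (out of order)
    frame(1040, b),
    frame(1040, b),                                   # retransmission, must not duplicate data
    frame(5000, TRUNCATED_JPEG, sport=8080, dport=40000),
])

if __name__ == "__main__":
    for f in extract_files(SAMPLE_PCAP):
        print(f["kind"], "complete" if f["complete"] else "PARTIAL", len(f["data"]), "bytes")
```

Run it against a real capture by replacing `SAMPLE_PCAP` with the bytes of a `.pcap` file (not pcapng, which has a different container format). The point of the partial flag is the one the paragraph makes: whether you get a whole file or a fragment depends on what the capture contains, so a carver should report truncation rather than silently emit a short file.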

You can read more and download the tool over here: https://github.com/vikwin/pcapfex
