hex editing and file carving issue  

psalmtopzy
(@psalmtopzy)
New Member

Hello, good day. Please, I am new to network forensics and currently working on the Ann AIM case in the book Network Forensics: Tracking Hackers through Cyberspace. I used Wireshark to follow a TCP stream, then saved the TCP stream in raw format and tried to carve out a docx file, but I noticed that the dot sign "." had the hex value "2E" where it was supposed to be "00". I ignored that. After I got the start and end of the docx file and carved it out, it couldn't be opened; it showed that the file is corrupted or some parts are missing. So I concluded that the 2E hex value representing the dot sign instead of 00 might be the problem. I opened the TCP stream raw data with another hex editor but it was still the same, but the hex dump of the Wireshark TCP stream shows that the 2E is representing 00. Is there any way to rectify this issue?

Posted : 27/10/2018 1:23 pm
psalmtopzy
(@psalmtopzy)
New Member

Got a solution to the problem. I saved the TCP stream as ASCII instead of raw format. Saving as raw format produced the real hex value.

Posted : 28/10/2018 8:36 am
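
Added example, not part of the original posts: a Python sketch of why the carve in this thread failed and how to check a carved docx before trying to open it. The sample stream is constructed inline, the function names are hypothetical, and `ascii_render` is a simplified model of an ASCII save in which every non-printable byte is written as "." (0x2E).

```python
import io
import struct
import zipfile

LOCAL_HDR = b"PK\x03\x04"  # ZIP local file header signature (a docx is a ZIP container)
EOCD = b"PK\x05\x06"       # ZIP End of Central Directory signature

def build_sample_stream():
    """Constructed sample: a minimal docx-like ZIP wrapped in made-up protocol bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document>recipe</w:document>" * 20)
    return b"HDR\x00\x01\x02" + buf.getvalue() + b"\x00\x00TRAILER"

def ascii_render(data):
    """Simplified model of an ASCII save: non-printable bytes become '.' (0x2E)."""
    return bytes(b if 0x20 <= b < 0x7F else 0x2E for b in data)

def carve_zip(data):
    """Return bytes from the first local header through the EOCD record, or None."""
    start = data.find(LOCAL_HDR)
    eocd = data.rfind(EOCD)
    if start < 0 or eocd < start or eocd + 22 > len(data):
        return None
    (comment_len,) = struct.unpack_from("<H", data, eocd + 20)  # EOCD comment length
    return data[start:eocd + 22 + comment_len]

def is_intact(blob):
    """True if blob opens as a ZIP and every member passes its CRC check."""
    if blob is None:
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as z:
            return z.testzip() is None
    except zipfile.BadZipFile:
        return False

if __name__ == "__main__":
    raw = build_sample_stream()
    good = carve_zip(raw)
    start = raw.find(LOCAL_HDR)
    bad = ascii_render(raw)[start:start + len(good)]  # same offsets, ASCII-saved bytes
    print("raw carve intact:  ", is_intact(good))
    print("ascii carve intact:", is_intact(bad))
    print("signature found in ascii save:", carve_zip(ascii_render(raw)) is not None)
```

In the ASCII-rendered copy the signature bytes 0x03 0x04 and 0x05 0x06 have themselves become 0x2E, so a carve that matches on "PK" text alone can look right in a hex editor while the file is unrecoverable.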