All,
I have a pcap file that has an attachment. The attachment is an rtf with an embedded file. I don't know what the embedded file is other than I know it's an image. None of the standard jpg/gif/png headers are found in the file, so I assume that Windows does something with the header after embedding it? Anyway, what's the best way to extract this file out? I exported the selection that I thought I needed from Wireshark into a standard raw file and then opened it with a hex editor. I then copied what I thought I needed out of the hex file and saved it as an rtf. The text is legible, but the images are garbage. I have nothing but ascii characters in it.
Is there an easier way to extract the image out?
Thanks,
John
Images in RTF documents have the same headers as regular images, but are all in ASCII rather than hex. So a JPEG header will be FF D8 FF E0 in ASCII rather than 0xFF 0xD8 0xFF 0xE0.
If you've saved out the RTF and the images have messed up, then you haven't saved it out properly. If you just miss out one "{" or "}" in an RTF then it will mess up. Check where the first occurrence of "{" is and copy from then until the last occurence of "}"
Images in RTF documents have the same headers as regular images, but are all in ASCII rather than hex. So a JPEG header will be FF D8 FF E0 in ASCII rather than 0xFF 0xD8 0xFF 0xE0.
I found this in the text portion using a hex editor. I tried copying and pasting this portion into another file using the hex editor, but of course it doesn't paste the text values as hex values. I've also made 100% certain that I grabbed all of the {} symbols. While I can open the rtf file and read it, there aren't any images present. Is there a way that I could just extract the image, now that I found the header/trailers, by creating another file in the hex editor?
try parsing the pcap file with Network Miner
It's really good for extracting files from pcap files.
Maybe you missed something when you exported the data from the pcap file and if you are missing part of your RTF then that could of been part of your picture.
Hope this helps. D
Is there a way that I could just extract the image, now that I found the header/trailers, by creating another file in the hex editor?
If you just want the image, and not any meta info from the original file, why not just open up the RTF file in wordpad and copy/paste the image to a graphics program? To me it seems like you are over complicating things.