wireless investigations using xplico
DESCRIPTION
A quick guide to using Xplico for wireless investigations. Xplico analyzes a capture file taken from a suspect's wireless network and performs carving techniques to extract artifacts.
TRANSCRIPT
XPLICO for forensics investigation
Basic usage guide
By Chris Harrington

Requirements
Linux OS
◦ Kali (used for this test)
◦ Backtrack
◦ Others will work too
Installed applications
◦ Xplico
◦ Apache
CAPTURE file from the suspect's wireless network

Start Apache
Open a terminal window and type:
/etc/init.d/apache2 start

Start Xplico
Start the Xplico services:
/etc/init.d/xplico start

Open a browser window
Navigate to http://localhost:9876
Xplico listens on port 9876 by default

Login to Xplico
Default username and password
Username: xplico
Password: xplico

Create a new case
After logging in, the case overview shows "Create a new case"

New case information
Specify a case name and create the case

Case overview
The new case is shown in the case overview
Click on the new case to enter it

Case sessions
Within the case overview is the sessions overview. Sessions are capture files linked to the case
Click "New Session"

New session
Enter the session name

Session overview
The new session is shown; click on it to enter it

Analysis overview
This page shows artifacts found in previously decoded CAPTURE files. Click "Browse" and upload the suspect's CAPTURE file

Decoding
Depending on the size of your CAPTURE file, it may take some time to finish decoding and searching for artifacts

Finished decoding
The overview shows which artifacts were found. Use the menu on the left to navigate through them

Example
Websites visited that were found and extracted

Notes
Xplico offers quick and easy packet analysis.
Other data that can be extracted:
◦ RTP and SIP streams
◦ Emails
◦ Images
◦ And much more
It is always a good idea to run other carving tools on the CAPTURE file as well
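Before the upload step above, an investigator normally verifies that the file really is a capture and records its hash so the evidence can be re-checked after Xplico (and any other carving tools) have run. The script below is an added example, not part of the original slides or of Xplico; it assumes a libpcap or pcapng file and that sha256sum or shasum is installed.

```shell
#!/bin/sh
# Added example, not from the original slides: pre-upload checks on the
# suspect's capture file before it is handed to Xplico. Assumes the file is a
# libpcap or pcapng capture and that sha256sum (or shasum) is available.

# Return 0 when the first four bytes match a libpcap or pcapng magic number.
# The upload step expects a capture file, so reject anything else early.
capture_is_pcap() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        d4c3b2a1|a1b2c3d4) return 0 ;;  # libpcap, microsecond timestamps
        4d3cb2a1|a1b23c4d) return 0 ;;  # libpcap, nanosecond timestamps
        0a0d0d0a)          return 0 ;;  # pcapng section header block
        *)                 return 1 ;;
    esac
}

# Print the SHA-256 of a file; the same value before and after the Xplico run
# shows the evidence file was not altered by the analysis.
capture_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Compare a file against a previously recorded hash; returns 0 if unchanged.
capture_unchanged() {
    [ "$(capture_hash "$1")" = "$2" ]
}

# Run both checks, append a custody line (timestamp, hash, path) to a log
# file (default custody.log), and print the hash on success.
prepare_capture() {
    capture_is_pcap "$1" || { echo "not a pcap/pcapng file: $1" >&2; return 1; }
    h=$(capture_hash "$1")
    printf '%s  %s  %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$h" "$1" >> "${2:-custody.log}"
    echo "$h"
}
```

Run `prepare_capture suspect.pcap` before uploading and `capture_unchanged suspect.pcap <hash>` afterwards; a mismatch means the file you analyzed is no longer the file you recorded.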