PYTHON / SCAPY / NETWORK FORENSICS

Automated PCAP Artifact Extractor

root@kali:~/forensics$ python3 artifact_extractor.py -f evidence_001.pcap

--- Initializing Forensics Module ---

[*] Loading PCAP file (150MB)... Done.


[+] Analysis Started at 14:02:00

Scanning for DNS Anomalies...

> Found 12 unique DNS queries.

> Suspicious Domain Detected: update-windows-kernel.com (192.168.1.15)


Scanning for Plaintext Credentials (HTTP/FTP)...

[!] ALERT: Basic Auth Creds Found!

User: admin | Pass: P@ssw0rd123

Source: 192.168.1.5 -> Dest: 10.0.0.80 (Port 80)


Scanning for User Agents...

> Found: Mozilla/5.0 (Windows NT 10.0; Win64; x64)

> Found: Python-urllib/2.7 (Potentially malicious script)


[*] Extraction Complete. Evidence saved to: artifacts_report.json

The Objective

During network incident response, analysts often have to sift through gigabytes of packet captures (PCAPs) to find "smoking gun" evidence. While tools like Wireshark are powerful, manual inspection is slow.


I wanted to build a tool that automates the initial triage phase: parse the PCAP programmatically and pull out the high-value artifacts (credentials, DNS queries and User-Agent strings) without human intervention, so the analyst starts from a short list of leads rather than from the raw capture.

The Solution

Using Python and the Scapy library, I built a script that iterates over every packet in the capture and dispatches on the protocol layers Scapy dissects (HTTP requests, DNS questions), so each extractor only sees the packets it cares about.

Forensic Capabilities:

  • Credential Harvesting: matches "Authorization: Basic" headers in HTTP requests (Scapy's HTTPRequest layer, with a regex over raw TCP payloads as fallback) and base64-decodes the value into its user:password pair.
  • DNS Mapping: extracts every DNS question record (Scapy's DNSQR layer, not the QR flag bit) so the full list of queried domains can be reviewed for C2 (Command & Control) candidates.
  • User Agent Analysis: flags non-browser User-Agent strings (Python-urllib, curl, Wget) that are typical of droppers and scripted tooling, on the basis that real browsers almost always send a "Mozilla/5.0" prefix.
from scapy.layers import http  # make the HTTP dissector (HTTPRequest) available

def extract_http_headers(packet):
  # HTTPRequest is only present on the packet once the http layer is loaded
  if packet.haslayer(http.HTTPRequest):
    headers = packet[http.HTTPRequest].fields  # only headers present on the wire are set
    if 'Authorization' in headers:
      # Scapy field values are bytes; decode before printing
      print(f"[!] Creds Found: {headers['Authorization'].decode(errors='replace')}")
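The three extractions above, as an added example that is not the project's own code: the page's tool uses Scapy, but this version uses only the Python standard library (a minimal pcap reader plus the Basic-Auth, DNS question and User-Agent extractors) so it runs without Scapy installed and shows the wire-format offsets Scapy normally hides. The function names (`read_pcap`, `dns_questions`, `triage`, `sample_capture`), the hypothetical `/admin` and `/stage2.bin` requests and the sample capture itself are assumptions constructed for the example; the capture reproduces the three packets behind the demo output at the top of the page.

```python
import base64
import json
import re
import struct

BASIC_RE = re.compile(rb"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
UA_RE = re.compile(rb"User-Agent:\s*([^\r\n]+)", re.IGNORECASE)
BROWSER_UA = re.compile(r"^Mozilla/")  # real browsers send this prefix; scripted clients rarely do


def read_pcap(data):
    """Yield (src_ip, dst_ip, proto, sport, dport, payload) for each IPv4 TCP/UDP frame in a pcap."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"  # pcap headers use the writer's byte order
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 over Ethernet (link type 1)
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        l4 = frame[14 + ihl:]
        if proto == 6 and len(l4) >= 20:      # TCP: honour the data offset
            sport, dport = struct.unpack("!HH", l4[:4])
            payload = l4[(l4[12] >> 4) * 4:]
        elif proto == 17 and len(l4) >= 8:    # UDP: fixed 8-byte header
            sport, dport = struct.unpack("!HH", l4[:4])
            payload = l4[8:]
        else:
            continue
        yield src, dst, proto, sport, dport, payload


def dns_questions(payload):
    """Decode the QNAMEs of a DNS message; a well-formed question section has no compression pointers."""
    if len(payload) < 12:
        return []
    qdcount = struct.unpack("!H", payload[4:6])[0]
    names, off = [], 12
    for _ in range(qdcount):
        labels = []
        while off < len(payload):
            n = payload[off]
            off += 1
            if n == 0:
                break
            if n & 0xC0:  # pointer in a question: malformed or hostile, stop parsing
                return names
            labels.append(payload[off:off + n].decode("ascii", "replace"))
            off += n
        names.append(".".join(labels))
        off += 4  # skip QTYPE and QCLASS
    return names


def triage(pcap_bytes):
    """Run the three extractors over every frame and return a JSON-serialisable report."""
    report = {"credentials": [], "dns_queries": [], "user_agents": []}
    seen_ua = set()
    for src, dst, proto, sport, dport, payload in read_pcap(pcap_bytes):
        if proto == 17 and dport == 53:
            for name in dns_questions(payload):
                report["dns_queries"].append({"client": src, "name": name})
        if proto == 6:
            m = BASIC_RE.search(payload)  # per-segment match: a header split across segments is missed
            if m:
                try:
                    creds = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
                    user, _, pw = creds.partition(":")
                    report["credentials"].append({"user": user, "pass": pw, "src": src, "dst": dst, "port": dport})
                except ValueError:
                    pass  # not valid base64: worth logging, but not a credential
            m = UA_RE.search(payload)
            if m:
                ua = m.group(1).decode("utf-8", "replace").strip()
                if ua not in seen_ua:
                    seen_ua.add(ua)
                    report["user_agents"].append({"agent": ua, "suspicious": not BROWSER_UA.match(ua), "src": src})
    return report


def _frame(src, dst, proto, sport, dport, payload):
    """Ethernet/IPv4/(TCP|UDP) frame for the constructed sample; checksums are left zero."""
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip4 = lambda a: bytes(map(int, a.split(".")))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, ip4(src), ip4(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4


def sample_capture():
    """Constructed capture (not real evidence): the three packets behind the demo output on this page."""
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    for label in b"update-windows-kernel.com".split(b"."):
        dns += bytes([len(label)]) + label
    dns += b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    auth = (b"GET /admin HTTP/1.1\r\nHost: 10.0.0.80\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
            b"Authorization: Basic " + base64.b64encode(b"admin:P@ssw0rd123") + b"\r\n\r\n")
    script = b"GET /stage2.bin HTTP/1.1\r\nHost: 10.0.0.80\r\nUser-Agent: Python-urllib/2.7\r\n\r\n"
    frames = [_frame("192.168.1.15", "192.168.1.1", 17, 51000, 53, dns),
              _frame("192.168.1.5", "10.0.0.80", 6, 51001, 80, auth),
              _frame("192.168.1.15", "10.0.0.80", 6, 51002, 80, script)]
    pcap = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # little-endian, link type Ethernet
    for i, f in enumerate(frames):
        pcap += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return pcap


if __name__ == "__main__":
    print(json.dumps(triage(sample_capture()), indent=2))
```

Two caveats a practitioner should keep in mind when using this (or the Scapy version) on a real capture: the regexes run per TCP segment with no stream reassembly, so a header that straddles a segment boundary is silently missed, and anything inside TLS (HTTPS, DNS over HTTPS) is invisible to all three extractors. The "Mozilla/" heuristic is a triage filter, not a verdict: malware can spoof a browser string and legitimate update agents often do not send one.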


View Project on GitHub