Xplico

In this version:

• migrating to SQLite3
• telnet dissector
• webmail dissector
• webmail manipulator: Yahoo!, AOL, Hotmail (all without attachments)
• Improved LLC dissector
• Improved XI
• script to check new release (only in source code)

Hotmail (Live) depends on the language. Currently the languages supported are Italian and English.
Any feedback are welcome: forum.

You can download VirtualBox image, source code and Ubuntu 9.10 package here.

Currently there are at least 2 Forensic challenges in which Xplico can be used and can facilitate the analysis. These two challenges are:

• Forensic Challenge 2010 – pcap attack trace
• Ann’s AppleTV

We do not answer the questions, here we will give some indication of use of Xplico.

The “Ann’s AppleTV” pcap file has no particular problems of decoding, in fact if you process the pcap you obtain the data represented in the  two pictures below.

For the “Forensic Challenge 2010 – pcap attack trace” pcap  decoding requires more attention. In fact this pcap file has corrupted packet  (and not retransmitted), so you must disable the Xplico checksum verification (HowTo).

From cli the command is:

./xplico -c config/xplico_cli_nc.cfg -m pcap -f attack-trace.pcap

Since Xplico is able to recognize the protocols (not all) even if they use non-standard ports is easy to see what protocol was used and which data file was downloaded.
In the figure below there is the result of decoding with XI.

Enjoy .

This version of Xplico introduce new and important features:

• Facebook web chat dissector
• New XI based on CakePHP 1.2.5
• New representation of images
• For each image you can see (with the proxy enabled) the page where the image is contained
• WLAN and LLC basic dissectors
• HTTP dissector Improvements

You can download source code, Ubuntu 9.10 package and VirtualBox.org image here.

You can find this release in DEFT Vx5 Linux distribution.
You can download source code, Ubuntu 9.10 package and VirtualBox.org image here.

This version of Xplico introduce many new features:

• snoop Packet Capture File Format as input file
• DNS dissector with graphical representation in Xplico Interface (XI)
• NNTP dissector
• PPPOE dissector
• direct live acquisition from XI
• new dispatcher named CLI: this dispatcher organize the data extracted in a tree as this:
  
xdecode/<ip_src_1>/http
xdecode/<ip_src_1>/mail/
xdecode/<ip_src_1>/nntp
xdecode/<ip_src_1>/ftp
xdecode/<ip_src_1>/...
xdecode/<ip_src_2>/http
xdecode/<ip_src_2>/mail/
xdecode/<ip_src_2>/nntp
xdecode/<ip_src_2>/ftp
xdecode/<ip_src_2>/...


• default  CLI dispatcher in command line execution
• file extension for the HTTP contents

We have to thank:

• Carlos Gacimartín, for his help
• Doriano Azzena, for his support in debugging
• Matteo G.P. Flora for inspiration of DNS XI graphics
• Open Flash Chart team for their wonderful tool
• all forum users for their debug

Enjoy .

This release introduce the MMS dissector. With this dissector it is possible to reconstruct the MMS message transported by HTTP protocol and extracts the media contained. With the new release of  Web interface it is possible to view photos, texts and videos contained in MMS messages.

In this release of Xplico we have introduced the generations of geographical and temporal map of data rebuilding by Xplico. This feature named GeoMap can be used both with console mode and Web interface. The files generated by GeoMap are kml files an can be used with Google Earth. To allow the visualization of the connections whose source is a private IP address, we have decided that the private IP address are located  in Venice (this is a temporary solution).

We have to thank:

• Collin Richard Mulliner for your mms messages
• Kowsik Guruswamy for your Cap’r Makr’ tool, and for your very fast support
• SecViz for inspiration of GeoMap
• MaxMin for your open source GeoIP library
• Wireshark team for… ALL

An example of MMS over HTTP you can find here.This pcap was generated with Cap’r Makr’ and with the mms of Flavio Poletti.

Any bug reports or suggestions are welcome.

If you sniff, with tcpdump or other tools, all Gmail traffic (before login) and you give this capture to Xplico using Web interface, then you can view the emails of Gmail, even if you have not read the email (this is true only for the first emails on the list).
Obviously, before capture the Gmail traffic, you must clean the cache of Firefox to force the download of all contents, this to allow Xplico to rebuild all data.
The Web interface (PHP code) is necessary and it is also necessary:

1. to use Firefox in the same machine where is Web interface (Apache)
2. to enable proxy in Firefox  (HTTP porxy: localhost Port: 80).

You can use DEFT (v3x, v4, …) to test this feature.

Even Google Calendar can  be rebuilt with Xplico. In this screenshot you can view an example, obtained from the pcap file extracted from gmail.com.pcap.e01 archive of  PyFlag project.

This feature is experimental and it is in development. Now the engine is written in PHP but we are developing an engine in C with many more features.

By March there will be a new release of  Xplico. This new release will have the geographical map of the reconstructions, and (perhaps) the dissector for Multimedia Messaging Service.
An example of geographical map can be found here.

This is the first experiment of use of Flare library.

Thanks to Raffael Marty for his help with Flare.

In this representation are listed all dissectors with their bonds of dependency.