- Filter Wireshark for the FTP packets.
- Now if you already know the format of the file you are looking for great, if not, find the packet that says “Transfer OK” or “Transfer Complete”. Work backwards from that packet and find the name of the file and format.
- Google the format’s File Signature (i.e. PPTX File Signature). Then, in Wireshark CTRL+F and look for the Hex value of the File Signature.
- Right click the packet and click on Follow > TCP Stream.
- Once that is loaded change Show and save the data as “RAW”. Click on Save as…
The below video uses Capture the Packet’s scenario 1 | Insider Threat | Obfuscation. This is a private video. The video starts off on Step 3 and continues to on to find the secret message and decodes it.
