Version 3.1.3 of Autopsy Required
This Autopsy module extracts packet captures (pcaps) from data sources. It lists the extracted files under a "PCAPs" tab within "Interesting Files" and makes them available for parsing by the KeywordSearch ingest module.
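As an added example (not the module's own code, and not from the Autopsy project), the script below shows one way a carving tool can recognise pcap and pcapng data by their file headers, walk the records of a classic pcap to confirm it is intact, and locate capture headers at arbitrary offsets inside a larger buffer. How netarchae.py itself identifies pcaps is not stated on this page; the magic values used are those of the libpcap and pcapng formats, and all sample buffers are constructed inline.

```python
import struct

# First four bytes of a classic libpcap file, mapped to (struct endianness, description).
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", "pcap (little-endian, microsecond timestamps)"),
    b"\xa1\xb2\xc3\xd4": (">", "pcap (big-endian, microsecond timestamps)"),
    b"\x4d\x3c\xb2\xa1": ("<", "pcap (little-endian, nanosecond timestamps)"),
    b"\xa1\xb2\x3c\x4d": (">", "pcap (big-endian, nanosecond timestamps)"),
}
# pcapng: a Section Header Block starts with block type 0x0A0D0D0A, then a 4-byte
# block length, then the byte-order magic 0x1A2B3C4D written in the file's endianness.
PCAPNG_BLOCK_TYPE = b"\x0a\x0d\x0d\x0a"
PCAPNG_BOM_BE = b"\x1a\x2b\x3c\x4d"
PCAPNG_BOM_LE = b"\x4d\x3c\x2b\x1a"

PCAP_GLOBAL_HEADER_LEN = 24
PCAP_RECORD_HEADER_LEN = 16


def identify_capture(data):
    """Return a description if `data` begins with a pcap or pcapng header, else None."""
    magic = data[:4]
    if magic in PCAP_MAGICS:
        return PCAP_MAGICS[magic][1]
    if magic == PCAPNG_BLOCK_TYPE and len(data) >= 12:
        bom = data[8:12]
        if bom == PCAPNG_BOM_BE:
            return "pcapng (big-endian)"
        if bom == PCAPNG_BOM_LE:
            return "pcapng (little-endian)"
    return None


def walk_pcap_records(data):
    """Parse a classic pcap buffer and return (link_type, record_count, truncated).

    Each record header holds ts_sec, ts_usec, incl_len, orig_len (four 32-bit fields)
    and is followed by incl_len bytes of packet data. A record whose header or data
    runs past the end of the buffer marks the capture as truncated and ends the walk.
    """
    if len(data) < PCAP_GLOBAL_HEADER_LEN or data[:4] not in PCAP_MAGICS:
        raise ValueError("not a classic pcap buffer")
    endian = PCAP_MAGICS[data[:4]][0]
    # Global header: magic, version_major, version_minor, thiszone, sigfigs, snaplen, network.
    _, _, _, _, _, snaplen, link_type = struct.unpack(
        endian + "IHHiIII", data[:PCAP_GLOBAL_HEADER_LEN])
    offset = PCAP_GLOBAL_HEADER_LEN
    count = 0
    while offset < len(data):
        if offset + PCAP_RECORD_HEADER_LEN > len(data):
            return link_type, count, True
        _, _, incl_len, _ = struct.unpack(
            endian + "IIII", data[offset:offset + PCAP_RECORD_HEADER_LEN])
        # A record longer than snaplen, or running past the buffer, is corrupt or cut off.
        if incl_len > snaplen or offset + PCAP_RECORD_HEADER_LEN + incl_len > len(data):
            return link_type, count, True
        offset += PCAP_RECORD_HEADER_LEN + incl_len
        count += 1
    return link_type, count, False


def find_capture_headers(blob):
    """Scan a buffer and return sorted [(offset, description)] for every capture header in it."""
    hits = []
    for needle in list(PCAP_MAGICS) + [PCAPNG_BLOCK_TYPE]:
        start = 0
        while True:
            pos = blob.find(needle, start)
            if pos < 0:
                break
            desc = identify_capture(blob[pos:pos + 12])
            if desc:
                hits.append((pos, desc))
            start = pos + 1
    return sorted(hits)


def build_sample_pcap(payloads, endian="<", link_type=1, snaplen=65535):
    """Construct a minimal classic pcap from raw payloads (constructed sample data)."""
    magic = b"\xd4\xc3\xb2\xa1" if endian == "<" else b"\xa1\xb2\xc3\xd4"
    header = magic + struct.pack(endian + "HHiIII", 2, 4, 0, 0, snaplen, link_type)
    body = b""
    for i, payload in enumerate(payloads):
        body += struct.pack(endian + "IIII", 1700000000 + i, 0, len(payload), len(payload)) + payload
    return header + body


# Constructed samples: a two-record pcap (link type 1 = Ethernet), a pcapng section
# header, and a blob with both embedded between unrelated bytes as a carving target.
SAMPLE_PCAP = build_sample_pcap([b"\x00" * 14 + b"\x08\x00", b"\xff" * 20])
SAMPLE_PCAPNG_HEAD = PCAPNG_BLOCK_TYPE + struct.pack("<I", 28) + PCAPNG_BOM_LE + b"\x00" * 16
SAMPLE_BLOB = b"unrelated data " + SAMPLE_PCAP + b" more junk " + SAMPLE_PCAPNG_HEAD

if __name__ == "__main__":
    print(identify_capture(SAMPLE_PCAP))
    print(walk_pcap_records(SAMPLE_PCAP))
    print(walk_pcap_records(SAMPLE_PCAP[:-5]))  # second record cut short -> truncated
    print(find_capture_headers(SAMPLE_BLOB))
```

The scan deliberately re-validates each magic hit with `identify_capture`, so a stray 0x0A0D0D0A sequence without the pcapng byte-order magic at offset 8 is not reported; the record walk is what tells a carved pcap that will load in a parser apart from one cut off by the end of an allocation.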
In order to use this module, you must have Autopsy version 3.1.3 installed.
Directions to load and run the module are outlined below:
- Run Autopsy
- Add Data Source
- Navigate to Tools on the Autopsy Menu
- Choose Python Plugins
- Create a folder with the name of the plugin
- Copy netarchae.py into the folder
- Close out of the Python Plugins folder
- Right click on the Data Source you would like to parse for packet captures
- Select Run Ingest Modules
- Check the box next to the modules you would like to run
  - In this case, choose NetArchae (note that you can choose multiple modules)

Once the module has run, provided it yields results, you will see a new "PCAPs" tab under "Interesting Items". You can also see extracted pcaps by generating a report or by clicking on the "Ingest Messages" icon.