One of our agents managed to sniff an important piece of data transmitted via USB. He told us that this pcap file contains all we need to recover the data. Can you find it?
(1) PRELIMINARY ANALYSIS (wireshark)
We open the pcap file with Wireshark and quickly see that it is a capture of several USB data transfers between a host and what seems to be a USB flash drive. The filters that can be used in Wireshark for this kind of traffic are described here:
It looks like the interesting data has been transferred in the USB packets described as 'URB_BULK out': they contain readable strings and are the largest packets in the capture, because they correspond to USB 'bulk transfer' messages, the transfer type used for moving large amounts of data.
On the other hand, we see that this bulk data is sent to the device with address '3' on the USB bus, so we build the following Wireshark filter to show only those packets:
usb.device_address==3 && usb.capdata
More precisely, the interesting data is stored in the field 'Leftover Capture Data', so we right-click on it and select 'Apply as Column' to see it in the main Wireshark window.
(2) PACKET FILTERING (tshark)
We can perform the same filtering using 'tshark' from the command line, which will be useful for extracting the packets later:
(3) PACKET EXTRACTION IN HEX FORMAT (tshark)
We proceed to extract the packets using the same filter:
-r: Read packet data from the input file.
-Y: Display filter (the same one we used in section 2).
-T: Set the output format for decoded packet data ('fields' format).
-e: Add a field to the list of fields to display when -T fields is selected.
usb.capdata: the field to extract, i.e. the 'Leftover Capture Data' field we are interested in.
All the extracted packets are stored in the 'raw' file, one packet per line. To merge all the packets into a single string, we edit the file and join the lines, taking care to insert ':' between every two lines so the hex format is not broken. This can be done with any decent text editor such as Notepad++. We save the result in a file named 'raw_agrupado'.
In case we need to analyze an isolated packet, we could use the following tshark filter (e.g. for packet 101):
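The manual merge of the 'raw' file (and the hex-to-binary conversion that follows it) can be automated; the script below is an added example, not part of the original writeup. It assumes the 'raw' file is the output of tshark with '-T fields -e usb.capdata', and it accepts both the colon-separated and the bare-hex form that different tshark versions print, skipping packets whose capdata field is empty.

```python
import sys
from pathlib import Path

# Constructed sample of "tshark ... -T fields -e usb.capdata" output, one packet per line.
# Depending on the tshark version the bytes come colon-separated or as bare hex, and a
# packet without leftover data yields an empty line; all three cases appear here.
SAMPLE_RAW = """\
50:4b:03:04:14:00
000000000000

21:00:3b:e3:ff:93
"""

HEXDIGITS = set("0123456789abcdefABCDEF")

def parse_capdata_lines(text):
    """Concatenate the payload bytes of every non-empty line, in capture order."""
    chunks = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hexstr = line.strip().replace(":", "")
        if not hexstr:
            continue  # packet with no 'Leftover Capture Data'
        if len(hexstr) % 2 or not set(hexstr) <= HEXDIGITS:
            raise ValueError(f"line {lineno}: not a hex packet: {line.strip()!r}")
        chunks.append(bytes.fromhex(hexstr))
    return b"".join(chunks)

def merged_hex(text):
    """The manual merge step: one ':'-separated hex string, as stored in 'raw_agrupado'."""
    return ":".join(f"{b:02x}" for b in parse_capdata_lines(text))

def raw_to_bin(raw_path, out_path):
    """Read a tshark 'raw' file, write the recovered binary (what xxd -r -p would
    produce from 'raw_agrupado'), and return the number of bytes written."""
    data = parse_capdata_lines(Path(raw_path).read_text())
    Path(out_path).write_bytes(data)
    return len(data)

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: merge_capdata.py raw out.bin")
    n = raw_to_bin(sys.argv[1], sys.argv[2])
    print(f"wrote {n} bytes to {sys.argv[2]}")
```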
(4) HEX TO BIN CONVERSION (xxd)
Now we convert our hex file to binary using 'xxd':