The other day we had a situation where an employee was involved in some questionable activities. We were concerned that sensitive data had left the company, so I analyzed the pcaps from this employees Internet activities. I found some suspcious MSN messenger sessions (over regular port 80), but the payload appeared to be encrypted, making it a real pain to try find out what actually took place.
Is there any tool out there that can generate decrypted (or similar) session transcripts from pcap files for common protocols (like messenger)?
Some sessions involve ftp uploads, and since I have the full pcap files, I should be able to recreate the file uploaded so that I can view it in the proper app (like a word or excel file) - is there any tool for this out there?
Thanks,
JB |