Ask Your Question
0

intrusion to laptop

asked 2021-10-13 21:03:00 +0000

bigjohn888jb gravatar image

I’m pretty new with WireShark. I'm trying to prove that some files were intentionally altered by some intrusion to my laptop. When first finding these files having been changed, I started capturing my network connection with WireShark. The names have obviously been changed, but I’m looking for some forensic evidence in the packets I've captured as to how this was done. Is there a way to show a file that was created and named ExampleFile at a specific time/date, then, at a later time/date was changed to ExampleFileAltered?

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by » oldest newest most voted
0

answered 2021-10-14 08:23:01 +0000

grahamb gravatar image

If the file was altered by remote means and you were capturing at the time and the traffic wasn't encrypted (or you somehow have the encryption key) then you might be able to infer that. In all likelihood this isn't the case.

edit flag offensive delete link more

Comments

Thanks for the response.

Can you break down for me more specifically how I would be able to infer a purposeful alteration? When I saw that my files were altered, I suspected an intrusion. So, I scanned my computer and changed the password and then started running Wireshark on a regular basis for several months. Once again, I found files that had been altered.

Is there a way to cross-reference the date of modification with a Wireshark file and then what would I be looking for?

Are there any abnormalities that could be seen in the structure of an altered file I could compare to a similar file that wasn't altered?

I appreciate the help.

bigjohn888jb gravatar imagebigjohn888jb ( 2021-10-14 14:22:32 +0000 )edit

Wireshark is a networking tool. That is the scope of the tool.

You are looking for a tool that should have been implemented on your machine before the attempt is made.

If a third party has access to you computer then anything happening after that can't be trusted.You don't have the skillset to determine this (based on your question) and it is not something you can just learn with 15 minutes of youtube.

anything happening through encrypted channels is obviously not something you can look at.

hugo.vanderkooij gravatar imagehugo.vanderkooij ( 2021-10-15 06:40:36 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2021-10-13 21:03:00 +0000

Seen: 313 times

Last updated: Oct 14 '21

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2