Is there any way to decode base64 encoded files from within Investigator other than resorting to outside tools? I've tried opening the session in Wireshark, but base64 decoding seems to be broken under Windows. Any suggestions?
My solution thus far has been to:
- Save files from the session from the Content window
- Open the file in a hex editor
- Select the appropriate bytes and run them through a base64 decoder (there's a function in Notepad++ to do this, as well as various Web sites).
- Save the contents to a file and open with the appropriate application.
Anything shorter or simpler?
Thanks,
Charlie
Investigator will automatically convert base64 attachments in emails when extracting files from a session. Are you using the "extract files" capability? All this depends on your parsers correctly identifying the service type of the session.
In what types of traffic are you seeing base64 files? Generally speaking, protocols that contain content-type information are automatically handled.
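For sessions where the automatic extraction described in the reply does not apply, the manual steps in the question (pick out the base64 bytes, decode them, work out the file type) can be scripted against the file saved from the Content window. This is an added example, not part of the original thread and not Investigator functionality; the sample capture, the function names and the magic-byte table are constructed for illustration.

```python
import base64
import binascii
import re

B64_LINE = re.compile(rb"[A-Za-z0-9+/]+={0,2}")
# Constructed magic-byte table (illustrative, not exhaustive).
MAGIC = {b"%PDF": "pdf", b"PK\x03\x04": "zip", b"\x89PNG": "png",
         b"\xff\xd8\xff": "jpg", b"GIF8": "gif", b"MZ": "exe"}

# Constructed sample standing in for content saved from a session.
PAYLOAD = b"%PDF-1.4\n" + b"constructed sample body " * 4
SAMPLE = (b"Content-Type: application/pdf\r\n"
          b"Content-Transfer-Encoding: base64\r\n\r\n"
          + base64.encodebytes(PAYLOAD) + b"\r\n--boundary--\r\n")


def sniff(data):
    """Guess a file extension from the leading magic bytes."""
    for magic, ext in MAGIC.items():
        if data.startswith(magic):
            return ext
    return "bin"


def carve_base64(raw, min_chars=64):
    """Return (offset, extension, decoded bytes) for each base64 run in raw."""
    found, run, start, pos = [], [], 0, 0
    # The trailing empty line flushes a run that reaches end of input.
    for line in raw.splitlines(keepends=True) + [b""]:
        text = line.strip()
        if text and B64_LINE.fullmatch(text):
            if not run:
                start = pos
            run.append(text)
        else:
            blob = b"".join(run)
            # Skip short runs (ordinary words) and badly aligned data.
            if len(blob) >= min_chars and len(blob) % 4 == 0:
                try:
                    data = base64.b64decode(blob, validate=True)
                    found.append((start, sniff(data), data))
                except binascii.Error:
                    pass  # looked like base64 but did not decode cleanly
            run = []
        pos += len(line)
    return found


if __name__ == "__main__":
    for offset, ext, data in carve_base64(SAMPLE):
        print(f"offset {offset}: {len(data)} bytes, looks like .{ext}")
```

Only whole lines made up of base64 characters are joined into a run, so the word `base64` at the end of the `Content-Transfer-Encoding` header is not swept into the decoded data.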