
intrusion to laptop

I’m pretty new with Wireshark. I'm trying to prove that some files were intentionally altered by some intrusion to my laptop. When first finding these files having been changed, I started capturing my network connection with Wireshark. The names have obviously been changed, but I’m looking for some forensic evidence in the packets I've captured as to how this was done. Is there a way to show a file that was created and named ExampleFile at a specific time/date, then, at a later time/date was changed to ExampleFileAltered?

bigjohn888jb
asked 2021-10-13 21:03:00 +0000


1 Answer


If the file was altered by remote means and you were capturing at the time and the traffic wasn't encrypted (or you somehow have the encryption key) then you might be able to infer that. In all likelihood this isn't the case.

grahamb
answered 2021-10-14 08:23:01 +0000

Comments

Thanks for the response.

Can you break down for me more specifically how I would be able to infer a purposeful alteration? When I saw that my files were altered, I suspected an intrusion. So, I scanned my computer and changed the password and then started running Wireshark on a regular basis for several months. Once again, I found files that had been altered.

Is there a way to cross-reference the date of modification with a Wireshark file and then what would I be looking for?

Are there any abnormalities that could be seen in the structure of an altered file I could compare to a similar file that wasn't altered?

I appreciate the help.

bigjohn888jb (2021-10-14 14:22:32 +0000)

Wireshark is a networking tool. That is the scope of the tool.

You are looking for a tool that should have been implemented on your machine before the attempt is made.

If a third party has access to your computer then anything happening after that can't be trusted. You don't have the skillset to determine this (based on your question) and it is not something you can just learn with 15 minutes of YouTube.

Anything happening through encrypted channels is obviously not something you can look at.

hugo.vanderkooij (2021-10-15 06:40:36 +0000)
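The one thing the thread does suggest is possible: cross-referencing a file's modification time with the frames in a capture. The script below is an added example, not code from the thread or from Wireshark; it reads a classic libpcap file (not pcapng), and returns the frames whose timestamps fall within a window around a given mtime, which only narrows where to look and does not itself prove how the file was changed. The sample capture is constructed inline so the example runs offline.

```python
import os
import struct

# libpcap magic numbers: little/big endian, microsecond and nanosecond variants
_MAGICS = {
    0xA1B2C3D4: ("<", 1e6), 0xD4C3B2A1: (">", 1e6),
    0xA1B23C4D: ("<", 1e9), 0x4D3CB2A1: (">", 1e9),
}


def build_pcap(timestamps):
    """Constructed sample: a little-endian libpcap file with one dummy 14-byte frame per timestamp."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    body = b""
    for ts in timestamps:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        frame = b"\x00" * 14  # placeholder Ethernet header, no real payload
        body += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return header + body


def file_mtime(path):
    """Modification time of a file as a UNIX timestamp (what the question wants to correlate)."""
    return os.stat(path).st_mtime


def packets_near(pcap_bytes, mtime, window_s=60):
    """Return [(frame_index, timestamp)] for frames within window_s seconds of mtime."""
    magic = struct.unpack("<I", pcap_bytes[:4])[0]
    if magic not in _MAGICS:
        raise ValueError("not a classic libpcap file (pcapng is not handled here)")
    endian, frac_div = _MAGICS[magic]
    offset, index, hits = 24, 0, []  # 24-byte global header precedes the first record
    while offset + 16 <= len(pcap_bytes):
        sec, frac, caplen, _ = struct.unpack(endian + "IIII", pcap_bytes[offset:offset + 16])
        ts = sec + frac / frac_div
        if abs(ts - mtime) <= window_s:
            hits.append((index, ts))
        offset += 16 + caplen  # skip the record header and the captured bytes
        index += 1
    return hits


if __name__ == "__main__":
    sample = build_pcap([1634162580.0, 1634162600.5, 1634170000.0])
    print(packets_near(sample, 1634162600.0, window_s=60))  # frames 0 and 1
```

In Wireshark itself the same narrowing is a display filter on `frame.time`; the frames found still have to be readable (unencrypted) to say anything about the file, as the answer notes.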
