Data Exfiltration Analysis

Analysis focuses on identifying what data was accessed, how it was transferred, and assessing the impact.

Detection Indicators
  • Unusual outbound data transfers

  • Large volume of data sent to external IPs

  • File transfer commands in protocol traffic

  • Access to sensitive directories or files

  • Data transfers outside normal business hours or patterns

  • Use of protocols typically associated with file transfers

Analysis Workflow

1. Identify Data Transfer Activity

  • Filter for data transfer protocols and source/destination IPs:

    • FTP: ftp (control) and ftp-data (actual file transfers)

    • HTTP: http and ip.dst == [EXTERNAL_IP]

    • SMB: smb2 or smb

  • Look for file transfer commands:

    • FTP: RETR (retrieve/download), STOR (store/upload)

    • HTTP: POST/PUT requests with file uploads, GET requests for downloads

    • SMB: Read/Write operations on shares


2. Understand Protocol Data Channels

  • Some protocols, FTP among them, use separate connections for control and data: the commands (RETR, STOR, LIST) appear in the control stream, while the file contents travel in a separate data stream, so both must be examined to pair a command with the bytes it moved.


3. Identify Accessed Resources

  • Examine reconnaissance commands:

    • FTP: LIST, NLST (directory listings), PWD (current directory)

    • HTTP: Directory traversal attempts, API enumeration

    • SMB: Share enumeration, file listings

  • Document directory structure accessed

  • Note targeted files or data types


4. Extract Transferred Files

  • Use Wireshark's Export Objects feature:

    • File > Export Objects > [Protocol]

    • FTP-DATA: Files transferred via FTP

    • HTTP: Web resources, uploaded/downloaded files

    • SMB: Files accessed via SMB shares

  • Save all extracted files for analysis

  • Preserve original filenames and metadata


5. Analyze Exfiltrated Content

  • Review extracted files for sensitive information:

    • Credentials (passwords, API keys, tokens)

    • Configuration files

    • Database backups

    • Intellectual property (source code, documents)

    • Personally identifiable information

    • Infrastructure details (IP addresses, URLs, system configs)

  • Document all sensitive data discovered

  • Search for embedded credentials or secondary targets


6. Timeline Reconstruction

  • Establish complete attack timeline:

    • Initial access time

    • Reconnaissance period (directory listings, file searches)

    • Exfiltration start time

    • Files accessed and order of access

    • Exfiltration completion time

    • Total duration of data theft


7. Volume and Scope Assessment

  • Calculate total data exfiltrated:

    • Number of files transferred

    • Total data size (Statistics > Conversations)

    • Types of data stolen

  • Identify all compromised systems or accounts

  • Determine if exfiltration is ongoing or completed


8. Impact Analysis

  • Assess severity based on:

    • Sensitivity of exfiltrated data

    • Potential for further compromise

    • Compliance implications

    • Business impact

    • Lateral movement potential
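The following script is an added example, not part of this page's own material: it carries steps 3, 6 and 7 of the workflow through on the FTP control channel. It assumes field output exported with tshark (-T fields with frame.time_epoch, ip.src, ip.dst, ftp.request.command, ftp.request.arg); the sample lines are constructed, not from a real capture.

```python
import posixpath
from datetime import datetime, timezone

# Constructed sample (not a real capture) of: tshark -r capture.pcap -Y ftp.request -T fields
# -e frame.time_epoch -e ip.src -e ip.dst -e ftp.request.command -e ftp.request.arg
SAMPLE_TSHARK_OUTPUT = """\
1700000002.00\t203.0.113.7\t192.0.2.20\tLIST\t
1700000005.00\t203.0.113.7\t192.0.2.20\tCWD\t/srv/finance
1700000006.10\t203.0.113.7\t192.0.2.20\tNLST\t
1700000009.40\t203.0.113.7\t192.0.2.20\tRETR\tpayroll_2024.xlsx
1700000030.00\t203.0.113.7\t192.0.2.20\tCWD\tarchive
1700000041.70\t203.0.113.7\t192.0.2.20\tRETR\tdb_backup.sql.gz
1700000044.00\t203.0.113.7\t192.0.2.20\tQUIT\t
"""

RECON_CMDS = {"PWD", "LIST", "NLST", "CWD"}             # step 3: reconnaissance commands
TRANSFER_CMDS = {"RETR": "download", "STOR": "upload"}  # step 1: file transfer commands


def parse_tshark_fields(text):
    """Parse tab-separated tshark field lines; a missing ftp.request.arg column becomes ''."""
    records = []
    for line in filter(None, text.splitlines()):
        cols = (line.split("\t") + [""] * 5)[:5]
        records.append({"ts": float(cols[0]), "src": cols[1], "dst": cols[2],
                        "cmd": cols[3].upper(), "arg": cols[4].strip()})
    return records


def reconstruct_ftp_session(records):
    """Timeline and file inventory (steps 3, 6, 7) from the FTP control channel alone.
    exfil_end is the last RETR/STOR command; each transfer's true end and byte count
    live in its ftp-data stream, so join with Statistics > Conversations for volume."""
    cwd, dirs, recon_ts, files = "/", set(), [], []
    for r in records:
        if r["cmd"] == "CWD":                    # track the working directory the server sees
            cwd = posixpath.join(cwd, r["arg"])  # absolute arg replaces cwd, relative appends
        if r["cmd"] in RECON_CMDS:
            recon_ts.append(r["ts"])
            dirs.add(cwd)
        elif r["cmd"] in TRANSFER_CMDS:
            files.append((r["ts"], TRANSFER_CMDS[r["cmd"]], posixpath.join(cwd, r["arg"]), r["src"]))
    iso = lambda t: datetime.fromtimestamp(t, timezone.utc).isoformat()
    return {
        "client_ips": sorted({f[3] for f in files}),
        "recon_start": iso(min(recon_ts)) if recon_ts else None,
        "exfil_start": iso(files[0][0]) if files else None,
        "exfil_end": iso(files[-1][0]) if files else None,
        "duration_s": round(files[-1][0] - files[0][0], 2) if files else 0.0,
        "directories": sorted(dirs),
        "files": [(d, p) for _, d, p, _ in files],
    }
```

Running reconstruct_ftp_session(parse_tshark_fields(SAMPLE_TSHARK_OUTPUT)) yields the attacker IP, the reconnaissance and exfiltration window, the directories walked and the ordered list of retrieved paths, which map directly onto the Attack Summary and Data Inventory sections below.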

Key Wireshark Techniques

Protocol-specific filters

  • ftp-data: Isolate FTP file transfers only

  • http.request.method == "POST": Find HTTP uploads

  • smb2.cmd == 8: SMB2 Read operations


Export Objects: Extract all transferred files

  • File > Export Objects > [FTP-DATA / HTTP / SMB]

  • Save all files for forensic analysis


Follow Stream: View complete transfer context

  • Right-click packet > Follow > TCP/FTP Stream

  • See commands and responses in sequence


Statistics > Protocol Hierarchy: Identify protocol usage patterns

  • Shows percentage of traffic per protocol

  • Useful for spotting unusual protocol usage


IO Graphs

  • Statistics > I/O Graphs

  • Identify spikes in outbound traffic

Documentation Requirements

Attack Summary

  • Initial access method and time

  • Compromised credentials

  • Exfiltration protocol(s) used

  • Attacker IP address(es)


Data Inventory

  • Complete list of exfiltrated files

  • File sizes and timestamps

  • Sensitive data contained in each file

  • Hash values of extracted files


Impact Assessment

  • Data sensitivity classification

  • Affected systems/users

  • Regulatory compliance concerns

  • Recommended remediation actions
