1. Download and analyze the file
Opening the capture in Wireshark shows traces of mail being exchanged.
2. Let's analyze the message contents with the NetworkMiner tool
1) First message
Greg!
So glad you came. :) Let's go to the concert! Rod Stewart, how about the hits? Second mezzanine, section 4, row H, seat 410. You know the drop location and password. Let's have dinner afterward!
betty.
<?xml version=\"1.0\" encoding=\"UTF-8\"?>
<kml xmlns=\"http://www.opengis.net/kml/2.2\">
<Document>
<name>S3cr3t.kml</name>
<StyleMap id=\"my_pin\">
<Pair>
<key>normal</key>
<styleUrl>#my_pin2</styleUrl>
</Pair>
<Pair>
<key>highlight</key>
<styleUrl>#my_pin2</styleUrl>
</Pair>
</StyleMap>
<Style id=\"my_pin2\">
<IconStyle>
<scale>1.3</scale>
<hotSpot x=\"20\" y=\"2\" xunits=\"pixels\" yunits=\"pixels\"/>
</IconStyle>
<LineStyle>
<color>ff0a1eff</color>
<width>5</width>
</LineStyle>
</Style>
<Style id=\"my_pin2\">
<IconStyle>
<scale>1.1</scale>
<hotSpot x=\"20\" y=\"2\" xunits=\"pixels\" yunits=\"pixels\"/>
</IconStyle>
<LineStyle>
<color>ff0a1eff</color>
<width>5</width>
</LineStyle>
</Style>
<Placemark>
<name>S3cr3t</name>
<styleUrl>#my_pin</styleUrl>
<LineString>
<tessellate>1</tessellate>
<coordinates>
-115.1747400144938,36.11482578684966,0 -115.1747637269919,36.11483598910879,0 -115.1747994308382,36.11485348317316,0 -115.1748472898757,36.1148741240454,0 -115.174907586525,36.11490224531619,0 -115.1750112008098,36.11494375010778,0 -115.1750851012924,36.11495847672633,0 -115.1751285618997,36.11496749600561,0 -115.1751660785692,36.11498145099074,0 -115.1752226519558,36.11500254434612,0 -115.1752479490537,36.11501342170794,0 -115.1752987780009,36.1150309165722,0 -115.1753691913622,36.11504693234327,0 -115.1754273257964,36.1150641591323,0 -115.1754924682316,36.11508542572431,0 -115.1755384817008,36.11510841162742,0 -115.1755780905247,36.11512760692892,0 -115.1756113452346,36.11514737963318,0 -115.1756515529016,36.11517567445724,0 -115.1756920083675,36.11520411210632,0 -115.1757191910485,36.11522913628484,0 -115.1757329930722,36.11525516035373,0 -115.1757401976759,36.11528164414982,0 -115.1757411125062,36.11533553981267,0 -115.1757011434918,36.11538744516076,0 -115.1756611948784,36.11542117509668,0 -115.1756280719543,36.11544989244575,0 -115.1755491286326,36.11547644771558,0 -115.1754709279465,36.11548502039899,0 -115.1754060783449,36.11548407497919,0 -115.1753673338321,36.11548177545153,0 -115.17533521176,36.11547474262213,0 -115.175303219441,36.11545897838661,0 -115.1752584614886,36.11541784909308,0 -115.1752266637086,36.11538924437752,0 -115.1752138666791,36.11536828562575,0 -115.1751881753786,36.1153221794623,0 -115.1751686639423,36.11527586125329,0 -115.1751615746781,36.11521145083849,0 -115.1751675147318,36.11517635583093,0 -115.1751860387852,36.11514893316514,0 -115.1752045494624,36.11511710970512,0 -115.1752229410231,36.11505911158674,0 -115.1752606677658,36.11502541663177,0 -115.1752103790746,36.11506450802326,0 -115.17518551157,36.11509259465247,0 -115.175136023636,36.11513548597415,0 -115.175037711022,36.11518609172777,0 -115.1749769807822,36.11520771386073,0 -115.1749347972569,36.11522358758358,0 -115.1748685688998,36.11523695250927,0 
-115.1748266549455,36.11524426729881,0 -115.174796795859,36.11524223344252,0 -115.1747669098578,36.11522336370292,0 -115.1747368236476,36.11516675251501,0 -115.1747303970336,36.11510421194399,0 -115.1747302373412,36.11508320409218,0 -115.1747359846927,36.115061680967,0 -115.1747416405957,36.1150275264639,0 -115.1747531823668,36.11498859538288,0 -115.1747707459356,36.11496168982418,0 -115.1748119629954,36.11492406413988,0 -115.1748415906394,36.11490432075467,0 -115.1748594800728,36.11489836575598,0 -115.1748179483178,36.1149277245518,0 -115.1747943827935,36.1149510524601,0 -115.1747826859936,36.11496900831985,0 -115.1747592398238,36.11500488523147,0 -115.1747475893453,36.11503120206038,0 -115.1747419607062,36.11506957450186,0 -115.174730524833,36.11512101887386,0 -115.1747307124976,36.1151420163174,0 -115.1747136126966,36.11521057760017,0 -115.1747138356258,36.11523995964273,0 -115.1747201055745,36.11528991542889,0 -115.1747380929071,36.11531807349625,0 -115.1747619663719,36.1153501633928,0 -115.1747799589268,36.11537851936557,0 -115.1748041243356,36.11542346705387,0 -115.1748464687038,36.11548448978836,0 -115.1748768299102,36.11552527393615,0 -115.1749313746639,36.11554796723872,0 -115.1749801696544,36.11556686642209,0 -115.1750354401082,36.11558129507337,0 -115.1751097564145,36.11559495026435,0 -115.175159650642,36.11559691572891,0 -115.1752096584725,36.11560329673894,0 -115.1752347911914,36.11560650310023,0 -115.1752858531111,36.11563909841721,0 -115.17531156526,36.11565985731807,0 -115.1753117506209,36.11567735903402,0 -115.1752616502851,36.11575359015258,0 -115.1752308258106,36.11581128637717,0 -115.1752248524422,36.11583323326979,0 -115.1752189592058,36.11586822327111,0 -115.1752193003432,36.1158986762425,0 -115.175200626882,36.11591655208239,0 -115.1751192788174,36.11592725472796,0 -115.1750633365499,36.11592864405472,0 -115.1750075860819,36.11590000027145,0 -115.1749645058732,36.1158755006807,0 -115.1748730615972,36.11583139666931,0 
-115.1748428327026,36.11580692080067,0 -115.1747946392211,36.11575361114023,0 -115.1747587477357,36.11572124349623,0 -115.1747231303127,36.11570164907575,0 -115.1746583943872,36.11567923001635,0 -115.1746062269136,36.115710673614,0 -115.1745831923016,36.11572827195841,0 -115.1745603520503,36.11576242919129,0 -115.1745434082999,36.11582949465249,0 -115.1745381153448,36.1159002018233,0 -115.1745613997581,36.11593695561045,0 -115.1746137261521,36.1159731865137,0 -115.1746664221078,36.116001316219,0 -115.1747729246522,36.11604978750616,0 -115.1748630299797,36.11607800056742,0 -115.1749602639004,36.11610651257456,0 -115.1750590253002,36.116131106993,0 -115.1750962547005,36.11613934521481,0 -115.1751901298305,36.11614709122862,0 -115.1751087791738,36.11614786100383,0 -115.1749914539855,36.11614897241656,0 -115.1748575833229,36.11615024974507,0 -115.1747737461694,36.1161552694192,0 -115.1746969648835,36.1161643686276,0 -115.174621127956,36.11618171599082,0 -115.1746153152716,36.11618175882854,0 -115.1745921893874,36.11619859238918,0 -115.1745521147409,36.11627360152058,0 -115.1745526221192,36.11636497399023,0 -115.1746224386823,36.11641965039619,0 -115.1747045995666,36.11644984991332,0 -115.1747757804362,36.11647180147128,0 -115.1748597115355,36.11648991332765,0 -115.1749998237608,36.11652198374102,0 -115.1751552563584,36.11654626574666,0 -115.175193018492,36.1165426102172,0 -115.1751051192127,36.11653239002264,0 -115.1750182846187,36.11652229354455,0 -115.1749385680438,36.11651241540137,0 -115.1748960479574,36.11651172759861,0 -115.174817736312,36.11650199684704,0 -115.1747223669775,36.11649629310881,0 -115.1746810547034,36.11649565511777,0 -115.1746051045873,36.11651532323063,0 -115.1745531754848,36.1165601150077,0 -115.1745130696163,36.11659655740359,0 -115.1744846435504,36.11663721047383,0 -115.1744508082584,36.11669814105826,0 -115.1744455176575,36.11677211458591,0 -115.1744630934765,36.11684700177774,0 -115.1745094001715,36.11691105366092,0 
-115.1745615839621,36.11694673933196,0 -115.1746198057187,36.11696627685721,0 -115.1746961750095,36.11697849962556,0 -115.1747674046621,36.11699054420418,0 -115.1748877248902,36.11700521901262,0 -115.1749792438999,36.11700995013871,0 -115.1751280405183,36.11701328776861,0 -115.1752480846272,36.11700199565179,0 -115.1753378300811,36.11698893119303,0 -115.1754153963752,36.1169706140282,0 -115.1755134075586,36.11695296636982,0 -115.1755265790781,36.116949115171,0 -115.1754542929579,36.11694586233404,0 -115.1753503173899,36.11695434067963,0 -115.1752349455791,36.11696206675848,0 -115.1751715082312,36.11696338375477,0 -115.1751025604565,36.1169601169844,0 -115.1749848354403,36.11696306013258,0 -115.1749358310996,36.11696068928642,0 -115.1748509566435,36.11695659696109,0 -115.1747254993764,36.11695893437344,0 -115.1746900999199,36.11696139796434,0 -115.1746432114976,36.11696745420693,0 -115.1745965281191,36.11696927688671,0 -115.1745733907443,36.11697643691591,0 -115.1745445859971,36.11698328367287,0 -115.1745216084907,36.11698625229385,0 -115.1745158675725,36.11698595651601,0 -115.1745676409547,36.11698030519116,0 -115.1746082839976,36.11697822278071,0 -115.1746491107229,36.11697193498184,0 -115.1746784599668,36.11697340922365,0 -115.1747078899647,36.1169706834151,0 -115.1747433815873,36.11696824056791,0 -115.1747849975594,36.11696185395128,0 -115.1748269304573,36.11695967628417,0 -115.1748870806091,36.11694556671635,0 -115.1749538212036,36.11693160653984,0 -115.1750029050697,36.116929583553,0 -115.1750276129024,36.11693072131622,0 -115.175083562384,36.11693330448814,0 -115.1751210554288,36.11693502554542,0 -115.1751461142512,36.11693616717704,0 -115.1751582691994,36.11689333058993,0 -115.1751702570436,36.11683304405784,0 -115.1751699072629,36.11679829184261,0 -115.1751701258031,36.11682001149791,0 -115.1751703881912,36.11684607697189,0 -115.1751773791259,36.11691587094557,0 -115.1751779128041,36.11697238194507,0 -115.1751783233572,36.11701585770258,0 
-115.1751788777129,36.11706805208214,0 -115.1751730757792,36.11711120208609,0 -115.1751610216015,36.11715395058646,0 -115.1751613698315,36.11718004775783,0 -115.1751617758267,36.11721049903583,0 -115.175161979335,36.11722789271862,0 -115.1751614858049,36.11718874774159,0 -115.1751548965315,36.11716660789684,0 -115.1751417522452,36.11712239866333,0 -115.1751414459286,36.1170963551233,0 -115.175160005478,36.11707135639593,0 -115.1751911510623,36.11703391966707,0 -115.1751910275755,36.11702086406221,0 -115.1751593693,36.11701054587451,0 -115.1751092846092,36.11701233113042,
That is what the first message contains as NetworkMiner shows it; the attached KML stops in the middle of the coordinate list.
2) The second message contains no evidence.
3. Let's analyze the first message
!!! What is KML?
KML is a file format used to display geographic data in Earth browsers such as Google Earth, Google Maps and Google Maps for mobile. KML uses a tag-based structure with nested elements and attributes and is based on the XML standard. All tags are case-sensitive and must appear exactly as listed in the KML reference. The reference indicates which tags are optional. Within an element, tags must appear in the order shown in the reference.
If you are new to KML, explore this document and the accompanying sample files (Earth samples and Maps samples) to learn about the structure of a KML file and the most commonly used tags. The first section describes features that can be created with the Google Earth user interface: placemarks, descriptions, ground overlays, paths and polygons. The second section describes features that require you to author KML in a text editor. Once the text file is saved with a .kml or .kmz extension, it can be displayed in an Earth browser.
(Source: Google search)
*** The tail of the attachment is visibly cut off, so recover the missing part from Wireshark, rebuild the KML file, and check it in the Google Earth web page.
4. Apply the Wireshark display filter frame.number == 7758 to jump to the frame that carries the rest of the message.
Copy the content starting from the request part and URL-decode it.
Find where the NetworkMiner extract is cut off and append the remaining content after it.
5. Create the KML file
Delete every \ (Ctrl + H, replace with nothing); the escaping backslashes in front of the double quotes are what keep the file from parsing as XML.
Save the file with the .kml extension.
6. Open the file in Google Earth to check it.
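Steps 4 through 6 can be scripted once the request body has been copied out of Wireshark. The script below is an added example for this writeup, not the author's own tooling: it takes a URL-encoded POST body in which the webmail client backslash-escaped the double quotes, decodes it, strips the escapes, checks whether the result is a complete XML document (the truncation the page describes shows up as a parse error), and pulls the coordinates out of the KML so the path can be bounded before it is loaded into Google Earth. The sample body, the form field name "body" and the truncated variant are constructed here; the three coordinate triples are copied from the captured file.

```python
"""Recover a KML attachment from a URL-encoded webmail POST body and extract
its placemark coordinates.

Added example for this writeup; it is not the original author's script and it
does not read the pcap itself.  It assumes the text copied from the Wireshark
request pane looks like the constructed SAMPLE_BODY below.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote_plus

KML_NS = {"kml": "http://www.opengis.net/kml/2.2"}

# Constructed sample, not the bytes from the capture: a short KML in which the
# webmail client has backslash-escaped every double quote, the way the
# attachment appears in the NetworkMiner extract.  The three coordinate
# triples are points copied from the captured file.
ESCAPED_KML = (
    '<?xml version=\\"1.0\\" encoding=\\"UTF-8\\"?>\n'
    '<kml xmlns=\\"http://www.opengis.net/kml/2.2\\">\n'
    '<Document>\n<name>S3cr3t.kml</name>\n'
    '<Placemark>\n<name>S3cr3t</name>\n<LineString>\n<coordinates>\n'
    '-115.1747400144938,36.11482578684966,0 '
    '-115.1757411125062,36.11533553981267,0 '
    '-115.1744455176575,36.11677211458591,0\n'
    '</coordinates>\n</LineString>\n</Placemark>\n</Document>\n</kml>\n'
)

# The same text form-encoded as a browser would send it in the POST body, i.e.
# what "copy from the request part" in Wireshark hands you.  The field name
# "body" is an assumption.
SAMPLE_BODY = "body=" + quote_plus(ESCAPED_KML)

# Constructed truncated variant: the attachment cut off mid-coordinates, as in
# the NetworkMiner view, before the closing tags arrive in a later frame.
TRUNCATED_BODY = "body=" + quote_plus(
    ESCAPED_KML[: ESCAPED_KML.index("-115.1744455176575")]
)


def recover_kml(post_body: str, field: str = "body") -> str:
    """URL-decode the form field and drop the backslash escapes.

    Same result as the manual steps (URL decode, then Ctrl+H to delete every
    backslash), except that only escaping backslashes are removed, so a
    literal backslash inside a <description> would survive.
    """
    fields = parse_qs(post_body, keep_blank_values=True)
    raw = fields[field][0]  # parse_qs already applies unquote_plus
    return re.sub(r"\\(.)", r"\1", raw, flags=re.S)


def is_complete(kml_text: str) -> bool:
    """True if the recovered text parses as XML, i.e. nothing is cut off."""
    try:
        ET.fromstring(kml_text)
        return True
    except ET.ParseError:
        return False


def coordinates(kml_text: str):
    """Return [(lon, lat, alt), ...] from every <coordinates> element."""
    root = ET.fromstring(kml_text)
    points = []
    for node in root.iterfind(".//kml:coordinates", KML_NS):
        for triple in (node.text or "").split():
            lon, lat, alt = (float(v) for v in triple.split(","))
            points.append((lon, lat, alt))
    return points


def bounding_box(points):
    """(min_lon, min_lat, max_lon, max_lat) of the path, for a quick map lookup."""
    lons = [p[0] for p in points]
    lats = [p[1] for p in points]
    return (min(lons), min(lats), max(lons), max(lats))


if __name__ == "__main__":
    kml = recover_kml(SAMPLE_BODY)
    print("complete:", is_complete(kml))
    pts = coordinates(kml)
    print(len(pts), "points, bounding box", bounding_box(pts))
    print("truncated copy complete:", is_complete(recover_kml(TRUNCATED_BODY)))
    with open("S3cr3t.kml", "w", encoding="utf-8") as fh:
        fh.write(kml)  # load this file in Google Earth
```

Run it with the real body pasted in place of SAMPLE_BODY; if is_complete() returns False the frame you copied is not the last one, so keep appending the continuation from the following frames until the document parses, then load the written .kml in Google Earth.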