(Sorry, I uploaded this with an old user account, let's try it again)
This is just a quick guide for any of you that care to try it out.
The basic use case for this guide is organizations that do not or cannot gather pcaps for web traffic and do not have a tool like NetWitness that allows them to actually view the images users are looking at.
Generally, analysts would use this technique when they want to know what images a particular IP is viewing (yes, think pr0n investigation here) and want to gather and pore through those images in bulk.
Overall, I will create a report in ArcSight that pulls the URL of every image a certain IP has accessed. The report lists all of the URLs in CSV format. I will feed the list into HTTrack, which will grab a copy of them all and throw them into a directory on my box, and I can browse them as thumbnails, a filmstrip, or whatever you like through Windows.
Creating the report:
You want the report to grab the images a certain IP is looking at. Try using something like the filter shown below to build your report query:
As you can see, the conditions here will grab web requests where the request is for a jpg, gif, or png and the file size is over 20000 bytes (this is done so that you don't get any of the tiny useless images that are on web pages nowadays; it should help you get only images of a reasonable size).
When used in a report, it will give you a CSV list of all images that a user grabbed that match the filter:
Highlight some or all of the images and do a ‘copy’:
Create a new project in httrack:
Select the ‘Get separated files’ option and paste the URLs into the box:
Finish the project and run it:
It will grab a copy of all of the images and put them in the folder you specified. Now you can browse the folder and see what the user was looking at:
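As an added example (not part of the original post), here is the same filter applied in Python to a constructed proxy-log sample: it keeps jpg/gif/png requests over 20000 bytes from one client IP and writes the one-URL-per-line list that HTTrack's ‘Get separated files’ option takes. The log format, IPs and URLs are assumptions; in practice you would feed it the CSV export from your ArcSight report instead.

```python
"""Filter proxy log lines for large image requests from one client IP and
write a URL list (one per line) for HTTrack's 'Get separated files' option."""
from urllib.parse import urlsplit

# Constructed sample proxy log (not real data). Assumed format per line:
#   timestamp client_ip response_bytes url
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.0.0.5 48213 http://example.test/gallery/photo1.jpg
2024-01-01T10:00:02 10.0.0.5 812 http://example.test/icons/spacer.gif
2024-01-01T10:00:03 10.0.0.7 91000 http://example.test/gallery/photo2.png
2024-01-01T10:00:04 10.0.0.5 250000 http://example.test/gallery/photo3.PNG?size=large
2024-01-01T10:00:05 10.0.0.5 30000 http://example.test/page.html
"""

IMAGE_EXTS = ("jpg", "jpeg", "gif", "png")
MIN_BYTES = 20000  # same size threshold as the ArcSight filter above


def parse_line(line):
    """Split one assumed-format log line into a record dict."""
    ts, ip, size, url = line.split(maxsplit=3)
    return {"ts": ts, "ip": ip, "bytes": int(size), "url": url}


def is_large_image(rec, client_ip, min_bytes=MIN_BYTES):
    """True for image requests above min_bytes from client_ip.

    The extension check uses only the URL path (lower-cased) so that a
    query string or upper-case extension does not hide an image."""
    path = urlsplit(rec["url"]).path.lower()
    return (rec["ip"] == client_ip
            and rec["bytes"] > min_bytes
            and path.rsplit(".", 1)[-1] in IMAGE_EXTS)


def image_urls(log_text, client_ip, min_bytes=MIN_BYTES):
    """Return the matching URLs in first-seen order, without duplicates."""
    urls = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if is_large_image(rec, client_ip, min_bytes) and rec["url"] not in urls:
            urls.append(rec["url"])
    return urls


def write_httrack_list(urls, path):
    """Write one URL per line, the layout HTTrack's URL box expects."""
    with open(path, "w") as f:
        f.write("\n".join(urls) + "\n")


if __name__ == "__main__":
    found = image_urls(SAMPLE_LOG, "10.0.0.5")
    write_httrack_list(found, "urls.txt")
    print(f"{len(found)} image URLs written to urls.txt")
```

Keep in mind that HTTrack fetches a fresh copy from the live site, so what you get may differ from what the user saw, and those fetches will appear in your own proxy logs.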