Network Forensics Puzzle Contest

Congratulations to all of our rock star investigators who solved the Network Forensics Puzzle Contest! We received over 100 submissions, many of which were truly excellent. Figuring out a winner was challenging, but in the end, one submission stood out over all.

We asked you for the most elegant solution. It was possible to solve the puzzle with common tools such as Wireshark, and many people did. However, modern investigations often involve many gigabytes– if not terabytes– of packet data. In the real world, pointing and clicking doesn’t scale. Moreover, when you’re working with large amounts of data, processing time is extremely valuable. Small, fast tools are key.

What we considered “elegant” was the construction of some automated process for solving the puzzle which was easy to use, easy to understand, very portable, and would easily be able to scale to much larger and more difficult problems.

Five people were named Semifinalists because they created an automated process (ie scripting) to facilitate future investigations. Seven Finalists took this to a level beyond and created novel solutions involving considerable amounts of scripting. Please take a look at each of their solutions as WE learned something from every one.

The WINNER of the first Network Forensics Puzzle Contest is Kristinn Gudjonsson. Kristinn wrote two very elegant Perl tools: pcapcat and oftcat.

pcapcat # This script reads a PCAP file and prints out all the connections in the file and gives the user the option of dumping the content of the TCP stream

Kristinn’s pcapcat utility shows you a list of all the TCP streams in a packet capture, and also allows you to select any given stream and dump out the contents of the stream. It also supports the use of BPF filters with the -f flag so that you can narrow your search to specific streams. It’s a small, sharp tool that’s easy to use.

oftcat # This script reads an OFT package, which is a package created by AIM when sending files over the network (using the oscar file transfer protocol). The script reads the packet, prints out some information about it and saves the captured file

Kristinn’s “oftcat” utility is smart enough to figure out the file name based on the OFT protocol and carve out the files transferred. It totally scales, and we especially appreciated his attention to protocol detail.

Here’s Kristinn’s solution writeup and a nice post on his blog where he adds some more detail.

Answers

1. What is the name of Ann’s IM buddy?
sec558user1

2. What was the first comment in the captured IM conversation?
Here’s the secret recipe… I just downloaded it from the file server. Just copy to a thumb drive and you’re good to go >:-)

3. What is the name of the file Ann transferred?
recipe.docx

4. What is the magic number of the file you want to extract (first four bytes)?
0x504B0304 (Note: one byte = 8 bits = 2 hex digits!)

5. What was the MD5sum of the file?
8350582774e1d4dbe1d61d64c89e0ea1

6. What is the secret recipe?
Recipe for Disaster:
1 serving
Ingredients:
4 cups sugar
2 cups water
In a medium saucepan, bring the water to a boil. Add sugar. Stir gently over low heat until sugar is fully dissolved. Remove the saucepan from heat. Allow to cool completely. Pour into gas tank. Repeat as necessary.

Anarchy-R-Us, Inc. suspects that one of their employees, Ann Dercover, is really a secret agent working for their competitor. Ann has access to the company’s prize asset, the secret recipe. Security staff are worried that Ann may try to leak the company’s secret recipe.

Security staff have been monitoring Ann’s activity for some time, but haven’t found anything suspicious– until now. Today an unexpected laptop briefly appeared on the company wireless network. Staff hypothesize it may have been someone in the parking lot, because no strangers were seen in the building. Ann’s computer, (192.168.1.158) sent IMs over the wireless network to this computer. The rogue laptop disappeared shortly thereafter.

“We have a packet capture of the activity,” said security staff, “but we can’t figure out what’s going on. Can you help?”

You are the forensic investigator. Your mission is to figure out who Ann was IM-ing, what she sent, and recover evidence including:

1. What is the name of Ann’s IM buddy?
2. What was the first comment in the captured IM conversation?
3. What is the name of the file Ann transferred?
4. What is the magic number of the file you want to extract (first four bytes)?
5. What was the MD5sum of the file?
6. What is the secret recipe?

Here is your evidence file:

http://philosecurity.org/558/contest_01/evidence.pcap
MD5 (evidence.pcap) = d187d77e18c84f6d72f5845edca833f5

The MOST ELEGANT solution wins. In the event of a tie, the entry submitted first will receive the prize. Scripting is always encouraged. All responses should be submitted as plain text files.

Exceptional solutions may be incorporated into the SANS Network Forensics Toolkit. Authors agree that their code submissions will be freely published under the GPL license, in order to further the state of network forensics knowledge. Exceptional submissions may also be used as examples and tools in the Network Forensics class. All authors will receive full credit for their work.

Email submissions to contest@philosecurity.org. Deadline is 9/10/09. Good luck!!