<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Contest #2 Deadline Extended to 11/22/09</title>
	<atom:link href="http://forensicscontest.com/2009/11/11/contest-2-deadline-extended-to-112209/feed" rel="self" type="application/rss+xml" />
	<link>http://forensicscontest.com/2009/11/11/contest-2-deadline-extended-to-112209</link>
	<description></description>
	<lastBuildDate>Sat, 22 Oct 2011 00:14:20 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.2</generator>
	<item>
		<title>By: jonathan</title>
		<link>http://forensicscontest.com/2009/11/11/contest-2-deadline-extended-to-112209/comment-page-1#comment-81</link>
		<dc:creator>jonathan</dc:creator>
		<pubDate>Sun, 29 Nov 2009 19:31:07 +0000</pubDate>
		<guid isPermaLink="false">http://forensicscontest.com/?p=131#comment-81</guid>
		<description>@Kristinn: There has been a bit of discussion about this on the SANS GCFA list lately, mostly around the question of &quot;do we need push-button forensics?&quot; 

My view is that we already have pushbutton forensics: the bulk of the workload is being performed by EnCase and FTK analysts pointing and clicking. We simply don&#039;t have enough deep forensic skill in the industry to satisfy the demand.

This is not necessarily a bad thing, if folks like yourself and Erik continue to develop your free tools to solve more and more problems that we face, enabling more and more analysts to do pushbutton forensics in a correct and accurate way. 

Not everyone needs to know how cars work to drive one, so long as the car is well built and can get you from point A to point B reliably, consistently and predictably. We just need engineers to build them well and make them easy to use.</description>
		<content:encoded><![CDATA[<p>@Kristinn: There has been a bit of discussion about this on the SANS GCFA list lately, mostly around the question of &#8220;do we need push-button forensics?&#8221; </p>
<p>My view is that we already have pushbutton forensics: the bulk of the workload is being performed by EnCase and FTK analysts pointing and clicking. We simply don&#8217;t have enough deep forensic skill in the industry to satisfy the demand.</p>
<p>This is not necessarily a bad thing, if folks like yourself and Erik continue to develop your free tools to solve more and more problems that we face, enabling more and more analysts to do pushbutton forensics in a correct and accurate way. </p>
<p>Not everyone needs to know how cars work to drive one, so long as the car is well built and can get you from point A to point B reliably, consistently and predictably. We just need engineers to build them well and make them easy to use.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Kristinn</title>
		<link>http://forensicscontest.com/2009/11/11/contest-2-deadline-extended-to-112209/comment-page-1#comment-80</link>
		<dc:creator>Kristinn</dc:creator>
		<pubDate>Sun, 29 Nov 2009 18:34:36 +0000</pubDate>
		<guid isPermaLink="false">http://forensicscontest.com/?p=131#comment-80</guid>
		<description>@Erik: Don&#039;t get me wrong, I really like NetworkMiner and use it quite often, especially when I do not have a large dataset (or pre-filter the existing one to make it smaller) and I&#039;m not perfectly sure what I&#039;m looking for. And in real life you are often presented with a case where you do not know exactly what you are looking at (looking for something &quot;evil&quot;), and then a GUI that visually represents the data can be very valuable.  However, like I said previously, in some cases we know exactly what we are looking for, and in those cases scripts are often a quicker way to get the information needed, especially when presented with large network captures. And sometimes you are forced to do the work on a networked server (perhaps the only one that is capable of capturing all the network traffic needed) which does not have a GUI, and sometimes it is better to finish the analysis there instead of transferring the network capture back to your workstation (and in some cases that is not even possible).  In those cases scripts are very useful and perhaps even essential to the investigation.  So in real life we need both the GUI and the scripts since fortunately our work involves a wide variety of cases ;)

All I was saying is that for a challenge like this, I don&#039;t think that the goal is to show that you  can point-and-click on a GUI to find out the answer (unless you are the one that is developing the point-and-click GUI).  The goal in my opinion is to show that you understand the network traffic and you are capable of interpreting it yourself, not to let tools do all the work for you, and then of course since scripting is encouraged it doesn&#039;t hurt to actually script some of the work to make future work easier ;)</description>
		<content:encoded><![CDATA[<p>@Erik: Don&#8217;t get me wrong, I really like NetworkMiner and use it quite often, especially when I do not have a large dataset (or pre-filter the existing one to make it smaller) and I&#8217;m not perfectly sure what I&#8217;m looking for. And in real life you are often presented with a case where you do not know exactly what you are looking at (looking for something &#8220;evil&#8221;), and then a GUI that visually represents the data can be very valuable.  However, like I said previously, in some cases we know exactly what we are looking for, and in those cases scripts are often a quicker way to get the information needed, especially when presented with large network captures. And sometimes you are forced to do the work on a networked server (perhaps the only one that is capable of capturing all the network traffic needed) which does not have a GUI, and sometimes it is better to finish the analysis there instead of transferring the network capture back to your workstation (and in some cases that is not even possible).  In those cases scripts are very useful and perhaps even essential to the investigation.  So in real life we need both the GUI and the scripts since fortunately our work involves a wide variety of cases <img src='http://forensicscontest.com/wp-includes/images/smilies/icon_wink.gif' alt=';)' class='wp-smiley' /> </p>
<p>All I was saying is that for a challenge like this, I don&#8217;t think that the goal is to show that you  can point-and-click on a GUI to find out the answer (unless you are the one that is developing the point-and-click GUI).  The goal in my opinion is to show that you understand the network traffic and you are capable of interpreting it yourself, not to let tools do all the work for you, and then of course since scripting is encouraged it doesn&#8217;t hurt to actually script some of the work to make future work easier <img src='http://forensicscontest.com/wp-includes/images/smilies/icon_wink.gif' alt=';)' class='wp-smiley' /> </p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Jeff</title>
		<link>http://forensicscontest.com/2009/11/11/contest-2-deadline-extended-to-112209/comment-page-1#comment-78</link>
		<dc:creator>Jeff</dc:creator>
		<pubDate>Sat, 28 Nov 2009 05:23:08 +0000</pubDate>
		<guid isPermaLink="false">http://forensicscontest.com/?p=131#comment-78</guid>
		<description>I&#039;ve got to say, all the solutions linked so far are great.  It seems there are lots of different, yet consistently elegant approaches.  I don&#039;t envy the judges having to choose the best!

And thanks for the link Eric :)</description>
		<content:encoded><![CDATA[<p>I&#8217;ve got to say, all the solutions linked so far are great.  It seems there are lots of different, yet consistently elegant approaches.  I don&#8217;t envy the judges having to choose the best!</p>
<p>And thanks for the link Eric <img src='http://forensicscontest.com/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> </p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Franck G.</title>
		<link>http://forensicscontest.com/2009/11/11/contest-2-deadline-extended-to-112209/comment-page-1#comment-77</link>
		<dc:creator>Franck G.</dc:creator>
		<pubDate>Fri, 27 Nov 2009 22:45:45 +0000</pubDate>
		<guid isPermaLink="false">http://forensicscontest.com/?p=131#comment-77</guid>
		<description>Feel free to review mine here: http://malphx.free.fr/dotclear/index.php?post/2009/11/24/Network-forensics-contest-Puzzle2%3A-my-solution</description>
		<content:encoded><![CDATA[<p>Feel free to review mine here: <a href="http://malphx.free.fr/dotclear/index.php?post/2009/11/24/Network-forensics-contest-Puzzle2%3A-my-solution" rel="nofollow">http://malphx.free.fr/dotclear/index.php?post/2009/11/24/Network-forensics-contest-Puzzle2%3A-my-solution</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Eric</title>
		<link>http://forensicscontest.com/2009/11/11/contest-2-deadline-extended-to-112209/comment-page-1#comment-76</link>
		<dc:creator>Eric</dc:creator>
		<pubDate>Fri, 27 Nov 2009 21:46:50 +0000</pubDate>
		<guid isPermaLink="false">http://forensicscontest.com/?p=131#comment-76</guid>
		<description>One thing that I find missing in these challenges is large amounts of data to sift through.  Typically I&#039;m not going to just have an 80kb pcap file to use, but a couple hundred MBs or more.  I did my writeup on my blog here, and another script called smtpcat, imagine that.

http://chatteronthewire.blogspot.com/2009/11/network-forensic-challenge-2-update.html</description>
		<content:encoded><![CDATA[<p>One thing that I find missing in these challenges is large amounts of data to sift through.  Typically I&#8217;m not going to just have an 80kb pcap file to use, but a couple hundred MBs or more.  I did my writeup on my blog here, and another script called smtpcat, imagine that.</p>
<p><a href="http://chatteronthewire.blogspot.com/2009/11/network-forensic-challenge-2-update.html" rel="nofollow">http://chatteronthewire.blogspot.com/2009/11/network-forensic-challenge-2-update.html</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Erik</title>
		<link>http://forensicscontest.com/2009/11/11/contest-2-deadline-extended-to-112209/comment-page-1#comment-75</link>
		<dc:creator>Erik</dc:creator>
		<pubDate>Fri, 27 Nov 2009 16:34:22 +0000</pubDate>
		<guid isPermaLink="false">http://forensicscontest.com/?p=131#comment-75</guid>
		<description>Nice to see you guys discuss my tool NetworkMiner!

I actually implemented the SMTP parser and &quot;Message&quot; tab in NetworkMiner specifically for this puzzle.

@Kristinn: NetworkMiner is primarily not designed to solve simple puzzles like the ones on this site; the tool is crafted with the intention of being used in real forensic cases. I also don&#039;t see why running a tool without a GUI would be more helpful; I usually find it very rewarding (and time saving) to be able to look at the extracted data in a GUI to quickly identify the relevant communication. I do, however, agree that doing pre-filtering with other tools (like tshark) is useful when large files (&gt;1GB) need to be analyzed... but I would say that it is not often that you know exactly what to look for, which is why being able to visually see a representation of the traffic in a GUI is crucial.

But I&#039;m biased of course ;)</description>
		<content:encoded><![CDATA[<p>Nice to see you guys discuss my tool NetworkMiner!</p>
<p>I actually implemented the SMTP parser and &#8220;Message&#8221; tab in NetworkMiner specifically for this puzzle.</p>
<p>@Kristinn: NetworkMiner is primarily not designed to solve simple puzzles like the ones on this site; the tool is crafted with the intention of being used in real forensic cases. I also don&#8217;t see why running a tool without a GUI would be more helpful; I usually find it very rewarding (and time saving) to be able to look at the extracted data in a GUI to quickly identify the relevant communication. I do, however, agree that doing pre-filtering with other tools (like tshark) is useful when large files (&gt;1GB) need to be analyzed&#8230; but I would say that it is not often that you know exactly what to look for, which is why being able to visually see a representation of the traffic in a GUI is crucial.</p>
<p>But I&#8217;m biased of course <img src='http://forensicscontest.com/wp-includes/images/smilies/icon_wink.gif' alt=';)' class='wp-smiley' /> </p>
]]></content:encoded>
	</item>
	<item>
		<title>By: aldeid</title>
		<link>http://forensicscontest.com/2009/11/11/contest-2-deadline-extended-to-112209/comment-page-1#comment-73</link>
		<dc:creator>aldeid</dc:creator>
		<pubDate>Thu, 26 Nov 2009 21:23:01 +0000</pubDate>
		<guid isPermaLink="false">http://forensicscontest.com/?p=131#comment-73</guid>
		<description>I would also enjoy publishing my solutions for puzzle #2. Feel free to review it here: http://www.aldeid.com/index.php/Network-forensics:Cas-pratique-2</description>
		<content:encoded><![CDATA[<p>I would also enjoy publishing my solutions for puzzle #2. Feel free to review it here: <a href="http://www.aldeid.com/index.php/Network-forensics:Cas-pratique-2" rel="nofollow">http://www.aldeid.com/index.php/Network-forensics:Cas-pratique-2</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Kristinn</title>
		<link>http://forensicscontest.com/2009/11/11/contest-2-deadline-extended-to-112209/comment-page-1#comment-71</link>
		<dc:creator>Kristinn</dc:creator>
		<pubDate>Thu, 26 Nov 2009 08:41:17 +0000</pubDate>
		<guid isPermaLink="false">http://forensicscontest.com/?p=131#comment-71</guid>
		<description>Well, in this particular challenge we could have used a simple GUI tool like Network Miner to easily obtain the answers, but this challenge doesn&#039;t revolve around the capability to point and click on a simple application to obtain the answers (at least not in my opinion).

This competition is more about understanding the network capture by yourself, so you need to dig deeper and understand how this works, and in a competition like this where scripting is really encouraged... to write a script that automates the process for future uses.

Although tools like Network Miner are incredibly useful and can find answers to a challenge like this quite easily, I think that in the real world scripts like those that are developed for this challenge can be more useful in some cases, such as when you have a real-life capture that is immensely larger than this one, and where we are only looking for some rogue SMTP traffic. There, a simple script that does the trick can be much more powerful, especially since it might not need to be run on your workstation with a GUI, but instead could be run on a server without the need of a GUI.  You could script around it to make it automatically search through a vast amount of information instead of manually inspecting the results in Network Miner.... but this is just my two cents...

And in the spirit of sharing solutions, here is mine: http://blog.kiddaland.net/2009/11/second-network-forensics-contest/</description>
		<content:encoded><![CDATA[<p>Well, in this particular challenge we could have used a simple GUI tool like Network Miner to easily obtain the answers, but this challenge doesn&#8217;t revolve around the capability to point and click on a simple application to obtain the answers (at least not in my opinion).</p>
<p>This competition is more about understanding the network capture by yourself, so you need to dig deeper and understand how this works, and in a competition like this where scripting is really encouraged&#8230; to write a script that automates the process for future uses.</p>
<p>Although tools like Network Miner are incredibly useful and can find answers to a challenge like this quite easily, I think that in the real world scripts like those that are developed for this challenge can be more useful in some cases, such as when you have a real-life capture that is immensely larger than this one, and where we are only looking for some rogue SMTP traffic. There, a simple script that does the trick can be much more powerful, especially since it might not need to be run on your workstation with a GUI, but instead could be run on a server without the need of a GUI.  You could script around it to make it automatically search through a vast amount of information instead of manually inspecting the results in Network Miner&#8230;. but this is just my two cents&#8230;</p>
<p>And in the spirit of sharing solutions, here is mine: <a href="http://blog.kiddaland.net/2009/11/second-network-forensics-contest/" rel="nofollow">http://blog.kiddaland.net/2009/11/second-network-forensics-contest/</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Marc</title>
		<link>http://forensicscontest.com/2009/11/11/contest-2-deadline-extended-to-112209/comment-page-1#comment-67</link>
		<dc:creator>Marc</dc:creator>
		<pubDate>Tue, 24 Nov 2009 02:09:26 +0000</pubDate>
		<guid isPermaLink="false">http://forensicscontest.com/?p=131#comment-67</guid>
		<description>Yeah, or you guys could have used a tool called Network Miner and got all the information.

(Note: I did the work and found this precious tool after.) :)


http://sourceforge.net/projects/networkminer/</description>
		<content:encoded><![CDATA[<p>Yeah, or you guys could have used a tool called Network Miner and got all the information.</p>
<p>(Note: I did the work and found this precious tool after.) <img src='http://forensicscontest.com/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> </p>
<p><a href="http://sourceforge.net/projects/networkminer/" rel="nofollow">http://sourceforge.net/projects/networkminer/</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Jeff</title>
		<link>http://forensicscontest.com/2009/11/11/contest-2-deadline-extended-to-112209/comment-page-1#comment-66</link>
		<dc:creator>Jeff</dc:creator>
		<pubDate>Tue, 24 Nov 2009 01:49:37 +0000</pubDate>
		<guid isPermaLink="false">http://forensicscontest.com/?p=131#comment-66</guid>
		<description>D&#039;oh!  Name collision!

Yours is really nice!  I debated pcap input handling, but found that pcapcat (from the first challenge) did a great job, so I decided against it.  It&#039;s interesting to see your approach, thanks for sharing!

Sec558.  Respek.  LOL.</description>
		<content:encoded><![CDATA[<p>D&#8217;oh!  Name collision!</p>
<p>Yours is really nice!  I debated pcap input handling, but found that pcapcat (from the first challenge) did a great job, so I decided against it.  It&#8217;s interesting to see your approach, thanks for sharing!</p>
<p>Sec558.  Respek.  LOL.</p>
]]></content:encoded>
	</item>
</channel>
</rss>