We expect it will be late next week. This week we’re working hard at building and testing the SNIFT kit images for the 50 Lenovo Ideapads which will be given to students at “Network Forensics” in Orlando. As soon as that’s done we’ll finish up grading the terrific contest entries. I know folks are eager to find out who won, and we’ll have an answer for you guys as soon as we can.

In the meantime, Puzzle #4 is a fun little distraction….

>Presumably you’re looking for tools that provide more functionality than a kiddie script,
>but don’t require complete mastery of all levels of network protocols.

That’s the goal, yes. Ideally, we’re looking for tools that just about anyone can run and use to get useful information, but which also allow experts to fine-tune their options.

Wireshark is great, especially for smaller investigations, but in network forensics we often have clients hand us hundreds of gigabytes or even several terabytes of data. In order to keep up with the pace of storage, we need to automate.

The former is rather limited in function (it’s a script-kiddie tool), while the latter requires the user to know a lot about both Wireshark and HTTP protocol (it’s an expert tool).

Presumably you’re looking for tools that provide more functionality than a kiddie script, but don’t require complete mastery of all levels of network protocols.

This is the first of the forensics puzzles I’ve participated in and I had a lot of fun with it. Thanks for running these contests.

I’m really looking forward to seeing the others’ solutions for this one.

Wesley

best,
Sherri

You’re certainly right, and manual investigation is definitely a valid way to solve the contest. That’s why we publish the names of everyone who got the correct answers, regardless of how it was accomplished.

We are trying to encourage development of new and varied tools, so the subset of folks who are interested in that type of investigation compete for the prize. We do hope that the puzzle is fun for people who analyze the evidence manually as well, and we design the contests specifically so that they can be solved without automation.

best,
Sherri

Unfortunately not all of us can code and not all of us have a budget to buy commercial software to do this work for us. Before attempting this contest I had reviewed Wireshark in operation but had not actually used it. I loaded it on my own computer for the first time just for this contest.

It took less than 15 seconds for me to answer the first question using a manual process. A bit longer to answer the second. I believe I answered all of the questions correctly but it was truly a manual process. Sort of like using Google hacking to solve a problem (which is something I do quite a bit) excpet in this case my GOOGLE was Wireshark and my Internet was the packet capture.

I also use manual processes to perform other similar forensics for my job. Like configuring a filter and observing firewall traffic for a client PC to determine why a web page fails to load (nonstandard port). Or using “netstat” to observe Internet connections of a stealth virus using a rootkit to mask itself.

While I agree that having automated tools helps, not everyone can create this type of solution.