Puzzle #3 Winners

At last, the long-awaited Puzzle #3 winners! Thank you all for your terrific submissions, and your patience as we tested each one carefully. Congratulations to everyone who sent in the correct answers.

As always, we were tremendously impressed by the quality of the entries. We received a wide variety of creative, original submissions, including file carving tools, network-layer tools, HTTP, XML and Plist analysis tools, graphical tools, command-line tools, and more. It was very hard to narrow down a winner, and there were several production-quality tools which will now be covered in future SANS “Network Forensics” curriculum. Please check out all the Finalist submissions!

The winner is… Matt Sabourin, for his elegant tool, “findappletv.py“. Matt’s tool is simple to use. It parses a pcap and creates a report for each potential AppleTV client, containing “Search Terms Sent by Client,” “Movie Items Viewed by Client,” “Overview of Recognized Requests,” and more. It also creates an overview report for all clients. Each of these reports can easily be included in the appendix of a professional forensics report. We could definitely envision using this in a real forensics case to quickly summarize AppleTV usage information. Congratulations, Matt! Your AppleTV is on it’s way.

We’d also like to call attention to several other submissions (in no particular order):

Amar Yousif created two excellent tools: applejuice and gzippedNOT. Amar’s “gzippedNOT” parses gzipped content out of HTTP responses. This tool will be AWESOME for squid proxy analysis as well. 🙂 “Applejuice” dumps out the list of search queries for each AppleTV IP address. “Applejuice” also wins the Best Name Award!

Richard Springs built two great tools: transmute.rb and scarabsieve.rb. Scarabsieve parses through any Webscarab-logged traffic, carves it all out, dumps it into a directory, and prints MD5 and SHA1 hashes for each carved file. This script alone is very useful for any WebScarab user. Richard also wrote “transmute.rb” to convert any pcap into the WebScarab log format so that scarabsieve can parse it. Wow! Nice work.

Sébastien Damaye built a tool called “pyHttpXtract.py” to extract all the files in the packet capture and list out the search requests. This tool even goes a step above and automatically creates a graphical web interface which you can scroll through to view all the files. He also submitted a companion tool, webObjects.py, which pulls AppleTV searches out of the packet capture and prints them out. Sébastien included a *fantastic* writeup which everybody should read. We were really impressed.

Franck Guénichot lived up to his reputation as network forensics hacker extraordinare with his excellent tool, “httpdumper.” This tool displays HTTP conversations, filters and dumps the contents (automatically decompressing gzipped content). Franck also submitted two handy tools, macfinder.rb, and plist.rb. Franck’s writeup is very thorough– definitely check it out for a great walk-through of the solutions.

Tom Samstag wrote a really cool tool, httpAnalyzer, which creates a graphical web interface that lets you browse through HTTP traffic. It includes MD5 and SHA1 hashes of each file contained in the packet capture. The interface is very user-friendly! Tom’s httpAnalyzer is easily extensible, and we hope we’ll see it again in future contests.(Note: When you load the page, httpAnalyzer makes a request to jQuery.com, apparently in order to get up-to-date jQuery Javascript library. If you are using it for forensics work, you’ll want to block outbound traffic.) Tom also wrote a very handy tool called “trafficAnalyzer.sh,” which analyzes a pcap and reports basic info such as a packet count, MAC addresses and IP addresses.

Lou Arminio built a Plist parser to analyze Apple plist files, as well as an HTTP analyzer called “httpparse”. On top of that, he created a great tool called pcaputil which analyzes TCP flows and carves files out of selected TCP flows and creates MD5sums. These are three handy little tools. Nice work!

Michael_Nijs built upon an open-source pcap analysis tool, read_pcap.py, adding the option to parse GET and POST requests and display the values of any parameter in the URL. We appreciated that he leveraged existing code and built a useful extension.

Alan Tu wrote a script, http_analysis.pl, which leverages tshark’s powerful HTTP dissection capability, outputs handy information to a file, and can also produce filtered pcaps. Alan also wrote an HTTP response extractor, http_rx.pl, and polished his TCP stream analysis tool, stream.pl. Check them out!

Wesley McGrew wrote an excellent tool, “atvsnarf.py,” which carves out plist files and creates a CSV file with useful information about AppleTV traffic from a pcap. The tool is very easy to use, and a great foundation for detailed forensic analysis. His writeup is outstanding, too– read about how he identified six request types from the pcap file, and incorporated these into atvsnarf.py’s output.

These tools are great! Thank you all for making your work available to the community. We hope you’ll continue to maintain and extend your code.

Many thanks to everyone who participated. We hope to see you guys in future contests.


Matt Sabourin
(Wins Ann’s Apple TV!)


Alan Tu
Amar Yousif
Franck Guénichot
Lou Arminio
Michael Nijs
Richard Springs
Sébastien Damaye
Tom Samstag
Wesley McGrew


Alan Reed
Davis Stovall
Eric Kollmann
Erik Barker
Felix AIME
Jeremy Impson
Joe Creasey
Juha Lampinen
Stefan Pettersson

Correct Answers:

Ahmed Adel Mohamed
Alan Reed
Alan Tu
Amar Yousif
Andrew Brandt
Andrew Scharlott
Chen Jung Weng
Chris Steenkamp
Daniel Dickerman
Eric Kollmann
Erik Barker
Félix AIME
Franck Guénichot
Halil Ozgur BAKTIR
James O. Holley
Jeremy D. Impson
Joe Creasey
Jon Cook
Juha Lampinen
Karthikeyan C Kasiviswanathan
Lou Arminio
Marc Quibell
Masashi Fujiwara
Matt Sabourin
Michael Nijs
Mohammad Zeyad Kebreteh
Nicholas Albright
Peter Chong
Richard Springs
Russ Klanke
Sebastien DAMAYE
Sébastien Duquette
Tareq Saade
Tim Naami
Tom Samstag
Wesley McGrew
Winter Faulk

Share and Enjoy:
  • Digg
  • StumbleUpon
  • del.icio.us
  • Facebook
  • Twitter
  • Google Bookmarks
  • Slashdot
  • Suggest to Techmeme via Twitter
  • Technorati


  1. Hi everybody, I’m of course enjoying this news. Special thanx for you forensicscontest team for your review and the time you have token for assessing our submissions, that has been a lot of work. Congratulations to all of you winner, finalists, semi-finalists and good answers. Could it be possible to know the number of candidates (all incl., even bad answers) please. Thank you in advance.

  2. Congrats to Matt, my fellow finalists, and all that submitted correct answers!

  3. Wow, there’s some seriously awesome tools this time around!

  4. Matt Sabourin

    March 4, 2010 at 7:51 pm

    I agree with Jeff, the solutions submitted for this puzzle are awesome. I’m flattered to be selected as the winner. I also want to thank Sherri and Jonathon for all of the effort the put into running the contests; it can’t be easy.

    I look forward to competing in future contests.

  5. Congratulations Matt. Nice work and well played 🙂

    I am impressed with all the other submissions as well; it’s getting tougher to compete with such smart brains, but it’s also a lot of fun if you can find the time to do it.

    Sherri, what’s the prize for the Best Name Award? 😉

  6. Congrats to all who were recognized here! Anyone who’s willing to invest their own time to work on something so challenging has demonstrated that they are serious about the field of forensics and their desire to be a part of it. Thanks a bunch Sherri and Johnathan for running the contests! I hope you’re receiving some useful tools in return for your efforts.

  7. Congrats Matt !
    And Nice Work for the finalists.

    Thanks to Sherri and Jonathan, please continue to give us more and more challenging puzzle.

  8. If you don’t mind, could you also post how many submissions there were? I am curious just how big the pool of submissions is for a contest. Not looking for names, just numbers.

  9. Hi, could you also post puzzle #4’s answers? Thx

Leave a Reply

Your email address will not be published.