Contest #6 HINT!

Hi everyone,

Just wanted to put out a little hint for Puzzle #6: Ann’s Aurora. Over half the entries so far have had questions #6b and #9 wrong (with everything else right)! Carving a file out of a packet capture can be tricky, so here are some tips.

  • The answers to #6b and #9 are the SAME. Yes! If you get two different answers, go back and double check your work. They should match up.
  • You can’t just run a file carving tool like foremost on the entire pcap and expect to carve out the file correctly. Foremost treats the capture as one flat byte stream: it finds the file type by its magic number, but it has no idea where one packet’s payload ends and the next packet begins, so it doesn’t strip the pcap record headers or the Ethernet/IP/TCP headers, and it doesn’t reassemble segments that arrived out of order or were retransmitted. If you use foremost on the whole packet capture to carve out the files, the files you carve out will actually contain bits and pieces of TCP protocol data, etc., and their hashes will be wrong. (Those of you who came up with MD5sums of “00bf222f746c43589307839e16f91520” and “d0af8e4f2c22f2d01b3da890a3e57ce4”– these are WRONG! Try again.)
  • To manually carve out the files, you will need to reassemble the TCP stream in the correct order, separate out ONE side of the conversation (the side that sent the file), extract the raw packet data, and then carve the PE file out of that. It’s not as hard as it sounds– you can do this with Wireshark pretty easily: Follow TCP Stream, pick the single direction from the drop-down, show the data as Raw, and save it to a file. Then find the PE’s “MZ” header in that file and cut from there to the end of the executable. A quick sanity check: both copies of the file must hash identically once they are carved correctly.
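The steps above, as an added, self-contained example (this is not the contest’s solution code or a capture from the puzzle): it reads a classic little-endian pcap, picks out only the server-to-client direction of one TCP connection, orders the segments by sequence number while dropping a retransmitted duplicate, then carves the PE out of the reassembled payload by walking its section table to find where the executable ends. The pcap, the IP addresses, the ports and the 208-byte “PE” blob are all constructed in memory for the demonstration; the blob has a valid DOS/COFF/section-header layout but is not an executable.

```python
"""Reassemble one side of a TCP stream from a pcap and carve the PE file out of
the raw payload, using only the standard library so every step is visible.
Everything below (addresses, ports, the PE blob, the capture) is constructed
for this example; it is not the contest capture."""
import hashlib
import struct

# --- a constructed PE blob: valid header layout, deliberately not runnable ---
_DOS = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew at 0x3c
# COFF: Machine, NumberOfSections=1, TimeDateStamp, PtrSymTab, NumSyms,
# SizeOfOptionalHeader=8 (shortened for the example; real files use 224/240), flags
_COFF = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 8, 0x102)
_OPT = b"\0" * 8
# Section header: Name, VirtualSize, VirtualAddress, SizeOfRawData=0x40,
# PointerToRawData=0x90, relocs/lines pointers and counts, Characteristics
_SECT = struct.pack("<8sIIIIIIHHI", b".text", 0x40, 0x1000, 0x40, 0x90, 0, 0, 0, 0, 0x60000020)
_HEADERS = _DOS + b"PE\0\0" + _COFF + _OPT + _SECT              # 0x88 bytes
PE_BLOB = _HEADERS.ljust(0x90, b"\0") + bytes(range(0x40))      # 208 bytes total

SERVER, CLIENT = b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02"       # 10.0.0.1 / 10.0.0.2 (assumed)

def _frame(src, sport, dst, dport, seq, payload):
    """One pcap record: Ethernet + IPv4 + TCP (PSH/ACK) + payload; checksums left 0."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0, 64, 6, 0, src, dst)
    pkt = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip + tcp + payload
    return struct.pack("<IIII", 0, 0, len(pkt), len(pkt)) + pkt

def build_pcap():
    """Server->client HTTP response carrying PE_BLOB in 60-byte segments that
    arrive out of order and include one retransmission, plus the client's
    request in the other direction (constructed capture)."""
    response = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
                + PE_BLOB + b"--trailing bytes that are not part of the file--")
    isn = 1000
    segs = [(isn + i, response[i:i + 60]) for i in range(0, len(response), 60)]
    order = [segs[1], segs[0], segs[2], segs[1]] + segs[3:]      # reordered + duplicate
    records = [_frame(CLIENT, 40000, SERVER, 80, 500, b"GET /update.exe HTTP/1.1\r\n\r\n")]
    records += [_frame(SERVER, 80, CLIENT, 40000, seq, data) for seq, data in order]
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(records)

def tcp_segments(pcap):
    """Yield (src, sport, dst, dport, seq, payload) for every TCP segment.
    Assumes classic little-endian pcap, Ethernet/IPv4, no VLAN tags."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("only the classic pcap magic is handled here")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16: off + 16 + incl]
        off += 16 + incl
        if frame[12:14] != b"\x08\x00" or frame[14 + 9] != 6:     # not IPv4/TCP
            continue
        ihl = (frame[14] & 0x0F) * 4
        ip_len = struct.unpack_from("!H", frame, 16)[0]            # drops Ethernet padding
        t = 14 + ihl
        sport, dport, seq = struct.unpack_from("!HHI", frame, t)
        doff = (frame[t + 12] >> 4) * 4
        yield frame[26:30], sport, frame[30:34], dport, seq, frame[t + doff: 14 + ip_len]

def reassemble(pcap, src, sport, dst, dport):
    """ONE direction only, ordered by sequence number, duplicates/overlaps dropped
    (what Wireshark's Follow TCP Stream does for you). Assumes the sequence
    space does not wrap inside the capture."""
    chunks = sorted((seq, p) for s, sp, d, dp, seq, p in tcp_segments(pcap)
                    if (s, sp, d, dp) == (src, sport, dst, dport) and p)
    base, buf = chunks[0][0], bytearray()
    for seq, payload in chunks:
        rel = seq - base
        if rel > len(buf):
            raise ValueError("gap in stream at offset %d" % len(buf))
        buf += payload[len(buf) - rel:]                            # skip bytes already seen
    return bytes(buf)

def carve_pe(data):
    """Return the first PE image in data, sized from its section table
    (max PointerToRawData + SizeOfRawData); any overlay after that is not kept."""
    i = data.find(b"MZ")
    while i != -1:
        try:
            pe = i + struct.unpack_from("<I", data, i + 0x3C)[0]
            if data[pe:pe + 4] == b"PE\0\0":
                nsec = struct.unpack_from("<H", data, pe + 6)[0]
                opt_size = struct.unpack_from("<H", data, pe + 20)[0]
                sect, end = pe + 24 + opt_size, 0
                for k in range(nsec):
                    raw_size, raw_ptr = struct.unpack_from("<II", data, sect + k * 40 + 16)
                    end = max(end, raw_ptr + raw_size)
                if end:
                    return data[i:i + end]
        except struct.error:
            pass
        i = data.find(b"MZ", i + 1)
    return None

def carve_from_pcap(pcap):
    """Reassemble the server's side of the connection and carve the PE; return (bytes, md5)."""
    pe = carve_pe(reassemble(pcap, SERVER, 80, CLIENT, 40000))
    return pe, hashlib.md5(pe).hexdigest()

if __name__ == "__main__":
    pe, digest = carve_from_pcap(build_pcap())
    print(len(pe), digest)
```

Running carve_pe directly over the whole pcap, the way a flat carver would, fails here: the “MZ” signature is split across two segments, and even where a magic number does survive intact, the bytes that follow it are interleaved with packet headers, which is exactly why the hashes of naively carved files come out wrong.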

All right, I’ve probably said too much 🙂 Hope that helps you track down Ann’s sneaky activities. Have fun!

9 Comments

  1. Hi,

    I’m one of those who ran foremost directly against the capture file and got 2 wrong files with exactly the md5sums you mention. 🙁

    I’d like to correct my solution, as I (think I) have successfully extracted the correct files. And yes, they have the same md5sum, so after what you said, I guess now I’m right.

    Do I have to submit my solution again? Or is there any way to change it?

    I think I will have to submit it again …

    Thanks for the hint.

  2. sherri

    June 27, 2010 at 10:32 pm

    Hi there,

    Yes, please resubmit. We will look at the latest version of your submission.

    best,
    Sherri

  3. My writeup on contest #6, can’t guarantee it is 100% correct, but, if you’re bored, have at it.

  4. Thanks for posting your writeup Eric and linking it here. It’s nice to be able to compare answers before the official ones are published. I’d like to say your answers are 100% correct. But I can’t say for certain =)

  5. Francesco Acchiappati

    June 30, 2010 at 5:40 am

    Are submissions closed?
    The rules say it’s not allowed to share/publish the solution before the deadline.

    Are we now allowed to share, or do we have to wait for an official announcement?

  6. Deadline is 6/27/10 (11:59:59PM UTC-11) (In other words, if it’s still 6/27/10 anywhere in the world, you can submit your entry.)

    Up to you if you think you can post your answers.

  7. sherri

    July 7, 2010 at 7:52 pm

    Yep, feel free to share! The contest is closed, and we will be announcing winners tomorrow.

  8. If anyone is interested in listening to it live:

    July 8th 6:30 EST
    https://www.sans.org/webcasts/forensic-challenge-winners-presentation-93648

  9. sherri

    July 8, 2010 at 10:28 am

    Hi guys, we’ll also be publishing the winners and the winning solutions here at forensiccontest.com tonight. Cheers!

    Sherri
