Just wanted to put out a little hint for Puzzle #6: Ann’s Aurora. Over half the entries so far have had questions #6b and #9 wrong (with everything else right)! Carving files can be tricky, and here are some tips.
- The answers to #6b and #9 are the SAME. Yes! If you get two different answers, go back and double check your work. They should match up.
- You can’t just run a file carving tool like foremost on the entire pcap and expect to carve out the file correctly. This is because foremost will identify the file type by its magic number, but it doesn’t remove the packet headers and reassemble the data. If you use foremost on the whole packet capture to carve out the files, the files you carve out will actually contain bits and pieces of TCP protocol data, etc. (Those of you who came up with MD5sums of “00bf222f746c43589307839e16f91520” and “d0af8e4f2c22f2d01b3da890a3e57ce4”– these are WRONG! Try again.)
- To manually carve out the files, you will need to reassemble the TCP stream in the correct order, separate out ONE side of the conversation, extract the raw packet data, and then carve the PE file out of that. It’s not as hard as it sounds– you can do this with Wireshark pretty easily.
All right, I’ve probably said too much 🙂 Hope that helps you track down Ann’s sneaky activities. Have fun!