Ann’s Aurora was one of our hardest contests yet. To get all the answers right, you had to carve out two Windows executable files, dissect Vick Timmes’ HTTP traffic, analyze malware, build a timeline and pinpoint connection open and close times to within a tenth of a second. Thanks to everyone who submitted an entry for Puzzle #6, “Ann’s Aurora,” and a special congratulations to the relatively small number of folks who submitted correct answers.

The winner of “Ann’s Aurora” is (*drumroll*)…. Wesley McGrew, for his fantastic new forensics tool, pcapline.  Pcapline automatically parses a packet capture and generates an HTML report. Through your web browser, you can view a summary of all flows and drill down into each one. Pcapline automatically carves out all the files– not just the tiny GIFs embedded inside a single packet, but Windows executable files broken up throughout the packet capture. Wesley also included MD5sums in the report output.

Best of all, it’s simple to use– you just type “pcapline.py” and the evidence file name, and pcapline does the rest. Wesley has put a copy of the pcapline report output here:

http://mcgrewsecurity.com/codedump/evidence06.pcap_output/

Erik Hjelmvik, our Silver medalist, released a new version of Network Miner (.92) for Contest #6.  We know a lot of you already know and love Network Miner, because in previous contests  about half of the entries relied on Erik’s tool! For this contest, Erik noticed that Network Miner was not properly detecting the HTML transfers at the beginning of the pcap file, because the TCP handshake was missing. He added functionality so that Network Miner more intelligently figures out which host is the server, and which is the client, when the TCP handshake is missing. Thanks, Erik, for a shiny new release of your fantastic tool.

Leendert Pieter van Drimmelen built three utilities for this contest: stream_ts.py, which automatically displays TCP connection established/closed times; analyse_syn_packets.py, which calculates how often an IP or TCP field changes (it also accepts tshark filters); and pextract.c, which extracts PE files from packet captures or incoming traffic. Pextract also accepts BPF filters and tries to find executables that are XOR obfuscated. These are three small, sharp utilities which are good to have in your toolkit.

Eric Kollmann wrote three handy tools: mzcarver.exe (PE carving utility), contest6.pl (provides info about conversations), and contest6.exe (produces info about individual packets. You can limit by TCP flag and use BPFs). Nice work, Eric!

Jeff Wichman and Ruben Recabarren both created fantastic writeups, which you can read to get two detailed (and very different) methods for solving the contest.  Iulian Anton also had a thorough narrative and created a couple of Perl utilities to assist with solving the contest.  Candice Quates went “down the rabbit hole of javascript and exploit analysis,” and created  trimexe.c, which extracts PE files from exported streams.

Thanks to the SANS Institute and the generosity of their vendor sponsors, the winners and finalists get to choose from the following list of prizes (winner picks first):

• Lenovo Ideapad Netbooks (2 Netbooks – 1 netbook per winner )
  Apple iPad – Sponsored by NetWitness Corporation
• Flip Video Recorder – Sponsored by MANDIANT Inc.
• F-Response TACTICAL (1 licensed copy) – Sponsored by F-Response
• Forensic Toolkit 3 (1 licensed copy) – Sponsored by AccessData Corp.
• Digital Forensics Magazine Subscriptions: Free print subscription for 12 months for the winner, and 2 digital online subscriptions for Finalists. The winner will also receive the backlist issues (i.e. 1-3). – Sponsored by Digital Forensics Magazine
• 2011 Digital Forensics/IR Summit Passes (3 passes – 1 pass per top three winners)

Many thanks to everyone who made this contest possible, including Rob Lee, Jeremy Scott, Jeff Murri, Brian Corcoran, Ryan Corvetti, Dennis Kirby, and the wonderful SANS A/V crew.

Thanks most of all to everyone out there who participated. See you next time!