Puzzle #6 Winners

Ann’s Aurora was one of our hardest contests yet. To get all the answers right, you had to carve out two Windows executable files, dissect Vick Timmes’ HTTP traffic, analyze malware, build a timeline and pinpoint connection open and close times to within a tenth of a second. Thanks to everyone who submitted an entry for Puzzle #6, “Ann’s Aurora,” and a special congratulations to the relatively small number of folks who submitted correct answers.

The winner of “Ann’s Aurora” is (*drumroll*)…. Wesley McGrew, for his fantastic new forensics tool, pcapline. Pcapline automatically parses a packet capture and generates an HTML report. Through your web browser, you can view a summary of all flows and drill down into each one. Pcapline automatically carves out all the files– not just the tiny GIFs embedded inside a single packet, but Windows executable files broken up throughout the packet capture. Wesley also included MD5sums in the report output.

Best of all, it’s simple to use– you just type “pcapline.py” and the evidence file name, and pcapline does the rest. Wesley has put a copy of the pcapline report output here:


Erik Hjelmvik, our Silver medalist, released a new version of Network Miner (.92) for Contest #6. We know a lot of you already know and love Network Miner, because in previous contests about half of the entries relied on Erik’s tool! For this contest, Erik noticed that Network Miner was not properly detecting the HTML transfers at the beginning of the pcap file, because the TCP handshake was missing. He added functionality so that Network Miner more intelligently figures out which host is the server, and which is the client, when the TCP handshake is missing. Thanks, Erik, for a shiny new release of your fantastic tool.

Leendert Pieter van Drimmelen built three utilities for this contest: stream_ts.py, which automatically displays TCP connection established/closed times; analyse_syn_packets.py, which calculates how often an IP or TCP field changes (it also accepts tshark filters); and pextract.c, which extracts PE files from packet captures or incoming traffic. Pextract also accepts BPF filters and tries to find executables that are XOR obfuscated. These are three small, sharp utilities which are good to have in your toolkit.

Eric Kollmann wrote three handy tools: mzcarver.exe (PE carving utility), contest6.pl (provides info about conversations), and contest6.exe (produces info about individual packets. You can limit by TCP flag and use BPFs). Nice work, Eric!

Jeff Wichman and Ruben Recabarren both created fantastic writeups, which you can read to get two detailed (and very different) methods for solving the contest. Iulian Anton also had a thorough narrative and created a couple of Perl utilities to assist with solving the contest. Candice Quates went “down the rabbit hole of javascript and exploit analysis,” and created trimexe.c, which extracts PE files from exported streams.

Thanks to the SANS Institute and the generosity of their vendor sponsors, the winners and finalists get to choose from the following list of prizes (winner picks first):

  • Lenovo Ideapad Netbooks (2 Netbooks – 1 netbook per winner )
    Apple iPad – Sponsored by NetWitness Corporation
  • Flip Video Recorder – Sponsored by MANDIANT Inc.
  • F-Response TACTICAL (1 licensed copy) – Sponsored by F-Response
  • Forensic Toolkit 3 (1 licensed copy) – Sponsored by AccessData Corp.
  • Digital Forensics Magazine Subscriptions: Free print subscription for 12 months for the winner, and 2 digital online subscriptions for Finalists. The winner will also receive the backlist issues (i.e. 1-3). – Sponsored by Digital Forensics Magazine
  • 2011 Digital Forensics/IR Summit Passes (3 passes – 1 pass per top three winners)

Many thanks to everyone who made this contest possible, including Rob Lee, Jeremy Scott, Jeff Murri, Brian Corcoran, Ryan Corvetti, Dennis Kirby, and the wonderful SANS A/V crew.

Thanks most of all to everyone out there who participated. See you next time! 🙂


Wesley McGrew


Erik Hjelmvik
Leendert Pieter van Drimmelen
Eric Kollmann
Jeff Wichman
Ruben Recabarren
Iulian Anton
Candice Quates


Francesco Acchiappati
Mark Hillick
Richard Shawn O’Connell
Ashish, Garima, Vikrant
Jon Larimer

Correct Answers:

Andy Patrick
Brian Sommers
Candice Quates
Carlos Pérez López
David Rodriguez
Eric Kollmann
Erik Hjelmvik
Francesco Acchiappati
Hsiang-Jen Shih
Iulian Anton
Jeremy Scott
Jon Larimer
Kazunori Kojima
Leendert Pieter van Drimmelen
Mark Hillick
Masashi Fujiwara
Peter Chong
Rakesh Mukundan
Richard Shawn O’Connell
Ruben Recabarren
Seth Leone & Ryan Sommers
Takuro Uetori
Wesley McGrew
Winter Faulk
Yogesh Khatri
Zoher Anis
Share and Enjoy:
  • Digg
  • StumbleUpon
  • del.icio.us
  • Facebook
  • Twitter
  • Google Bookmarks
  • Slashdot
  • Suggest to Techmeme via Twitter
  • Technorati


  1. This was the first time i submitted my solution to the contest, even if i played the previews ones just for the purpose of having fun and learn new stuff.

    I’m really happy that my solution is appearing in the list of semifinalists.

    I’ll do my best to improve my skill and knowledge for the future contests.

    i was following the conference yesterday evening (last night GMT) and i hope there will be a way to attend contest 7 also for those who won’t be able to be live at defcon to grap a DVD with the packet capture 🙂

  2. Just curious!
    Has anyone been able to reconstruct Ann’s meterpreter commands sequence ?

  3. I don’t think that the post exploitation activity was included in the pcap file, and as far as i know the meterpreter was using an SSL connection so i don’t think it was possible to determine the commands by analyzing the pcap file

  4. I worked on this after the deadline to submit – great to see all these new tools emerge from a contest like this. I managed correct answers on everything except for the questions that involved carving and hashing, so it’s back to the drawing board to come up with the right solutions – thanks for these challenges, they’re really fun to work on!

Leave a Reply

Your email address will not be published.