Comments for Network Forensics Puzzle Contest http://forensicscontest.com Sat, 22 Oct 2011 00:14:20 +0000 hourly 1 http://wordpress.org/?v=3.3.1 Comment on Puzzle #5: Ms. Moneymany’s Mysterious Malware by Ingeniowerks Security » Ms. Moneymany’s Mysterious Malware http://forensicscontest.com/2010/04/01/ms-moneymanys-mysterious-malware/comment-page-1#comment-2223 Ingeniowerks Security » Ms. Moneymany’s Mysterious Malware Sat, 22 Oct 2011 00:14:20 +0000 http://forensicscontest.com/?p=524#comment-2223 [...] Analysis Challenge to Strengthen Your Skills. The challenge is actually a modified version of the Ms. Moneymany’s Mysterious Malware puzzle with additional malware analysis questions. So, here we [...] [...] Analysis Challenge to Strengthen Your Skills. The challenge is actually a modified version of the Ms. Moneymany’s Mysterious Malware puzzle with additional malware analysis questions. So, here we [...]

]]> Comment on Puzzle #8 by Puzzle #8 Winners » Network Forensics Puzzle Contest http://forensicscontest.com/2011/04/27/puzzle-8/comment-page-1#comment-2124 Puzzle #8 Winners » Network Forensics Puzzle Contest Wed, 07 Sep 2011 20:28:39 +0000 http://forensicscontest.com/?p=734#comment-2124 [...] of protocols and meticulous attention to detail. Thank you to everyone who submitted an entry for Puzzle #8, and a special congratulations to the relatively small number of folks who submitted correct [...] [...] of protocols and meticulous attention to detail. Thank you to everyone who submitted an entry for Puzzle #8, and a special congratulations to the relatively small number of folks who submitted correct [...]

]]> Comment on Puzzle #8 Answers by Thanassis http://forensicscontest.com/2011/08/02/contest-8-answers/comment-page-1#comment-2117 Thanassis Sat, 03 Sep 2011 19:24:12 +0000 http://forensicscontest.com/?p=880#comment-2117 Have you announced the winners of this puzzle? Have you announced the winners of this puzzle?

]]> Comment on Puzzle #8 Answers by NeonFlash http://forensicscontest.com/2011/08/02/contest-8-answers/comment-page-1#comment-2114 NeonFlash Fri, 02 Sep 2011 11:54:33 +0000 http://forensicscontest.com/?p=880#comment-2114 For question 4: Am I using the correct display filter? wlan.wep.iv && wlan.fc.retry == 0 && wlan.bssid == 00:23:69:61:00:d0 It shows me the output as: 57009 frames Below is the reason for using each of those display filters: wlan.wep.iv -> displays the frames with IVs wlan.fc.retry == 0 -> don't display retransmitted frames. IV value is the same for retransmitted frames or when the R flag is set wlan.bssid == 00:23:69:61:00:d0 -> Joe's WAP BSSID Regards, NeonFlash For question 4:

Am I using the correct display filter?

wlan.wep.iv && wlan.fc.retry == 0 && wlan.bssid == 00:23:69:61:00:d0

It shows me the output as: 57009 frames

Below is the reason for using each of those display filters:

wlan.wep.iv -> displays the frames with IVs
wlan.fc.retry == 0 -> don’t display retransmitted frames. IV value is the same for retransmitted frames or when the R flag is set
wlan.bssid == 00:23:69:61:00:d0 -> Joe’s WAP BSSID

Regards,
NeonFlash

]]> Comment on Puzzle #8 Answers by ste7an http://forensicscontest.com/2011/08/02/contest-8-answers/comment-page-1#comment-2113 ste7an Thu, 01 Sep 2011 12:39:41 +0000 http://forensicscontest.com/?p=880#comment-2113 When will the winners of contest 8 be announced? When will the winners of contest 8 be announced?

]]> Comment on Puzzle #9 Answers by NeonFlash http://forensicscontest.com/2011/08/16/puzzle-9-answers/comment-page-1#comment-2112 NeonFlash Thu, 01 Sep 2011 09:26:37 +0000 http://forensicscontest.com/?p=936#comment-2112 Thanks sherri! :) That was a crystal clear explanation. I got the answer: GET /schedule.html HTTP/1.1 HTTP/1.1 200 OK ..... Content-Encoding: gzip Content-Type: text/html; charset=utf-8 Global AppSec Latin America 2011 Conference October 6-7, 2011 Regards, NeonFlash Thanks sherri! :)

That was a crystal clear explanation.

I got the answer:

GET /schedule.html HTTP/1.1

HTTP/1.1 200 OK
…..
Content-Encoding: gzip
Content-Type: text/html; charset=utf-8

Global AppSec Latin America 2011 Conference
October 6-7, 2011

Regards,
NeonFlash

]]> Comment on Puzzle #9 Answers by sherri http://forensicscontest.com/2011/08/16/puzzle-9-answers/comment-page-1#comment-2111 sherri Thu, 01 Sep 2011 06:30:30 +0000 http://forensicscontest.com/?p=936#comment-2111 @NeonFlash: The HTML embedded in the packet capture from the site lists the dates Oct 6-7, 2011. The site has changed since the time of capture; but everything you need is in the capture itself. Note that the page is COMPRESSED in the pcap (I believe as a gzip file; Scott, please correct me if I am wrong). That means you can't find it through a string search or simple by looking for HTML-formatted text. You must actually carve out the compressed HTML and decompress it in order to view the content at the time of capture. @NeonFlash: The HTML embedded in the packet capture from the site lists the dates Oct 6-7, 2011. The site has changed since the time of capture; but everything you need is in the capture itself. Note that the page is COMPRESSED in the pcap (I believe as a gzip file; Scott, please correct me if I am wrong). That means you can’t find it through a string search or simple by looking for HTML-formatted text. You must actually carve out the compressed HTML and decompress it in order to view the content at the time of capture.

]]> Comment on Puzzle #9 Answers by NeonFlash http://forensicscontest.com/2011/08/16/puzzle-9-answers/comment-page-1#comment-2110 NeonFlash Thu, 01 Sep 2011 06:14:28 +0000 http://forensicscontest.com/?p=936#comment-2110 @scott: Thanks for the pointers. I checked the "Speaking Schedules" section on his site. October 25, 2011, at the "Hackers Halted" conference in Miami, Florida. That's the closest date to what is mentioned in the answer given above: Oct 6-7, 2011. @scott: Thanks for the pointers.

I checked the “Speaking Schedules” section on his site. October 25, 2011, at the “Hackers Halted” conference in Miami, Florida. That’s the closest date to what is mentioned in the answer given above: Oct 6-7, 2011.

]]> Comment on Puzzle #9 Answers by scott http://forensicscontest.com/2011/08/16/puzzle-9-answers/comment-page-1#comment-2108 scott Wed, 31 Aug 2011 15:47:06 +0000 http://forensicscontest.com/?p=936#comment-2108 @jay to move on to round 6 from round 5, you need to open the round 6 Truecrypt container with the password provided in the answers post. Once inside you will see another Truecrypt container. Opening that container is the last challenge in the contest. To open it you will need to use the cipher provided separately to find the password. Best, Scott @jay to move on to round 6 from round 5, you need to open the round 6 Truecrypt container with the password provided in the answers post. Once inside you will see another Truecrypt container. Opening that container is the last challenge in the contest. To open it you will need to use the cipher provided separately to find the password.

Best,
Scott

]]> Comment on Puzzle #9 Answers by scott http://forensicscontest.com/2011/08/16/puzzle-9-answers/comment-page-1#comment-2107 scott Wed, 31 Aug 2011 15:40:43 +0000 http://forensicscontest.com/?p=936#comment-2107 @NeonFlash you were very close to solving this puzzle! Look closer for sub pages from hxxp://www.schneier.com/. Bruce Schneier will be speaking at a conference later this year! Cheers, Scott @NeonFlash you were very close to solving this puzzle! Look closer for sub pages from hxxp://www.schneier.com/. Bruce Schneier will be speaking at a conference later this year!

Cheers,
Scott

]]>