Network Forensics Puzzle Contest submition
Alan Tu
August 15, 2009

Executive Summary

On 13 August, at 05:58, Ann Dercover transmitted the secret recipe to an unauthorized user with AOL screen name Sec558user1.

Details

Evidence was extracted from authorized network monitoring of Ann's computer, IP address 192.168.1.158. At 05:57 on 13 August, Ann engaged in an illicit conversation with another user with AOL screen name Sec558user1. The transcript follows:

2009-08-13 05:57:37 Ann: Here's the secret recipe... I just downloaded it from the file server. Just copy to a thumb drive and you're good to go >:-)

2009-08-13 05:58:12 Sec558user1: thanks dude

2009-08-13 05:58:26 Sec558user1: can't wait to sell it on ebay

2009-08-13 05:58:33 Ann: see you in hawaii!

At 05:58:04, Ann sent the secret recipe directly to Sec558user1's computer, which was connected to Anarchy-R-Us's local network with IP address 192.168.1.159.

File name: recipe.docx
File size: 12,008 bytes
File MD5 hash: 8350582774e1d4dbe1d61d64c89e0ea1

The contents of the file are:

Recipe for Disaster:
1 serving

Ingredients
4 cups sugar
2 cups water

In a medium saucepan, bring the water to a boil. Add sugar.
Stir gently over low heat until sugar is fully dissolved.
Remove  the saucepan from heat.  Allow to cool completely. Pour into gas tank. Repeat as necessary.

Appendix: Technical Steps

Note: Wireshark/Tshark version 1.2.0 was used for this exercise.

1.  Download the PCAP from http://jhamcorp.com/contest_01/evidence.pcap.

2.  MD5 hash.
md5sum evidence.pcap
Evidence MD5 hash: d187d77e18c84f6d72f5845edca833f5 *evidence.pcap

3.  We note that starting in frame 23, the suspect's computer 192.168.1.158 is exchanging data with an AOL server. The IM traffic is likely AOL.

4.  Dump the XML while telling tshark to decode the packets as AIM traffic.
tshark -r evidence.pcap -R "tcp.port == 51128" -d tcp.port==443,aim -T pdml > aim.pdml
Evidence MD5 hash: 521ac14e6fdb7fd6698f418616ba970e *aim.pdml

5.  By inspection of the parsed XML, we note that Ann's conversation partner has the AOL screen name "Sec558user1".

6.  We write contest1.pl to extract Ann's conversation.
Contest1.pl MD5 hash: d7135be33f1074a2e0ddb62c02e37ff2

contest1.pl > transcript.txt
Evidence MD5 hash: b031f54da95457e8e7b13ad2268d0779
Results:

25 Aug 13, 2009 05:57:37.066461000 192.168.1.158:51128 > 64.12.24.50:443
Here's the secret recipe... I just downloaded it from the file server. Just copy to a thumb drive and you're good to go >:-)

167 Aug 13, 2009 05:58:12.730162000 64.12.24.50:443 > 192.168.1.158:51128
<HTML><BODY><FONT FACE=\"Arial\" SIZE=2 COLOR=#000000>thanks dude</FONT></BODY></HTML>

184 Aug 13, 2009 05:58:26.641088000 64.12.24.50:443 > 192.168.1.158:51128
<HTML><BODY><FONT FACE=\"Arial\" SIZE=2 COLOR=#000000>can't wait to sell it on ebay</FONT></BODY></HTML>

212 Aug 13, 2009 05:58:33.968361000 192.168.1.158:51128 > 64.12.24.50:443
see you in hawaii!

7.  We note that starting at frame 30, IP 192.168.1.159 is talking with another AOL server on port 443. This appears to be encrypted traffic ([17 03 01] is TLS 1.0 data, according to RFC 2246.) Nothing we can do about that.

8.  We note a data transfer when 192.168.1.159 connected to the suspect's computer 192.168.1.158 on port 5190.

9.  We note the following from the PDML file

         <field name="" show="Value ID: Internal IP (0x0003)" size="2" pos="134" value="0003"/>
         <field name="" show="Length: 4" size="2" pos="136" value="0004"/>
         <field name="" show="Value: 192.168.1.158" size="4" pos="138" value="c0a8019e"/>

         <field name="" show="Value ID: External Port (0x0005)" size="2" pos="142" value="0005"/>
         <field name="" show="Length: 2" size="2" pos="144" value="0002"/>
         <field name="" show="Value: 5190" size="2" pos="146" value="1446"/>

This confirms the session to 192.168.1.158 port 5190 could be a file transfer.

10. The TCP payload of frame 112 begins with "OFT2." By a Google search, we find that "OFT2" refers to Oscar File Transfer protocol, v2. Oscar is the AIM application protocol.

11. By additional Google searching we locate a description of the OFT protocol here:
http://www.cs.cmu.edu/~jhclark/aim/On%20Sending%20Files%20via%20OSCAR.odt

12. We manually inspect packet 112, payload length of 256, which reveals the following information:
OFT2 header length 256 bytes [01 00]
no encryption or compression to be used
1 file to be transferred
File size 12008 bytes [2e e8]
Filename: recipe.docx

13. We write contest2.pl to extract the file.
Contest2.pl MD5 hash: 9e263df3210e85705881139bfd1ae5d7

contest2.pl > recipe.docx

File length: 12008 bytes
MD5 hash: 8350582774e1d4dbe1d61d64c89e0ea1

14. The first four bytes of recipe.docx is 50 4b 03 04. The components of this Microsoft Office 2007 document can be manually extracted as a ZIP file. The raw document contents can be found in word/document.xml.

15. The contents of the recipe:
Recipe for Disaster:
1 serving

Ingredients
4 cups sugar
2 cups water

In a medium saucepan, bring the water to a boil. Add sugar.
Stir gently over low heat until sugar is fully dissolved.
Remove  the saucepan from heat.  Allow to cool completely. Pour into gas tank. Repeat as necessary.
#! perl -w
# Network Forensics Puzzle Contest
# Alan Tu <alantu@as2.info>
# August 15, 2009

use strict;

my $TSHARK = 'c:\progra~1\wireshark\tshark.exe'; # define tshark executable
die "tshark not found\n" unless -f $TSHARK;

# decode AIM session and output desired fields
my @results = `$TSHARK -r evidence.pcap -R \"tcp.port == 51128\" -d tcp.port==443,aim -T fields -e frame.number -e frame.time -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e aim.messageblock.message`;

# for each packet
for my $packet (@results)
{
   chomp $packet;
   my @fields = split("\t", $packet);
   next unless $fields[6]; # message must not be null
   printf("%d %s %s:%s > %s:%s\n%s\n\n", @fields);
}
#! perl -w
# Network Forensics Puzzle Contest
# Alan Tu <alantu@as2.info>
# August 15, 2009

use strict;
use Digest::MD5;

my $TSHARK = 'c:\progra~1\wireshark\tshark.exe'; # define tshark executable
die "tshark not found\n" unless -f $TSHARK;

# decode session with file transfer payload
my @results = `$TSHARK -r evidence.pcap -R "tcp.len > 0 and tcp.srcport == 5190" -T fields -e tcp.seq -e tcp.len -e data.data`;

# we need to track TCP sequence numbers
# This is error _detection_, not real TCP reassembly.
my($base_seq, undef, undef) = split("\t", $results[0]);
my $expected_seq = $base_seq;
my $file = "";

# for each packet
for my $packet (@results)
{
   chomp $packet;
   my($seq, $tcp_len, $data) = split("\t", $packet);
   die "Out of order packet. Manual intervention required!\n" if $seq != $expected_seq;

   $data =~ s/://g; # remove the colons separating the bytes
   $file .= pack("H*", $data); # build the file
   $expected_seq += $tcp_len;
}
$file = substr($file, 256); # strip the Oscar File Transfer protocol header

printf(STDERR "File length: %d bytes\n", length($file));
printf(STDERR "MD5 hash: %s\n", Digest::MD5::md5_hex($file));
binmode(STDOUT);
print $file;