1. What is the name of Ann's IM buddy?
2. What was the first comment in the captured IM conversation?
3. What is the name of the file Ann transferred?
4. What is the magic number of the file you want to extract (first four bytes)?
5. What was the MD5sum of the file?
6. What is the secret recipe?

----------------------------

First, we filter by the suspect IP to make the pcap file manageable, like so:

# tshark -R 'ip.addr eq 192.168.1.158' -r evidence.pcap -w newev.pcap

---

Now we run the utility 'strings' on the new pcap file we got from above, newev.pcap, like so:

# strings newev.pcap | less

Sec558user1 <--- Answer 1

----

# strings newev.pcap | head -n 5

Here's the secret recipe... I just downloaded it from the file server. Just copy to a thumb drive and you're good to go >:-) <--- Answer 2

---

The OSCAR File Transfer protocol is being used here; we can tell by the sigs (OFT2 and Cool FileXfer) and by the fact that the chat conversation is being proxied by an AOL IP. So we look for the file name right after the magic words 'OFT2' and 'Cool FileXfer' (see the AOL OFT2 references at the bottom of this page):

# strings newev.pcap | grep -A 2 'OFT2'
OFT2
Cool FileXfer
recipe.docx <--- Answer 3

---

The magic number for any DOCX is \x50\x4b\x03\x04. This can be inferred by checking a few DOCXs or by simply googling it:

\x50\x4b\x03\x04 <--- Answer 4

---

Carve the file like so:

1) Zero in on the OFT2 conversations only, by 'ngrep'ing for the sig 'Cool FileXfer', the sig 'OFT2' and src port 5190 (the AOL OFT2 port); then get the src IP, dest IP and port from the output, like so:

# ngrep -I newev.pcap 'OFT2.*Cool FileXfer' src port 5190 | grep 'T '
T 192.168.1.158:5190 -> 192.168.1.159:1272 [AP]

2) Knowing the info from above, next we zero in on only the OFT2 conversation, like so:

# tshark -R '(ip.addr eq 192.168.1.159 and ip.addr eq 192.168.1.158) and (tcp.port eq 1272 and tcp.port eq 5190)' -r newev.pcap -w OFT2CONV.pcap

3) Use tcpflow to grab the payload data for the sender --> receiver part of the conversation only, like so:

# tcpflow -r OFT2CONV.pcap 'src port 5190'

This will generate a binary file with a long file name that starts with the sender IP; copy that into payload1 for ease of use, like so:

# cp 192.168.001.158.05190-192.168.001.159.01272 payload1

4) Convert payload1 into hex so you can edit it, like so:

# xxd -ps payload1 > hex1

5) Edit hex1 with vi and remove everything from the start of the file until the first DOCX magic '504b0304', then save/write. Remember your vi fu: 'dd' deletes a line and 'x' deletes a single character; you'll need both as you see fit.

6) Convert hex1, after you edit it, back into binary, like so:

# xxd -r -ps hex1 > recipe.docx

7) Get the MD5 hash, like so:

# md5sum recipe.docx
8350582774e1d4dbe1d61d64c89e0ea1 recipe.docx <--- Answer 5

8) Use MS Word or OpenOffice to open the carved-out file 'recipe.docx' and read the secret recipe:

Recipe for Disaster: 1 serving
Ingredients:
4 cups sugar
2 cups water
In a medium saucepan, bring the water to a boil. Add sugar. Stir gently over low heat until sugar is fully dissolved. Remove the saucepan from heat. Allow to cool completely. Pour into gas tank. Repeat as necessary. <--- Answer 6

---

**** We can automate this process through the attached Perl script, with any pcap file as its input, to extract Oscar File Transfer 2 (OFT2) conversations and then carve the transferred files out of them. This will scale to large pcap files with many packets and many OFT2 conversations. The script goes through the following steps:

1. Identify all conversations with 'OFT2' and 'Cool FileXfer' in the payload.
2. Filter those conversations into separate pcap files.
3. Loop through those conversations to get the file name being transferred and its extension, along with the Sender and Receiver IPs; this info is provided in the output of the script as well.
4. Carve out the files being transferred. <--- I wrote the PoC for the docx extension only for this challenge, but this can be extended to other file types: the script could check the extension of the file name and run the carving process based on the magic for that type of file, or it could incorporate foremost to get this done. But for this contest I did DOCX only as a PoC and did not use foremost.
5. Output Sender, Receiver, and the Filename being transferred for ALL OFT2 conversations included in the pcap file; this will scale to large pcap files. Copies of the carved files are also saved under the xferfiles directory.
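As an added example (my code, not the writeup's attached lol.perl, which is not reproduced here), the following Python does what steps 4-7 above do by hand and what the script description automates: it locates each 'OFT2' tag and 'Cool FileXfer' idstring, reads the NUL-terminated file name that follows, picks the magic number for that extension, cuts from the magic to the next header or the end of the stream, verifies a DOCX/ZIP carve by actually parsing the archive, and reports the MD5 plus the sender and receiver taken from the tcpflow file name. It assumes the input is the sender-side stream exactly as tcpflow -r OFT2CONV.pcap 'src port 5190' writes it. The sample stream, the header stand-in (only its two signatures and the file name are meaningful; it is not the real OFT2 header layout), the 512-byte tag-to-idstring bound and the extension-to-magic entries beyond DOCX are my constructions, generalising the writeup's DOCX-only PoC.

```python
"""Carve OFT2 file transfers out of a reassembled sender->receiver stream."""
import hashlib, io, re, sys, zipfile
from collections import namedtuple
from pathlib import Path

OFT2_SIG = b"OFT2"            # tag at the start of an OFT2 header
IDSTRING = b"Cool FileXfer"   # idstring inside the header; the file name follows it

# Magic by extension; the writeup's PoC does DOCX (a ZIP container) only, the rest generalise it.
MAGIC_BY_EXT = {"docx": b"PK\x03\x04", "xlsx": b"PK\x03\x04", "zip": b"PK\x03\x04",
                "pdf": b"%PDF", "png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff"}

# tcpflow names the sender-side file 192.168.001.158.05190-192.168.001.159.01272
FLOW_RE = re.compile(r"^(\d{3}(?:\.\d{3}){3})\.(\d{5})-(\d{3}(?:\.\d{3}){3})\.(\d{5})$")

Carved = namedtuple("Carved", "name data md5 ok note")


def parse_flow_name(name):
    """(sender_ip, sender_port, receiver_ip, receiver_port), zero padding dropped."""
    m = FLOW_RE.match(name)
    if not m:
        raise ValueError(f"not a tcpflow flow name: {name}")
    unpad = lambda ip: ".".join(str(int(o)) for o in ip.split("."))
    return unpad(m[1]), int(m[2]), unpad(m[3]), int(m[4])


def md5hex(data):
    return hashlib.md5(data).hexdigest()


def find_headers(stream):
    # Header = 'OFT2' tag within 512 bytes (my own bound) before 'Cool FileXfer'; yields (tag_off, idstring_end).
    heads = []
    for m in re.finditer(re.escape(IDSTRING), stream):
        sig = stream.rfind(OFT2_SIG, max(0, m.start() - 512), m.start())
        if sig >= 0:
            heads.append((sig, m.end()))
    return heads


def carve_stream(stream):
    """Carve every transfer the stream announces, one per OFT2 header."""
    heads, results = find_headers(stream), []
    for i, (_, after_id) in enumerate(heads):
        end = heads[i + 1][0] if i + 1 < len(heads) else len(stream)
        # File name = next printable run of 4+ bytes after the idstring (what `strings | grep -A 2 OFT2` shows).
        m = re.search(rb"[\x20-\x7e]{4,}", stream[after_id:end])
        if not m:
            continue
        name = m.group().decode("ascii")
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        magic = MAGIC_BY_EXT.get(ext)
        off = stream.find(magic, after_id + m.end(), end) if magic else -1
        if off < 0:
            results.append(Carved(name, b"", "", False,
                                  "unknown type" if magic is None else "magic not found"))
            continue
        data = stream[off:end]              # up to the next header or end of stream
        ok, note = True, "carved"
        if magic == MAGIC_BY_EXT["zip"]:    # DOCX is a ZIP: prove the carve parses
            try:
                bad = zipfile.ZipFile(io.BytesIO(data)).testzip()   # None when clean
            except zipfile.BadZipFile as e:
                bad = str(e)
            ok, note = bad is None, "carved, archive verified" if bad is None else f"zip check failed: {bad}"
        results.append(Carved(name, data, md5hex(data), ok, note))
    return results


def make_docx(text):
    # Constructed sample: minimal DOCX-like ZIP with a fixed timestamp (reproducible MD5).
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zi = zipfile.ZipInfo("word/document.xml", date_time=(2009, 9, 1, 0, 0, 0))
        zf.writestr(zi, f"<w:document><w:body><w:p>{text}</w:p></w:body></w:document>")
    return buf.getvalue()


def oft2_header(name):
    # Constructed stand-in for an OFT2 header: only the two signatures and the NUL-terminated name matter here.
    return OFT2_SIG + b"\x01\x00\x01\x01" + b"\x00" * 16 + IDSTRING + b"\x00" * 32 + name.encode() + b"\x00"


# Constructed sender-side stream: three transfers, the last of an unknown type.
SAMPLE_DOCX = make_docx("Recipe for Disaster: 4 cups sugar, 2 cups water. Pour into gas tank.")
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj<<>>endobj\ntrailer<<>>\n%%EOF\n"
SAMPLE_STREAM = (oft2_header("recipe.docx") + SAMPLE_DOCX + oft2_header("notes.pdf") + SAMPLE_PDF
                 + oft2_header("blob.bin") + b"\x00\x01\x02\x03")


def main(path=None, out_dir="xferfiles"):
    # Carve a tcpflow sender-side file (default: the built-in sample) into out_dir.
    stream = Path(path).read_bytes() if path else SAMPLE_STREAM
    flow = Path(path).name if path else "192.168.001.158.05190-192.168.001.159.01272"
    sender, _, receiver, _ = parse_flow_name(flow)
    Path(out_dir).mkdir(exist_ok=True)
    for r in carve_stream(stream):
        print(f"Sender:{sender} Receiver:{receiver} File:{r.name} ({r.note})")
        if r.ok:   # Path(name).name drops any directory part a hostile file name carries
            Path(out_dir, Path(r.name).name).write_bytes(r.data)
            print(f"md5sum:{r.md5} ./{out_dir}/{Path(r.name).name}")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Run it with no argument to carve the built-in sample into ./xferfiles, or pass a tcpflow output file (its name supplies the sender and receiver). Bounding each carve at the next header is what lets one stream carry several transfers, and parsing the archive after carving catches a truncated or corrupted capture that a hex edit up to the first 504b0304 would silently accept. One practical note on the pipeline feeding it: on current tshark releases the writeup's -R read filter with -w needs -2 (two-pass), or -Y in its place; the filter expressions themselves are unchanged.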
LOL.pl <-- script is attached

Usage: ./lol.perl [PcapFile]

Output for this case's pcap file will look like so:

toybox# ./lol.perl evidence.pcap
OFT2 Conversation number 1
Sender:192.168.1.158 Receiver:192.168.1.159 File:recipe.docx
md5sum:8350582774e1d4dbe1d61d64c89e0ea1 ./xferfiles/recipe.docx
Carved files are stored under the xferfiles directory
toybox#

---

References:
http://coding.feedfury.com/content/174070-packet-captures-for-proxied-file-transfers.html
http://www.oilcan.org/oscar/
http://74.125.47.132/search?q=cache:8P8w-6e9f_IJ:www.cs.cmu.edu/~jhclark/aim/On%2520Sending%2520Files%2520via%2520OSCAR.odt+Jonathan+Clark+Oscar+file&cd=3&hl=en&ct=clnk&gl=us