__philosecurity Network Forensics Puzzle Contest__

* Submitter: Erik Hjelmvik
* Submission date: September 5, 2009

1. What is the name of Ann's IM buddy?
   Sec558user1

2. What was the first comment in the captured IM conversation?
   Here's the secret recipe... I just downloaded it from the file server. Just copy to a thumb drive and you're good to go >:-)

3. What is the name of the file Ann transferred?
   recipe.docx

4. What is the magic number of the file you want to extract (first four bytes)?
   0x504b0304

5. What was the MD5sum of the file?
   8350582774e1d4dbe1d61d64c89e0ea1

6. What is the secret recipe?

   Recipe for Disaster: 1 serving

   Ingredients:
   4 cups sugar
   2 cups water

   In a medium saucepan, bring the water to a boil. Add sugar. Stir gently over low heat until sugar is fully dissolved. Remove the saucepan from heat. Allow to cool completely. Pour into gas tank. Repeat as necessary.

Submission details:

I simply started NetworkMiner 0.89, opened evidence.pcap and got served with both the recipe.docx file and the IM chat messages (under the "Files" and "Parameters" tabs). But before I could do so I actually needed to implement support for the OSCAR messaging protocol as well as the OSCAR file transfer protocol in NetworkMiner, which is a network forensic analysis tool developed by me.

The OSCAR file transfer (OFT) protocol was incredibly simple to implement (well, I did actually skip some stuff, like the very odd checksum calculations in the protocol, for example). I didn't find any good protocol description document for the OFT protocol, but I did find a nice open source project called shaim that had a fairly well written OFT implementation: http://www.shaim.net/trac/oscarlib/

Shaim's OscarLib was a very useful reference when I wrote the OFT parsing code in NetworkMiner.

The OSCAR protocol (used for instant messaging) was, on the other hand, a lot more complicated! Luckily I found a comprehensive documentation of the protocol at: http://dev.aol.com/aim/oscar/

Considering the size of the OSCAR protocol spec, I decided to skip a LOT of the stuff and focus on the juicy parts. The OSCAR functionality implemented in NetworkMiner 0.89 is the parsing of messages from the client sent to the server (CHANNEL_MSG_TOHOST) and messages from the server to the client (CHANNEL_MSG_TOCLIENT). I also implemented parsing of nickname data (NICK_INFO_TAGS).

There is a lot of other cool stuff in the OSCAR protocol that I might add to NetworkMiner in the future. These features include:

* Buddy icons
* Timestamp from when the user logged on
* Date when the user created his/her IM account
* Real IP address of the IM user
* Country of the IM user
* Login cookie

Anyway, feel free to download the latest version of the open source application NetworkMiner (v 0.89) from SourceForge: http://networkminer.sourceforge.net/

/erik hjelmvik
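Questions 4 and 5 hinge on recognising the transferred file by its magic number (0x504b0304, the ZIP local file header that every .docx starts with) and verifying the carved bytes by MD5. The following is an added example, not code from the submission or from NetworkMiner: it carves a complete ZIP container out of a reassembled byte blob by locating the first local file header and the end-of-central-directory record (22 fixed bytes plus the trailing comment whose length sits at offset 20), then hashes the result. The sample "transfer" is constructed in-memory; the opaque prefix stands in for whatever bytes precede the file on the wire and is not the real OFT header.

```python
import hashlib
import io
import zipfile
from typing import Optional

ZIP_LOCAL_HEADER = b"PK\x03\x04"  # 0x504b0304, the magic number from question 4
ZIP_EOCD = b"PK\x05\x06"          # end-of-central-directory signature, 0x504b0506
EOCD_FIXED_LEN = 22               # fixed part of the EOCD record; comment length at offset 20


def carve_zip(stream: bytes, start_at: int = 0) -> Optional[bytes]:
    """Return the first complete ZIP (e.g. a .docx) found in `stream`, or None.

    Start = first local-file-header signature at or after `start_at`.
    End   = EOCD record + its fixed 22 bytes + the trailing comment length.
    Returns None when a signature is missing or the capture ends too early.
    """
    start = stream.find(ZIP_LOCAL_HEADER, start_at)
    if start < 0:
        return None
    eocd = stream.find(ZIP_EOCD, start)
    if eocd < 0 or eocd + EOCD_FIXED_LEN > len(stream):
        return None  # no EOCD, or EOCD record itself is truncated
    comment_len = int.from_bytes(stream[eocd + 20:eocd + 22], "little")
    end = eocd + EOCD_FIXED_LEN + comment_len
    if end > len(stream):
        return None  # comment length claims more bytes than were captured
    return stream[start:end]


def md5_hex(data: bytes) -> str:
    """MD5 of the carved bytes, as asked for in question 5."""
    return hashlib.md5(data).hexdigest()


def build_sample_docx() -> bytes:
    """Constructed stand-in for recipe.docx: a minimal ZIP with one entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", "<w:document>constructed sample</w:document>")
    return buf.getvalue()


def build_sample_transfer(docx: bytes) -> bytes:
    """Constructed byte blob: 256 bytes of made-up prefix (NOT a real OFT header),
    then the file, then a few stray trailing bytes."""
    return b"CONSTRUCTED-PREFIX" + bytes(256 - 18) + docx + b"\x00\x00\x00"


if __name__ == "__main__":
    original = build_sample_docx()
    carved = carve_zip(build_sample_transfer(original))
    print(carved[:4].hex(), md5_hex(carved), carved == original)
```

Carving by signature alone is only a first pass: a reconstructed transfer that was captured incompletely will fail the EOCD check here, and for a real case the hash of the carved bytes should match what the file transfer protocol itself reports before the file is treated as authentic.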