Author: Joshua Soles
Email: jbsoles@gmail.com

A quick look at the pcap tells us that AOL IM traffic is used, which runs over the OSCAR protocol. Since this protocol is well documented, I present my findings...

To solve this puzzle, I developed a Perl script called IMParse.pl, which is found in the archive included in this submission. It uses open source modules like Net::Pcap::Easy and parses through each OSCAR packet for the relevant information, extracting both the text of the chat and any files transferred. Instructions for running the program are listed in the first comment lines.

For each given packet capture, the tool extracts any AOL Instant Messenger text as well as any files sent using OFT2, the Oscar File Transfer protocol. Sample output is included in the folder called Output in the archive included in this submission. The IM text is saved in a file ending in the .out extension, and the text is listed below. Note that it also captures the name of the file being sent and the MD5 hash of that file, as well as the name of Ann's IM buddy...

TO Sec558user1: Here's the secret recipe... I just downloaded it from the file server. Just copy to a thumb drive and you're good to go >:-)
TO Sec558user1: Attempting to send file recipe.docx (12008 bytes)
DOWNLOAD: Starting download of file recipe.docx.
DOWNLOAD: Ending download of file recipe.docx.
DOWNLOAD: MD5 of recipe.docx is 8350582774e1d4dbe1d61d64c89e0ea1
FROM Sec558user1: thanks dude
FROM Sec558user1: can't wait to sell it on ebay

The text found in recipe.docx, which is the name of the transferred file...

Recipe for Disaster:
1 serving
Ingredients:
4 cups sugar
2 cups water
In a medium saucepan, bring the water to a boil. Add sugar. Stir gently over low heat until sugar is fully dissolved. Remove the saucepan from heat. Allow to cool completely. Pour into gas tank. Repeat as necessary.

The magic number of all docx files follows in hexadecimal, and is actually 8 bytes. The first 4 bytes of all docx files are the same as .zip archives, and are therefore not particularly helpful...

50 4b 03 14 00 06 00

The ASCII approximation of this pattern is...

PK......

These pieces of evidence satisfy each question asked in the challenge. To review...

1. Sec558user1
2. Here's the secret recipe... I just downloaded it from the file server. Just copy to a thumb drive and you're good to go >:-)
3. recipe.docx
4. 50 4b 03 14 00 06 00
5. 8350582774e1d4dbe1d61d64c89e0ea1
6. See complete text above.

Thank you for an interesting challenge.
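
The OFT2 extraction and hashing step described above, sketched in Python as an added example; it is not IMParse.pl or any other code from this submission. The header offsets (256-byte header, size at byte 32, file name at byte 192) and the 0x0101 "prompt" type are assumptions based on the OFT2 layout used by open-source AIM clients, and carve_oft2, build_sample and the sample bytes are constructed for illustration.

```python
import hashlib
import struct

OFT_MAGIC = b"OFT2"
OFT_PROMPT = 0x0101   # assumed type value: sender announces the file
MIN_HDR = 256         # assumed minimum OFT2 header length


def carve_oft2(stream: bytes):
    """Carve the first file from a reassembled sender-to-receiver TCP stream.

    Returns (filename, data, md5_hex), or None if no complete transfer exists.
    """
    pos = stream.find(OFT_MAGIC)
    while pos != -1:
        if pos + 8 > len(stream):
            return None
        hdr_len, ftype = struct.unpack_from(">HH", stream, pos + 4)
        # Skip stray "OFT2" byte sequences that are not a full PROMPT header.
        if ftype == OFT_PROMPT and hdr_len >= MIN_HDR and pos + hdr_len <= len(stream):
            (size,) = struct.unpack_from(">I", stream, pos + 32)
            name = stream[pos + 192:pos + hdr_len].split(b"\x00", 1)[0]
            data = stream[pos + hdr_len:pos + hdr_len + size]
            if len(data) != size:
                return None  # capture ended before the transfer finished
            return name.decode("ascii", "replace"), data, hashlib.md5(data).hexdigest()
        pos = stream.find(OFT_MAGIC, pos + 1)
    return None


def build_sample(name: bytes, payload: bytes) -> bytes:
    """Build a constructed PROMPT header followed by the raw file bytes."""
    hdr = bytearray(MIN_HDR)
    hdr[0:4] = OFT_MAGIC
    struct.pack_into(">HH", hdr, 4, MIN_HDR, OFT_PROMPT)
    struct.pack_into(">II", hdr, 28, len(payload), len(payload))  # total size, size
    hdr[192:192 + len(name)] = name
    return bytes(hdr) + payload


if __name__ == "__main__":
    # Constructed input: a stray magic, then a header and payload.
    sample = b"OFT2\x00\x00\x00\x00" + build_sample(b"sample.bin", b"constructed payload")
    print(carve_oft2(sample))
```

The MD5 is computed over the carved bytes only, so it can be compared directly with a hash of the file obtained elsewhere.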