Network Forensics Contest 2 Narrative
Alan Tu
November 8, 2009

First we verify the evidence.

    md5sum evidence02.pcap
    cfac149a49175ac8e89d5b5b5d69bad3 *evidence02.pcap

This matches the provided hash.

Next we survey the packets using tshark. The -n switch turns off name resolution.

    tshark -r evidence02.pcap -n

Upon manual inspection, we note this packet:

    45  80.103237  192.168.1.159 -> 192.168.1.255  BROWSER  Host Announcement ANN-LAPTOP, Workstation, Server, NT Workstation

This tells us that IP address 192.168.1.159 is advertising the hostname ANN-LAPTOP. We note this because Ann is the name of our suspect. We also note the following earlier ARP response:

    3  3.495261  00:21:70:4d:4f:ae -> 00:50:56:c0:00:02  ARP  192.168.1.159 is at 00:21:70:4d:4f:ae

This tells us Ann's laptop is using MAC address 00:21:70:4d:4f:ae. Looking up this MAC address in the OUI lookup tool at http://www.wireshark.org/tools/oui-lookup.html, we note that this address range is assigned to Dell. So Ann's laptop has a Dell NIC, and it most likely is a Dell laptop. But note that MAC addresses can be spoofed.

We note the following three packets:

    49   82.313441   192.168.1.159 -> 10.1.1.20      DNS  Standard query A smtp.aol.com
    53   82.707578   192.168.1.159 -> 64.12.102.142  TCP  1036 > 587 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
    113  242.795283  192.168.1.159 -> 64.12.102.142  TCP  1038 > 587 [SYN] Seq=0 Win=64240 Len=0 MSS=1460

The DNS query for smtp.aol.com is followed by two connections to port 587, the SMTP mail submission port.

tcp.stream is a new field available in tshark 1.2.0 or later. tshark can track all the TCP flows in a PCAP file, making it easier to display-filter on a flow of interest. We are interested in the TCP streams starting with frames 53 and 113.

    tshark -r evidence02.pcap -T fields -e tcp.stream -R "frame.number == 53"
    2
    tshark -r evidence02.pcap -T fields -e tcp.stream -R "frame.number == 113"
    3

We could use tcpflow to extract the flows, but because we will be working with binary data, we would like a warning if there are missing TCP segments.
tcpflow would quietly ignore this. We write a Perl script, stream.pl. stream.pl requires tshark v1.2.0 or later and a standard Perl install. stream.pl can reassemble TCP streams and can cope with out-of-order, missing (it prints a note to STDERR), overlapping and duplicate TCP segments. Before we run stream.pl, we modify the variables $TSHARK and $WIRESHARK_DISABLED_PROTOS for our environment with the paths to the tshark executable and the disabled_protos file. (The latter need not exist, but it will be backed up and restored if it does.) The simple invocation of stream.pl takes a PCAP file as its argument:

    stream.pl evidence02.pcap
    tcp.stream  TIME                             IP             PORT  IP             PORT  APP_PROTOCOL
    2           Oct 10, 2009 13:35:31.101734000  64.12.102.142  587   192.168.1.159  1036  smtp
    3           Oct 10, 2009 13:38:11.190740000  64.12.102.142  587   192.168.1.159  1038  smtp

tshark identified two TCP streams. Note that the IPs and ports come from the packet in which tshark identified the higher-order application protocol, which sometimes is a server-to-client packet, as it is here.

Let's extract the two streams. The corresponding application dissector must be disabled so that the script sees the raw bytes of each TCP segment via the data.data field. The -s option accepts a value for tcp.stream.

    stream.pl -s 2 evidence02.pcap
    Disabling dissector smtp
    Writing file 64.12.102.142.587-192.168.1.159.1036, length 507 bytes, MD5 hash 43c57d1a4bb14b330fe5c973618e8938
    Writing file 192.168.1.159.1036-64.12.102.142.587, length 1495 bytes, MD5 hash c700aac5c99b10f8be0e1260f796a7b0

Since we're dealing with e-mail, the client-to-server flow is more interesting.
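The stream.pl script itself is not reproduced in this narrative. As an added illustration (Python rather than the author's Perl, and not the contest's or the author's own code), the following shows the reassembly logic the text describes: it reads the tab-separated `tcp.seq` / `data.data` field output of tshark, sorts segments by sequence offset, drops duplicates, trims overlaps, and reports missing bytes on STDERR instead of silently skipping them, which is exactly the warning we want before carving binary data. The sample lines are constructed, and the script assumes tshark's default relative sequence numbering, in which the first payload byte has sequence number 1.

```python
import sys
from typing import Iterable, List, Tuple

MOD32 = 1 << 32  # TCP sequence numbers are 32 bits wide and wrap around


def parse_tshark_fields(lines: Iterable[str]) -> List[Tuple[int, bytes]]:
    """Parse `tshark -T fields -e tcp.seq -e data.data` output: one segment per line,
    tab-separated sequence number and hex payload (older tshark separates hex bytes
    with ':'). Segments without payload (SYN, pure ACK) are dropped."""
    segments = []
    for line in lines:
        seq, _, hexdata = line.rstrip("\n").partition("\t")
        if hexdata:
            segments.append((int(seq), bytes.fromhex(hexdata.replace(":", ""))))
    return segments


def reassemble(isn: int, segments: Iterable[Tuple[int, bytes]]) -> Tuple[bytes, List[Tuple[int, int]]]:
    """Rebuild one direction of a TCP stream from (seq, payload) pairs in capture order.

    isn is the sequence number of the first payload byte (1 with tshark's relative
    numbering, because the SYN consumes sequence number 0). Out-of-order segments
    are sorted by offset, exact duplicates and fully covered retransmissions are
    dropped, a partial overlap contributes only its unseen tail, and a hole left
    by a lost segment is recorded as an (offset, length) gap rather than being
    filled with invented bytes."""
    ordered = sorted(((seq - isn) % MOD32, data) for seq, data in segments if data)
    out = bytearray()
    gaps: List[Tuple[int, int]] = []
    expected = 0  # stream offset of the next byte not yet written
    for off, data in ordered:
        if off + len(data) <= expected:
            continue  # duplicate: nothing new in this segment
        if off < expected:
            data = data[expected - off:]  # overlap: keep only the new tail
            off = expected
        elif off > expected:
            gaps.append((expected, off - expected))  # missing segment
        out += data
        expected = off + len(data)
    return bytes(out), gaps


# Constructed sample in tshark field-output form: "<relative seq>\t<hex payload>".
SAMPLE_TSHARK_LINES = [
    "17\t41555448204c4f47494e0d0a",  # "AUTH LOGIN\r\n", captured before the EHLO (out of order)
    "1\t45:48:4c:4f:20:61:6e:6e",    # "EHLO ann"
    "1\t45:48:4c:4f:20:61:6e:6e",    # the same segment retransmitted
    "6\t616e6e6c6170746f700d0a",     # "annlaptop\r\n": its first 3 bytes overlap the line above
    "29\t",                          # pure ACK, no payload
]


def demo() -> bytes:
    """Reassemble the sample, reporting gaps on STDERR the way stream.pl does."""
    payload, gaps = reassemble(1, parse_tshark_fields(SAMPLE_TSHARK_LINES))
    for offset, length in gaps:
        print(f"warning: {length} bytes missing at stream offset {offset}", file=sys.stderr)
    return payload


if __name__ == "__main__":
    sys.stdout.buffer.write(demo())
```

To run it against a real capture, feed it the output of `tshark -r evidence02.pcap -R "tcp.stream == 3" -T fields -e tcp.seq -e data.data` for one direction of the stream, with the smtp dissector disabled as described above; a non-empty gap list means the carved file should not be trusted byte for byte.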
Let's look at 192.168.1.159.1036-64.12.102.142.587:

    EHLO annlaptop
    AUTH LOGIN
    c25lYWt5ZzMza0Bhb2wuY29t
    NTU4cjAwbHo=
    MAIL FROM:
    RCPT TO:
    DATA
    Message-ID: <000901ca49ae$89d698c0$9f01a8c0@annlaptop>
    From: "Ann Dercover"
    To:
    Subject: lunch next week
    Date: Sat, 10 Oct 2009 07:35:30 -0600
    MIME-Version: 1.0
    Content-Type: multipart/alternative; boundary="----=_NextPart_000_0006_01CA497C.3E4B6020"
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2900.2180
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

    This is a multi-part message in MIME format.

    ------=_NextPart_000_0006_01CA497C.3E4B6020
    Content-Type: text/plain; charset="iso-8859-1"
    Content-Transfer-Encoding: quoted-printable

    Sorry-- I can't do lunch next week after all. Heading out of town. =
    Another time!

    -Ann
    ...

Interesting. Let's examine the other e-mail.

    stream.pl -s 3 evidence02.pcap
    Disabling dissector smtp
    Writing file 64.12.102.142.587-192.168.1.159.1038, length 507 bytes, MD5 hash 98a41e82f219074ec056152fbadb5017
    Writing file 192.168.1.159.1038-64.12.102.142.587, length 285778 bytes, MD5 hash 7d5e406ca6de7b0a8df65bc1d66ec12f

Here's part of the e-mail transaction:

    EHLO annlaptop
    AUTH LOGIN
    c25lYWt5ZzMza0Bhb2wuY29t
    NTU4cjAwbHo=
    MAIL FROM:
    RCPT TO:
    DATA
    Message-ID: <001101ca49ae$e93e45b0$9f01a8c0@annlaptop>
    From: "Ann Dercover"
    To:
    Subject: rendezvous
    Date: Sat, 10 Oct 2009 07:38:10 -0600
    MIME-Version: 1.0
    Content-Type: multipart/mixed; boundary="----=_NextPart_000_000D_01CA497C.9DEC1E70"
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2900.2180
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

    This is a multi-part message in MIME format.

    ------=_NextPart_000_000D_01CA497C.9DEC1E70
    Content-Type: multipart/alternative; boundary="----=_NextPart_001_000E_01CA497C.9DEC1E70"

    ------=_NextPart_001_000E_01CA497C.9DEC1E70
    Content-Type: text/plain; charset="iso-8859-1"
    Content-Transfer-Encoding: quoted-printable

    Hi sweetheart!
    Bring your fake passport and a bathing suit. Address = attached.

    love, Ann
    ...
    ------=_NextPart_000_000D_01CA497C.9DEC1E70
    Content-Type: application/octet-stream; name="secretrendezvous.docx"
    Content-Transfer-Encoding: base64
    Content-Disposition: attachment; filename="secretrendezvous.docx"
    ...

This is clearly incriminating! The SMTP "login" authentication method simply Base64-encodes the username and password. Let's build a simple but versatile script, base64d.pl, that decodes a command line argument or a file. To decode the username and password:

    base64d.pl c25lYWt5ZzMza0Bhb2wuY29t
    sneakyg33k@aol.com
    base64d.pl NTU4cjAwbHo=
    558r00lz

We then manually cut the Base64-encoded attachment out of the 192.168.1.159.1038-64.12.102.142.587 file. We know the MIME boundary is ------=_NextPart_000_000D_01CA497C.9DEC1E70, so we can easily find the beginning and end of the attachment. We save the Base64 in its own file, a.b64. We then need to decode this.

    base64d.pl -d -f a.b64 > secretrendezvous.docx
    Length: 207438
    MD5: 9e423e11db88f01bbff81172839e1923

The -f option tells the script that the argument a.b64 is a file and not Base64. The -d option tells the script to print the length and MD5 hash of the decoded output to STDERR. The actual output is sent to STDOUT, so it should be redirected. This is a Microsoft Office 2007 document, which says:

    Meet me at the fountain near the rendezvous point. Address below. I'm bringing all the cash.
    [...]

This file format is actually a ZIP file. So we can copy secretrendezvous.docx to a ZIP file and then unzip it. Under word\media is an image file, image1.png. Let's hash it.

    md5sum image1.png
    aadeace50997b1ba24b09ac2ef1940b7 *image1.png

This is a picture of the city of Playa del Carmen, Mexico.
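The three manual steps above (decoding the AUTH LOGIN credentials, cutting the attachment out between its MIME boundaries and Base64-decoding it with a length and MD5 hash, then opening the .docx as a ZIP to reach word/media) can be done in one pass over the client-to-server stream file. The following is an added example in Python, not the author's base64d.pl or any contest code. It builds a constructed SMTP transcript with the same shape as the one above (placeholder credentials and addresses, a tiny constructed .docx whose word/media/image1.png is only a PNG signature plus filler) and then parses it. Two details the manual method glosses over are handled: the DATA body is cut at the lone "." terminator and SMTP dot-stuffing is undone, and the MIME tree is walked so a nested multipart/alternative part does not hide the attachment.

```python
import base64
import hashlib
import io
import zipfile
from email import message_from_bytes
from typing import Dict, List, Tuple

CRLF = b"\r\n"
# Constructed stand-in for the picture under word/media: a PNG signature plus filler.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32


def md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_sample_docx() -> bytes:
    """A .docx is a ZIP container; build a minimal one holding word/media/image1.png."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document>Meet me at the fountain.</w:document>")
        z.writestr("word/media/image1.png", SAMPLE_PNG)
    return buf.getvalue()


def build_sample_transcript(attachment: bytes) -> bytes:
    """Constructed client-to-server SMTP transcript shaped like the one in the write-up.
    The credentials and addresses are placeholders, not the ones from the capture."""
    boundary = "----=_NextPart_000_CONSTRUCTED"
    b64 = base64.encodebytes(attachment).decode().strip().replace("\n", "\r\n")
    lines = [
        "EHLO annlaptop",
        "AUTH LOGIN",
        base64.b64encode(b"user@example.com").decode(),
        base64.b64encode(b"hunter2").decode(),
        "MAIL FROM: <user@example.com>",
        "RCPT TO: <friend@example.net>",
        "DATA",
        'From: "Ann Dercover" <user@example.com>',
        "To: <friend@example.net>",
        "Subject: rendezvous",
        "MIME-Version: 1.0",
        f'Content-Type: multipart/mixed; boundary="{boundary}"',
        "",
        f"--{boundary}",
        'Content-Type: text/plain; charset="iso-8859-1"',
        "",
        "Address = attached.",
        "..Ann",  # SMTP dot-stuffing: the mailer sent the line ".Ann" as "..Ann"
        f"--{boundary}",
        'Content-Type: application/octet-stream; name="secretrendezvous.docx"',
        "Content-Transfer-Encoding: base64",
        'Content-Disposition: attachment; filename="secretrendezvous.docx"',
        "",
        b64,
        f"--{boundary}--",
        ".",
        "QUIT",
        "",
    ]
    return "\r\n".join(lines).encode("latin-1")


def split_transcript(raw: bytes) -> Tuple[List[bytes], bytes]:
    """Separate the SMTP command lines from the DATA body (up to the lone '.' line),
    undoing dot-stuffing so the body is what the mailer composed."""
    head, sep, rest = raw.partition(CRLF + b"DATA" + CRLF)
    if not sep:
        raise ValueError("no DATA command in transcript")
    body = rest.partition(CRLF + b"." + CRLF)[0]
    return head.split(CRLF), body.replace(CRLF + b"..", CRLF + b".") + CRLF


def decode_auth_login(commands: List[bytes]) -> Tuple[str, str]:
    """AUTH LOGIN is plain Base64: username (inline or on the next line), then password."""
    for i, line in enumerate(commands):
        words = line.split()
        if len(words) >= 2 and words[0].upper() == b"AUTH" and words[1].upper() == b"LOGIN":
            user, pw = (words[2], commands[i + 1]) if len(words) > 2 else (commands[i + 1], commands[i + 2])
            return base64.b64decode(user).decode("utf-8", "replace"), base64.b64decode(pw).decode("utf-8", "replace")
    raise ValueError("no AUTH LOGIN in transcript")


def extract_attachments(body: bytes) -> Dict[str, bytes]:
    """Walk the whole MIME tree (nested multiparts included) and decode each attachment."""
    return {part.get_filename(): part.get_payload(decode=True)
            for part in message_from_bytes(body).walk()
            if part.get_filename() and part.get_content_disposition() == "attachment"}


def plain_text(body: bytes) -> str:
    """First text/plain part, decoded with its declared charset."""
    for part in message_from_bytes(body).walk():
        if part.get_content_type() == "text/plain":
            return part.get_payload(decode=True).decode(part.get_content_charset() or "latin-1")
    return ""


def docx_media(docx: bytes) -> Dict[str, str]:
    """Open the .docx as a ZIP and hash every file under word/media (unzip + md5sum)."""
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        return {n: md5hex(z.read(n)) for n in z.namelist() if n.startswith("word/media/")}


if __name__ == "__main__":
    cmds, body = split_transcript(build_sample_transcript(build_sample_docx()))
    print("AUTH LOGIN credentials:", decode_auth_login(cmds))
    for name, data in extract_attachments(body).items():
        print(f"{name}: Length: {len(data)} MD5: {md5hex(data)}")
        print("word/media:", docx_media(data))
```

On the real evidence, replace the constructed transcript with the bytes of 192.168.1.159.1038-64.12.102.142.587; the length and MD5 printed for the attachment should then match the 207438 bytes and 9e423e11db88f01bbff81172839e1923 obtained above, which is a useful cross-check that the manual carve did not lose or add a line.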