Name: Amar Yousif
Description:

By running tcptrace on the evidence file we can tell that there are two conversations in it; both connect to an SMTP server:

    toybox$ tcptrace evidence02.pcap
    TCP connection info:
    1: 192.168.1.159:1036 - smtp-mc.mx.aol.com:587 (a2b)  14>  22< (complete)
    2: 192.168.1.159:1038 - smtp-mc.mx.aol.com:587 (c2d) 221> 233< (complete)

-----------

Inspired by Kristinn Gudjonsson's script, pcapcat, I decided not to rely on third-party tools, so I wrote smtpcat, which loops through a pcap file and identifies all of the SMTP conversations in it. Smtpcat dives deep into the payload and identifies the sender, receiver, date, subject, and optionally the decoded AuthSMTP password. The tool also has the ability to dump the payload of any SMTP message as an eml file that can then be opened with Outlook Express, for example. So I ran smtpcat on the payload like so:

    toybox$ ./smtpcat -r evidence02.pcap -p
    Overwriting files in output directory: smtpcatout
    [1] 192.168.1.159:1036 -> 64.12.102.142:587
    [1] sneakyg33k@aol.com -> sec558@gmail.com Sat, 10 Oct 2009 07:35:30 -0600
    [1] SUBJ: lunch next week
    [1] PASS:558r00lz
    [2] 192.168.1.159:1038 -> 64.12.102.142:587
    [2] sneakyg33k@aol.com -> mistersecretx@aol.com Sat, 10 Oct 2009 07:38:10 -0600
    [2] SUBJ: rendezvous
    [2] PASS:558r00lz

-------------

I then dumped the [2] SMTP message into case2.eml like so:

    toybox$ ./smtpcat -r evidence02.pcap -d 2 -w case2.eml

--------------

I then used WinSCP to transfer case2.eml to a Windows PC and opened it with Outlook Express to get the e-mail body and attachments, if any. This gave me the body of the message and the attachment 'secretrendezvous.docx'.

--------------

To answer the last question I had to extract the embedded image from the docx file; this can be done in more than one way, but I decided to extract it like so:

    toybox$ cp secretrendezvous.docx secretrendezvous.zip
    toybox$ unzip secretrendezvous.zip
    Archive:  secretrendezvous.zip
      inflating: [Content_Types].xml
      inflating: _rels/.rels
      inflating: word/_rels/document.xml.rels
      inflating: word/document.xml
     extracting: word/media/image1.png   <--
      inflating: word/theme/theme1.xml
      inflating: word/settings.xml
      inflating: word/webSettings.xml
      inflating: word/styles.xml
      inflating: docProps/core.xml
      inflating: word/numbering.xml
      inflating: word/fontTable.xml
      inflating: docProps/app.xml
    ---
    toybox$ cd word/media/
    toybox:~/word/media$ ls -alh
    -rw-r--r-- 1 190K 1980-01-01 00:00 image1.png   <-- our embedded image

--------------

Then I used md5sum to get the requested hashes.
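The smtpcat lines above come from walking the client side of each SMTP conversation. As an added illustration (not Amar's smtpcat and not code from the contest page), the Python below performs that extraction on one reassembled client stream: it pulls the envelope sender and recipients, decodes the AUTH LOGIN (or AUTH PLAIN) base64 credential, undoes RFC 5321 dot-stuffing so the saved .eml matches what was sent, and records whether the terminating "." line was actually captured. The stream, addresses, date and password are constructed for the example; the pcap-to-stream reassembly step is assumed to have happened already.

```python
import base64
import re
from email import message_from_string

# Constructed client->server half of an SMTP submission session, shaped like the
# reassembled TCP payload a pcap carve yields. Every value below is made up.
SAMPLE_CLIENT_STREAM = "\r\n".join([
    "EHLO toybox", "AUTH LOGIN",
    base64.b64encode(b"alice@example.com").decode(),   # base64 username
    base64.b64encode(b"example-pass").decode(),        # base64 password
    "MAIL FROM:<alice@example.com>", "RCPT TO:<bob@example.net>", "DATA",
    "From: alice@example.com", "To: bob@example.net",
    "Date: Mon, 01 Jan 2024 09:00:00 +0000", "Subject: rendezvous", "",
    "..this line began with a dot, so the client dot-stuffed it",
    "see you there", ".", "QUIT", ""])

def parse_smtp_session(client_stream):
    # Walk the client commands once, collecting envelope, AUTH and DATA (.eml).
    lines = client_stream.split("\r\n")
    info = {"sender": None, "recipients": [], "auth": None, "eml": None,
            "date": None, "subject": None, "complete": False}
    i = 0
    while i < len(lines):
        line, verb = lines[i], lines[i][:4].upper()
        if verb == "AUTH":
            parts = line.split()
            if parts[1].upper() == "LOGIN":  # two base64 lines follow the command
                user, pw = (base64.b64decode(lines[i + k]).decode() for k in (1, 2))
                i += 2
            else:  # PLAIN: one NUL-separated blob, inline or on the next line
                blob = parts[2] if len(parts) > 2 else lines[(i := i + 1)]
                _, user, pw = base64.b64decode(blob).decode().split("\0")
            info["auth"] = (user, pw)
        elif verb == "MAIL":
            info["sender"] = re.search(r"<([^>]*)>", line).group(1)
        elif verb == "RCPT":
            info["recipients"].append(re.search(r"<([^>]*)>", line).group(1))
        elif verb == "DATA":
            body, i = [], i + 1
            while i < len(lines) and lines[i] != ".":
                # RFC 5321 dot-stuffing: drop the extra leading dot the client added
                body.append(lines[i][1:] if lines[i].startswith("..") else lines[i])
                i += 1
            info["complete"] = i < len(lines)  # the terminating "." line was seen
            info["eml"] = "\r\n".join(body) + "\r\n"
            msg = message_from_string(info["eml"])
            info["date"], info["subject"] = msg["Date"], msg["Subject"]
        i += 1
    return info
```

The PASS lines in the smtpcat output are recoverable only because the session authenticated over a cleartext connection; had STARTTLS been negotiated before AUTH, the capture would hold none of the credential or message content.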