Name: Erik Hjelmvik
Description: __Network Forensics Puzzle Contest #2: "Ann Skips Bail"__
Submitter: Erik Hjelmvik

Puzzle #2 could fairly easily be solved using Wireshark. But extracting information with Wireshark unfortunately does not scale very well as the pcap files grow larger (due to the manual labour required). I therefore decided to build a proper SMTP parser into my tool NetworkMiner. With the SMTP parsing code in place in NetworkMiner, just follow these steps to solve the puzzle:

1. Get NetworkMiner from http://networkminer.sourceforge.net/
2. Start NetworkMiner (a Windows computer with .NET framework 2.0 is recommended)
3. Open the evidence02.pcap file through "File > Open" or by dragging and dropping the pcap onto NetworkMiner.
4. Select the "Messages" tab to see email addresses and email contents.
5. Select the "Files" tab to see the attachment "secretrendezvous.docx", which can be opened by right-clicking the file in the list.
6. Select the "Credentials" tab to see Ann's email password.

The SMTP parser was in fact not the only new functionality in NetworkMiner that I implemented as a direct result of the puzzle #2 contest; I also created the "Messages" tab to ease the task of inspecting multiple email messages. I decided to make the Messages tab generic enough to display any sort of message, so the contents of IRC as well as instant messaging with the OSCAR protocol can also be inspected in this tab. So feel free to try this new version of NetworkMiner with the pcap from the previous forensics puzzle as well!

Lazy users might complain about NetworkMiner not displaying HTML formatted emails in the GUI. Implementing such functionality would be quite simple, but could open up vulnerabilities in NetworkMiner itself as it tries to decode malicious HTML content. I therefore decided to take the same approach to HTML formatted email contents as I do to any HTML page transferred over HTTP, i.e. I write the file to disk and add a new item to the list under the "Files" tab. This way the user can select if and how he wishes to view the extracted HTML content.

One of the most complicated parts of parsing SMTP was getting the MIME multipart parsing to behave properly. Luckily I was able to reuse code I had written previously to parse HTTP POSTs that use MIME multipart (for example when uploading a file through an HTML form).

Being a Windows nerd I generally prefer using Windows rather than *nix. However, cmd.exe literally sucks compared to the Linux BASH shell. For this reason I prefer using Cygwin to do stuff like computing MD5 sums.

  $ md5sum secretrendezvous.docx
  9e423e11db88f01bbff81172839e1923 *secretrendezvous.docx
  $ unzip secretrendezvous.docx
  Archive:  secretrendezvous.docx
    inflating: [Content_Types].xml
    inflating: _rels/.rels
    inflating: word/_rels/document.xml.rels
    inflating: word/document.xml
   extracting: word/media/image1.png
    inflating: word/theme/theme1.xml
    inflating: word/settings.xml
    inflating: word/webSettings.xml
    inflating: word/styles.xml
    inflating: docProps/core.xml
    inflating: word/numbering.xml
    inflating: word/fontTable.xml
    inflating: docProps/app.xml
  $ md5sum word/media/image1.png
  aadeace50997b1ba24b09ac2ef1940b7 *word/media/image1.png

That's it, thanks for a great contest!

/erik
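As an added illustration of the SMTP and MIME multipart parsing described above (example code written for this page in Python, not NetworkMiner's own C# implementation): it walks the client side of a constructed SMTP session, decodes the AUTH LOGIN credentials, collects the envelope addresses, undoes SMTP dot-stuffing in the DATA section, and hands the message to Python's standard email parser to pull out the attachment and its MD5 sum. It assumes the two-step AUTH LOGIN form and a reassembled stream with the server replies already removed.

```python
import base64
import hashlib
from email import message_from_bytes

# Constructed client side of a reassembled SMTP session (not the contest pcap).
SAMPLE_STREAM = (
    b"AUTH LOGIN\r\n"
    b"YW5uQGV4YW1wbGUubmV0\r\n"  # base64("ann@example.net")
    b"cGFzc3cwcmQ=\r\n"          # base64("passw0rd")
    b"MAIL FROM:<ann@example.net>\r\n"
    b"RCPT TO:<mr.x@example.org>\r\n"
    b"DATA\r\n"
    b"From: ann@example.net\r\nTo: mr.x@example.org\r\nMIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="XYZ"\r\n\r\n'
    b"--XYZ\r\nContent-Type: text/plain\r\n\r\nSee attached.\r\n"
    b"..dot-stuffed line\r\n"    # SMTP dot-stuffing: leading dot doubled
    b"--XYZ\r\nContent-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="note.txt"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\naGVsbG8=\r\n"  # base64("hello")
    b"--XYZ--\r\n.\r\n"          # lone "." terminates DATA
)

def parse_smtp_stream(stream: bytes) -> dict:
    out = {"rcpt_to": [], "attachments": {}}
    lines, i = stream.split(b"\r\n"), 0
    while i < len(lines):
        line, cmd = lines[i], lines[i].upper()
        if cmd == b"AUTH LOGIN":  # next two client lines: base64 user, pass
            out["user"] = base64.b64decode(lines[i + 1]).decode()
            out["password"] = base64.b64decode(lines[i + 2]).decode()
            i += 2
        elif cmd.startswith(b"MAIL FROM:"):
            out["mail_from"] = line.split(b":", 1)[1].strip(b"<> ").decode()
        elif cmd.startswith(b"RCPT TO:"):
            out["rcpt_to"].append(line.split(b":", 1)[1].strip(b"<> ").decode())
        elif cmd == b"DATA":  # message body runs until a line holding only "."
            body, i = [], i + 1
            while i < len(lines) and lines[i] != b".":
                ln = lines[i]
                body.append(ln[1:] if ln.startswith(b"..") else ln)  # un-stuff
                i += 1
            for part in message_from_bytes(b"\r\n".join(body)).walk():
                data = part.get_payload(decode=True)
                if part.get_filename():  # attachment: filename -> (md5, bytes)
                    out["attachments"][part.get_filename()] = (
                        hashlib.md5(data).hexdigest(), data)
                elif part.get_content_type() == "text/plain":
                    out["text"] = data.decode()
        i += 1
    return out
```

The attachment bytes are what would be written to disk for the "Files" tab, and the MD5 is what md5sum would report on that file.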