Name: Jeff Jarmoc
Description:

First, we take a look at the file to see what sessions it contains. There are many tools for this; I use the excellent pcapcat tool that was written by Kristinn Gudjonsson for his winning entry in challenge #1 (http://forensicscontest.com/contest01/Finalists/Kristinn_Guojonsson/pcapcat).

    jeff@hackbook:~# ./pcapcat -r evidence02.pcap
    [1] TCP 192.168.1.159:1036 -> 64.12.102.142:587
    [2] TCP 192.168.1.159:1038 -> 64.12.102.142:587

We see two full sessions involving server port 587. There may be other fragmented sessions, but this is a good place to start. Port 587 is the SMTP message submission port (per RFC 2476 - http://www.ietf.org/rfc/rfc2476.txt), so we can already suspect that these are communications from Ann to her co-conspirator via email. Let's take a look at their contents. We dump the session data to two files:

    jeff@hackbook:~# ./pcapcat -r evidence02.pcap -d 1 -w outfile1
    jeff@hackbook:~# ./pcapcat -r evidence02.pcap -d 2 -w outfile2

And look at the first few lines to confirm it's SMTP:

    jeff@hackbook:~# head outfile1
    220 cia-mc06.mx.aol.com ESMTP mail_cia-mc06.1; Sat, 10 Oct 2009 15:35:16 -0400
    EHLO annlaptop
    250-cia-mc06.mx.aol.com host-69-140-19-190.static.comcast.net
    250-AUTH=LOGIN PLAIN XAOL-UAS-MB
    250-AUTH LOGIN PLAIN XAOL-UAS-MB
    250-STARTTLS
    250-CHUNKING
    250-BINARYMIME
    250-X-AOL-FWD-BY-REF
    250-X-AOL-DIV_TAG

outfile2 is much the same, so it's omitted here to save space. The ESMTP EHLO command (EHLO annlaptop) gives us a clue that these are emails submitted from Ann's laptop. The Comcast hostname on the first 250 line is not the AOL server's own address: the greeting text of an EHLO reply commonly echoes the connecting client's reverse DNS, so host-69-140-19-190.static.comcast.net is the public address the submitting host came from. I'd guess it's a remnant of someone's lab used while generating the challenge pcaps (and we now have their IP! heh).

Anyhow, after confirming these files are ESMTP sessions, we can look more closely at them. There are many methods to do this, and with just two sessions command line tools would probably be sufficient, but I wrote a ruby script called smtpcat to automate the process for larger jobs.
First, we'll view smtpcat's usage to get an idea of the options available, then we start simply and dump the messages transferred during both sessions.

    jeff@hackbook:~#./smtpcat.rb -?
    Usage: smtpcat.rb [option] filename(s) - Version 1.0 - 11/20/2009 - Jeff Jarmoc
    Specific options:
        -h, -?, --help                   Display this screen
        -c, --commands CMD1,CMD2,CMD3    SMTP commands to Display
        -d, --decode CMD1,CMD2,CMD3      SMTP commands to Base64 Decode
        -n, --nomsg                      Hide Message Body
        -o, --outdir [DIR]               Output file attachments and show MD5 optionally to DIR, Current dir by default

    jeff@hackbook:~#./smtpcat.rb outfile1 outfile2
    **** Processing SMTP stream from outfile1
    -----Displaying Message Body
    Received: Sat Oct 10 08:35:30 -0500 2009
    From: sneakyg33k@aol.com
    To: sec558@gmail.com
    Subject: lunch next week

    Sorry-- I can't do lunch next week after all. Heading out of town. Another time!
    -Ann

    **** Processing SMTP stream from outfile2
    -----Displayings Message Body
    Received: Sat Oct 10 08:38:10 -0500 2009
    From: sneakyg33k@aol.com
    To: mistersecretx@aol.com
    Subject: rendezvous

    Hi sweetheart! Bring your fake passport and a bathing suit. Address attached.
    love, Ann
    Attachment: secretrendezvous.docx
    jeff@hackbook:~#

And we've found two messages! We can also confirm that the sender and receiver in the ESMTP envelope match the message headers:

    jeff@hackbook:~#./smtpcat.rb -nc MAIL,RCPT outfile1 outfile2
    **** Processing SMTP stream from outfile1
    --== Displaying Command: MAIL
    C->S MAIL FROM:
    C<-S 250 OK
    --== Displaying Command: RCPT
    C->S RCPT TO:
    C<-S 250 OK
    **** Processing SMTP stream from outfile2
    --== Displaying Command: MAIL
    C->S MAIL FROM:
    C<-S 250 OK
    --== Displaying Command: RCPT
    C->S RCPT TO:
    C<-S 250 OK
    jeff@hackbook:~#

... and they do! From the message text, outfile2 is clearly the interesting session. In it, Ann appears to be arranging a rendezvous with mistersecretx@aol.com. Apparently the location is in the attachment, so let's save it and take a look.

    jeff@hackbook:~#./smtpcat.rb -no /tmp/ outfile2
    **** Processing SMTP stream from outfile2
    + Wrote: /tmp/secretrendezvous.docx
    + Size: 207438 bytes
    + MD5: 9e423e11db88f01bbff81172839e1923
    jeff@hackbook:~#

Opening the file, we see a map to their meeting location: a fountain in a plaza in Playa del Carmen, Mexico. We next extract the image from the file to calculate its md5sum, after viewing it to confirm it's the embedded map. No need for fancy tools here; a .docx is just a zip archive.
    jeff@hackbook:~#unzip /tmp/secretrendezvous.docx
    Archive:  /tmp/secretrendezvous.docx
      inflating: [Content_Types].xml
      inflating: _rels/.rels
      inflating: word/_rels/document.xml.rels
      inflating: word/document.xml
     extracting: word/media/image1.png
      inflating: word/theme/theme1.xml
      inflating: word/settings.xml
      inflating: word/webSettings.xml
      inflating: word/styles.xml
      inflating: docProps/core.xml
      inflating: word/numbering.xml
      inflating: word/fontTable.xml
      inflating: docProps/app.xml
    jeff@hackbook:~#md5 word/media/image1.png
    MD5 (word/media/image1.png) = aadeace50997b1ba24b09ac2ef1940b7
    jeff@hackbook:~#

But before we call this complete, let's go back to the SMTP session and see what else we can extract from it. Since the session was on port 587, the client message submission port, we can assume it was authenticated. Let's take a look:

    jeff@hackbook:~#./smtpcat.rb -nc AUTH outfile2
    **** Processing SMTP stream from outfile2
    --== Displaying Command: AUTH
    C->S AUTH LOGIN
    C<-S 334 VXNlcm5hbWU6
    C->S c25lYWt5ZzMza0Bhb2wuY29t
    C<-S 334 UGFzc3dvcmQ6
    C->S NTU4cjAwbHo=
    C<-S 235 AUTHENTICATION SUCCESSFUL
    jeff@hackbook:~#

But it's encoded. It looks like Base64, so let's try decoding it. We'll display it both raw and decoded for clarity's sake.

    eff-jarmocs-macbook:Desktop jeff$ ./smtpcat.rb -nc AUTH -d AUTH outfile2
    **** Processing SMTP stream from outfile2
    --== Displaying Command: AUTH
    C->S AUTH LOGIN
    C<-S 334 VXNlcm5hbWU6
    C->S c25lYWt5ZzMza0Bhb2wuY29t
    C<-S 334 UGFzc3dvcmQ6
    C->S NTU4cjAwbHo=
    C<-S 235 AUTHENTICATION SUCCESSFUL
    --== Decoding Command: AUTH
    C->S AUTH LOGIN
    C<-S 334 Username:
    C->S sneakyg33k@aol.com
    C<-S 334 Password:
    C->S 558r00lz
    C<-S 235 AUTHENTICATION SUCCESSFUL
    jeff@hackbook:~#

And there we go, we've found the credentials used to submit this message. Note that the server advertised 250-STARTTLS in its EHLO response, but the client went ahead with AUTH LOGIN on the plaintext channel; Base64 is an encoding, not encryption, and that choice is the only reason the password is recoverable from the capture. Of course, we could have done this all in one step as follows:

    ./smtpcat.rb -c MAIL,RCPT -d AUTH -o /tmp/ outfile1 outfile2

But I wanted to illustrate some of the options available in smtpcat.
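The whole procedure above (walk the submission session, recover the envelope, decode the AUTH exchange, pull the attachment out of the MIME message, hash it, unzip the .docx and hash its media) as one self-contained script. This is an added example, not the smtpcat tool from the writeup: the transcript and the .docx it feeds in are constructed here, with only the AUTH LOGIN base64 strings copied from the capture, and the mail server name mx.example.invalid is a placeholder. It also handles AUTH PLAIN, which the capture did not use but which a submission server may accept instead.

```python
"""Recover evidence from a captured SMTP submission session (added example)."""
import base64
import email
import email.policy
import hashlib
import io
import zipfile


def md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def is_server_reply(line: str) -> bool:
    # "250 OK", "250-STARTTLS", "334 VXNl...": base64 never has ' ' or '-' at index 3
    return line[:3].isdigit() and (len(line) == 3 or line[3] in " -")


def parse_smtp_session(transcript: str) -> dict:
    """Walk an interleaved client/server transcript (CRLF lines, in order)."""
    res = {"ehlo": None, "mail_from": None, "rcpt_to": [], "auth_lines": [], "data": None}
    lines = transcript.split("\r\n")
    i, in_auth = 0, False
    while i < len(lines):
        line = lines[i]
        i += 1
        if is_server_reply(line):
            in_auth = in_auth and line.startswith("334")  # 334 = server wants more AUTH data
            continue
        upper = line.upper()
        if in_auth:
            res["auth_lines"].append(line)
        elif upper.startswith("AUTH "):
            res["auth_lines"].append(line)
            in_auth = True
        elif upper.startswith(("EHLO ", "HELO ")):
            res["ehlo"] = line.split(None, 1)[1]
        elif upper.startswith("MAIL FROM:"):
            res["mail_from"] = line.split(":", 1)[1].strip().strip("<>")
        elif upper.startswith("RCPT TO:"):
            res["rcpt_to"].append(line.split(":", 1)[1].strip().strip("<>"))
        elif upper == "DATA":
            if i < len(lines) and lines[i].startswith("354"):
                i += 1
            body = []
            while i < len(lines) and lines[i] != ".":  # lone "." terminates DATA
                body.append(lines[i][1:] if lines[i].startswith("..") else lines[i])  # undo dot-stuffing
                i += 1
            i += 1
            res["data"] = "\r\n".join(body) + "\r\n"
    return res


def decode_auth(auth_lines: list) -> dict:
    """AUTH LOGIN: username and password as two base64 lines after 334 prompts.
    AUTH PLAIN: one base64 blob authzid\\0authcid\\0password, possibly on the AUTH line."""
    if not auth_lines:
        return None
    words = auth_lines[0].split()
    mech = words[1].upper() if len(words) > 1 else ""
    try:
        decoded = [base64.b64decode(b).decode("utf-8", "replace") for b in words[2:] + auth_lines[1:]]
    except ValueError:
        return None
    if mech == "LOGIN" and len(decoded) >= 2:
        return {"mechanism": mech, "username": decoded[0], "password": decoded[1]}
    if mech == "PLAIN" and decoded and len(decoded[0].split("\0")) == 3:
        _, user, pw = decoded[0].split("\0")
        return {"mechanism": mech, "username": user, "password": pw}
    return None


def extract_message(raw: str) -> dict:
    """Parse the DATA payload as MIME; return headers, text body and decoded attachments."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    body = msg.get_body(preferencelist=("plain",))
    atts = []
    for part in msg.walk():
        if part.get_filename():
            data = part.get_payload(decode=True)  # undoes the Content-Transfer-Encoding
            atts.append({"name": part.get_filename(), "size": len(data), "md5": md5hex(data), "data": data})
    return {"from": str(msg["From"]), "to": str(msg["To"]), "subject": str(msg["Subject"]),
            "text": body.get_content() if body else "", "attachments": atts}


def hash_docx_media(docx_bytes: bytes) -> dict:
    """A .docx is a zip archive; embedded images live under word/media/."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return {n: md5hex(z.read(n)) for n in z.namelist() if n.startswith("word/media/")}


def analyze(transcript: str) -> dict:
    sess = parse_smtp_session(transcript)
    report = {"ehlo": sess["ehlo"], "mail_from": sess["mail_from"], "rcpt_to": sess["rcpt_to"],
              "credentials": decode_auth(sess["auth_lines"]), "message": None, "docx_media": {}}
    if sess["data"]:
        report["message"] = extract_message(sess["data"])
        for att in report["message"]["attachments"]:
            if att["name"].lower().endswith(".docx"):
                report["docx_media"][att["name"]] = hash_docx_media(att["data"])
    return report


# --- constructed sample input (not from the evidence file) ---
SAMPLE_IMAGE = b"\x89PNG\r\n\x1a\n" + b"constructed bytes, not a real map"


def build_sample_docx() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:  # minimal OOXML-like layout
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/media/image1.png", SAMPLE_IMAGE)
    return buf.getvalue()


SAMPLE_DOCX = build_sample_docx()


def build_sample_transcript(docx: bytes) -> str:
    b64 = base64.encodebytes(docx).decode().replace("\n", "\r\n").rstrip("\r\n")
    return "\r\n".join([
        "220 mx.example.invalid ESMTP", "EHLO annlaptop",
        "250-mx.example.invalid host-69-140-19-190.static.comcast.net", "250-AUTH LOGIN PLAIN", "250 STARTTLS",
        "AUTH LOGIN", "334 VXNlcm5hbWU6", "c25lYWt5ZzMza0Bhb2wuY29t",  # base64 strings as captured
        "334 UGFzc3dvcmQ6", "NTU4cjAwbHo=", "235 AUTHENTICATION SUCCESSFUL",
        "MAIL FROM:<sneakyg33k@aol.com>", "250 OK", "RCPT TO:<mistersecretx@aol.com>", "250 OK",
        "DATA", "354 Start mail input",
        "From: sneakyg33k@aol.com", "To: mistersecretx@aol.com", "Subject: rendezvous", "MIME-Version: 1.0",
        'Content-Type: multipart/mixed; boundary="b1"', "", "--b1", "Content-Type: text/plain", "",
        "Hi sweetheart! Bring your fake passport and a bathing suit. Address attached.",
        "--b1", 'Content-Type: application/octet-stream; name="secretrendezvous.docx"',
        "Content-Transfer-Encoding: base64", 'Content-Disposition: attachment; filename="secretrendezvous.docx"',
        "", b64, "--b1--", ".", "250 OK", "QUIT", "221 Bye", ""])


if __name__ == "__main__":
    r = analyze(build_sample_transcript(SAMPLE_DOCX))
    print(r["ehlo"], r["credentials"], r["mail_from"], r["rcpt_to"], r["message"]["subject"])
    for a in r["message"]["attachments"]:
        print(a["name"], a["size"], a["md5"])
    print(r["docx_media"])
```

To run it against a real session, feed `analyze()` the text of a pcapcat-style dump that contains both directions in order; the attachment hashes it prints are over the decoded bytes, which is what the challenge asks for, not over the base64 as it sat on the wire.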
So, to answer the questions posed in the challenge:

1. What is Ann's email address? sneakyg33k@aol.com
2. What is Ann's email password? 558r00lz
3. What is Ann's secret lover's email address? mistersecretx@aol.com
4. What two items did Ann tell her secret lover to bring? fake passport and a bathing suit
5. What is the NAME of the attachment Ann sent to her secret lover? secretrendezvous.docx
6. What is the MD5sum of the attachment Ann sent to her secret lover? 9e423e11db88f01bbff81172839e1923
7. In what CITY and COUNTRY is their rendez-vous point? Playa del Carmen, Mexico
8. What is the MD5sum of the image embedded in the document? aadeace50997b1ba24b09ac2ef1940b7