Name: Richard Springs

Answer 1: 002500fe07c4
Answer 2: AppleTV/2.4
Answer 3a: h
Answer 3b: ha
Answer 3c: hac
Answer 3d: hack
Answer 4: Hackers
Answer 5: http://a227.v.phobos.apple.com/us/r1000/008/Video/62/bd/1b/mzm.plqacyqb..640x278.h264lc.d2.p.m4v
Answer 6: Sneakers
Answer 7: $9.99
Answer 8: iknowyourewatchingme

Description:

#### PREPARATION

mkdir analysis
cd analysis/
# copy transmute.rb and scarabsieve.rb to analysis/
chmod +x ./*.rb
wget http://forensicscontest.com/contest03/evidence03.pcap
md5sum ./evidence03.pcap

#### NOTES

A previous baseline analysis using iTunes and Wireshark reveals the following information:

1. Search queries use the parameter "q=".
2. Movies that are clicked on will call the viewMovie document.
3. Movies that are clicked on will subsequently "ping" metrics.apple.com using the viewMovie parameter, which can be correlated. The pageName parameter reveals the movie name.
4. Examining the plist XML documents in the capture reveals that the key titled "title" yields many results, whereas "unmodified-title" yields only 2 results.

#### ANSWERS

1. What is the MAC address of Ann’s AppleTV?
   [ ./transmute.rb -f ./evidence03.pcap -e -i 192.168.1.10 ]
   002500fe07c4

2. What User-Agent string did Ann’s AppleTV use in HTTP requests?
   [ ./scarabsieve.rb -d ./conversations/ -h user-agent ]
   AppleTV/2.4

3. What were Ann’s first four search terms on the AppleTV (all incremental searches count)?
   [ ./scarabsieve.rb -d ./conversations/ -p q= ]
   h
   ha
   hac
   hack

4. What was the title of the first movie Ann clicked on?
   [ ./scarabsieve.rb -d ./conversations/ -r OR ./scarabsieve.rb -d ./conversations/ -x unmodified-title ]
   Hackers

5. What was the full URL to the movie trailer (defined by 'preview-url')?
   [ ./scarabsieve.rb -d ./conversations/ -x preview-url ]
   http://a227.v.phobos.apple.com/us/r1000/008/Video/62/bd/1b/mzm.plqacyqb..640x278.h264lc.d2.p.m4v

6. What was the title of the second movie Ann clicked on?
   [ ./scarabsieve.rb -d ./conversations/ -r OR ./scarabsieve.rb -d ./conversations/ -x unmodified-title ]
   Sneakers

7. What was the price to buy it (defined by 'price-display')?
   [ ./scarabsieve.rb -d ./conversations/ -x price-display ]
   $9.99

8. What was the last full term Ann searched for?
   [ ./scarabsieve.rb -d ./conversations/ -p q= ]
   iknowyourewatchingme

#### COMMAND SUMMARY

./transmute.rb -f ./evidence03.pcap -e -i 192.168.1.10
./scarabsieve.rb -d ./conversations/ -h user-agent
./scarabsieve.rb -d ./conversations/ -p q=
./scarabsieve.rb -d ./conversations/ -r OR ./scarabsieve.rb -d ./conversations/ -x unmodified-title
./scarabsieve.rb -d ./conversations/ -x preview-url
./scarabsieve.rb -d ./conversations/ -x price-display
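As an added illustration of the sifting the NOTES and ANSWERS describe (this is not the contestant's transmute.rb or scarabsieve.rb, and the hosts, paths and plist values are constructed, not taken from evidence03.pcap), the following Python pulls the User-Agent header, the incremental "q=" search terms in capture order, and any plist key such as unmodified-title, preview-url or price-display out of extracted HTTP conversations:

```python
import plistlib
from urllib.parse import parse_qs, urlsplit

# Constructed (request, response) pairs standing in for the per-stream files a tool like
# transmute.rb would write; hosts, paths and values below are illustrative, not capture data.
PLIST = ('<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict><key>items</key>'
         "<array><dict><key>unmodified-title</key><string>Sample Film</string>"
         "<key>preview-url</key><string>http://example.invalid/t.m4v</string>"
         "<key>price-display</key><string>$0.99</string></dict></array></dict></plist>")
UA = "User-Agent: AppleTV/2.4\r\n\r\n"
CONVERSATIONS = [
    ("GET /search?q=h HTTP/1.1\r\nHost: ax.example.invalid\r\n" + UA, "HTTP/1.1 200 OK\r\n\r\nok"),
    ("GET /search?q=ha HTTP/1.1\r\nHost: ax.example.invalid\r\n" + UA, "HTTP/1.1 200 OK\r\n\r\nok"),
    ("GET /viewMovie?id=1 HTTP/1.1\r\n" + UA, "HTTP/1.1 200 OK\r\nContent-Type: text/xml\r\n\r\n" + PLIST),
]

def split_http(message):
    """Return (start line, lower-cased header dict, body) of one raw HTTP message."""
    head, _, body = message.partition("\r\n\r\n")
    start, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start, headers, body
def user_agents(conversations):
    """Distinct User-Agent values seen in requests (the '-h user-agent' question)."""
    return sorted({split_http(req)[1].get("user-agent") for req, _ in conversations} - {None})
def search_terms(conversations):
    """q= values in capture order, consecutive repeats collapsed (h, ha, hac, ...)."""
    terms = []
    for req, _ in conversations:
        path = split_http(req)[0].split(" ")[1]
        for term in parse_qs(urlsplit(path).query).get("q", []):
            if not terms or terms[-1] != term:
                terms.append(term)
    return terms
def plist_values(conversations, key):
    """Every value stored under `key`, at any depth, in any plist response body."""
    found = []
    def walk(node):  # recurse through nested dicts and arrays
        if isinstance(node, dict):
            found.extend(v for k, v in node.items() if k == key)
        for v in (node.values() if isinstance(node, dict) else node if isinstance(node, list) else []):
            walk(v)
    for _, resp in conversations:
        body = split_http(resp)[2]
        if "<plist" in body:  # skip non-plist bodies rather than raising
            walk(plistlib.loads(body.encode()))
    return found
```

Running the three functions over real per-stream dumps reproduces the questions' workflow: one distinct User-Agent, the ordered chain of partial searches, and the single unmodified-title, preview-url and price-display values for each clicked movie.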