After downloading the evidence PCAP file, I checked it out in tshark to see what I was dealing with:

    # tshark -nr evidence03.pcap | less

Having never worked with the AppleTV, I was glad to see that I would only be working with HTTP data.

First, to find out Ann's MAC address, I used a small bash script I had for basic traffic analysis:

    # trafficAnalyzer.sh evidence03.pcap

From the output of this tool, I could see that Ann's MAC address was 00:25:00:fe:07:c4.

For the remainder of the questions, I worked on a Perl program that generates an HTML summary of all HTTP traffic captured. I believe that while I could have written a one-off tool to extract the information requested in the challenge with no user interaction, such a tool would be too special-purpose to be useful in the future. The tool that I have written for this challenge is more general-purpose, can be easily extended, and will likely be useful in many future jobs and forensics challenges.

My first challenge in writing httpAnalyzer.pl was the state of Net::LibNIDS. The 0.01 version currently in CPAN has a fundamental problem that causes it to return bad data and will eventually cause Perl to segfault. The solution is a one-line fix mentioned in this bug report: http://rt.cpan.org/Public/Bug/Display.html?id=52879
The patch and a Gentoo ebuild can both be found on my website with the rest of my submission materials.

The HTML file generated by analyzing the given evidence file gives the IP address, headers, parameters, file contents, sizes and MD5s of all files transferred over HTTP. It also allows downloading a copy of each file transferred, simple filtering, viewing images inline, querying XML files with jQuery selectors, and parsing Apple's PList XML files.

Future capabilities that I was unable to finish in time for submission include syntax highlighting of XML/HTML source (I tried to use Chili, a jQuery plugin for client-side syntax highlighting, but it was too slow), image file details, more advanced filtering, and cross-browser testing (it was only tested to work on Firefox 3.5+). A copy of the analysis file for the evidence capture can be found on my website for reference if you are unable to run the script yourself.

Once the analysis HTML is loaded in Firefox, for question 2, expand any transfer from Ann's IP and look at the User-Agent field in the Request tab. From this, you can see that Ann's user agent is "AppleTV/2.4".

After looking at what kind of traffic the AppleTV generates, I figured that the best way to isolate searches was to use a filter where the URI contains /WebObjects/. From there, the q GET parameter shows that the first four incremental searches are for "h", "ha", "hac", and "hack". After that, a request for a specific movie with id 333441641649 was made, and by browsing the PList tab of this transfer it can be seen that the movie is "Hackers". Alternatively, the Query tab could have been used with a query of "plist > dict > key:contains(title) + string". Further down the PList tab, it can be seen that the preview-url for the trailer is "http://a227.v.phobos.apple.com/us/r1000/008/Video/62/bd/1b/mzm.plqacyqb..640x278.h264lc.d2.p.m4v".

Likewise, the movie returned by the next request to viewMovie is "Sneakers", and it is easy to find in its PList tab that its price-display value is $9.99 (not a bad price for such an awesome movie, by the way).

Finally, by using the same filter that we've been using, it can be seen that the final search term that Ann entered was "iknowyourewatchingme". And indeed we are, Ann.

Both scripts used, along with the output of each, and the Net::LibNIDS patch and ebuild can be found at http://modtwo.com/networkforensics/puzzle3/
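The two extraction steps described above (filtering requests whose URI contains /WebObjects/ to pull the q and id parameters, then reading title, preview-url and price-display out of a PList response) are easy to reproduce without the HTML viewer. The following is an added example, not the author's httpAnalyzer.pl or trafficAnalyzer.sh; it works on constructed HTTP request lines and a constructed PList document embedded inline instead of the evidence PCAP, and the request paths and the trailer URL in it are made up (only /WebObjects/, viewMovie, the q parameter, the id 333441641649, the title "Sneakers" and the $9.99 price come from the write-up).

```python
"""Added example: isolate AppleTV store searches and read PList fields.

Not the write-up's own tool. Operates on constructed inputs so it runs offline.
"""
import plistlib
from urllib.parse import parse_qs, urlsplit

# Constructed HTTP request lines standing in for what tshark would show from
# the capture. Paths are invented; the parameter names and the movie id are
# the ones the write-up reports.
CONSTRUCTED_REQUESTS = [
    "GET /WebObjects/search?q=h&lang=en HTTP/1.1",
    "GET /WebObjects/search?q=ha&lang=en HTTP/1.1",
    "GET /WebObjects/search?q=hac&lang=en HTTP/1.1",
    "GET /WebObjects/search?q=hack&lang=en HTTP/1.1",
    "GET /WebObjects/viewMovie?id=333441641649 HTTP/1.1",
    "GET /images/artwork.jpg HTTP/1.1",  # noise: no /WebObjects/, no q
    "GET /WebObjects/search?q=iknowyourewatchingme HTTP/1.1",
]

# Constructed PList response. Real store responses are larger and nested
# differently; the key names mirror the ones the write-up looks up.
CONSTRUCTED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>title</key><string>Sneakers</string>
  <key>item-metadata</key>
  <dict>
    <key>preview-url</key><string>http://example.invalid/constructed-trailer.m4v</string>
    <key>price-display</key><string>$9.99</string>
  </dict>
</dict>
</plist>
"""


def request_uri(line):
    """Return the request-target of an HTTP request line, or None if malformed."""
    parts = line.split()
    return parts[1] if len(parts) >= 2 else None


def query_values(lines, uri_substring, param):
    """Values of `param` from every request whose URI contains `uri_substring`.

    Order is preserved so incremental searches read back in the order typed.
    """
    values = []
    for line in lines:
        uri = request_uri(line)
        if not uri or uri_substring not in uri:
            continue
        params = parse_qs(urlsplit(uri).query)
        if param in params:
            values.append(params[param][0])
    return values


def search_terms(lines):
    """The q parameter of each /WebObjects/ request: the incremental searches."""
    return query_values(lines, "/WebObjects/", "q")


def movie_ids(lines):
    """The id parameter of each viewMovie request."""
    return query_values(lines, "viewMovie", "id")


def plist_fields(xml_bytes, wanted):
    """First occurrence of each wanted key anywhere in a PList, at any depth."""
    root = plistlib.loads(xml_bytes)
    found = {}

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if key in wanted and key not in found:
                    found[key] = value
                walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(root)
    return found


if __name__ == "__main__":
    print("searches:", search_terms(CONSTRUCTED_REQUESTS))
    print("movie ids:", movie_ids(CONSTRUCTED_REQUESTS))
    print(plist_fields(CONSTRUCTED_PLIST, ("title", "preview-url", "price-display")))
```

Feeding the script real request lines is a matter of replacing CONSTRUCTED_REQUESTS with the output of `tshark -nr evidence03.pcap -Y http.request -T fields -e http.request.uri` (with a method prefix, or by adjusting request_uri to take the bare URI), and plist_fields takes the raw body of the viewMovie response. The recursive walk is deliberate: the jQuery selector in the write-up assumes the keys sit directly under the top-level dict, while the walk finds them wherever Apple nests them.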