Puzzle #1: Ann’s Bad AIM

Anarchy-R-Us, Inc. suspects that one of their employees, Ann Dercover, is really a secret agent working for their competitor. Ann has access to the company’s prize asset, the secret recipe. Security staff are worried that Ann may try to leak the company’s secret recipe.

Security staff have been monitoring Ann’s activity for some time, but haven’t found anything suspicious– until now. Today an unexpected laptop briefly appeared on the company wireless network. Staff hypothesize it may have been someone in the parking lot, because no strangers were seen in the building. Ann’s computer, ( sent IMs over the wireless network to this computer. The rogue laptop disappeared shortly thereafter.

“We have a packet capture of the activity,” said security staff, “but we can’t figure out what’s going on. Can you help?”

You are the forensic investigator. Your mission is to figure out who Ann was IM-ing, what she sent, and recover evidence including:

1. What is the name of Ann’s IM buddy?
2. What was the first comment in the captured IM conversation?
3. What is the name of the file Ann transferred?
4. What is the magic number of the file you want to extract (first four bytes)?
5. What was the MD5sum of the file?
6. What is the secret recipe?

Here is your evidence file:

MD5 (evidence.pcap) = d187d77e18c84f6d72f5845edca833f5

The MOST ELEGANT solution wins. In the event of a tie, the entry submitted first will receive the prize. Scripting is always encouraged. All responses should be submitted as plain text files.

Exceptional solutions may be incorporated into the SANS Network Forensics Toolkit. Authors agree that their code submissions will be freely published under the GPL license, in order to further the state of network forensics knowledge. Exceptional submissions may also be used as examples and tools in the Network Forensics class. All authors will receive full credit for their work.

Email submissions to [email protected]. Deadline is 9/10/09. Good luck!!


  1. Some other questions? Where were they to meet? Who did Ann love. The answers are in there as well, you need something other than pcaps to find it though. Nothing complhex. Eventually you will say ahh, ascii,

  2. What’s up with frames # 15 and #16 being out of sequence? 15 is clearly the ACK to 16 (acking # 13), based both on sequence and TCP timestamp opt header, but the packet order capture is off. Is this an artifact of capturing on a switched network – frames buffered before forwarding on the receive port – or is it something more sinister?

    I especially like the AIM client on Sec558user’s PC downloading the advert starting in frame 227 – nice touch of realism.

  3. @shewfig:

    It’s an unfortunate fact of life for us: packets don’t always flow by our sensors in the order in which they were sent — or even the order in which they were received by their endpoints! 🙁

    In this case you’re probably right: buffering on a “switched network” (actually a VMware virtual network) caused them to show up out of order. But understand that this happens all the time across the long haul. Latencies vary by path, and packets get to have their very own paths sometimes, hence the whole point of packet-switched networks.

    Thank goodness we don’t often have to reassemble them manually. 🙂


  4. Shewfig “I especially like the AIM client on Sec558user’s PC downloading the advert starting in frame 227 – nice touch of realism”
    Could you post that for me? I missed that I think.

  5. Is there a location to view the solutions to the question after the winner has been announced ? I will really like to know if anyone is willing to share their solution. I am pretty new to the network forensic in general.

    Thanks !


Leave a Reply

Your email address will not be published.