Puzzle #1 Solution: Ann’s Bad AIM

Congratulations to all of our rock star investigators who solved the Network Forensics Puzzle Contest! We received over 100 submissions, many of which were truly excellent. Figuring out a winner was challenging, but in the end, one submission stood out over all.

We asked you for the most elegant solution. It was possible to solve the puzzle with common tools such as Wireshark, and many people did. However, modern investigations often involve many gigabytes– if not terabytes– of packet data. In the real world, pointing and clicking doesn’t scale. Moreover, when you’re working with large amounts of data, processing time is extremely valuable. Small, fast tools are key.

What we considered “elegant” was the construction of some automated process for solving the puzzle which was easy to use, easy to understand, very portable, and would easily be able to scale to much larger and more difficult problems.

Five people were named Semifinalists because they created an automated process (ie scripting) to facilitate future investigations. Seven Finalists took this to a level beyond and created novel solutions involving considerable amounts of scripting. Please take a look at each of their solutions as WE learned something from every one.

The WINNER of the first Network Forensics Puzzle Contest is Kristinn Gudjonsson. Kristinn wrote two very elegant Perl tools: pcapcat and oftcat.

pcapcat # This script reads a PCAP file and prints out all the connections in the file and gives the user the option of dumping the content of the TCP stream

Kristinn’s pcapcat utility shows you a list of all the TCP streams in a packet capture, and also allows you to select any given stream and dump out the contents of the stream. It also supports the use of BPF filters with the -f flag so that you can narrow your search to specific streams. It’s a small, sharp tool that’s easy to use.

oftcat # This script reads an OFT package, which is a package created by AIM when sending files over the network (using the oscar file transfer protocol). The script reads the packet, prints out some information about it and saves the captured file

Kristinn’s “oftcat” utility is smart enough to figure out the file name based on the OFT protocol and carve out the files transferred. It totally scales, and we especially appreciated his attention to protocol detail.

Here’s Kristinn’s solution writeup and a nice post on his blog where he adds some more detail.

Answers

1. What is the name of Ann’s IM buddy?
sec558user1

2. What was the first comment in the captured IM conversation?
Here’s the secret recipe… I just downloaded it from the file server. Just copy to a thumb drive and you’re good to go >:-)

3. What is the name of the file Ann transferred?
recipe.docx

4. What is the magic number of the file you want to extract (first four bytes)?
0x504B0304 (Note: one byte = 8 bits = 2 hex digits!)

5. What was the MD5sum of the file?
8350582774e1d4dbe1d61d64c89e0ea1

6. What is the secret recipe?
Recipe for Disaster:
1 serving
Ingredients:
4 cups sugar
2 cups water
In a medium saucepan, bring the water to a boil. Add sugar. Stir gently over low heat until sugar is fully dissolved. Remove the saucepan from heat. Allow to cool completely. Pour into gas tank. Repeat as necessary.