Puzzle #1 Solution: Ann’s Bad AIM

WINNER:

Kristinn Gudjonsson
(Wins a free SANS OnDemand class, worth up to $3500)

Finalists:

Aaron Allen
Alan Tu
Amar Yousif
Erik Hjelmvik
Franck Guénichot
Jeff Jarmoc
Joshua Soles
(Win a Fiendish Japanese Pocket Puzzle)

Semifinalists:

Drew Pekkarinen
Yongki Won
John Moore
Phil Ames
Samy Kamkar

Correct Answers:

Aaron Allen
Alan Lee
Alan Tu
Amar Yousif
Andre Sencioles Vitorio Oliveira
Andrew Lopacki
arthur
Atif Mushtaq
Balazs Attila-Mihaly
Bryan Casper
Bryan Dyson
Carrie Schaper
Chet Kress
chiru
Chris Biettchert
Chris Centore
Cristiano Maruti
David Clements
David S. Langlands
Drew Pekkarinen
Eric Davis
Eric Kollmann
Erik Hjelmvik
Francesco Picasso
Franck Guénichot
Frank Peeters
Gabriel Menezes Nunes
Jack Crook
Jayson George
Jeff Jarmoc
Jim Olding
Joe McMullin
John Abella
John Moore
Jon Wohlberg
Joshua Soles
Kees Leune
Konstantinos PETROU
Kristinn Gudjonsson
kshksh
Lars Olav Gigstad
Leigh Vincent
Leon Oosterwijk
Maximilian Herkender
Myke
Nicolas Vilatte
Niko Eftymiou
Ny-quiL
Phil Ames
Philippe Oechslin
Rafe Pilling
rmkml
Robert Rittenhouse
Rosario Russo
Russell Reynolds
Ryan Wessels
Samy Kamkar
Seven Lowe
Shane Kennedy
Tareq Saade
Toby Simmons
tomnjeryof NOWCOM
Yongki Won
Yuzy Matsuura

Congratulations to all of our rock star investigators who solved the Network Forensics Puzzle Contest! We received over 100 submissions, many of which were truly excellent. Figuring out a winner was challenging, but in the end, one submission stood out above all the rest.

We asked you for the most elegant solution. It was possible to solve the puzzle with common tools such as Wireshark, and many people did. However, modern investigations often involve many gigabytes, if not terabytes, of packet data. In the real world, pointing and clicking doesn’t scale. Moreover, when you’re working with large amounts of data, processing time is extremely valuable. Small, fast tools are key.

What we considered “elegant” was the construction of some automated process for solving the puzzle which was easy to use, easy to understand, very portable, and would easily be able to scale to much larger and more difficult problems.

Five people were named Semifinalists because they created an automated process (i.e., scripting) to facilitate future investigations. Seven Finalists took this to a level beyond and created novel solutions involving considerable amounts of scripting. Please take a look at each of their solutions as WE learned something from every one.

The WINNER of the first Network Forensics Puzzle Contest is Kristinn Gudjonsson. Kristinn wrote two very elegant Perl tools: pcapcat and oftcat.

pcapcat # This script reads a PCAP file and prints out all the connections in the file and gives the user the option of dumping the content of the TCP stream

Kristinn’s pcapcat utility shows you a list of all the TCP streams in a packet capture, and also allows you to select any given stream and dump out the contents of the stream. It also supports the use of BPF filters with the -f flag so that you can narrow your search to specific streams. It’s a small, sharp tool that’s easy to use.

oftcat # This script reads an OFT package, which is a package created by AIM when sending files over the network (using the oscar file transfer protocol). The script reads the packet, prints out some information about it and saves the captured file

Kristinn’s “oftcat” utility is smart enough to figure out the file name based on the OFT protocol and carve out the files transferred. It totally scales, and we especially appreciated his attention to protocol detail.
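As an added illustration (not Kristinn’s code, and not part of the contest writeup), here is a Python sketch of the carving step oftcat performs: parse the OFT2 header for the file name and size, slice the file bytes off the sender’s side of the TCP stream, and check the magic number and MD5 asked about in questions 4 and 5. The OFT2 field offsets are my reading of the OSCAR File Transfer protocol, and the sample frame is constructed in the code rather than taken from the capture.

```python
import hashlib
import struct

# OFT2 header layout as I understand the OSCAR File Transfer protocol (an assumption,
# not something the contest page states): 256-byte big-endian header starting "OFT2",
# 64-byte NUL-padded file name at offset 192, raw file bytes following the header.
OFT_MAGIC = b"OFT2"
OFT_HEADER_LEN = 256
OFT_TYPES = {0x0101: "prompt", 0x0202: "ack", 0x0204: "done"}
ZIP_MAGIC = b"PK\x03\x04"  # 0x504B0304: ZIP local file header, hence a .docx


def parse_oft_header(buf):
    """Pull the OFT2 fields needed for carving; offsets per the layout above."""
    if buf[:4] != OFT_MAGIC:
        raise ValueError("not an OFT2 frame")
    hdr_len, frame_type = struct.unpack_from(">HH", buf, 4)
    totsize, size = struct.unpack_from(">II", buf, 28)  # after cookie and 2-byte count fields
    name = buf[192:hdr_len].split(b"\x00", 1)[0].decode("latin-1")
    return {"length": hdr_len, "type": OFT_TYPES.get(frame_type, hex(frame_type)),
            "totsize": totsize, "size": size, "name": name}


def carve_oft_file(sender_stream):
    """Return (file name, payload) from the sender side of an OFT TCP stream."""
    hdr = parse_oft_header(sender_stream)
    payload = sender_stream[hdr["length"]:hdr["length"] + hdr["size"]]
    if len(payload) != hdr["size"]:  # capture ended before the transfer finished
        raise ValueError("truncated: header promises %d bytes, stream has %d"
                         % (hdr["size"], len(payload)))
    return hdr["name"], payload


def describe(payload):
    """Magic number and MD5 of a carved file, as asked in questions 4 and 5."""
    return {"magic": "0x" + payload[:4].hex().upper(),
            "is_zip": payload[:4] == ZIP_MAGIC,
            "md5": hashlib.md5(payload).hexdigest()}


def build_oft_prompt(name, payload):
    """Constructed sample prompt frame for testing, not bytes from the contest capture."""
    hdr = bytearray(OFT_HEADER_LEN)
    hdr[0:4] = OFT_MAGIC
    struct.pack_into(">HH", hdr, 4, OFT_HEADER_LEN, 0x0101)      # header length, type = prompt
    struct.pack_into(">HHHH", hdr, 20, 1, 1, 1, 1)                # totfiles, filesleft, totparts, partsleft
    struct.pack_into(">II", hdr, 28, len(payload), len(payload))  # totsize, size
    hdr[68:81] = b"Cool FileXfer"                                 # idstring
    hdr[192:192 + len(name)] = name.encode("latin-1")
    return bytes(hdr) + payload
```

Running `carve_oft_file` over the sender side of the stream that pcapcat dumps gives the file name from the header and the carved bytes, which `describe` then reduces to the magic number and MD5 answers.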

Here’s Kristinn’s solution writeup and a nice post on his blog where he adds some more detail.

Answers

1. What is the name of Ann’s IM buddy?
sec558user1

2. What was the first comment in the captured IM conversation?
Here’s the secret recipe… I just downloaded it from the file server. Just copy to a thumb drive and you’re good to go >:-)

3. What is the name of the file Ann transferred?
recipe.docx

4. What is the magic number of the file you want to extract (first four bytes)?
0x504B0304 (Note: one byte = 8 bits = 2 hex digits!)

5. What was the MD5sum of the file?
8350582774e1d4dbe1d61d64c89e0ea1

6. What is the secret recipe?
Recipe for Disaster:
1 serving
Ingredients:
4 cups sugar
2 cups water
In a medium saucepan, bring the water to a boil. Add sugar. Stir gently over low heat until sugar is fully dissolved. Remove the saucepan from heat. Allow to cool completely. Pour into gas tank. Repeat as necessary.

2 Comments

  1. Can we expect to see other challenges like this? Even if it isn’t to win a prize or free training…

  2. sherri

    September 29, 2009 at 8:50 am

    Yes, definitely! Sign up on our RSS feed to hear about future contests as soon as they’re announced.
