18 Comments

  1. I learned a lot by reading the results from the first contest, and loved every second of it. Unfortunately, I don’t know how I’m going to be able to wait an extra week to see the results of contest #2. 🙁

  2. The site doesn’t really make it clear (to me) if your looking for the answers and how you got them or if your looking for the answers and code that will automate the process of getting those answers?

    I used/use tools that are already widely available and much more powerful then anything I could code. Does this mean I have no chance of winning any of the puzzles?

    Even if the cases is that I will not win if I use others tools I would like to say thanks and tell you how much fun I have doing the puzzles.

  3. I’m interested to see what the organizer’s say about Winter’s question.

    Given that the contest announcement says that “The most elegant solution wins” I don’t think there’s a hard requirement for a tool to be written. However, there’s some pretty good indicators that tool development is strongly encouraged. The announcement is peppered with phrases like, “We love to see well-written, easy-to-use tools which automate even small sections of the evidence recovery.” and statements about tools being included in the Network Forensics Toolkit, and possibly in course material. Of course there’s also ‘Scripting is always encouraged.’ Also, if you look at the first contest – all the finalists submitted tools/scripts/automated solutions.

    I’d personally (though I’m not an organizer, just a fan/participant) love to see elegant solutions with existing off-the-shelf tools, but I think there’s probably a bit of a bias toward new tools, or at the very least, use of freely available open source tools. To me, part of the ‘elegance’ they’re looking for is an automated, easily repeatable (possibly across tens or hundreds of samples) process. Most of the existing tools I’ve looked at just don’t scale like that. I like to think of the challenge as a small part of a much larger scenario, and craft my entries accordingly. For example, in a more realistic scenario, we’re unlikely to know Ann’s IP and will probably have to sift through vastly more data to find what we’re after. If you can do that with existing tools, awesome!

    In any case, I think there’s a lot to be learned from the contest, even if you just do it all manually. Given that there’s only one prize, and countless entries, I think most folks do it for the fun, challenge, and educational value and the prizes are really just a bonus.

  4. sherri

    November 21, 2009 at 2:22 pm

    Winter,

    Everyone who gets all the answers right has solved the puzzle, and your name will be listed on the web site in the solutions announcement.

    With respect to winning the prize, we concur with Jeff’s statements. We are looking for submissions which advance the state of the network forensics in some way. The contest is open-ended to leave room for your creativity. We fully expect to receive submission which surprise us or push the envelope in ways that we wouldn’t have thought of– that is part of the fun. If you use existing tools to accomplish something new, fantastic! If you write your own tools, well done.

    As Jeff said, we especially encourage solutions which are “automated, easily repeatable (possibly across tens or hundreds of samples)”. We also really appreciate solutions which are easy to use, and which make network forensics more accessible to people.

    Above all, it’s nice to just play around with the packet captures and have fun!

  5. I know I am rushing things here, but this my first participation and I think I am a little itchy. Can anyone tell when we expect to know the results of the contest.

  6. sherri

    November 22, 2009 at 6:20 pm

    Ahmed: We will release the answers tomorrow. The winner will be announced as soon as we have finished thoroughly reviewing and testing all of the submissions. Given that there have been over a hundred submissions so far, and that we’re doing all the grading in our spare time, it will probably take us 2-3 weeks to announce the winner. We know that many people have put a lot of hard work into this, and we will endeavor to get you an answer as quickly as possible while still thoroughly testing each person’s work.

    In the meantime, we will be releasing Puzzle #3 soon to distract you 🙂

  7. Since the entry deadine is now past, I thought I’d share my entry for anyone who’s interested to take a look at. Enjoy!

    http://www.offenseindepth.com/smtpcat/puzzle2.txt

  8. @ Jeff: It seems that we think alike…. the tool I wrote to aid me in solving the puzzle is also called smtpcat 🙂

    Here it goes: http://www.yousicurity.com/2009/11/smtpcat.html

  9. D’oh! Name collision!

    Yours is really nice! I debated pcap input handling, but found that pcapcat (from tgefirst challenge) did a great job, so I decided against it. It’s interesting to see your approach, thanks for sharing!

    Sec558. Respek. LOL.

  10. Yeah, or you guys could have used a tool called network miner, got all the information.

    (note i did the work and found this precious tool after) 🙂

    http://sourceforge.net/projects/networkminer/

  11. Well, in this particular challenge we could have used a simple GUI tool like Network Miner to easily obtain the answers, but this challenge doesn’t involve around the capability to point and click on a simple application to obtain the answers (at least not in my opinion).

    This competition is more about understanding the network capture by yourself, so you need to dig deeper and understand how this works, and in a competition like this where scripting is really encouraged… to write a script that automates the process for future uses.

    Although tools like Network Miner are incredibly useful and can find answers to a challenge like this quite easily I think that in the real world, scripts like those that are developed for this challenge can be more useful in some cases, such as when you have a real life capture that is immensely larger than this one, and where we are only looking for some rogue SMTP traffic. There a simple script that does the trick can be much more powerful, especially since it might not need to be run on your workstation with a GUI, but instead could be run on a server without the need of a GUI. You could script around it to make it automatically search through a was amount of information instead of manually inspecting the results in network miner…. but this is just my two cents…

    And in the spirit of sharing solutions, here is mine: http://blog.kiddaland.net/2009/11/second-network-forensics-contest/

  12. I would also enjoy publishing my solutions for puzzle #2. Feel free to review it here: http://www.aldeid.com/index.php/Network-forensics:Cas-pratique-2

  13. Nice to see you guys discuss my tool NetworkMiner!

    I actually implemented the SMTP parser and “Message” tab in NetworkMiner specifically for this puzzle.

    @Kristinn: NetworkMiner is primarily not designed to solve simple puzzles like the ones on this site; the tool is crafted with the intention of being used in real forensic cases. I also don’t see why running a tool without GUI would be more helpful, I usually find it very rewarding (and time saving) to be able to look at the extracted data in a GUI to quickly identify the relevant communication. I do, however, agree that doing pre-filtering with other tools (like tshark) is useful when large files (>1GB) need to be analyzed… but I would say that it is not often that you know exactly what to look for, which is why being able to visually see a representation of the traffic in a GUI crucial.

    But I’m biased of course 😉

  14. One thing that I find missing in these challenges is large amounts of data to sift through. Typically I’m not going to just have an 80kb pcap file to use, but a couple hundred MBs or more. I did my writeup on my blog here, and another script called smtpcat, image that.

    http://chatteronthewire.blogspot.com/2009/11/network-forensic-challenge-2-update.html

  15. I’ve got to say, all the solutions linked so far are great. It seems there’s lots of different, yet consistently elegant approaches. I don’t envy the judges having to choose the best!

    And thanks for the link Eric 🙂

  16. @Erik: Don’t get me wrong, I really like NetworkMiner and use it quite often, especially when I do not have a large dataset (or pre-filter the existing one to make it smaller) and I’m not perfectly sure what I’m looking for. And in real life you are often presented with a case where you do not know exactly what you are looking at (looking for something “evil”), and then a GUI that visually represents the data can be very valuable. However, like I said previously in some cases we know exactly what we are looking for, and in those cases scripts are often a quicker way to get the information needed, especially when presented with large network captures. And sometimes you are forced to do the work on a networked server (perhaps the only one that is capable of capturing all the network traffic needed) which does not have a GUI, and sometimes it is better to finish the analysis there instead of transferring the network capture back to your workstation (and in some cases that is not even possible). In those cases scripts are very useful and perhaps even essential to the investigation. So in real-life we need both the GUI and the scripts since fortunately our work involves wide variety of cases 😉

    All I was saying is that for a challenge like this, I don’t think that the goal is to show that you can point-and-click on a GUI to find out the answer (unless you are the one that is developing the point-and-click GUI). The goal in my opinion is to show that you understand the network traffic and you are capable of interpreting it yourself, not to let tools do all the work for you, and then of course since scripting is encouraged it doesn’t hurt to actually script some of the work to make future work easier 😉

  17. @Kristinn: There has been a bit of discussion about this on the SANS GCFA list lately, mostly around the question of “do we need push-button forensics?”

    My view is that we already have pushbutton forensics: the bulk of the workload is being performed by EnCase and FTK analysts pointing and clicking. We simply don’t have enough deep forensic skill in the industry to satisfy the demand.

    This is not necessarily a bad thing, if folks like yourself and Erik continue to develop your free tools to solve more and more problems that we face, enabling more and more analysts to do pushbutton forensics in a correct and accurate way.

    Not everyone needs to know how cars work to drive one, so long as the car is well built and can get you from point A to point B reliably, consistently and predictably. We just need engineers to build them well and make them easy to use.

Leave a Reply

Your email address will not be published.