Ann’s AppleTV

Ann and Mr. X have set up their new base of operations. While waiting for the extradition paperwork to go through, you and your team of investigators covertly monitor her activity. Recently, Ann got a brand new AppleTV, and configured it with the static IP address Here is the packet capture with her latest activity.

You are the forensic investigator. Your mission is to find out what Ann searched for, build a profile of her interests, and recover evidence including:

1. What is the MAC address of Ann’s AppleTV?
2. What User-Agent string did Ann’s AppleTV use in HTTP requests?
3. What were Ann’s first four search terms on the AppleTV (all incremental searches count)?
4. What was the title of the first movie Ann clicked on?
5. What was the full URL to the movie trailer (defined by “preview-url”)?
6. What was the title of the second movie Ann clicked on?
7. What was the price to buy it (defined by “price-display”)?
8. What was the last full term Ann searched for?

Prize: Ann’s AppleTV (of course!)

Deadline is 2/01/10 (11:59:59PM UTC-11) (In other words, if it’s still 2/01/10 anywhere in the world, you can submit your entry.)

Please use the Official Submission form to submit your answers. Here is your evidence file:
MD5 (evidence03.pcap) = f8a01fbe84ef960d7cbd793e0c52a6c9

The MOST ELEGANT solution wins. In the event of a tie, the entry submitted first will receive the prize. Coding is always encouraged. We love to see well-written, easy-to-use tools which automate even small sections of the evidence recovery. Graphical and command-line tools are all eligible. You are welcome to build upon the work of others, as long as their work has been released under a GPL license. (If it has been released under another free-software license, email us to confirm eligibility.) All responses should be submitted as plain text. Microsoft Word documents, PDFs, etc will NOT be reviewed.

Feel free to collaborate with other people and discuss ideas back and forth. You can even submit as a team (there will be only one prize). However, please do not publish the answers before the deadline, or you (and your team) will be automatically disqualified. Also, please understand that the contest materials are copyrighted and that we’re offering them publicly for the community to enjoy. You are welcome to publish full solutions after the deadline, but please use proper attributions and link back. If you are interested in using the contest materials for other purposes, just ask first.

Exceptional solutions may be incorporated into the SANS Network Forensics Toolkit. Authors agree that their code submissions will be freely published under the GPL license, in order to further the state of network forensics knowledge. Exceptional submissions may also be used as examples and tools in the Network Forensics class. All authors will receive full credit for their work.

Deadline is 2/01/10 (11:59:59PM UTC-11). Here’s the Official Submission form. Good luck!!

Copyright 2009, Lake Missoula Group, LLC. All rights reserved.


  1. Could you leave the MD5 or SHA1 hash of the pcap files ­čÖé

  2. sherri

    December 29, 2009 at 12:54 pm

    Hi Jairam,

    The MD5sum of the pcap file is in the post above, and here it is again for your reference:

    MD5 (evidence03.pcap) = f8a01fbe84ef960d7cbd793e0c52a6c9


  3. The deadline date, is the the first of february or the 2th of january?

  4. Even better, you should sign the files with PGP. Simply publishing the hash over an unsecure protocol like HTTP doesn’t buy you anything.

    Use “gpg –detach-sig ” and publish the .sig file for maximum integrity.

  5. Hi team, now that puzzle #3 contest is closed, I think all of us would really appreciate if you could publish the answers (not the winner yet, just the answers) in order to know if we have a chance… Many thanks in advance.

  6. sherri

    February 2, 2010 at 10:41 pm

    Hello S├â┬ębastien,

    Thanks for the nudge! Answers are up.


  7. Good work Monsieur S├â┬ębastien….. Here’s my work below…. May the best man win ­čÖé

  8. Anyone know how to do things like this?

  9. How about publishing the winners?

Leave a Reply

Your email address will not be published. Required fields are marked *