Hint for Ann’s AppleTV

Just wanted to send a hint out for those of you who are out to win Ann’s AppleTV.

We’ve received lots of submissions with the correct answer, but to win the AppleTV, you’ll need to go a step beyond manual extraction with Wireshark or Network Miner. Imagine if you had a huge packet capture containing LOTS of AppleTV traffic. There’s no way you could extract that manually!

Can you build a tool that will automatically list each of the movies that a user previewed? Or all of the terms that Ann searched for? Carve out files transferred and their MD5sums? Even perhaps reconstruct what Ann saw on the AppleTV based on the traffic content?

To win the AppleTV, you’ll need to be creative and take things to a level beyond just manual extraction. (By the way, we suspect that the underlying traffic for the AppleTV is the same format as iTunes traffic.)

Submissions are due by the end of 2/1/10 (next Monday night). Good luck!!

11 Comments

  1. It’s great to see this hint giving us direction on what you’re looking for. There’s not much time left in the contest for those of us working on tools to make adjustments, though. Any chance of an extension?

  2. Sherri,

    Unfortunately not all of us can code and not all of us have a budget to buy commercial software to do this work for us. Before attempting this contest I had reviewed Wireshark in operation but had not actually used it. I loaded it on my own computer for the first time just for this contest.

    It took less than 15 seconds for me to answer the first question using a manual process. A bit longer to answer the second. I believe I answered all of the questions correctly but it was truly a manual process. Sort of like using Google hacking to solve a problem (which is something I do quite a bit) excpet in this case my GOOGLE was Wireshark and my Internet was the packet capture.

    I also use manual processes to perform other similar forensics for my job. Like configuring a filter and observing firewall traffic for a client PC to determine why a web page fails to load (nonstandard port). Or using “netstat” to observe Internet connections of a stealth virus using a rootkit to mask itself.

    While I agree that having automated tools helps, not everyone can create this type of solution.

  3. sherri

    February 1, 2010 at 11:30 pm

    Hi Tim,

    You’re certainly right, and manual investigation is definitely a valid way to solve the contest. That’s why we publish the names of everyone who got the correct answers, regardless of how it was accomplished.

    We are trying to encourage development of new and varied tools, so the subset of folks who are interested in that type of investigation compete for the prize. We do hope that the puzzle is fun for people who analyze the evidence manually as well, and we design the contests specifically so that they can be solved without automation.

    best,
    Sherri

  4. sherri

    February 1, 2010 at 11:51 pm

    Lou – No extension on this contest, but I do expect we’ll have an iTunes traffic analysis contest in the future, so keep the same ideas in mind 🙂

    best,
    Sherri

  5. Sherri:

    This is the first of the forensics puzzles I’ve participated in and I had a lot of fun with it. Thanks for running these contests.

    I’m really looking forward to seeing the others’ solutions for this one.

    Wesley

  6. sherri

    February 2, 2010 at 10:40 pm

    Thanks Wes! Glad to see your entry 🙂

  7. So would a custom command-line tool that could only extract AppleTV search queries be considered more or less elegant than using Wireshark’s Display Filter ability to reduce the packet list according to a pattern that matches the common subset of all search queries?

    The former is rather limited in function (it’s a script-kiddie tool), while the latter requires the user to know a lot about both Wireshark and HTTP protocol (it’s an expert tool).

    Presumably you’re looking for tools that provide more functionality than a kiddie script, but don’t require complete mastery of all levels of network protocols.

  8. sherri

    February 4, 2010 at 6:11 pm

    Hi Jeremy,

    >Presumably you’re looking for tools that provide more functionality than a kiddie script,
    >but don’t require complete mastery of all levels of network protocols.

    That’s the goal, yes. Ideally, we’re looking for tools that just about anyone can run and use to get useful information, but which also allow experts to fine-tune their options.

    Wireshark is great, especially for smaller investigations, but in network forensics we often have clients hand us hundreds of gigabytes or even several terabytes of data. In order to keep up with the pace of storage, we need to automate.

  9. Agreed with Sherri; and I also think that a tool with an output that can be grep-ed goes along way when it comes to handling investigations with large scale packet capture.

  10. When do you plan on announcing the winner?

  11. sherri

    February 10, 2010 at 3:01 am

    Hi Tim,

    We expect it will be late next week. This week we’re working hard at building and testing the SNIFT kit images for the 50 Lenovo Ideapads which will be given to students at “Network Forensics” in Orlando. As soon as that’s done we’ll finish up grading the terrific contest entries. I know folks are eager to find out who won, and we’ll have an answer for you guys as soon as we can.

    In the meantime, Puzzle #4 is a fun little distraction…. 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *