We were blown away by the quality of your submissions for Puzzle #2. There were many excellent, automated, well-documented solutions, including production-quality tools. Congratulations to everyone who submitted the correct answers, and a special thanks to all of you who pushed forward network forensics technology, either by writing your own tools or by improving those which already exist.
You sent in nearly 150 unique entries. After testing each entry for usability and functionality, we narrowed it down to 79 correct solutions, 15 Semifinalists, and 8 Finalists. After much debate we declared TWO (yes, two) winners, with different and complementary approaches:
Franck Guénichot and Jeremy Rossi
Both Franck and Jeremy will receive a Lenovo Ideapad S10-2, similar to the netbooks that will be distributed in SANS Sec558 classes.
Franck wrote two tools:
– smtpdump (home made ruby script to extract some smtp info from a pcap file)
– docxtract (home made ruby script to extract files from a docx package)
Franck’s smtpdump is an easy-to-use tool for analyzing SMTP traffic in pcap files. It can export emails and attachments, automatically generate MD5sums, and display SMTP-related information. You can narrow your search down to a specific flow, or extract information from the entire packet capture. The docxtract script extracts files from a Microsoft .docx file, and can take the MD5sum of each extracted item. We especially appreciated that both of Franck’s tools were very well documented and user-friendly.
Jeremy wrote a fantastically simple tool called findsmtpinfo.py. As he describes, the “script creates a report of the SMTP information, stores any emails in msg format, stores any attachments from the emails, decompresses them if they are a compressed format (zip, docx), checks MD5 hashes of all files including the msg files (and generates MD5 hash of output report).” The result? An easy-to-follow report with complete paths to the extracted files and corresponding MD5sums. The report itself is detailed enough to be used as an attachment to a real-world forensics report.
Franck and Jeremy’s tools, smtpdump and findsmtpinfo.py, complement each other well. They can be used individually or together as part of a real-world investigation. Smtpdump facilitates inspection and makes it easy to drill down on the SMTP traffic of interest. Once you have identified specific flows of interest, you can use findsmtpinfo.py to automatically generate a report and quickly extract all of the SMTP-related information, emails, attachments, etc.
Don’t miss the excellent tools and narratives by the eight Finalists. We’d like to specifically call attention to Erik Hjelmvik’s latest version of Network Miner, which he submitted as his entry. Erik extended Network Miner to include an SMTP parser and “Messages” tab. His GUI tool is both effective and very easy to use.
Amar Yousif (smtpcat), Jeff Jarmoc (smtpcat.rb), Kristinn Gudjonsson (smtp_anex), Richard Springs (carnivorous.rb) and Serge Gorbunov (smtpParser.py) each wrote their own excellent SMTP analysis and data extraction tools. Tom Samstag submitted patches for dsniff and mailsnarf which substantially improved their functionality, fixing dsniff’s SMTP authentication decoding and allowing mailsnarf to examine traffic on port 587. Alan Tu wrote a great walk-through using tshark’s new tcp.stream field to identify TCP streams, and created a script based on this to output data from the application layer of selected streams.
As before, what we considered “elegant” was the construction of some automated process for solving the puzzle which was easy to use, easy to understand, portable, and would easily be able to scale to much larger and more difficult problems.
We received a number of solutions which were almost, but not quite, correct. For example, several people submitted MD5sums and left out one or two digits, or submitted email addresses with a “1” instead of an “l”. In forensics, exactness matters, and unfortunately being off-by-one is still not correct. If your name is not on the list of correct answers, please check your submission carefully. We appreciated *every* submission, and encourage you to try again next time!
Fifteen people were named Semifinalists because they contributed to an automated process that would significantly facilitate future investigations. Eight Finalists took this to a level beyond and created polished, novel solutions involving considerable amounts of scripting. Please take a look at each of their solutions as WE learned something from every one.
Thank you all for playing! Puzzle Contest #3 will be coming out soon… 🙂
WINNERS:
|
Finalists:
|
Semifinalists:
Adam James
Ahmed Adel Mohamed
Alexandre Teixeira
Andrew Neitsch
Arvind Doraiswamy
|
Elizabeth Greene
Eric Davis
Eric Kollmann
Jeff Bryner
Jim Clausing
|
John Scillieri
Lou Arminio
Preston Wiley
Sebastien Damaye
Troy Schlueter
|
|
Correct Answers:
Adam James
Ahmed Adel Mohamed
Alan Tu
Alessandro Frossi
Alexandre Teixeira
Ali Mersin
Andrew Laman
Andrew Neitsch
Andrew Rabie
Andrew Scharlott
Arvind Doraiswamy
Carrie Schaper
C.D.A.
Chet Kress
Chris Anderson
Chris Steenkamp
Christiaan Beek
Daniel Dickerman
David Clements
David Gilmore
Derek Lidbom
Elizabeth Greene
Eric Davis
Eric Kollmann
Erik Hjelmvik
Franck Guénichot
|
Halil Ozgur BAKTIR
Jairam Ramesh
Jason Powell
Jason Setzer
Jason Stanley
Jay Radcliffe
Jeff Bryner
Jeff Jarmoc
Jeff Lafferty
Jeremy Rossi
Jim Clausing
Jim Goltz
John Scillieri
Jon Cook
Juha Lampinen
Kaio Rafael de Souza Barbosa
Kevin Schultz
Kristinn Gudjonsson
Lance Mueller
Larry McDonald
Lorenzo De Toro III
Lou Arminio
Masashi Fujiwara
Michael Spohn
Michael Thomas
Mike Pilkington
Nick McKerrall
|
Omair Hamid
Osama Elnaggar
Peter Chong
Peter Nguyen
Preston Wiley
Richard Springs
Rob VandenBrink
Rodney Driggers
Russ Klanke
Ryan Linn
Sébastien Damaye
Serge Gorbunov
Seung-hoon Kang
Shane Hartman
Shane Kennedy
Shane Vonarx
steponequit
Steward DeWitt
Tareq Saade
Thom Carlin
Thor Ollila
Timothy Lawton
Tom Samstag
Troy Schlueter
Valter Santos
wiretapp
|
|