Category: Contest

Ann’s AppleTV

Ann and Mr. X have set up their new base of operations. While waiting for the extradition paperwork to go through, you and your team of investigators covertly monitor her activity. Recently, Ann got a brand new AppleTV, and configured it with the static IP address 192.168.1.10. Here is the packet capture with her latest activity.

You are the forensic investigator. Your mission is to find out what Ann searched for, build a profile of her interests, and recover evidence including:

1. What is the MAC address of Ann’s AppleTV?
2. What User-Agent string did Ann’s AppleTV use in HTTP requests?
3. What were Ann’s first four search terms on the AppleTV (all incremental searches count)?
4. What was the title of the first movie Ann clicked on?
5. What was the full URL to the movie trailer (defined by “preview-url”)?
6. What was the title of the second movie Ann clicked on?
7. What was the price to buy it (defined by “price-display”)?
8. What was the last full term Ann searched for?

Prize: Ann’s AppleTV (of course!)

Deadline is 2/01/10 (11:59:59PM UTC-11) (In other words, if it’s still 2/01/10 anywhere in the world, you can submit your entry.)

Please use the Official Submission form to submit your answers. Here is your evidence file:
http://forensicscontest.com/contest03/evidence03.pcap
MD5 (evidence03.pcap) = f8a01fbe84ef960d7cbd793e0c52a6c9

The MOST ELEGANT solution wins. In the event of a tie, the entry submitted first will receive the prize. Coding is always encouraged. We love to see well-written, easy-to-use tools which automate even small sections of the evidence recovery. Graphical and command-line tools are all eligible. You are welcome to build upon the work of others, as long as their work has been released under a GPL license. (If it has been released under another free-software license, email us to confirm eligibility.) All responses should be submitted as plain text. Microsoft Word documents, PDFs, etc will NOT be reviewed.

Feel free to collaborate with other people and discuss ideas back and forth. You can even submit as a team (there will be only one prize). However, please do not publish the answers before the deadline, or you (and your team) will be automatically disqualified. Also, please understand that the contest materials are copyrighted and that we’re offering them publicly for the community to enjoy. You are welcome to publish full solutions after the deadline, but please use proper attributions and link back. If you are interested in using the contest materials for other purposes, just ask first.

Exceptional solutions may be incorporated into the SANS Network Forensics Toolkit. Authors agree that their code submissions will be freely published under the GPL license, in order to further the state of network forensics knowledge. Exceptional submissions may also be used as examples and tools in the Network Forensics class. All authors will receive full credit for their work.

Deadline is 2/01/10 (11:59:59PM UTC-11). Here’s the Official Submission form. Good luck!!

Copyright 2009, Lake Missoula Group, LLC. All rights reserved.

Puzzle #2 Winners and Solutions

We were blown away by the quality of your submissions for Puzzle #2. There were many excellent, automated, well-documented solutions, including production-quality tools. Congratulations to everyone who submitted the correct answers, and a special thanks to all of you who pushed forward network forensics technology, either by writing your own tools or by improving those which already exist.

You sent in nearly 150 unique entries. After testing each entry for usability and functionality, we narrowed it down to 79 correct solutions, 15 Semifinalists, and 8 Finalists. After much debate we declared TWO (yes, two) winners, with different and complementary approaches:

Franck Guénichot and Jeremy Rossi

Both Franck and Jeremy will receive a Lenovo Ideapad S10-2, similar to the netbooks that will be distributed in SANS Sec558 classes.

Franck wrote two tools:
smtpdump (home made ruby script to extract some smtp info from a pcap file)
docxtract (home made ruby script to extract files from a docx package)

Franck’s smtpdump is an easy-to-use tool for analyzing SMTP traffic in pcap files. It can export emails and attachments, automatically generate MD5sums, and display SMTP-related information. You can narrow your search down to a specific flow, or extract information from the entire packet capture. The docxtract script extracts files from a Microsoft .docx file, and can take the MD5sum of each extracted item. We especially appreciated that both of Franck’s tools were very well documented and user-friendly.

Jeremy wrote a fantastically simple tool called findsmtpinfo.py. As he describes, the “script creates a report of the SMTP information, stores any emails in msg format, stores any attachments from the emails, decompresses them if they are a compressed format (zip, docx), checks MD5 hashes of all files including the msg files (and generates MD5 hash of output report).” The result? An easy-to-follow report with complete paths to the extracted files and corresponding MD5sums. The report itself is detailed enough to be used as an attachment to a real-world forensics report.

Franck and Jeremy’s tools, smtpdump and findsmtpinfo.py, complement each other well. They can be used individually or together as part of a real-world investigation. Smtpdump facilitates inspection and makes it easy to drill down on the SMTP traffic of interest. Once you have identified specific flows of interest, you can use findsmtpinfo.py to automatically generate a report and quickly extract all of the SMTP-related information, emails, attachments, etc.

Don’t miss the excellent tools and narratives by the eight Finalists. We’d like to specifically call attention to Erik Hjelmvik’s latest version of Network Miner, which he submitted as his entry. Erik extended Network Miner to include an SMTP parser and “Messages” tab. His GUI tool is both effective and very easy to use.

Amar Yousif (smtpcat), Jeff Jarmoc (smtpcat.rb), Kristinn Gudjonsson (smtp_anex), Richard Springs (carnivorous.rb) and Serge Gorbunov (smtpParser.py) each wrote their own excellent SMTP analysis and data extraction tools. Tom Samstag submitted patches for dsniff and mailsnarf which substantially improved their functionality, fixing dsniff’s SMTP authentication decoding and allowing mailsnarf to examine traffic on port 587. Alan Tu wrote a great walk-through using tshark’s new tcp.stream field to identify TCP streams, and created a script based on this to output data from the application layer of selected streams.

As before, what we considered “elegant” was the construction of some automated process for solving the puzzle which was easy to use, easy to understand, portable, and would easily be able to scale to much larger and more difficult problems.

We received a number of solutions which were almost, but not quite, correct. For example, several people submitted MD5sums and left out one or two digits, or submitted email addresses with a “1” instead of an “l”. In forensics, exactness matters, and unfortunately being off-by-one is still not correct. If your name is not on the list of correct answers, please check your submission carefully. We appreciated *every* submission, and encourage you to try again next time!

Fifteen people were named Semifinalists because they contributed to an automated process that would significantly facilitate future investigations. Eight Finalists took this to a level beyond and created polished, novel solutions involving considerable amounts of scripting. Please take a look at each of their solutions as WE learned something from every one.

Thank you all for playing! Puzzle Contest #3 will be coming out soon… 🙂


WINNERS:

Franck Guénichot
Jeremy Rossi
(Win a Lenovo Ideapad S-10, like the ones distributed to SANS Sec558 students)

Finalists:

Alan Tu
Amar Yousif
Erik Hjelmvik
Jeff Jarmoc
Kristinn Gudjonsson
Richard Springs
Serge Gorbunov
Tom Samstag

Semifinalists:

Adam James
Ahmed Adel Mohamed
Alexandre Teixeira
Andrew Neitsch
Arvind Doraiswamy
Elizabeth Greene
Eric Davis
Eric Kollmann
Jeff Bryner
Jim Clausing
John Scillieri
Lou Arminio
Preston Wiley
Sebastien Damaye
Troy Schlueter

Correct Answers:

Adam James
Ahmed Adel Mohamed
Alan Tu
Alessandro Frossi
Alexandre Teixeira
Ali Mersin
Andrew Laman
Andrew Neitsch
Andrew Rabie
Andrew Scharlott
Arvind Doraiswamy
Carrie Schaper
C.D.A.
Chet Kress
Chris Anderson
Chris Steenkamp
Christiaan Beek
Daniel Dickerman
David Clements
David Gilmore
Derek Lidbom
Elizabeth Greene
Eric Davis
Eric Kollmann
Erik Hjelmvik
Franck Guénichot
Halil Ozgur BAKTIR
Jairam Ramesh
Jason Powell
Jason Setzer
Jason Stanley
Jay Radcliffe
Jeff Bryner
Jeff Jarmoc
Jeff Lafferty
Jeremy Rossi
Jim Clausing
Jim Goltz
John Scillieri
Jon Cook
Juha Lampinen
Kaio Rafael de Souza Barbosa
Kevin Schultz
Kristinn Gudjonsson
Lance Mueller
Larry McDonald
Lorenzo De Toro III
Lou Arminio
Masashi Fujiwara
Michael Spohn
Michael Thomas
Mike Pilkington
Nick McKerrall
Omair Hamid
Osama Elnaggar
Peter Chong
Peter Nguyen
Preston Wiley
Richard Springs
Rob VandenBrink
Rodney Driggers
Russ Klanke
Ryan Linn
Sébastien Damaye
Serge Gorbunov
Seung-hoon Kang
Shane Hartman
Shane Kennedy
Shane Vonarx
steponequit
Steward DeWitt
Tareq Saade
Thom Carlin
Thor Ollila
Timothy Lawton
Tom Samstag
Troy Schlueter
Valter Santos
wiretapp

Puzzle #2 Answers

Thank you all for your contest submissions! We received well over a hundred and we are busily reviewing them. In the meantime, here are the answers: image1

1. What is Ann’s email address?
Answer 1: [email protected]

2. What is Ann’s email password?
Answer 2: 558r00lz

3. What is Ann’s secret lover’s email address?
Answer 3: [email protected]

4. What two items did Ann tell her secret lover to bring?
Answer 4: A fake passport and a bathing suit

5. What is the NAME of the attachment Ann sent to her secret lover?
Answer 5: secretrendezvous.docx

6. What is the MD5sum of the attachment Ann sent to her secret lover?
Answer 6: 9e423e11db88f01bbff81172839e1923

7. In what CITY and COUNTRY is their rendez-vous point?
Answer 7: Playa del Carmen, Mexico

8. What is the MD5sum of the image embedded in the document?
Answer 8: aadeace50997b1ba24b09ac2ef1940b7

Puzzle #2: Ann Skips Bail

After being released on bail, Ann Dercover disappears! Fortunately, investigators were carefully monitoring her network activity before she skipped town.

“We believe Ann may have communicated with her secret lover, Mr. X, before she left,” says the police chief. “The packet capture may contain clues to her whereabouts.”

You are the forensic investigator. Your mission is to figure out what Ann emailed, where she went, and recover evidence including:

1. What is Ann’s email address?
2. What is Ann’s email password?
3. What is Ann’s secret lover’s email address?
4. What two items did Ann tell her secret lover to bring?
5. What is the NAME of the attachment Ann sent to her secret lover?
6. What is the MD5sum of the attachment Ann sent to her secret lover?
7. In what CITY and COUNTRY is their rendez-vous point?
8. What is the MD5sum of the image embedded in the document?

Please use the Official Submission form to submit your answers. Prize TBD. Prize will be a Lenovo IdeaPad S10-2 – just like the free netbooks Sec558 students will get in Orlando.

Here is your evidence file:

http://forensicscontest.com/contest02/evidence02.pcap
MD5 (evidence02.pcap) = cfac149a49175ac8e89d5b5b5d69bad3

The MOST ELEGANT solution wins. In the event of a tie, the entry submitted first will receive the prize. Scripting is always encouraged. We love to see well-written, easy-to-use tools which automate even small sections of the evidence recovery. You are welcome to build upon the work of others, as long as their work has been released under a GPL license. (If it has been released under another free-software license, email us to confirm eligibility.) All responses should be submitted as plain text. Microsoft Word documents, PDFs, etc will NOT be reviewed.

Exceptional solutions may be incorporated into the SANS Network Forensics Toolkit. Authors agree that their code submissions will be freely published under the GPL license, in order to further the state of network forensics knowledge. Exceptional submissions may also be used as examples and tools in the Network Forensics class. All authors will receive full credit for their work.

Deadline is 11/15/09 11/22/09. Here’s the Official Submission form. Good luck!!

Puzzle #1 Solution: Ann’s Bad AIM

WINNER:

Kristinn Gudjonsson
(Wins a free SANS OnDemand class- worth up to $3500)

Finalists:

Aaron Allen
Alan Tu
Amar Yousif
Erik Hjelmvik
Franck Guénichot
Jeff Jarmoc
Joshua Soles
(Win a Fiendish Japanese Pocket Puzzle)

Semifinalists:

Drew Pekkarinen
Yongki Won
John Moore
Phil Ames
Samy Kamkar

Correct Answers:

Aaron Allen
Alan Lee
Alan Tu
Amar Yousif
Andre Sencioles Vitorio Oliveira
Andrew Lopacki
arthur
Atif Mushtaq
Balazs Attila-Mihaly
Bryan Casper
Bryan Dyson
Carrie Schaper
Chet Kress
chiru
Chris Biettchert
Chris Centore
Cristiano Maruti
David Clements
David S. Langlands
Drew Pekkarinen
Eric Davis
Eric Kollmann
Erik Hjelmvik
Francesco Picasso
Franck Guénichot
Frank Peeters
Gabriel Menezes Nunes
Jack Crook
Jayson George
Jeff Jarmoc
Jim Olding
Joe McMullin
John Abella
John Moore
Jon Wohlberg
Joshua Soles
Kees Leune
Konstantinos PETROU
Kristinn Gudjonsson
kshksh
Lars Olav Gigstad
Leigh Vincent
Leon Oosterwijk
Maximilian Herkender
Myke
Nicolas Vilatte
Niko Eftymiou
Ny-quiL
Phil Ames
Philippe Oechslin
Rafe Pilling
rmkml
Robert Rittenhouse
Rosario Russo
Russell Reynolds
Ryan Wessels
Samy Kamkar
Seven Lowe
Shane Kennedy
Tareq Saade
Toby Simmons
tomnjeryof NOWCOM
Yongki Won
Yuzy Matsuura

Congratulations to all of our rock star investigators who solved the Network Forensics Puzzle Contest! We received over 100 submissions, many of which were truly excellent. Figuring out a winner was challenging, but in the end, one submission stood out over all.

We asked you for the most elegant solution. It was possible to solve the puzzle with common tools such as Wireshark, and many people did. However, modern investigations often involve many gigabytes– if not terabytes– of packet data. In the real world, pointing and clicking doesn’t scale. Moreover, when you’re working with large amounts of data, processing time is extremely valuable. Small, fast tools are key.

What we considered “elegant” was the construction of some automated process for solving the puzzle which was easy to use, easy to understand, very portable, and would easily be able to scale to much larger and more difficult problems.

Five people were named Semifinalists because they created an automated process (ie scripting) to facilitate future investigations. Seven Finalists took this to a level beyond and created novel solutions involving considerable amounts of scripting. Please take a look at each of their solutions as WE learned something from every one.

The WINNER of the first Network Forensics Puzzle Contest is Kristinn Gudjonsson. Kristinn wrote two very elegant Perl tools: pcapcat and oftcat.

pcapcat # This script reads a PCAP file and prints out all the connections in the file and gives the user the option of dumping the content of the TCP stream

Kristinn’s pcapcat utility shows you a list of all the TCP streams in a packet capture, and also allows you to select any given stream and dump out the contents of the stream. It also supports the use of BPF filters with the -f flag so that you can narrow your search to specific streams. It’s a small, sharp tool that’s easy to use.

oftcat # This script reads an OFT package, which is a package created by AIM when sending files over the network (using the oscar file transfer protocol). The script reads the packet, prints out some information about it and saves the captured file

Kristinn’s “oftcat” utility is smart enough to figure out the file name based on the OFT protocol and carve out the files transferred. It totally scales, and we especially appreciated his attention to protocol detail.

Here’s Kristinn’s solution writeup and a nice post on his blog where he adds some more detail.

Answers

1. What is the name of Ann’s IM buddy?
sec558user1

2. What was the first comment in the captured IM conversation?
Here’s the secret recipe… I just downloaded it from the file server. Just copy to a thumb drive and you’re good to go >:-)

3. What is the name of the file Ann transferred?
recipe.docx

4. What is the magic number of the file you want to extract (first four bytes)?
0x504B0304 (Note: one byte = 8 bits = 2 hex digits!)

5. What was the MD5sum of the file?
8350582774e1d4dbe1d61d64c89e0ea1

6. What is the secret recipe?
Recipe for Disaster:
1 serving
Ingredients:
4 cups sugar
2 cups water
In a medium saucepan, bring the water to a boil. Add sugar. Stir gently over low heat until sugar is fully dissolved. Remove the saucepan from heat. Allow to cool completely. Pour into gas tank. Repeat as necessary.

Puzzle #1: Ann’s Bad AIM

Anarchy-R-Us, Inc. suspects that one of their employees, Ann Dercover, is really a secret agent working for their competitor. Ann has access to the company’s prize asset, the secret recipe. Security staff are worried that Ann may try to leak the company’s secret recipe.

Security staff have been monitoring Ann’s activity for some time, but haven’t found anything suspicious– until now. Today an unexpected laptop briefly appeared on the company wireless network. Staff hypothesize it may have been someone in the parking lot, because no strangers were seen in the building. Ann’s computer, (192.168.1.158) sent IMs over the wireless network to this computer. The rogue laptop disappeared shortly thereafter.

“We have a packet capture of the activity,” said security staff, “but we can’t figure out what’s going on. Can you help?”

You are the forensic investigator. Your mission is to figure out who Ann was IM-ing, what she sent, and recover evidence including:

1. What is the name of Ann’s IM buddy?
2. What was the first comment in the captured IM conversation?
3. What is the name of the file Ann transferred?
4. What is the magic number of the file you want to extract (first four bytes)?
5. What was the MD5sum of the file?
6. What is the secret recipe?

Here is your evidence file:

http://forensicscontest.com/contest01/evidence01.pcap
MD5 (evidence.pcap) = d187d77e18c84f6d72f5845edca833f5

The MOST ELEGANT solution wins. In the event of a tie, the entry submitted first will receive the prize. Scripting is always encouraged. All responses should be submitted as plain text files.

Exceptional solutions may be incorporated into the SANS Network Forensics Toolkit. Authors agree that their code submissions will be freely published under the GPL license, in order to further the state of network forensics knowledge. Exceptional submissions may also be used as examples and tools in the Network Forensics class. All authors will receive full credit for their work.

Email submissions to [email protected]. Deadline is 9/10/09. Good luck!!