Page 2 of 6

Puzzle #10 Winners!

Network Forensics Puzzle Contest #10 posed a serious challenge, requiring contestants to demonstrate advanced reasoning and meticulous attention to detail, even when reading the scenario. Thank you to everyone who submitted an entry for Puzzle #10, and a special congratulations to the relatively small number of folks who submitted correct answers.

The winner of this contest is…Steve B. ! Steve was both the first person to solve the contest AND the person to have the most eloquent solution. He’ll be receiving a prize for being first and the Blackhat Black Card! We’ll be posting a walkthrough and answers in the coming weeks. Steve wrote a great write-up [available here].

Honorable Mentions:

  • Jatiki
  • Zak


DEFCON 2012 Contest: Decryption Keys and Answers

We received several requests from DEFCON attendees asking us to post the decryption keys and answers for the DEFCON 2012 contest. The decryption keys and answers are posted below. We will post the list of winners, and a walk-through of the solutions soon. Thank you for playing!

Decryption Keys
Contest Container: W3lc0m3toNFPC2012@defcon
Round2: Aw3s0m3s4uc3@
Round3: DFC=w00t!
Round4: 4r3g3ttingh4rd
Round5: tHiswi11b3fun#
Round6: Th3R4c3is0n$


Answers to DEFCON 2012 Contest Questions

Round 1 Answer: 99901

Round 2 Answer: Golden Alley

Round 3 Answer: ICdarkwater

Round 4 Answer: 15684-b5.12

Round 5 Answer: 2300

Round 6 Answer: Dogfort

Copywrite 2012, LMG Security. All rights reserved.

Puzzle #10: PaulDotCom Goes Off the Air

Our latest puzzle was created by Eric Fulton, Sherri Davidoff, Jonathan Ham and Scott Fretheim.

“Oh god” is the first thought running through your mind as you crack open the door. An odious wafting of day old vomit, sweat, and stale cigar washes across you as the door moves from cracked to ajar. The room is pitch black, a dirty and exposed hallway light bulb does nothing to cut into the dark abyss of the room. Peering inside you see only shapes, but deep down you know it isn’t going to be pretty.

It’s been three weeks since the PaulDotCom crew went missing. Through extensive research and cyberstalking, millions of PDC fans gathered information relating to their disappearance and hired you to find them. This is John Strand’s safe house, and a quick Google image search was all you needed to know about his seedy life. Who knows what’s in this room? Donning rubber gloves you feel for a light switch with your left hand, both intensely afraid and curious for what you are about to see. Wincing in anticipation you flick the switch with a “click”.

Nothing happens. “Why do I always get the messed up jobs” you whisper to yourself, digging around in your black bag. Corporate espionage isn’t a clean game, but usually the tech jobs involve threatening geeks in suburban houses, not sneaking around what looks to be North Dakotan project housing. Pulling a sleek Pelican flashlight from the bag, you click it on and begin to survey the damage. Starting from the left you identify the location of the puke smell; there’s day old vomit trailing its way down peeling wallpaper toward a box of empty tequila bottles. Smell one located.

Further to the right you spot a human shape on a couch. You freeze with the flashlight beam aimed at the shape. It’s Larry, wrapped in a dirty pink blanket almost too small to cover him, rocking back and forth and muttering something unintelligible. What’s he saying? You suspect it’s key. His fingers are pale as he grips a WRT54G router which appears to have twenty-four overlapping bites taken out of it. Seconds tick by. Nothing happens; he pays no attention to your entry. Smells two and three probably located. Your light continues its sweep as you spot a table hosting two 24” monitors surrounded by miscellaneous cables. Jackpot.

Ignoring the rest of the room you step over martini glasses and other unidentified objects, making a beeline to the desk. The little voice in your head shouts “Damn! Damn! Damn!” There is evidence that someone left only recently. The scene is almost out of a second rate Hollywood movie, being so incredibly obvious:a puddle of spilled cosmopolitan makes apparent the distinct outlines where a laptop and external hard drive once sat.

Disheartened, you rummage though the desk, hopeful of finding a forgotten USB drive or other storage device. No dice. You slide a few sticky quarters off of the desk (it’s not like you’re getting a per-diem) and continue the search– wait. One of the quarters… splits a little. You pick it up and play with it. Viola! A small micro SDHC card lies inside the quarter. Your heart starts beating faster. You have a clue.

As a matter of habit you go through the rest of the room, quietly, as the eerie sound of Larry chanting in the background never stops. Old coffee mugs, a dirty microwave, hundreds of empty frozen food wrappers, and magnetic buckyballs cover the floor like a sort of 21st century urban underbrush…and then you see something peculiar. A stack of hard drives sits in the corner. The top drive looks like someone shot it 7 or 8 times, a strange method for data destruction, but certainly an effective one. Rummaging through the stack of drives you find one at the bottom looking as if it survived the data massacre. Grabbing it, you give one last look around as you walk to the door. The sounds of Larry go from muffled to silent as you shut the door and make your exit.

The Evidence

You are the forensic investigator.The items found in the safe house have been uploaded to this server for your analysis. These include:

  • quarter-SDHC-snippet.dd – A DD image of a the SDHC card found inside the quarter.
  • pcap-from-surviving-hard-drive.pcap – A packet capture that you copied off the surviving hard drive.

Download the 7-zipped evidence file here.

SHA256 sum:

The Adoring Fans’ Questions

Can you solve the puzzle and find out what happened to PaulDotCom? Their adoring legions of fans have asked you to find the answers to the following questions along the way:

1. In his conversation with juniorkeyy, how old does Larry initially say he is?

2. What was the filename of the file that had the following SHA256 sum:


3. What is the SHA256sum of the photo from the “dd” image that shows Larry taking a bite out of a wireless router?

4. What is the SHA256sum of the image that shows zombie Larry taking a
bite out of a cat?

5. What is Larry saying as he rocks back and forth? (No spaces or
capital letters.)

6. Where are Paul and John? Report their GPS coordinates:
a) Latitude
b) Longitude

BONUS. What is the name of the nearest bar?

Submission Form

Please submit your answers using the Official Submission Form.
Deadline is 7/23/12 (11:59:59PM UTC-11) (In other words, if it’s still 7/23/12 anywhere in the world, you can submit your entry.)


The Grand Prize will be a Black Hat “Black Card”! Thanks, Black Hat, for sponsoring such an awesome prize.

There will also be prizes for the first correct submission, as well as the 2nd and 3rd place runner-ups. Stay tuned for more info!

How to Win

The MOST ELEGANT solution wins. In the event of a tie, the entry submitted first will receive the prize. Coding is always encouraged. We love to see well-written, easy-to-use tools which automate even small sections of the evidence recovery. Graphical and command-line tools are all eligible. You are welcome to build upon the work of others, as long as their work has been released under a an approved Open Source License. All responses should be submitted as plain text. Microsoft Word documents, PDFs, etc will NOT be reviewed.

More Details

Feel free to collaborate with other people and discuss ideas back and forth. You can even submit as a team (there will be only one prize). However, please do not publish the answers before the deadline, or you (and your team) will be automatically disqualified. Also, please understand that the contest materials are copyrighted and that we’re offering them publicly for the community to enjoy. You are welcome to publish full solutions after the deadline, but please use proper attributions and link back. If you are interested in using the contest materials for other purposes, just ask first.

Authors agree that their code submissions will be freely published under the GPL license, in order to further the state of network forensics knowledge. Exceptional submissions may be used as examples and tools in the Network Forensics course or book. All authors will receive full credit for their work.

To Recap

Evidence File
Sha256sum: 44450915addb8bdbe1766a3fad1c03059393a0f1f01839b19f98f235dc3b97bd

Deadline is 7/23/12 (11:59:59PM UTC-11). Here’s the Official Submission form. Good luck!!

Copyright 2012, Lake Missoula Group, LLC. All rights reserved.

Network Forensics: Uncovering Secrets of Mobile Applications

Join Eric Fulton on Thursday, June 14 at 1:00 PM ET for the BlackHat Webcast, “Network Forensics: Uncovering Secrets of Mobile Applications“. You might even learn something for contest 10…which will be presented live later today on PaulDotCom!

On the Internet, every action leaves a mark—in routers, firewalls, web proxies, and within network traffic itself. When a hacker breaks into a bank, or an insider smuggles secrets to a competitor, evidence of the crime is always left behind. But what about mobile devices? What seemingly innocuous information are they sharing with, and without, your knowledge?

In this webcast, watch as Eric Fulton analyzes mobile network traffic and discover some interesting details about your favorite applications. You will see him locate GPS co-ordinates, identify installed mobile applications, and more.

PaulDotCom, Blackhat USA 2012, Defcon #20

Hello Everyone!
It has been a busy year, and once again we find ourselves nearing Defcon where we run the wildly popular Network Forensics Puzzle Contest. We have some good things in store for the coming months and would like to share.

We are running a NFPC over at PaulDotCom in the coming month. When it’s live we will share the link here. You should also check out PaulDotCom for a heap of great articles and videos.

Blackhat USA 2012
Want to be taught by the people who literally wrote the book on Network Forensics? Register for their highly praised course “NETWORK FORENSICS: BLACK HAT RELEASE” to learn the latest techniques in the field of Network Forensics. You’ll even get the book at 25% off, since it is the course text.

Defcon 20
Going to DEFCON? Join us at for the annual DEFCON Network Forensics Puzzle Contest, and win a shiny new iPad!

Other updates can be found following our twitter (@LMGSecurity or @trisk3t), our LinkedIn Page, or our Facebook Page. Cheers!

Puzzle #8 Winners

Network Forensics Puzzle Contest #8 posed a serious challenge, requiring contestants to demonstrate an advanced knowledge of protocols and meticulous attention to detail. Thank you to everyone who submitted an entry for Puzzle #8, and a special congratulations to the relatively small number of folks who submitted correct answers.

The winner of this contest is…Stefan S. Op de Beek ! Stefan wins a Buffalo Wireless Router for his correct answers and UTScapy test script. While the script didn’t work perfectly on my system, it is a great example of leveraging existing frameworks to analyze packet captures. Contestants, answers, and solutions below.

Joerg Gerschuetz
Winter Faulk
Aaron Wamapch
Kazunori Kojima
Adam Jenkins
Steeve Barbeau
Tyler Dean
Ward Perry
J-Michael Roberts
Stefan S. of de Beek

1) Joe’s WAP is beaconing. Based on the contents of the packet capture, what are the SSID and BSSID of his access point?
SSID: Ment0rNet
BSSID: 00:23:69:61:00:d0

2) How long is the packet capture, from beginning to end (in SECONDS – please round to the nearest full second)?
A: 414s

3) How many WEP-encrypted data frames are there total in the packet capture?
$ tshark -r evidence08.pcap -R ‘((wlan.fc.type_subtype == 0x20) && (wlan.fc.protected == 1)) && (wlan.bssid == 00:23:69:61:00:d0)’|wc -l
A: 59274

4) How many *unique* WEP initialization vectors (IVs) are there TOTAL in the packet capture relating to Joe’s access point?
$ tshark -r evidence08.pcap -R ‘(wlan.bssid == 00:23:69:61:00:d0) && wlan.wep.iv’ -T fields -e wlan.wep.iv | sort -u | wc -l
A: 29719

5) What was the MAC address of the station executing the Layer 2 attacks?
A: 1c:4b:d6:69:cd:07

6) How many *unique* IVs were generated (relating to Joe’s access point):
a) By the attacker station?

$ tshark -r evidence08.pcap -R ‘(wlan.bssid == 00:23:69:61:00:d0) && ( == 1c:4b:d6:69:cd:07) && wlan.wep.iv’ -T fields -e wlan.wep.iv|sort -u|wc -l
A: 14133 (14132 also accepted)

b) By all *other* stations combined?
$ tshark -r evidence08.pcap -R ‘(wlan.bssid == 00:23:69:61:00:d0) && ( != 1c:4b:d6:69:cd:07) && wlan.wep.iv’ -T fields -e wlan.wep.iv|sort -u|wc -l
B : 15587

7) What was the WEP key of Joe’s WAP?
$ aircrack-ng -b 00:23:69:61:00:d0 evidence08.pcap
A: D0:E5:9E:B9:04

8.) What were the administrative username and password of the targeted wireless access point?
username: admin
passphrase: admin

9) What was the WAP administrative passphrase changed to?
passphrase: hahp0wnedJ00

Puzzle #9: Ann’s Deception (DEFCON 2011)

This year’s DEFCON contest was a huge success, with over 200 teams entering! The contest was split up into six rounds of increasing difficulty. The first team to complete all six rounds won the contest. Now that the contest is over, we’re placing the materials here for folks who would like to play around on their own.

WARNING: This contest contains off-color humor which may not be appropriate for the classroom, children, rodents, etc.

The lead chemist of a high-profile pharmaceutical company was involved in a serious accident, leaving him in a coma days before the release of the company’s highly publicized “133t pill.” The chemist was the only person in possession of the list of ingredients required to produce the wonder drug, and it is not known if he will ever recover. All chemical evidence of the drug has been destroyed, but the company believes that the missing ingredients may have been stored electronically. You have been hired as a forensic investigator, to recover the final ingredient of their 133t pill. Can you find the missing ingredient?

Here’s a link to the encrypted contest volume:


The is an encrypted password-protected Truecrypt volume. Inside are six individual Truecrypt archives which each contain a single round of the contest. You will need to mount each encrypted volume using Truecrypt before you can access its contents. Here is a page which shows you how to mount a Truecrypt volume.

At the start time, DEFCON attendees visited the contest booth to obtain the first decryption passwords, provided below:

The password to unlock is: !#$h1d3&&s33k$#!
The password to unlock round1 is: r0und1g0!!

When a team found the answer to a round, they texted it to Headquarters (HQ). If their answer was correct, staff texted back the key to unlock the next round.

SPOILER ALERT: You can find the keys to each of the encrypted volumes here.

SUPER SPOILER ALERT: For your convenience, we’ve also unlocked all the rounds for those of you who just want to play around with individual round puzzles without having to solve the whole thing in order. You can find the individual round puzzles here:


A few notes:

1. You will not get the correct answer simply by running “strings” on the packet captures. It is more complicated than that.

2. Please do not attempt to brute-force the answer by guessing. We reserve the right to cut you off from submitting answers if you abuse the privilege.

3. There are six contest rounds containing six evidence files. You must analyze the evidence files in order to answer the question(s) which go along with each capture.

Have fun! 🙂

This puzzle was created by Scott Fretheim, Randi Price, Eric Fulton, Sherri Davidoff, and Jonathan Ham (Lake Missoula Group, LLC).

Copyright 2011, Lake Missoula Group, LLC. All rights reserved.

Puzzle # 9 Winners

Over 200 teams entered the Network Forensics Puzzle Contest at DEFCON 19. Five teams were able to finish the challenge during the DEFCON conference. Congratulations to this year’s winning team: “5154c”! It was a really close match. Each of the top three teams came in only 15 minutes apart. We really hope all of you enjoyed competing, and we look forward to seeing you again next year!

Top Ten Finalists at DEFCON 19:

1. 5154c (Winner!)
2. C2 eye
3. Barnhaus Crew
4. ArchMage
6. Team Cheese
7. 8008
8. Team Moosey Fate
9. Chippendales
10. Kyle Bragle

Copyright 2011, Lake Missoula Group, LLC. All rights reserved.

Puzzle #9 Answers

Here are the answers to Puzzle #9: Ann’s Deception (DEFCON 2011):

  1. Round 1 Decryption Key: r0und1g0!!
    In this capture we were looking for the name of the company. This is located inside an email.
    Answer: Factory-Made-Winning-Pharmaceuticals
  2. Round 2 Decryption Key: !n1c3?w0rk
    In this capture we were looking for the date of a speech given by Bruce Schneier. To solve this puzzle you must carve out a packet capture which was sent as an email attachment. Inside that packet capture, you can find the data by looking through the web traffic to see the pages Ann viewed.
    Answer: October 6-7, 2011
  3. Round 3 Decryption Key:?g3tting!t0ugh
    In this capture we were looking for Romulus’s password. This can be found by carving out the VOIP conversation and listening to it.
    Answer: rom127#
  4. Round 4 Decryption Key: m4k1ng?pr0g
    In this packet capture we were looking for the name on the 16th line in a spread sheet. To find the answer, you need to carve out the SMB transfer of the 7zip file containing the credit card file. In order to unlock the 7zip file you will need to use the password YOU found in Round 3.
    Answer: Jason Wilson
  5. Round 5 Decryption Key: 0v3r#h4lf?w4y
    In this packet capture, you need to carve out the SMB file transfer of the ingredients list. To unlock the 7zip file containing the ingredients list, you will need to use the password you found in in Round 4.
    Answer:8.4 oz- Red Bull; Tim
  6. Round 6 Decryption Key: ch33rs!0n3$m0r3
    Round 6 requires you to find the final ingredient of the 133t pill. To unlock the volume, you must use the cipher along with the previous answers from Rounds 1-5. Begin by solving the cipher, and then use the cipher as the password to unlock the Truecrypt volume.
    Cipher Solution: 00gmu1rt#?
    Answer: 2oz Vodka
  7. Copyright 2011, Lake Missoula Group, LLC. All rights reserved.