The winners for Puzzle #2 will be announced tonight on PaulDotCom. The show starts at 7:30PM EST. We’ll have all the results posted here shortly thereafter. Talk to you soon!
Page 6 of 6
Puzzle #2 Answers
Thank you all for your contest submissions! We received well over a hundred and we are busily reviewing them. In the meantime, here are the answers:
1. What is Ann’s email address?
Answer 1: [email protected]
2. What is Ann’s email password?
Answer 2: 558r00lz
3. What is Ann’s secret lover’s email address?
Answer 3: [email protected]
4. What two items did Ann tell her secret lover to bring?
Answer 4: A fake passport and a bathing suit
5. What is the NAME of the attachment Ann sent to her secret lover?
Answer 5: secretrendezvous.docx
6. What is the MD5sum of the attachment Ann sent to her secret lover?
Answer 6: 9e423e11db88f01bbff81172839e1923
7. In what CITY and COUNTRY is their rendez-vous point?
Answer 7: Playa del Carmen, Mexico
8. What is the MD5sum of the image embedded in the document?
Answer 8: aadeace50997b1ba24b09ac2ef1940b7
Contest #2 Deadline Extended to 11/22/09
The Contest #2 deadline has been EXTENDED to 11/22/09 (11:59:59PM UTC-11). That’s a whole extra week to polish up your code 🙂 The winner will receive a Lenovo IdeaPad S10-2 – just like the free netbooks Sec558 students will get in Orlando.
Contest #2 Prize: Free Netbook!
We’re pleased to announce the PRIZE for Network Forensics Contest #2:
A Lenovo IdeaPad S10-2 – just like the free netbooks Sec558 students will get in Orlando!
The MOST ELEGANT solution wins. Deadline is 11/15/09 11/22/09. Good luck!!
Puzzle #2: Ann Skips Bail
After being released on bail, Ann Dercover disappears! Fortunately, investigators were carefully monitoring her network activity before she skipped town.
“We believe Ann may have communicated with her secret lover, Mr. X, before she left,” says the police chief. “The packet capture may contain clues to her whereabouts.”
You are the forensic investigator. Your mission is to figure out what Ann emailed, where she went, and recover evidence including:
1. What is Ann’s email address?
2. What is Ann’s email password?
3. What is Ann’s secret lover’s email address?
4. What two items did Ann tell her secret lover to bring?
5. What is the NAME of the attachment Ann sent to her secret lover?
6. What is the MD5sum of the attachment Ann sent to her secret lover?
7. In what CITY and COUNTRY is their rendez-vous point?
8. What is the MD5sum of the image embedded in the document?
Please use the Official Submission form to submit your answers. Prize TBD. Prize will be a Lenovo IdeaPad S10-2 – just like the free netbooks Sec558 students will get in Orlando.
Here is your evidence file:
http://forensicscontest.com/contest02/evidence02.pcap
MD5 (evidence02.pcap) = cfac149a49175ac8e89d5b5b5d69bad3
The MOST ELEGANT solution wins. In the event of a tie, the entry submitted first will receive the prize. Scripting is always encouraged. We love to see well-written, easy-to-use tools which automate even small sections of the evidence recovery. You are welcome to build upon the work of others, as long as their work has been released under a GPL license. (If it has been released under another free-software license, email us to confirm eligibility.) All responses should be submitted as plain text. Microsoft Word documents, PDFs, etc will NOT be reviewed.
Exceptional solutions may be incorporated into the SANS Network Forensics Toolkit. Authors agree that their code submissions will be freely published under the GPL license, in order to further the state of network forensics knowledge. Exceptional submissions may also be used as examples and tools in the Network Forensics class. All authors will receive full credit for their work.
Deadline is 11/15/09 11/22/09. Here’s the Official Submission form. Good luck!!
Puzzle #1 Solution: Ann’s Bad AIM
WINNER:Kristinn Gudjonsson |
Finalists:Aaron Allen |
Semifinalists:Drew Pekkarinen |
Correct Answers:Aaron Allen |
Congratulations to all of our rock star investigators who solved the Network Forensics Puzzle Contest! We received over 100 submissions, many of which were truly excellent. Figuring out a winner was challenging, but in the end, one submission stood out over all.
We asked you for the most elegant solution. It was possible to solve the puzzle with common tools such as Wireshark, and many people did. However, modern investigations often involve many gigabytes– if not terabytes– of packet data. In the real world, pointing and clicking doesn’t scale. Moreover, when you’re working with large amounts of data, processing time is extremely valuable. Small, fast tools are key.
What we considered “elegant” was the construction of some automated process for solving the puzzle which was easy to use, easy to understand, very portable, and would easily be able to scale to much larger and more difficult problems.
Five people were named Semifinalists because they created an automated process (ie scripting) to facilitate future investigations. Seven Finalists took this to a level beyond and created novel solutions involving considerable amounts of scripting. Please take a look at each of their solutions as WE learned something from every one.
The WINNER of the first Network Forensics Puzzle Contest is Kristinn Gudjonsson. Kristinn wrote two very elegant Perl tools: pcapcat and oftcat.
pcapcat # This script reads a PCAP file and prints out all the connections in the file and gives the user the option of dumping the content of the TCP stream
Kristinn’s pcapcat utility shows you a list of all the TCP streams in a packet capture, and also allows you to select any given stream and dump out the contents of the stream. It also supports the use of BPF filters with the -f flag so that you can narrow your search to specific streams. It’s a small, sharp tool that’s easy to use.
oftcat # This script reads an OFT package, which is a package created by AIM when sending files over the network (using the oscar file transfer protocol). The script reads the packet, prints out some information about it and saves the captured file
Kristinn’s “oftcat” utility is smart enough to figure out the file name based on the OFT protocol and carve out the files transferred. It totally scales, and we especially appreciated his attention to protocol detail.
Here’s Kristinn’s solution writeup and a nice post on his blog where he adds some more detail.
Answers
1. What is the name of Ann’s IM buddy?
sec558user1
2. What was the first comment in the captured IM conversation?
Here’s the secret recipe… I just downloaded it from the file server. Just copy to a thumb drive and you’re good to go >:-)
3. What is the name of the file Ann transferred?
recipe.docx
4. What is the magic number of the file you want to extract (first four bytes)?
0x504B0304 (Note: one byte = 8 bits = 2 hex digits!)
5. What was the MD5sum of the file?
8350582774e1d4dbe1d61d64c89e0ea1
6. What is the secret recipe?
Recipe for Disaster:
1 serving
Ingredients:
4 cups sugar
2 cups water
In a medium saucepan, bring the water to a boil. Add sugar. Stir gently over low heat until sugar is fully dissolved. Remove the saucepan from heat. Allow to cool completely. Pour into gas tank. Repeat as necessary.
Puzzle #1: Ann’s Bad AIM
Anarchy-R-Us, Inc. suspects that one of their employees, Ann Dercover, is really a secret agent working for their competitor. Ann has access to the company’s prize asset, the secret recipe. Security staff are worried that Ann may try to leak the company’s secret recipe.
Security staff have been monitoring Ann’s activity for some time, but haven’t found anything suspicious– until now. Today an unexpected laptop briefly appeared on the company wireless network. Staff hypothesize it may have been someone in the parking lot, because no strangers were seen in the building. Ann’s computer, (192.168.1.158) sent IMs over the wireless network to this computer. The rogue laptop disappeared shortly thereafter.
“We have a packet capture of the activity,” said security staff, “but we can’t figure out what’s going on. Can you help?”
You are the forensic investigator. Your mission is to figure out who Ann was IM-ing, what she sent, and recover evidence including:
1. What is the name of Ann’s IM buddy?
2. What was the first comment in the captured IM conversation?
3. What is the name of the file Ann transferred?
4. What is the magic number of the file you want to extract (first four bytes)?
5. What was the MD5sum of the file?
6. What is the secret recipe?
Here is your evidence file:
http://forensicscontest.com/contest01/evidence01.pcap
MD5 (evidence.pcap) = d187d77e18c84f6d72f5845edca833f5
The MOST ELEGANT solution wins. In the event of a tie, the entry submitted first will receive the prize. Scripting is always encouraged. All responses should be submitted as plain text files.
Exceptional solutions may be incorporated into the SANS Network Forensics Toolkit. Authors agree that their code submissions will be freely published under the GPL license, in order to further the state of network forensics knowledge. Exceptional submissions may also be used as examples and tools in the Network Forensics class. All authors will receive full credit for their work.
Email submissions to [email protected]. Deadline is 9/10/09. Good luck!!