Network Forensics Puzzle Contest

Published: 2009-08-20. Last Updated: 2009-09-28 16:22:33 UTC
by Joel Esler (Version: 2)
14 comment(s)

One of the friends of the Internet Storm Center, Johnathan Ham, put out a nice Network Forensics Puzzle Contest.  Check it out below.

The answers can be sent to the email listed below.  (Don't sent them into the Internet Storm Center.  It's not our contest!)

Good luck!

*Prizewinner to be announced at Sec558 "Network Forensics" in San Diego, 9/16-9/18.

Anarchy-R-Us, Inc. suspects that one of their employees, Ann Dercover, is really a secret agent working for their competitor. Ann has access to the company's prize asset, the secret recipe. Security staff are worried that Ann may try to leak the company's secret recipe.

Security staff have been monitoring Ann's activity for some time, but haven't found anything suspicious-- until now. Today an unexpected laptop briefly appeared on the company wireless network. Staff hypothesize it may have been someone in the parking lot, because no strangers were seen in the building. Ann's computer, (192.168.1.158) sent IMs over the wireless network to this computer. The rogue laptop disappeared shortly thereafter.

"We have a packet capture of the activity," said security staff, "but we can't figure out what's going on. Can you help?"

You are the forensic investigator. Your mission is to figure out who Ann was IM-ing, what she sent, and recover evidence including:

1. What is the name of Ann's IM buddy?
2. What was the first comment in the captured IM conversation?
3. What is the name of the file Ann transferred?
4. What is the magic number of the file you want to extract (first four bytes)?
5. What was the MD5sum of the file?
6. What is the secret recipe?

Here is your evidence file:

http://jhamcorp.com/contest_01/evidence.pcap
MD5 (evidence.pcap) = d187d77e18c84f6d72f5845edca833f5

The MOST ELEGANT solution wins. In the event of a tie, the entry submitted first will receive the prize. Scripting is always encouraged.  All responses should be submitted as plain text files.

Exceptional solutions may be incorporated into the SANS Network Forensics Toolkit. Authors agree that their code submissions will be freely published under the GPL license, in order to further the state of network forensics knowledge. Exceptional submissions may also be used as examples and tools in the Network Forensics class. All authors will receive full credit for their work.

Email submissions to contest@jhamcorp.com. Deadline for submissions is 9/10. Good luck!!

UPDATE:  We usually don't update these older diaries, however, since so many submissions/email has been sent about this, I thought I'd update it.  The results are in, and posted here. http://forensicscontest.com/

 

-- Joel Esler | http://www.joelesler.net | http://twitter.com/joelesler

Keywords:
14 comment(s)

Comments

That was very entertaining. I didn't write any code for it but I learned how to extract the file out of the pcap and also answer all of the questions.

Are there more of these that vary in difficulty that one can use for learning?
Yummy, I made this recipe and it was worth it.
LOL
Yes - I like that recipe. Part 5 is the only thing I didn't do -- too lazy. And didn't script it - I might someday tho.
wireshark rocks.
I am going through this exercise, and could use some help (using wireshark). I was able to find the following so far...

sec558 user1

Here's the secret recipe I just downloaded it from the file server.

Just copy to a thumb drive and you're good to go > :-)

thanks dude
can't wait to sell it on ebay
see you in hawaii

Cool filexfer

recipe.docx

Could someone post what they did to extract the file from the pcap, etc so that I (and others could benefit)?
Yes, this was very entertaining. I didn't have to script anything either, but I might just for fun.

I'm surprised to see some of the answers actually posted up here tho. :-\

I *looked* at goldminer for the carving but wasn't happy. I ended up carving the file out directly from wireshark.
eek!
correction... network miner ... not gold miner. Don't ask me what I was thinking.
eek!
correction... network miner ... not gold miner. Don't ask me what I was thinking.
Hi Guys,

This is the first time I've done this, so just went downt to first princples.

The only answer I'm not entirely sure on is the IM name,as I'm not familiar with aim/im traffic but my answers are:-

1)Sec558user1
2)Here's the secret recipe... I just downloaded it from the file server. Just copy to a thumb drive and you're good to go >:-)
3)Recipie.docx
4)50 4B 03 04
5)8350582774e1d4dbe1d61d64c89e0ea1
6)Recipie for Disaster (sugar and water in the gas tank!

I got this with Wireshark and xvi32 (hex editor).

Doing this manually, you can see using wireshark where the IM conversation is, so that bit is easy. Just look through the packets until you see the first bit of english and then follow the tcp stream for the whole conversation.

In that stream you will see the filename recipe.docx a word 07 file. A quick bit of googling or opening up a genuine word 07 file in a hex editor will give you the first 4 bytes, which is also helpful when identifying the file in the next stream.

further into the evidence there is another unencrypted TCP stream which is sneds a "Filexfer" message. Without much knowledge of this protocol, this appears to work like this (please anyone with more knowledge correct me!)
Sender sends Filename
Receiver receives Filename
Sender sends binary data for file.
Receiver acknowledges.

So now the easy bit. Using Wireshark save the stream as raw data filtering out as much of the padding conversation as you can.
I managed to get it down to just the filename packet and the binary file data.
Hit save As, make sure your "raw" radio button is selected and then open up the file in your hex editor.
Remove the padding until you get to the first 4 bytes you should have identified earlier. Then save, open up in word and Roberts your fathers brother.



Here is some more stuff to consider, since the file is docx (word 2007 XML format), the file cannot be opened via word 2003, unless you use a compatibility plugin.

However, if you do a hex search for the bytes in question, you can delete the header block and save the entire stream as a ZIP file, then use WINZIP (or favorite zip file processor) to extract everything, which returns as follows:

customXml (directory)
docprops (directory)
word (directory)
[Content_Types].xml
_rels (directory)

In the word directory, I found:

document.xml (this is what you're looking for):

Here is what is in document.xml:

Recipe for Disaster:

1 serving

Ingredients:

4 cups sugar

2 cups water

In a medium saucepan, bring the water to a boil. Add sugar.

Stir gently over low heat until sugar is fully dissolved.

Remove the saucepan from heat. Allow to cool completely.

Pour into gas tank. Repeat as necessary

In order to view XML files (word 2007), I installed Microsoft Word Viewer (available from Microsoft's web site) (nice add on, really).

I hope this helps people who are getting started in this area.

Diary Archives