Network Forensics Puzzle Contest
I came across a posting on the blog of the Internet Storm Center about a little forensics contest. Although the puzzle is not very hard, it is fun to investigate. If you are willing to send in your solution, there is also a prize to win. Winners are to be announced at Sec558 Network Forensics in San Diego, 9/16-9/18.
All you have to do is analyse a pcap file containing valuable information and answer the following questions:
- What is the name of Ann's IM buddy?
- What was the first comment in the captured IM conversation?
- What is the name of the file Ann transferred?
- What is the magic number of the file you want to extract (first four bytes)?
- What was the MD5sum of the file?
- What is the secret recipe?
I won't tell you any solutions here, but I will tell you which tools I used to analyse the pcap file. The number one tool when it comes to pcap files is, in my opinion, still tcpdump. It gives you a quick overview of what happened. Use the appropriate filter options to dump the complete packet content.
This will help you to answer the first few questions. You can also use Wireshark. Another nice tool I came across while investigating the file is tcpxtract. This tool extracts files out of a pcap file. With the help of this tool you are able to extract the file that was transferred, and a bunch of other files =)
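As an added worked example (not from the original post, and not a solution to the puzzle), here is the extraction step that a tool like tcpxtract automates, done by hand in Python: read the libpcap records, collect the TCP payloads per flow, reassemble them in sequence-number order, then compare the first four bytes against a few well-known magic numbers and compute the MD5 of the result. The pcap and the "transferred file" are constructed inline so the script runs offline; the magic-number table covers only a handful of common formats, and the reassembly ignores retransmissions and sequence wraparound.

```python
import hashlib
import struct

# Constructed sample "file": a PNG signature followed by filler bytes.
# This is NOT the file from the contest pcap.
SAMPLE_FILE = b"\x89PNG\r\n\x1a\n" + b"constructed payload bytes"

# A few well-known file signatures (first bytes of the file).
MAGIC_NUMBERS = {
    b"\x89PNG": "PNG image",
    b"PK\x03\x04": "ZIP archive (also docx/xlsx/jar)",
    b"%PDF": "PDF document",
    b"\xff\xd8\xff": "JPEG image",
    b"GIF8": "GIF image",
}


def build_segment(src, dst, sport, dport, seq, payload):
    """Wrap payload in TCP + IPv4 + Ethernet headers (checksums left zero; the parser ignores them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, src, dst) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip  # zero MACs, ethertype IPv4


def build_pcap(frames):
    """Wrap frames in a little-endian libpcap file (linktype 1 = Ethernet)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = b""
    for i, frame in enumerate(frames):
        records += struct.pack("<IIII", 1000 + i, 0, len(frame), len(frame)) + frame
    return header + records


def iter_packets(pcap):
    """Yield raw frames from a little-endian libpcap buffer."""
    (magic,) = struct.unpack_from("<I", pcap, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("unsupported pcap magic %#x" % magic)
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap, off)
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def tcp_payloads(pcap):
    """Return {(src, sport, dst, dport): {seq: payload}} for every TCP segment that carries data."""
    flows = {}
    for frame in iter_packets(pcap):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        (total_len,) = struct.unpack_from("!H", ip, 2)
        if ip[9] != 6:
            continue  # not TCP
        tcp = ip[ihl:total_len]
        sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            flows.setdefault((ip[12:16], sport, ip[16:20], dport), {})[seq] = payload
    return flows


def reassemble(segments):
    """Concatenate segments in sequence-number order (no retransmit or wraparound handling)."""
    return b"".join(segments[seq] for seq in sorted(segments))


def identify(data):
    """Return (first four bytes as hex, guessed file type)."""
    magic = data[:4]
    for prefix, name in MAGIC_NUMBERS.items():
        if magic.startswith(prefix):
            return magic.hex(), name
    return magic.hex(), "unknown"


def extract_files(pcap):
    """For each TCP flow with data: (reassembled bytes, magic hex, type guess, md5 hex)."""
    results = {}
    for key, segs in tcp_payloads(pcap).items():
        data = reassemble(segs)
        magic_hex, kind = identify(data)
        results[key] = (data, magic_hex, kind, hashlib.md5(data).hexdigest())
    return results


def demo():
    """Build a two-segment transfer (segments out of order on purpose) and extract it."""
    src, dst = bytes([192, 168, 1, 10]), bytes([192, 168, 1, 20])  # constructed addresses
    frames = [
        build_segment(src, dst, 5190, 4444, 1000 + 12, SAMPLE_FILE[12:]),
        build_segment(src, dst, 5190, 4444, 1000, SAMPLE_FILE[:12]),
    ]
    return extract_files(build_pcap(frames))


if __name__ == "__main__":
    for (s, sp, d, dp), (data, magic, kind, md5) in demo().items():
        print(f"{'.'.join(map(str, s))}:{sp} -> {'.'.join(map(str, d))}:{dp}: "
              f"{len(data)} bytes, magic {magic} ({kind}), md5 {md5}")
```

Swap the constructed `build_pcap(...)` buffer for the bytes of a real capture file and the same functions apply; the per-flow keying is what separates the transferred file from the chat traffic in the same pcap, and the sorted-by-sequence reassembly is what a carver like tcpxtract does for you.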
To further investigate the instant messenger session I used AimSniff. This tool extracts all kinds of instant messenger information from a given pcap. However, in this case it did not reveal anything that was not already discovered using tcpdump, but it substantiates the earlier findings.
Another nice tool I used was Chaosreader. This tool generates a nice overview of who is communicating with whom and what protocols are used. It extracts sessions and creates some small statistics.
Have fun with the challenge.