09.30
Network Forensics Puzzle Contest
By: chris
A few months ago, I submitted an answer to the SANS Network Forensics Puzzle Contest. I have been waiting for them to post the results before I posted my submission to the blog. They have recently released the winners, so I thought I would post my answer now. I didn’t win the contest (they were looking for custom scripts), but I am listed as one of the people who answered correctly. Even though the contest has ended, if you haven’t done it, it’s a very good challenge… worth doing.
Here is the challenge per their site:
Anarchy-R-Us, Inc. suspects that one of their employees, Ann Dercover, is really a secret agent working for their competitor. Ann has access to the company’s prize asset, the secret recipe. Security staff are worried that Ann may try to leak the company’s secret recipe.
Security staff have been monitoring Ann’s activity for some time, but haven’t found anything suspicious– until now. Today an unexpected laptop briefly appeared on the company wireless network. Staff hypothesize it may have been someone in the parking lot, because no strangers were seen in the building. Ann’s computer, (192.168.1.158) sent IMs over the wireless network to this computer. The rogue laptop disappeared shortly thereafter.
“We have a packet capture of the activity,” said security staff, “but we can’t figure out what’s going on. Can you help?”
You are the forensic investigator. Your mission is to figure out who Ann was IM-ing, what she sent, and recover evidence including:
1. What is the name of Ann’s IM buddy?
2. What was the first comment in the captured IM conversation?
3. What is the name of the file Ann transferred?
4. What is the magic number of the file you want to extract (first four bytes)?
5. What was the MD5sum of the file?
6. What is the secret recipe?
Here is your evidence file:
http://philosecurity.org/558/contest_01/evidence.pcap
MD5 (evidence.pcap) = d187d77e18c84f6d72f5845edca833f5
The MOST ELEGANT solution wins. In the event of a tie, the entry submitted first will receive the prize. Scripting is always encouraged. All responses should be submitted as plain text files.
Exceptional solutions may be incorporated into the SANS Network Forensics Toolkit. Authors agree that their code submissions will be freely published under the GPL license, in order to further the state of network forensics knowledge. Exceptional submissions may also be used as examples and tools in the Network Forensics class. All authors will receive full credit for their work.
And here is my Answer:
Answers to the forensics challenge:
1. Sec558user1
2. “Here’s the secret recipe… I just downloaded it from the file server. Just copy to a thumb drive and you’re good to go >:-)”
3. recipe.docx
4. 50 4B 03 04
5. 8350582774e1d4dbe1d61d64c89e0ea1
6. Recipe for Disaster:
1 serving
Ingredients:
4 cups sugar
2 cups water
In a medium saucepan, bring the water to a boil. Add sugar. Stir gently over low heat until sugar is fully dissolved.
Remove the saucepan from heat. Allow to cool completely. Pour into gas tank. Repeat as necessary.
Steps I took to complete this challenge:
I opened the pcap file with Wireshark. At frame 23, we see a packet from an already established conversation from Ann’s computer to an IM server.
At frame 25, we see the first plain text message sent to user “Sec558user1” from Ann’s IP containing the text: “Here’s the secret recipe… I just downloaded it from the file server. Just copy to a thumb drive and you’re good to go >:-)”
In a new conversation (frame 109), we see at frame 112 the strings “OFT2” and “Cool Filexfer.”
These strings are indicative of the common protocols used to transfer files among chat clients.
In the same frame we also see the file name of the transferred file: “recipe.docx.”
I used the “Follow TCP Stream” feature in Wireshark to display the payload data from the conversation.
I then isolated just one part of the conversation by choosing 192.168.1.158:5109 -> 192.168.1.159:1272.
I chose to view as raw data and saved the output as recipe.docx.
In order to carve the actual file from the output raw data, I researched the file signatures for docx files (www.garykessler.net/library/file_sigs.html) to find the file header and footer.
The file header for docx filetypes is “50 4B 03 04 14 00 06 00.” I opened the recipe.docx file with XVI32 and searched for that string.
After locating it, I deleted all bytes before the “50 4B…” Then I searched for the footer which was “50 4B + 17 characters + 00 00 00.”
It happened to be at the end of the file, so no trimming had to be done to the end of the file.
I saved the file over the existing recipe.docx file, and performed an md5sum on it resulting in a hash value of “8350582774e1d4dbe1d61d64c89e0ea1.”
Finally, I opened the file with Word to reveal the secret recipe.
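As an added example (not part of the original writeup), here is the same carving step done with a script instead of a hex editor: it locates the first “50 4B 03 04” local file header, then ends the carve at the end of the ZIP end-of-central-directory record (22 fixed bytes plus the archive comment length read from the record), so it still works when junk bytes follow the trailer rather than assuming the trailer ends the file. The OFT preamble bytes and the docx contents are constructed sample data, not taken from the evidence pcap.

```python
import hashlib
import io
import struct
import zipfile
from typing import Optional

ZIP_LOCAL_HEADER = b"\x50\x4b\x03\x04"  # "PK\x03\x04": first local file header (the magic number)
ZIP_EOCD = b"\x50\x4b\x05\x06"          # "PK\x05\x06": end-of-central-directory record signature

def carve_zip(stream: bytes) -> Optional[bytes]:
    """Return the bytes of the ZIP container embedded in a raw TCP payload, or None.

    The carve runs from the first local file header to the end of the
    end-of-central-directory record; the last field of that record is the
    2-byte comment length, so the true end is eocd + 22 + comment_len.
    """
    start = stream.find(ZIP_LOCAL_HEADER)
    if start < 0:
        return None
    eocd = stream.rfind(ZIP_EOCD, start)
    if eocd < 0 or eocd + 22 > len(stream):
        return None  # truncated transfer: no complete trailer, nothing to hash
    comment_len = struct.unpack_from("<H", stream, eocd + 20)[0]
    return stream[start:eocd + 22 + comment_len]

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def build_sample_stream():
    """Constructed sample: a tiny docx-like ZIP wrapped in fake preamble/trailer bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo("word/document.xml", date_time=(2009, 9, 30, 0, 0, 0))
        zf.writestr(info, "<w:document>Recipe for Disaster</w:document>",
                    compress_type=zipfile.ZIP_DEFLATED)
    archive = buf.getvalue()
    preamble = b"OFT2\x01\x00\x01\x01Cool FileXfer\x00recipe.docx\x00"  # constructed, not real OFT framing
    trailer = b"\x00" * 8                                                # constructed bytes after the trailer
    return preamble + archive + trailer, archive

def demo() -> dict:
    stream, archive = build_sample_stream()
    carved = carve_zip(stream)
    with zipfile.ZipFile(io.BytesIO(carved)) as zf:
        names = zf.namelist()  # proves the carved bytes are a valid container
    return {"magic": carved[:4].hex(" ").upper(), "matches_original": carved == archive,
            "md5": md5_hex(carved), "names": names}

if __name__ == "__main__":
    print(demo())
```

On the real evidence you would read the raw "Follow TCP Stream" export into `stream` instead of calling `build_sample_stream()`.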

can you show me how you get the solution please