Friday, September 11, 2009

SANS network forensics contest

Sent in my submission for the SANS network forensics contest and, since it's past the entry deadline, I decided to post my answer.
My forensics machine of choice is a Lenovo ThinkPad T60 running Ubuntu 9.04. It has an Intel Core Duo processor with 3GB RAM. Some of the tools I have installed to facilitate network forensic analysis are ngrep, Splunk, Wireshark, Netifera, Tcpxtract, Foremost, GHex, ssldump, etc.
I downloaded the pcap file and calculated the hash to confirm that I had the complete evidence file.

commandrine@bridge:~$ md5sum evidence.pcap
d187d77e18c84f6d72f5845edca833f5 evidence.pcap

Typically I would use ngrep to do keyword searches against large pcap files. An alternative would be running Tshark to convert the contents of large pcap files to text before using search tools like Splunk to identify clues/evidence. The Anarchy-R-Us staff mentioned that the suspect machine was only on the network for a short duration, hence the rationale for using a Wireshark display filter on packets to and from the suspect's IP to narrow the scope instead of a more sophisticated filtering mechanism. The filter I use within Wireshark is "ip.addr==".
Manually combing through the 68 displayed packets, I see the username "sec558user1" and the first IM message "Here's the secret recipe... I just downloaded it from the file server. Just copy to a thumb drive and you're good to go >:-)".
Multiple packets with the text "Cool FileXfer" and the filename "recipe.docx" are discovered. Searching Google for the keywords "Cool FileXfer" reveals that AIM is the IM medium being used. I use the "Follow TCP Stream" feature in Wireshark to reveal the raw data related to the file transfer of "recipe.docx". A .docx file is a ZIP archive, so its magic bytes are those of a ZIP local file header, "50 4B 03 04", or the ASCII equivalent "PK..". I save all the raw data from the TCP stream into a file called "", a name which, coincidentally, is also associated with the magic bytes "PK..".

Next I run Foremost against this file to carve out the transferred file. A ZIP archive is extracted into the folder "sansevidence".

commandrine@bridge:~$ foremost -i -o sansevidence/

Expanding the archive and drilling down into the folder "word", I find a file called "document.xml".

Opening the file in OpenOffice reveals the following information.

Recipe for Disaster:
1 serving
4 cups sugar
2 cups water
In a medium saucepan, bring the water to a boil. Add sugar.
Stir gently over low heat until sugar is fully dissolved.
Remove the saucepan from heat. Allow to cool completely.
Pour into gas tank. Repeat as necessary.

I then calculate the MD5 checksum of the extracted document.xml.

commandrine@bridge:~/word$ md5sum document.xml
90ce695222b157c7148d83e19ea549f6 document.xml

Alternatively, I am also able to manually carve out the archive without using Foremost. I open the file "" (containing the raw data saved from Wireshark) in GHex, delete the bytes before the first instance of the ASCII values "PK..", and delete the chunk starting with "OFT2" at the end of the file.

Once the extra bytes are removed, I save the file, and it can be opened with any archive management software to reveal the stolen recipe.
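The two extraction routes above, Foremost carving and the manual GHex trim, both come down to the same operation: locate the ZIP local file header in the stream and cut the archive out at its real end. The following is an added example, not part of the original post, that performs that carve in Python. The stream bytes are constructed inline (some chatter, a hypothetical 32-byte "OFT2" placeholder standing in for the real OSCAR File Transfer header and trailer, which this example does not parse, and a genuine ZIP built with zipfile around a minimal word/document.xml). The end of the archive is computed from the ZIP End of Central Directory record rather than from the position of the OFT2 trailer, so the carve also tells you when the transfer stopped before the archive was complete.

```python
"""Carve a ZIP (.docx) out of a raw TCP-stream dump.

Added example, not from the original post. The "stream" below is constructed:
AIM-style chatter, placeholder OFT2 framing bytes (hypothetical, not a real OFT2
header), a real ZIP produced by zipfile, then a trailing OFT2 placeholder.
"""
import hashlib
import io
import struct
import zipfile

LOCAL_HEADER = b"PK\x03\x04"   # 50 4B 03 04: ZIP local file header, the "PK.." seen in the stream
EOCD_MAGIC = b"PK\x05\x06"     # End of Central Directory record, last structure in a ZIP
EOCD_FIXED_LEN = 22            # fixed part of the EOCD; a variable-length comment follows

# Constructed sample document.xml: a minimal WordprocessingML body carrying the
# recipe text. The real file from the contest is far more verbose.
DOCUMENT_XML = (
    b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    b'<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
    b"<w:body><w:p><w:r><w:t>Recipe for Disaster: 1 serving, 4 cups sugar, 2 cups water. "
    b"Pour into gas tank. Repeat as necessary.</w:t></w:r></w:p></w:body></w:document>"
)


def build_docx():
    """Build a minimal ZIP with the internal path a .docx uses (word/document.xml)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in (("[Content_Types].xml", b"<Types/>"), ("word/document.xml", DOCUMENT_XML)):
            info = zipfile.ZipInfo(name, date_time=(2009, 9, 11, 0, 0, 0))  # fixed stamp, reproducible bytes
            zf.writestr(info, data, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


def build_stream(docx):
    """Constructed stand-in for 'Follow TCP Stream' raw output."""
    chatter = b"Cool FileXfer recipe.docx\r\n"
    oft2_placeholder = b"OFT2" + b"\x00" * 28   # hypothetical framing, not the real 256-byte OFT2 header
    return chatter + oft2_placeholder + docx + oft2_placeholder


def carve_zip(stream):
    """Return the first ZIP archive embedded in `stream` as bytes.

    Start: first local file header (PK\\x03\\x04). End: the EOCD record after it,
    plus its 22 fixed bytes, plus the comment length stored at EOCD offset 20.
    Raises ValueError if either structure is missing, so a truncated transfer
    is reported rather than silently carved as garbage.
    """
    start = stream.find(LOCAL_HEADER)
    if start < 0:
        raise ValueError("no ZIP local file header in stream")
    eocd = stream.find(EOCD_MAGIC, start)
    if eocd < 0 or eocd + EOCD_FIXED_LEN > len(stream):
        raise ValueError("ZIP is truncated: no complete End of Central Directory record")
    (comment_len,) = struct.unpack_from("<H", stream, eocd + 20)  # little-endian uint16
    end = eocd + EOCD_FIXED_LEN + comment_len
    return stream[start:end]


def extract_document(zip_bytes):
    """Open the carved archive, verify CRCs, return (document.xml bytes, md5 hex)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        if zf.testzip() is not None:
            raise ValueError("carved archive failed CRC check")
        content = zf.read("word/document.xml")
    return content, hashlib.md5(content).hexdigest()


if __name__ == "__main__":
    stream = build_stream(build_docx())
    carved = carve_zip(stream)
    xml, digest = extract_document(carved)
    print(f"carved {len(carved)} bytes, document.xml md5 {digest}")
    print(xml.decode())
```

If Foremost or a manual trim hands you an archive that will not open, check whether the stream ended before the End of Central Directory record: a carve that simply runs from "PK.." to the OFT2 trailer will happily include framing bytes or stop short. The EOCD comment length is the one variable-size piece, which is why the end offset is computed rather than assumed. On a stream carrying several transfers, search again from the previous end offset instead of relying on the first match.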


  1. Another solution would be to download NetworkMiner 0.89 (released Sep 05 2009) from SourceForge.

    It will give you the recipe.docx as well as the IM chat messages, since the OSCAR messaging protocol as well as the OSCAR File Transfer (OFT) protocol are implemented in the 0.89 version of NetworkMiner. But I guess that would be too easy a solution ;)

  2. I've heard of NetworkMiner. I know that it is a powerful and comprehensive network forensic suite, but I'm avoiding Windows-centric tools. It is also more challenging and educational to acquire the evidence manually.