Friday, February 5, 2010

Network forensics puzzle #4

Puzzle #4 is out. I've been pre-occupied and exhausted by work thus the delay in posting my answers for puzzle #3.
The answers for the first 2 answers were straight forward enough.
1) 00:25:00:fe:07:c4
2) AppleTV/2.4

The search terms (ie. questions 3 and 8) were a bit tedious to find manually by combing through Wireshark but easier in NetworkMiner. Alternatively, searching using "ngrep" on Ubuntu was pretty painless. The 2 movies that Ann clicked on are also listed in NetworkMiner.
3) h, ha, hac, hack
4) Hackers
6) Sneakers
8) iknowyourewatchingme

Answers to questions 5 and 7 courtesy of NetworkMiner.
7) $9.99


  1. You can grab the User-Agent string with NetworkMiner as well if you'd like. Just expand the "Host Details" node for Ann's computer.

  2. I know. I just opted not to take a screenshot of the "User-Agent" string in NetworkMiner. I'm thinking of writing a script or tool to dump IP addresses and their corresponding MAC addresses from Pcap files.