Some time ago I mentioned the Network Forensics Puzzle. The contest is now over and since I didn’t win, I’ll publish my submission below – it was after all correct, but not quite what the judges were looking for (congratulation to the winner).
After validating that the MD5 sum for the downloaded file matches the one specified on the website, I first opened it up in NetworkMiner (http://networkminer.sourceforge.net/). I find the overview it gives much easier to understand than the statistics provided by Wireshark. Using it I identified the data stream between Ann's computer and the unidentified laptop.
1. What is the name of Ann’s IM buddy?
Sec558user1 - this is tricky because the IM (which seems to be AOL - but many other IM's behave in a similar fashion) routes chat traffic trough central servers (188.8.131.52 in this case - which belongs to AOL, making it even more probable that AIM was used) to make NAT traversal a non-issue, while file transfers are done trough direct connection to conserve bandwidth.
2. What was the first comment in the captured IM conversation?
Here's the secret recipe... I just downloaded it from the file server. Just copy to a thumb drive and you're good to go >:-)
(actually, > is escaped as HTML - ie >)
3. What is the name of the file Ann transferred?
4. What is the magic number of the file you want to extract (first four bytes)?
50 4B 03 04 - Which corresponds to PK..., signaling that we are potentially dealing with a ZIP archive here. This is further reinforced by the filename (.docx, which is the new "open" document format from Microsoft - basically, it consists out of a zipped XML - similarly to the OpenOffice.org format)
5. What was the MD5sum of the file?
This is again tricky, because ZIP (like many other formats) admit arbitrary data after the logical end of the file. So, using a hex editor, we first carve the the part starting at PK in the 192.168.1.158 -> 192.168.1.159 (be careful not to include the traffic in the reverse direction). Then we need to convince ourselves that the end of the file has been correctly identified at the byte level. To do this we could study the ZIP specification (http://www.pkware.com/index.php?option=com_content&task=view&id=64&Itemid=107) or use a more empirical level: using a hex editor (HxD for example - http://mh-nexus.de/en/hxd/) eliminate the last byte of the file and "test" the integrity of the file (using the Test option from 7-zip for example - http://www.7-zip.org/ - but one could use almost any de-archiving program, since almost all of them offer a "Test" option). The test will fail. Now add back the last byte (which is 0x00) and perform the test again. It will succeeded. This means with a big probability that we correctly identified the actual (logical) end of the file.
6. What is the secret recipe?
The most recent version of OpenOffice.org (3.1.x) can open the docx format, so the following can be retrieved on any platform, regardless of whether MS Office 2007 is installed (an alternative solution would be to use the free MS Word 2007 viewer or the import filters available for older versions of MS Office).
The contents (sans the formatting):
Recipe for Disaster:
4 cups sugar
2 cups water
In a medium saucepan, bring the water to a boil. Add sugar. Stir gently over low heat until sugar is fully dissolved. Remove the saucepan from heat. Allow to cool completely. Pour into gas tank. Repeat as necessary.