Network Forensics – Round 2
The second puzzle in the network forensic challenge series. Below is the background on the scenario:
After being released on bail, Ann Dercover disappears! Fortunately, investigators were carefully monitoring her network activity before she skipped town.
“We believe Ann may have communicated with her secret lover, Mr. X, before she left,” says the police chief. “The packet capture may contain clues to her whereabouts.”
You are the forensic investigator. Your mission is to figure out what Ann emailed, where she went, and recover evidence including:
- What is Ann’s email address?
- What is Ann’s email password?
- What is Ann’s secret lover’s email address?
- What two items did Ann tell her secret lover to bring?
- What is the NAME of the attachment Ann sent to her secret lover?
- What is the MD5sum of the attachment Ann sent to her secret lover?
- In what CITY and COUNTRY is their rendez-vous point?
- What is the MD5sum of the image embedded in the document?
There are a plethora of open source tools you can use to complete this challenge. You can also create some of your own if you so desire. Below is a list of a few tools that would help you solve this challenge. The *starred* tools are the ones I used:
- *010 Editor (hex editor)*
- Sysinternals Strings
Let's start out by opening the packet capture (evidence02.pcap) in Wireshark. For question 1, you are looking for Ann’s email address. Since you know you are dealing with email, you’ll want to filter on SMTP traffic. Under the “Statistics” tab, choose the second option down, “Protocol Hierarchy”. There you will find the entry for Simple Mail Transfer Protocol. Right click that entry and select “Apply as Filter –> Selected”. This applies the SMTP filter within Wireshark (Figure 1).
Once filtered, right click on the first stream (packet 56) and select “Follow TCP Stream”. There you will find the first email between Ann and her Secret Lover, and your answer to question 1 (Ann’s Email: email@example.com). If you remember back to the first challenge, “sec558user1” was the name of the person Ann was instant messaging. It is probably safe to assume that his email is firstname.lastname@example.org and that he is the person she is communicating with in this first email (Figure 2).
It is in this same stream that you will find the answer to question 2 as well. Ann needs to log in to her email, and you’ll see the start of that in the stream with “AUTH LOGIN”. The next client (red) string (c25lYWt5ZzMza0Bhb2wuY29t) is Ann’s email address, base64 encoded, and the one after it (NTU4cjAwbHo=) is her password, also base64 encoded. Her password decodes to “558r00lz”. You’ll then see “Authentication successful” followed by the start of the email. Below are the encoded and decoded screenshots of Ann’s email address and password. I used an online tool (base64decode.org) to decode the base64 strings. If you are dealing with a sensitive case where you don’t want anything exposed on the internet, there are plenty of other options for base64 decoding a string (command line, Notepad++, etc.).
Now we need to figure out Ann’s Secret Lover’s email address. Looking at the packets filtered on the SMTP traffic, you’ll see a new “Auth Login” in packet 120. Right click that and select “Follow TCP Stream”. This is the start of another email we’ll want to look into. You’ll quickly notice in the stream that this email is being sent to email@example.com, which is Ann’s Secret Lover’s email address, and the answer to question number 3. Just a few lines below that, in the same stream, you’ll find the answer to question number 4, which is the body of the email: “Hi sweetheart! Bring your fake passport and a bathing suit. Address = attached. love, Ann” (Figure 4).
If you scroll down a little further in that same stream, you’ll find the answer to question 5, “What is the NAME of the attachment Ann sent to her secret lover?” As you can see below (Figure 5), the name of the attachment is “secretrendezvous.docx”.
Now we get to the slightly trickier part. We first need to carve the attachment out of the packet capture. If you remember back to the first challenge, we have done file carving before, but if you’ve forgotten, below is a refresher. You’ll want to click “Save As” on the stream we followed from packet 120 (the stream from the screenshot above (Figure 5)). Save it and call it exactly what it is, secretrendezvous.docx (not that the name of the file really matters, but it’s easier to keep things straight that way). Now that you have that file saved, open it in your favorite hex editor (I use 010 Editor). Next we need to find the beginning of the file. In the screenshot below (Figure 6), you’ll see that the file data begins with the ASCII string “UEsDBB”, which appears right after the attachment’s file name in the MIME headers. You’ll want to select everything prior to that string and delete it.
Now scroll all the way to the bottom so we can find the end of the file. You’ll find the end of the file data with the ASCII string “YDAAAA”. Remove everything below that string from the file. Highlighted below, in Figure 7, is what you will want to remove:
Once you have that saved, you have your file, secretrendezvous.docx. But you’re not quite done yet. Email attachments are base64 encoded in the MIME body. If you remember back to the first challenge, docx files have a file header of “PK”, and that is missing from this file. That is because we still need to base64 decode it. Open the file with Notepad++. Select the whole file using Ctrl-A. Under the Plugins tab at the top, select MIME Tools –> Base64 Decode. Once you’ve done that, you’ll notice the file header “PK” is now present. Now open that file using Hashcalc and find the MD5sum. You’ll find that the MD5sum of the attachment Ann sent her secret lover (secretrendezvous.docx) is “9e423e11db88f01bbff81172839e1923”. That is your answer to question 6.
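As an added example (not part of the original walkthrough), the script below automates the two manual steps above on a constructed SMTP stream: decoding the base64 credentials from the AUTH LOGIN exchange, and carving the base64 attachment body out of the MIME part, decoding it, checking the “PK” header and hashing it. The stream transcript and the placeholder ZIP standing in for secretrendezvous.docx are constructed here; only the two AUTH LOGIN strings are the ones quoted in the walkthrough.

```python
import base64, hashlib, io, re, zipfile

# Constructed sample, not the real evidence02.pcap: a trimmed "Follow TCP Stream"
# view of the SMTP session. The two AUTH LOGIN strings are the ones quoted in the
# walkthrough; the attachment is a tiny placeholder ZIP (a .docx is a ZIP).

def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        info = zipfile.ZipInfo("word/document.xml", date_time=(1980, 1, 1, 0, 0, 0))
        zf.writestr(info, b"<w:t>placeholder</w:t>")
    return buf.getvalue()

def build_sample_stream() -> str:
    body = "".join(l + "\r\n" for l in base64.encodebytes(build_sample_zip()).decode().split())
    return ("AUTH LOGIN\r\n334 VXNlcm5hbWU6\r\n"             # 334 + base64("Username:")
            "c25lYWt5ZzMza0Bhb2wuY29t\r\n334 UGFzc3dvcmQ6\r\n"  # 334 + base64("Password:")
            "NTU4cjAwbHo=\r\n235 Authentication successful\r\nDATA\r\n"
            "--part_boundary\r\nContent-Transfer-Encoding: base64\r\n"
            'Content-Disposition: attachment; filename="secretrendezvous.docx"\r\n\r\n'
            + body + "--part_boundary--\r\n.\r\n")

SAMPLE_STREAM = build_sample_stream()

def extract_auth_login(stream: str) -> tuple[str, str]:
    """Decode the base64 username and password a client sends after each 334 prompt."""
    creds = []
    for prompt in ("334 VXNlcm5hbWU6", "334 UGFzc3dvcmQ6"):
        m = re.search(re.escape(prompt) + r"\r?\n([A-Za-z0-9+/=]+)", stream)
        creds.append(base64.b64decode(m.group(1)).decode())
    return creds[0], creds[1]

def carve_attachment(stream: str, filename: str) -> bytes:
    """Gather the base64 body of the MIME part with this filename and decode it."""
    lines = stream.splitlines()
    i = next(n for n, l in enumerate(lines) if f'filename="{filename}"' in l)
    while lines[i].strip():          # skip to the blank line ending the part headers
        i += 1
    b64 = []
    for l in lines[i + 1:]:          # body runs until the boundary or the final "."
        if not re.fullmatch(r"[A-Za-z0-9+/=]+", l.strip()):
            break
        b64.append(l.strip())
    return base64.b64decode("".join(b64))

if __name__ == "__main__":
    print("AUTH LOGIN credentials:", extract_auth_login(SAMPLE_STREAM))
    doc = carve_attachment(SAMPLE_STREAM, "secretrendezvous.docx")
    print("magic:", doc[:2], "md5:", hashlib.md5(doc).hexdigest())
```

On the real stream saved from Wireshark, pass the file contents to the same two functions; the decoded credentials and the MD5 of the carved bytes are the answers to questions 1, 2 and 6.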
For question 7, simply open the file (secretrendezvous.docx). You’ll find within that file that the answer to question 7 is Playa Del Carmen, Mexico.
To answer question 8, all you need to do is right click on the embedded image and click “save as”. Save the picture to its own file and call it whatever you’d like. Once you’ve done that, use Hashcalc to find the answer for question 8. Running the picture through Hashcalc will give you an MD5sum of “aadeace50997b1ba24b09ac2ef1940b7”.
The challenge is now complete. This was again another great beginner/intermediate network forensic challenge. I hope you enjoyed the walkthrough. Please ask questions if you have any and stay tuned for the next round. Below is a link to the challenge: