Network Forensics – Round 3: Ann’s Apple TV

by DFIRninja
Categories: Analysis, Network Forensics
Tags: , ,
Comments: 1 Comment

: Network Forensics Round 3! : Ann’s Apple TV

Below is the scenario for round 3 in the network forensic challenge series:

Ann and Mr. X have set up their new base of operations. While waiting for the extradition paperwork to go through, you and your team of investigators covertly monitor her activity. Recently, Ann got a brand new AppleTV, and configured it with the static IP address Here is the packet capture with her latest activity.

You are the forensic investigator. Your mission is to find out what Ann searched for, build a profile of her interests, and recover evidence including:

  1. What is the MAC address of Ann’s AppleTV?
  2. What User-Agent string did Ann’s AppleTV use in HTTP requests?
  3. What were Ann’s first four search terms on the AppleTV (all incremental searches count)?
  4. What was the title of the first movie Ann clicked on?
  5. What was the full URL to the movie trailer (defined by “preview-url”)?
  6. What was the title of the second movie Ann clicked on?
  7. What was the price to buy it (defined by “price-display”)?
  8. What was the last full term Ann searched for?

Again for this challenge I utilized the same tools as the other rounds to accomplish the above tasks. There are always other commercial and open source tools that you could utilize for this challenge, but the below *starred* tools are what I used:

  • *Wireshark*
  • *Sysinternals Strings*
  • *Notepad++*

You can also write different scripts in order to parse out the pertinent information you are seeking out of the packet capture.

After verifying the packet capture (evidence03.pcap) has the correct hash (f8a01fbe84ef960d7cbd793e0c52a6c9), we are ready to start the round. For question 1, we are trying to figure out the MAC address of Ann’s Apple TV. Like many things, there are a few different ways to obtain this. We’ll take a look at a couple. First, go to Statistics –> Endpoints. As you can see below (reference Figure 1), the first endpoint listed is the Apple TV. If you toggle the Name Resolution in the bottle left corner, it will give you a MAC address of 00:25:00:fe:07:c4. You could also look at the data within the first packet. You’ll find a MAC address at layer 2, so just look at the source in the “Ethernet II” line in the details pane, and you’ll find the MAC address of the Apple TV (reference Figure 1.1).

1. mac address
Figure 1
1.1 MAC address
Figure 1.1


Now we need to determine what user-agent string did Ann’s AppleTV use in HTTP requests? Some easy clues to pick up on here is that they specifically say “user-agent in HTTP requests”. That gives me a large clue that I’d want to start out by filtering on HTTP traffic. Simply type in “HTTP” into the filter bar within wireshark. Expand the Hypertext Transfer Protocol section. This will show you the headers of the GET request, giving you the User-Agent string, and the answer to question 2, AppleTV/2.4.

2. User Agent String
Figure 2


We are now after Ann’s first four search terms on the AppleTV (all incremental searches count). Again, there are a few different ways to obtain this answer. Sometimes you just need to scroll down in the packet capture to find patterns, or figure out what the traffic looks like, if you are unfamiliar with this specific type of traffic. The first pattern I found was the destination IP address for all the searches was, and they were all HTTP GET requests. From that, I made the following wireshark filter: ip.dst == and http.request.method == “GET” . After putting that into wireshark, you’ll see the following:

3. incremental searches
Figure 3


You’ll notice that all the searches lead with the string “incrementalSearch”, and then the incremental search terms start shortly thereafter. The first four incremental search terms are “h”, “ha”, “hac”, and “hack” as indicated above, surrounded in red. Another good and easy way would be to run strings against the pcap file, then grep for the incrementalSearch term to find your answer as well. You could also write a script to parse out that information for you.

Moving onto number 4, what was the title of the first movie Ann clicked on? You may have not noticed, but we actually already found the answer to this question with one of the filters we used for another question. If we reuse the wireshark filter: ip.dst == and http.request.method == “GET” you’ll see that the only only entries presented to us other than the incremental searches, are the names of the movies. So here we’ll just answer a few of the remaining questions at once. In packet 320, you’ll see that the answer to question 4 is “Hackers”. The other movie listed, which is the answer to question number 6, is “Sneakers” (found right after Ann searched for the term “sneak”). Here we’ll also find the answer to the final question, what was the last full term Ann searched for? The answer is “iknowyourewatchingme”. Below is a screenshot highlighting all the answers within the pcap. Again, these could be found via grep-ing through strings, or writing a script.

4. answer to 4, 6 and 8
Figure 4 – Answers to questions 4, 6 and 8


Only a couple questions left. Let’s first focus on question 5. What was the full URL to the movie trailer (defined by “preview-url”)? They give you a big hint with this question. Since they tell you it is defined by “preview-url”, you can simply do a ctrl-f for “preview-url” as a string, searching through the packet details. You know that there were 2 movies clicked on, and you found the order of them in the previous answer, Hackers, then Sneakers. Starting from the top of the packet capture, search for that term (preview-url). The first one you come across will be the URL to the first movie, in packet 312, which is http://a227.v.phobos.apple.com/us/r1000/008/Video/62/bd/1b/mzm.plqacyqb..640×278.h264lc.d2.p.m4v. Then if you hit ctrl-n, you’ll find the next entry (in packet 1186) that contains “preview-url”, which is the answer to question 5, http://a1738.v.phobos.apple.com/us/r1000/011/Video/7f/9d/ce/mzm.gbctwnmq..640×352.h264lc.D2.p.m4v. Below is a screenshot depicting the results for question 5:

5.2 Second URL
Figure 5


Now onto the last question we haven’t answered. What was the price to buy it (the second movie, defined by “price-display”)? Again, they give you a big hint, and you can do pretty much the same thing you did in answering the previous question. From the top of the pcap, ctrl-f for “price-display” as a string within the packet details. The first one you find will be the price to the first movie, and then ctrl-n for the next one, which will be the answer to question 7. The first will be found in packet 312 and the second one in packet 1186, just like the previous answer. The answer to question 7 is $9.99, and the price of the first movie, Hackers, is $4.99.

6. price of movie


Great job! We have completed the challenge. This was a good challenge to look at traffic that you don’t typically look at on a regular basis. I hope you enjoyed the walkthrough. Please ask questions if you have any, and stay tuned for the next round. Below is a link to the challenge:


1 Comment »

  1. I just found your articles! Admittedly I have not read all of them ‘yet’. I live in an area where I have very low bandwidth 5~8MB with moderate latency. Turning off AppleTV’s that are doing nothing still shows bandwidth usage. Unplugging them from power and all bandwidth consumption drops to almost nil.
    So in your investigations can you look at what these things are doing in the background ALL the time. The burst traffic in starting up an ATV will literally crush my internet connection.

    Anyway, I know its not your problem or what you are trying to achieve, I just feel ATV is a terrible design relying on an endless supply of bandwidth that not everyone has. Feels like ATV is that big corp that just pollutes the rivers because they can.

    Your thoughts?

Leave a Reply

Your email address will not be published. Required fields are marked *

Today is Monday