포렌식 & 개발 이야기 - Forensics & Development
Pental - Forensics / iOS / Windows / Android / Kakaotalk / Telegram / Etc

Puzzle #2: Ann Skips Bail

  • 2017.08.11 13:15
  • CTF/Puzzel - Network Forensics
Author: pental

Puzzle #2: Ann Skips Bail

OCTOBER 10, 2009 / SHERRI / 7 COMMENTS

After being released on bail, Ann Dercover disappears! Fortunately, investigators were carefully monitoring her network activity before she skipped town.

“We believe Ann may have communicated with her secret lover, Mr. X, before she left,” says the police chief. “The packet capture may contain clues to her whereabouts.”

You are the forensic investigator. Your mission is to figure out what Ann emailed, where she went, and recover evidence including:

1. What is Ann’s email address?
2. What is Ann’s email password?
3. What is Ann’s secret lover’s email address?
4. What two items did Ann tell her secret lover to bring?
5. What is the NAME of the attachment Ann sent to her secret lover?
6. What is the MD5sum of the attachment Ann sent to her secret lover?
7. In what CITY and COUNTRY is their rendez-vous point?
8. What is the MD5sum of the image embedded in the document?

Please use the Official Submission form to submit your answers. Prize TBD. Prize will be a Lenovo IdeaPad S10-2 – just like the free netbooks Sec558 students will get in Orlando.

Here is your evidence file:

http://forensicscontest.com/contest02/evidence02.pcap
MD5 (evidence02.pcap) = cfac149a49175ac8e89d5b5b5d69bad3

The MOST ELEGANT solution wins. In the event of a tie, the entry submitted first will receive the prize. Scripting is always encouraged. We love to see well-written, easy-to-use tools which automate even small sections of the evidence recovery. You are welcome to build upon the work of others, as long as their work has been released under a GPL license. (If it has been released under another free-software license, email us to confirm eligibility.) All responses should be submitted as plain text. Microsoft Word documents, PDFs, etc will NOT be reviewed.

Exceptional solutions may be incorporated into the SANS Network Forensics Toolkit. Authors agree that their code submissions will be freely published under the GPL license, in order to further the state of network forensics knowledge. Exceptional submissions may also be used as examples and tools in the Network Forensics class. All authors will receive full credit for their work.

Deadline is 11/15/09 11/22/09. Here’s the Official Submission form. Good luck!!
Forensic Questions Write-up

▷ http://forensicscontest.com/2009/10/10/puzzle-2-ann-skips-bail

▷ Puzzle #2: Ann Skips Bail

Questions

1. What is Ann’s email address?
2. What is Ann’s email password?
3. What is Ann’s secret lover’s email address?
4. What two items did Ann tell her secret lover to bring?
5. What is the NAME of the attachment Ann sent to her secret lover?
6. What is the MD5sum of the attachment Ann sent to her secret lover?
7. In what CITY and COUNTRY is their rendez-vous point?
8. What is the MD5sum of the image embedded in the document?

Answers

1. What is Ann’s email address?

First, apply the Wireshark display filter tcp.stream eq 0 to isolate the first TCP session. It is a connection from 192.168.1.159 to 64.12.102.142 on port 587, the SMTP submission port:

53        82.707578          192.168.1.159      64.12.102.142     TCP       62        1036 → 587 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1
54        82.817457          64.12.102.142      192.168.1.159     TCP       58        587 → 1036 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1460

Follow the TCP stream (Analyze > Follow > TCP Stream); the reassembled SMTP dialogue shows the address Ann authenticates and sends with.

Answer : sneakyg33k@aol.com

2. What is Ann’s email password?

The same stream contains the SMTP AUTH LOGIN exchange. The server's 334 challenges and the client's replies are base64-encoded, not encrypted:

AUTH LOGIN
334 VXNlcm5hbWU6
c25lYWt5ZzMza0Bhb2wuY29t
334 UGFzc3dvcmQ6
NTU4cjAwbHo=

VXNlcm5hbWU6 decodes to "Username:" and UGFzc3dvcmQ6 to "Password:"; the two client replies decode to the address from question 1 and the password. Any base64 decoder works, for example https://www.base64decode.org/ or base64 -d on the command line.

Answer : 558r00lz
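The AUTH LOGIN exchange above is why this credential was recoverable at all: the client authenticated on port 587 without STARTTLS, so the base64 tokens sit in the clear in the capture. The following Python is an added example, not code from the write-up or from forensicscontest.com. It walks a reassembled client/server exchange of the same shape (a constructed sample, labelled in the code; host names are placeholders) and decodes each 334 challenge/response pair, marking it as cleartext when no STARTTLS preceded it. It also accepts the RFC 4954 initial-response form "AUTH LOGIN <base64 username>", which the page's capture does not use. The same routine serves to script this answer and, from the defender side, to audit captures for plaintext SMTP authentication.

```python
import base64

# Constructed sample of a reassembled SMTP submission stream (same shape as the exchange
# in the write-up). "C" = client -> server, "S" = server -> client. Host names are placeholders.
SAMPLE_STREAM = [
    ("S", "220 smtp.example.invalid ESMTP ready"),
    ("C", "EHLO annlaptop"),
    ("S", "250-smtp.example.invalid"),
    ("S", "250 AUTH LOGIN PLAIN"),
    ("C", "AUTH LOGIN"),
    ("S", "334 VXNlcm5hbWU6"),
    ("C", "c25lYWt5ZzMza0Bhb2wuY29t"),
    ("S", "334 UGFzc3dvcmQ6"),
    ("C", "NTU4cjAwbHo="),
    ("S", "235 2.7.0 Authentication successful"),
]


def b64_text(token):
    """Decode one base64 token from the dialogue into text (AUTH LOGIN tokens are plain ASCII)."""
    return base64.b64decode(token.strip(), validate=True).decode("utf-8", errors="replace")


def audit_auth_login(stream):
    """Return the decoded AUTH LOGIN credentials found in a (direction, line) stream.

    Each finding records the server prompt (e.g. "Username:"), the decoded client reply,
    and whether the exchange happened before any STARTTLS, i.e. readable in the capture.
    """
    tls_started = False
    in_auth = False
    pending_prompt = None
    findings = []
    for direction, line in stream:
        cmd = line.strip().upper()
        if direction == "C" and cmd == "STARTTLS":
            # After a successful STARTTLS the rest of the session is encrypted in a capture.
            tls_started = True
        elif direction == "C" and cmd.startswith("AUTH LOGIN"):
            in_auth = True
            parts = line.split()
            if len(parts) == 3:
                # RFC 4954 initial-response form: "AUTH LOGIN <base64 username>"
                findings.append({"prompt": "Username:", "value": b64_text(parts[2]),
                                 "cleartext": not tls_started})
        elif in_auth and direction == "S" and line.startswith("334"):
            # 334 <base64 prompt>: the server asks for the next credential field
            pending_prompt = b64_text(line[3:])
        elif in_auth and direction == "C" and pending_prompt is not None:
            findings.append({"prompt": pending_prompt, "value": b64_text(line),
                             "cleartext": not tls_started})
            pending_prompt = None
        elif in_auth and direction == "S" and line[:3] in ("235", "535", "501"):
            in_auth = False  # authentication finished (success or failure)
    return findings


if __name__ == "__main__":
    for f in audit_auth_login(SAMPLE_STREAM):
        state = "CLEARTEXT" if f["cleartext"] else "after STARTTLS"
        print(f'{f["prompt"]} {f["value"]} ({state})')
```

Feed it the two sides of a followed TCP stream (Wireshark's "Show data as" raw text, split by direction) and it reproduces the answers to questions 1 and 2 directly; any finding with cleartext set to True is a credential that was exposed on the wire.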

 

3. What is Ann’s secret lover’s email address?

Filter : tcp.stream eq 1, then Follow TCP Stream. This second SMTP session is the message to the lover; the recipient (RCPT TO) address in the dialogue is the answer.

Answer : misterscrectx@aol.com

 

4. What two items did Ann tell her secret lover to bring?

Message body from the same stream (the trailing = is a quoted-printable soft line break):

Hi sweetheart! Bring your fake passport and a bathing suit. Address =
attached. love, Ann

Answer : fake passport & bathing suit

 

5. What is the NAME of the attachment Ann sent to her secret lover?

The attachment is a base64-encoded MIME part of the same message; its name is in the part's Content-Disposition header.

Answer : secretrendezvoux.docx

6. What is the MD5sum of the attachment Ann sent to her secret lover?

The hash must be computed over the base64-decoded bytes of the part, not over the encoded text in the stream.

Answer : 9E423E11DB88F01BBFF81172839E1923

 

7. In what CITY and COUNTRY is their rendez-vous point?

8. What is the MD5sum of the image embedded in the document?

I don't know any more..
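Questions 5, 6 and 8 are about one object: the attachment is a base64-encoded MIME part, a .docx is a zip container, and any embedded image lives under word/media/ inside it. The Python below is an added example, not the write-up's own code, that shows the whole chain on a constructed message: it builds a minimal .docx-shaped zip containing a fake image blob, attaches it to a MIME message of the kind reassembled from the SMTP stream, then parses the message back, hashes the decoded attachment and every file under word/media/. The attachment name, addresses and image bytes are constructed placeholders, so the hashes it prints are not the puzzle's answers; pointed at the real message text saved from Follow TCP Stream, the same carve_attachments function produces them.

```python
import email
import hashlib
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Constructed sample: a PNG signature plus padding, NOT a real image.
SAMPLE_IMAGE_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
# Hypothetical attachment name; the evidence file on the page is different.
ATTACHMENT_NAME = "example-attachment.docx"


def md5_hex(data):
    """MD5 of raw bytes, as the lowercase hex string md5sum prints."""
    return hashlib.md5(data).hexdigest()


def build_sample_docx():
    """Build a minimal .docx-shaped zip (a real .docx is a zip; images live under word/media/)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in (
            ("[Content_Types].xml", b"<Types/>"),
            ("word/document.xml", b"<w:document/>"),
            ("word/media/image1.png", SAMPLE_IMAGE_BYTES),
        ):
            # Fixed timestamp so the archive, and therefore its MD5, is reproducible.
            info = zipfile.ZipInfo(name, date_time=(1980, 1, 1, 0, 0, 0))
            zf.writestr(info, data)
    return buf.getvalue()


def build_sample_message():
    """Constructed SMTP DATA payload of the kind reassembled from a TCP stream (placeholder addresses)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "rendezvous"
    msg.set_content("See attached.")
    msg.add_attachment(
        build_sample_docx(),
        maintype="application",
        subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
        filename=ATTACHMENT_NAME,
    )
    return msg.as_bytes()


def carve_attachments(raw_message):
    """Parse a MIME message; for each attachment return its name, MD5, and the MD5 of any zip-embedded media."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)  # base64 (or QP) decoded bytes of the part
        entry = {"filename": part.get_filename(), "md5": md5_hex(data), "embedded_media": {}}
        if data[:2] == b"PK":  # OOXML (docx/xlsx/pptx) is a zip container
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for name in zf.namelist():
                    if name.startswith("word/media/"):
                        entry["embedded_media"][name] = md5_hex(zf.read(name))
        findings.append(entry)
    return findings


if __name__ == "__main__":
    for entry in carve_attachments(build_sample_message()):
        print(f'{entry["filename"]}  md5={entry["md5"]}')
        for name, digest in entry["embedded_media"].items():
            print(f'  {name}  md5={digest}')
```

Hashing the decoded bytes rather than the base64 text is the point of question 6; the zip walk is the point of question 8, since the image never appears in the capture as a file of its own, only inside the document's container.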

Powered by Tistory / Kakao. Copyright © pental.