Wednesday, November 11, 2009

SANS Forensics Puzzle #2 - Ann Skips Bail

SANS Forensics Puzzle #2

Disclaimer: This is not intended to be elegant... it only addresses the "mechanics" of answering the questions in a straightforward manner.

Step 0... acquire the sample



1. What is Ann’s email address?


Answer: sneakyg33k@aol.com

How: By reviewing the PCAP one can see that there is an ESMTP conversation
taking place in stream 2 (display filter: tcp.stream eq 2). Selecting packet 53
and using Follow TCP Stream, Ann's email address is plainly visible in the MAIL FROM dialog.


2. What is Ann’s email password?


Answer: NTU4cjAwbHo= (558r00lz)

How: The mail server (still looking at tcp.stream eq 2) has advertised to the client that it supports PLAIN SMTP
authentication, which means the credentials travel as base64-encoded plain text. Base64 is an encoding, not encryption: anyone holding the capture can reverse it.
(Ref: http://www.technoids.org/saslmech.html)

Simple command line Perl script to decode encoded strings:

use strict;
use warnings;
use MIME::Base64;

print "Enter Base64 encoded string and press enter: ";

my $encoded = <STDIN>;   # read one line from the terminal
chomp $encoded;
my $decoded = MIME::Base64::decode($encoded);

print "The Base64 encoded string [ $encoded ] translates to [ $decoded ]\r\n";

3. What is Ann’s secret lover’s email address?


Answer: mistersecretx@aol.com

How: The recipient in TCP stream 2 does not look like a secret lover, so looking at the next
couple of streams we see something more rousing. The content found in tcp.stream eq 3 is more fitting for a secret lover's message. The SMTP dialog shows that RCPT TO is mistersecretx@aol.com.



4. What two items did Ann tell her secret lover to bring?


Answer: fake passport and a bathing suit

How: These are found by reading the plain text email message in tcp.stream eq 3.



5. What is the NAME of the attachment Ann sent to her secret lover?


Answer: secretrendezvous.docx

How: Looking at the plain text conversations in tcp.stream eq 3 there appears a multi-part message:

------=_NextPart_000_000D_01CA497C.9DEC1E70
Content-Type: application/octet-stream;
	name="secretrendezvous.docx"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
	filename="secretrendezvous.docx"

6. What is the MD5sum of the attachment Ann sent to her secret lover?


Answer: 9e423e11db88f01bbff81172839e1923 *secretrendezvous.docx

How: First one has to extract the Base64 encoded text of the attachment from the stream. This output, saved as "attachment-encoded.txt", can easily be decoded using a freely available decoder (http://www.fourmilab.ch/webtools/base64/) with the decoded output written to a file ($ ./base64 -d attachment-encoded.txt secretrendezvous.docx). Then generate the checksum value against the resultant file:

C:\tmp\challenge02>md5sum secretrendezvous.docx
9e423e11db88f01bbff81172839e1923 *secretrendezvous.docx

7. In what CITY and COUNTRY is their rendez-vous point?


Answer: Playa del Carmen, Mexico

How: Open the Word 2007 document and view the contents.


8. What is the MD5sum of the image embedded in the document?


Answer: aadeace50997b1ba24b09ac2ef1940b7 *image1.png

How: To extract the image, rename the document with a .zip extension (a .docx is an Office Open XML zip archive). Extract the archive and locate the image1.png file under word\media.
Generate the checksum value against the image file:

C:\tmp\challenge02\secretrendezvous\word\media>md5sum image1.png
aadeace50997b1ba24b09ac2ef1940b7 *image1.png
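Questions 5, 6 and 8 are really one MIME-extraction and hashing task. The following Python script, added here and not part of the original write-up, does the same work without hand-copying base64 out of Wireshark: it parses a multipart message carrying the headers shown above, decodes the attachment, hashes it, and then hashes every image inside the .docx zip directly from memory. The message body, the docx and the image bytes are constructed stand-ins; the digests of the real files are the ones quoted in the answers above.

```python
import base64
import email
import hashlib
import io
import zipfile

BOUNDARY = "----=_NextPart_000_000D_01CA497C.9DEC1E70"  # the boundary seen in stream 3

def build_sample_docx(png_bytes):
    """Constructed stand-in for secretrendezvous.docx: a zip holding one media file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/media/image1.png", png_bytes)
    return buf.getvalue()

def build_sample_message(attachment):
    """Constructed SMTP DATA payload with the same MIME headers as the captured message."""
    b64 = base64.encodebytes(attachment).decode("ascii")  # 76-column lines, as on the wire
    return (
        "From: sneakyg33k@aol.com\nTo: mistersecretx@aol.com\nMIME-Version: 1.0\n"
        f'Content-Type: multipart/mixed; boundary="{BOUNDARY}"\n\n'
        f"--{BOUNDARY}\nContent-Type: text/plain\n\nBring a fake passport and a bathing suit.\n"
        f"--{BOUNDARY}\nContent-Type: application/octet-stream;\n"
        '\tname="secretrendezvous.docx"\nContent-Transfer-Encoding: base64\n'
        'Content-Disposition: attachment;\n\tfilename="secretrendezvous.docx"\n\n'
        f"{b64}--{BOUNDARY}--\n"
    )

def md5_hex(data):
    return hashlib.md5(data).hexdigest()  # the value md5sum prints

def extract_attachments(message_text):
    """Parse the MIME message and return [(filename, raw bytes)] for each attachment;
    get_payload(decode=True) undoes the base64 transfer encoding."""
    msg = email.message_from_string(message_text)
    return [(p.get_filename(), p.get_payload(decode=True))
            for p in msg.walk() if p.get_filename()]

def hash_docx_media(docx_bytes):
    """A .docx is a zip archive: hash every file under word/media/ straight from memory."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return {n: md5_hex(z.read(n)) for n in z.namelist() if n.startswith("word/media/")}

if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\nconstructed-placeholder-image-bytes"  # not a real image
    for name, data in extract_attachments(build_sample_message(build_sample_docx(png))):
        print(md5_hex(data), "*" + name)
        for media, digest in hash_docx_media(data).items():
            print(digest, "*" + media)
```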

Sunday, October 25, 2009

RegRipper on OS X

I'm a multi-platform guy but these days I'm doing most of my personal work on a Mac. While reading Windows Forensic Analysis 2E I found it was time to get RegRipper running on my new Mac. It's quite simple really: go to http://www.regripper.net/ and download the latest version (rr_20080909.zip as of this post).

1. After unzipping and copying the files to someplace sane, make sure you have the required Parse::Win32Registry module installed (Update: install the missing Perl module using CPAN).

cpan> install Parse::Win32Registry

2. Next, edit rip.pl and change the path to Perl on the first line to match your installation. In my case it's /usr/bin/perl. RegRipper ships set to c:\perl\bin\perl.exe, as the author seems to prefer Windows as his development platform.

3. Finally, set the appropriate path for the RegRipper plugins. Edit rip.pl and define the variable my $plugindir to suit your installation. Why rip.pl and not rr.pl? Since we are on a Mac, which doesn't support the Win32::GUI Perl modules, the command-line rip.pl is the tool we are left with for registry parsing.

Once the above steps are done, type rip.pl and get cracking on those hives!

Saturday, March 21, 2009

Introduction

Welcome to my blog! Who needs another blog on network security/forensics topics? What is the point of all of this anyway? My goals here are twofold: first, by writing about this topic I learn more, and hopefully you will too. Second, in my work I come across useful tools and techniques for specific tasks. There will be many references to command-line utilities on various platforms. The emphasis of this blog will be to present these in a format that allows the reader to experiment and add them to their own toolbox. I welcome any feedback/comments/suggestions/corrections.

Network forensics encompasses elements of traditional forensic investigation, network security monitoring (NSM) and incident response. It answers questions such as: is that event normal? Should those systems be talking on that protocol? How much data was transferred? By answering questions such as these the analyst can begin to respond in an efficient and organized manner. Many books have been written on building defensible networks and monitoring them. Here we will explore various implementations and find out how the tools work.

In the end this is just another experiment - we'll see how long I can keep this up!

Thursday, March 19, 2009

Test Post

Almost ready - working out formatting issues and getting accustomed to Blogger's layout tools.