Sunday, February 28, 2010

SANS Forensics Puzzle #3 - Ann’s AppleTV

SANS Network Forensic Puzzle #3

The contest encourages participants to create new tools to solve the challenge.  Rather than create yet another specialized tool, I took this as an opportunity to hone my tshark skills.  Never heard of tshark?  It's the terminal (i.e., command-line) companion of Wireshark.  As a side note, this article contains some crazy awking and bash-fu... just how I like it.  In the end, I searched high and low for something simple to extract PLIST key/values with and faced the choice of learning Python or just giving in to manually extracting the value from the "XML".  I chose the latter.

1. What is the MAC address of Ann’s AppleTV?


$ tshark -R eth.src -Tfields -e eth.src -r evidence03.pcap | sort -u
$ for i in $(tshark -R eth.src -Tfields -e eth.src -r evidence03.pcap | sort -u); do
    echo -n "$i OUI Vendor: "
    VALUE=$(echo "$i" | awk -F":" '{print $1 ":" $2 ":" $3}')
    grep -i "$VALUE" oui.txt | awk '{print $2}'
  done

Output:
-------
00:23:69:ad:57:7b OUI Vendor: Cisco-Link
00:25:00:fe:07:c4 OUI Vendor: Apple

What's going on here?  If you are new to tshark, I recommend spending time with the man page.  In the command above the read filter (-R eth.src) keeps only frames that carry an Ethernet source address (a bare field name matches every packet in which that field is present), and -Tfields -e eth.src prints just that field for each of them from evidence03.pcap.  One caveat for anyone following along today: in current tshark releases -R is a two-pass read filter that has to be paired with -2; the single-pass equivalent, with the same filter syntax, is -Y eth.src.

The output is then sorted and de-duplicated, and the first three octets of each address are matched against a reference text file (wget standards.ieee.org/regauth/oui/oui.txt) listing every registered manufacturer OUI.  Be aware of the file format: the IEEE file writes each OUI with dashes (00-23-69) followed by "(hex)" and the full company name, so with that file the colon-separated pattern and awk '{print $2}' need adjusting (tr ':' '-' on the pattern, and the name is the field after the tab).  The short vendor names in the output ("Cisco-Link", "Apple") are the form Wireshark's own manuf file uses, which is colon-separated and works with the command exactly as written.

The output shows the manufacturer of every device seen in the capture, not just the AppleTV.  Only one address is Apple-registered (00:25:00:fe:07:c4); the other OUI belongs to Cisco-Linksys, so the Apple address is the one that answers the question.

2. What User-Agent string did Ann’s AppleTV use in HTTP requests?


$ tshark -R http.user_agent -Tfields -e http.user_agent  -r evidence03.pcap  | sort -u

Output:
-------
AppleTV/2.4

3. What were Ann’s first four search terms on the AppleTV (all incremental searches count)?


$ tshark -R "http.request.uri contains search" -Tfields -e http.request.uri  -r evidence03.pcap | awk -F"=" '{print $NF}'

Output:
-------
h
ha
hac
hack
s
sn
sne
sneb
snea
sneak
i
ik
ikn
ikno
iknow
iknowy
iknowyo
iknowyou
iknowyour
iknowyoure
iknowyourew
iknowyourewa
iknowyourewat
iknowyourewatc
iknowyourewatch
iknowyourewatchi
iknowyourewatchin
iknowyourewatching
iknowyourewatchingm
iknowyourewatchingme

Wow... that was neat.  The tshark command goes well beyond the first four search terms, but what is going on here?  It looks like the AppleTV's iTunes Store search sends each keystroke across the wire so the store can search in real time; the sneb/snea pair even shows a typo being backspaced and corrected.  Reminds me of a keystroke logger.  The first four terms are h, ha, hac and hack.

4. What was the title of the first movie Ann clicked on?


$ tshark -R "http.request.uri contains viewMovie" -Tfields -e http.request.uri  -r evidence03.pcap

Output:
-------
/WebObjects/MZStore.woa/wa/viewMovie?id=333441649&s=143441
/b/ss/applesuperglobal/1/G.6--NS?pageName=Movie%20Page-US-Hackers-Iain%20Softley-333441649&pccr=true&h5=appleitmsnatv%2Cappleitmsustv&ch=Movie%20Page&g=http%3A%2F%2Fax.itunes.apple.com%2FWebObjects%2FMZStore.woa%2Fwa%2FviewMovie%3Fid%3D333441649%26s%3D143441
/WebObjects/MZStore.woa/wa/viewMovie?id=283963264&s=143441
/b/ss/applesuperglobal/1/G.6--NS?pageName=Movie%20Page-US-Sneakers-Phil%20Alden%20Robinson-283963264&pccr=true&h5=appleitmsnatv%2Cappleitmsustv&ch=Movie%20Page&g=http%3A%2F%2Fax.itunes.apple.com%2FWebObjects%2FMZStore.woa%2Fwa%2FviewMovie%3Fid%3D283963264%26s%3D143441

This tshark filter displays four URIs from the sample PCAP.  The first two relate to the first movie Ann clicked on (Hackers); the second two relate to the second movie (Sneakers).  The viewMovie requests carry only a numeric id, but each is followed by an analytics beacon (/b/ss/applesuperglobal/...) whose pageName parameter spells out the title, the director and the same id in the clear (Movie Page-US-Hackers-Iain Softley-333441649), which is what ties the id to a title.

5. What was the full URL to the movie trailer (defined by “preview-url”)?


The display filter "xml.cdata contains preview-url" points to frame 312, which carries the HTTP body reassembled from the TCP segments in frames 309, 310 and 312; the plist spans several segments, so the key is only findable once tshark has reassembled them.

Preview URL: http://a227.v.phobos.apple.com/us/r1000/008/Video/62/bd/1b/mzm.plqacyqb..640x278.h264lc.d2.p.m4v

6. What was the title of the second movie Ann clicked on?


Sneakers (see the answer to question 4).

7. What was the price to buy it (defined by “price-display”)?


Wireshark lacks the ability to programmatically process PLIST files, so I had to cheat on this answer and use the display filter "xml.cdata contains price-display" to find the price-display entries for each of the two movies, then read the value for Sneakers out of the XML by hand.

Answer: $9.99
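
The sticking point above, pulling PLIST keys out without hand-reading the XML, is a few lines in Python, the route the intro mentions and skips.  The following is an added example, not code from the original post or from any Apple or Wireshark tooling: it walks an XML plist with the standard-library plistlib and reports every preview-url and price-display key it finds, at any depth.  The plist is constructed for the example in the shape of an iTunes Store movie page; the key names come from the puzzle questions and the preview URL and $9.99 price are the values found above, while the nesting, the title and the rental offer are invented, and the function names are mine.  In practice the body would come from the capture (Wireshark's File > Export Objects > HTTP, or on newer tshark --export-objects http,outdir) rather than be embedded.

```python
import plistlib

# Constructed sample: an abbreviated XML plist shaped like an iTunes Store movie
# page. The key names come from the puzzle questions and the preview URL and
# $9.99 price are the values the article found; the nesting, the title and the
# rental offer are invented for this example.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>title</key><string>Sneakers</string>
  <key>item-metadata</key>
  <dict>
    <key>preview-url</key>
    <string>http://a227.v.phobos.apple.com/us/r1000/008/Video/62/bd/1b/mzm.plqacyqb..640x278.h264lc.d2.p.m4v</string>
    <key>store-offers</key>
    <dict>
      <key>BUY</key>
      <dict>
        <key>price-display</key><string>$9.99</string>
        <key>price</key><real>9.99</real>
      </dict>
      <key>RENT</key>
      <dict>
        <key>price-display</key><string>$3.99</string>
        <key>price</key><real>3.99</real>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""


def walk(node, path=()):
    """Depth-first walk over a parsed plist, yielding (path, key, value) for
    every dictionary entry at any depth. Arrays contribute their index to the
    path so two entries with the same key stay distinguishable."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield path, key, value
            yield from walk(value, path + (key,))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, path + (str(index),))


def find_keys(plist_bytes, wanted):
    """Return [(slash-joined path, value)] for every key named in `wanted`.
    plistlib.loads accepts XML and binary plists alike, so a body from a
    binary-plist client needs no special casing."""
    data = plistlib.loads(plist_bytes)
    return [("/".join(path + (key,)), value)
            for path, key, value in walk(data) if key in wanted]


def first_value(plist_bytes, key):
    """Value of the first occurrence of `key`, or None if it is absent."""
    hits = find_keys(plist_bytes, {key})
    return hits[0][1] if hits else None


if __name__ == "__main__":
    for path, value in find_keys(SAMPLE_PLIST, {"preview-url", "price-display"}):
        print(f"{path} = {value}")
```

Printing the full path alongside each hit is deliberate: a store page can carry several price-display values (buy and rent, different qualities), and the path is what tells you which offer the $9.99 belongs to instead of taking the first match.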
8. What was the last full term Ann searched for?

This is the last term in the output for question 3: iknowyourewatchingme.  The incremental-search output makes the full terms easy to spot: each one is the last entry before the next search starts over from a single character (hack, sneak, iknowyourewatchingme).
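
Questions 3 and 8 both come down to the same post-processing of the URI list produced for question 3: pull the term out of each request, then decide where one search ends and the next begins.  The following is an added example, not code from the original post, written in Python (the route the intro mentions and skips) and run on constructed input.  The sequence of terms is the one the tshark command above produced; the URI path, the parameter name and the session heuristic are my own assumptions, since the post only shows the value after the last "=".

```python
from os.path import commonprefix
from urllib.parse import parse_qsl, urlsplit

# Constructed sample input: one request URI per keystroke, in the form that
# `tshark -T fields -e http.request.uri` prints them. The sequence of terms is
# the one the article's own tshark command produced; the path and parameter
# name are assumptions, since the article only shows the value after the last "=".
SAMPLE_TERMS = (
    "h ha hac hack "
    "s sn sne sneb snea sneak "
    "i ik ikn ikno iknow iknowy iknowyo iknowyou iknowyour iknowyoure "
    "iknowyourew iknowyourewa iknowyourewat iknowyourewatc iknowyourewatch "
    "iknowyourewatchi iknowyourewatchin iknowyourewatching "
    "iknowyourewatchingm iknowyourewatchingme"
).split()
SAMPLE_URIS = ["/search?term=" + term for term in SAMPLE_TERMS]


def search_term(uri):
    """Value of the last query parameter, which is what awk -F"=" '{print $NF}'
    extracted, but percent-decoded and not confused by an '=' inside a value."""
    params = parse_qsl(urlsplit(uri).query, keep_blank_values=True)
    return params[-1][1] if params else ""


def _same_session(prev, term):
    """Heuristic: `term` continues the session of `prev` if it extends prev,
    replaces only prev's last character (the sneb -> snea correction), or is
    prev with characters backspaced off. Anything else starts a new search."""
    shared = len(commonprefix([prev, term]))
    return shared >= len(prev) - 1 or prev.startswith(term)


def sessions(terms):
    """Group an ordered list of incremental terms into typing sessions."""
    groups = []
    for term in terms:
        if groups and _same_session(groups[-1][-1], term):
            groups[-1].append(term)
        else:
            groups.append([term])
    return groups


def full_terms(terms):
    """The completed term of each session is the last one typed in it."""
    return [group[-1] for group in sessions(terms)]


if __name__ == "__main__":
    terms = [search_term(uri) for uri in SAMPLE_URIS]
    print("first four:", terms[:4])
    print("full terms:", full_terms(terms))
    print("last full term:", full_terms(terms)[-1])
```

The heuristic has one blind spot worth knowing before trusting it on a larger capture: a fresh search that happens to begin with the previous term's first letter looks exactly like backspacing and retyping, so the two get merged into one session.  If that matters, add frame.time to the tshark field list and split sessions on the time gap between requests as well.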