Network Forensics – Traffic Analysis (1)

After some time researching I found some interesting network forensic challenges that I would like to discuss with you.

The main purpose is to bring back and update my network analysis skills. There are different ways to reach the solution; however, as my background is Incident Response, I always try to get results fast and with the least amount of resistance along the way.

List of tools I am using:

  • My adorable Santoku Linux distribution
  • Wireshark, included in Santoku Linux
  • ghex, hexadecimal editor
  • md5sum


You are the security analyst in your organization and you are presented with the following scenario.

Anarchy-R-Us, Inc. suspects that one of their employees, Ann Dercover, is really a secret agent working for their competitor. Ann has access to the company’s prize asset, the secret recipe. Security staff are worried that Ann may try to leak the company’s secret recipe.

Security staff have been monitoring Ann’s activity for some time, but haven’t found anything suspicious– until now. Today an unexpected laptop briefly appeared on the company wireless network. Staff hypothesize it may have been someone in the parking lot, because no strangers were seen in the building. Ann’s computer, ( sent IMs over the wireless network to this computer. The rogue laptop disappeared shortly thereafter.

“We have a packet capture of the activity,” said security staff, “but we can’t figure out what’s going on. Can you help?”

You are the forensic investigator. Your mission is to figure out who Ann was IM-ing, what she sent, and recover evidence, including:

1. What is the name of Ann’s IM buddy?
2. What was the first comment in the captured IM conversation?
3. What is the name of the file Ann transferred?
4. What is the magic number of the file you want to extract (first four bytes)?
5. What was the MD5sum of the file?
6. What is the secret recipe?

Good, good! Let's crack on! Please remember that I am mainly interested in Incident Response, so for me results in the least amount of time are what matters. As mentioned before, you will still find people who got to the solution in a very elegant way; for me it is ultimately about speed, automation and results.

1. Open the pcap file with Wireshark


Please notice that the way the pcap file is presented is due to my Wireshark configuration, which is not Wireshark's default.

To add columns go to Edit -> Preferences -> Columns, where you can add additional fields such as Source Port and Destination Port.

2. Find Ann's IP address, 192.168.158, in the list of packets presented by Wireshark and follow the TCP session

The solutions presented in other posts look at protocol analysis first; however, I do not care about the protocol running over TCP, so I go straight to following the session to see the data it reveals.


3. Surprise! What can you see in the session? How many questions can you answer so far?


  • What is the name of Ann's IM buddy? Sec558user1
  • What was the first comment in the captured IM conversation? Here's the secret recipe… I just downloaded it from the file server. Just copy to a thumb drive and you're good to go >:-)
  • What is the name of the file Ann transferred? recipe.docx

Now we get to the fun part of the challenge. You need to know and understand some forensics to grasp the concept behind magic numbers and some of the tools you may potentially use in this part. I just kept it simple.

We now need to understand the protocol used over TCP, which, looking at the scenario description, is the famous AOL AIM protocol. AIM uses the OSCAR protocol for instant messaging and file transfer, and looking at the specification of this protocol the client needs to connect to port 5190 for file transfers.

4. Find the packets with destination port 5190 and follow the TCP stream.

This will allow us to capture the packets from our dear insider threat Ann to her external buddy.


The captured session contains the file that was exfiltrated; our job is to carve that file from the packets. The fastest way I found to do this is to look at the magic numbers for a docx file. There are other methods using tcpxtract, a tool similar to foremost or scalpel, however I found that the tool is not accurate enough when extracting the file. If you find out how to do it, leave me a comment…

According to this site, the magic number for the header of a docx file is the following: 50 4B 03 04 14 00 06 00. We also need to look at the footer, as we need to understand where the file starts and ends in the captured packets. The footer magic number is 50 4B 05 06 plus 18 additional bytes.

5. Carve the file from the extracted packets.

We open the previously saved file in our hexadecimal editor, in this case ghex. Once opened we search for the header value 50 4B 03 04 14 00 06 00 and delete everything before that value, which represents the start of the file.


Now we need to find the end of the file, so we repeat the same search, this time with the value 50 4B 05 06 plus 18 additional bytes, which marks the end of the file.


We save the file with a .docx extension and calculate the MD5, which is the one presented above. If we open the document in Word we will also see the message. It is important to take the hash value at the end of the exercise to support the chain of custody and demonstrate that the file has not been altered, should it need to be presented as evidence in court.
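The same carving that steps 4 and 5 do by hand in ghex can be scripted, which is what I would reach for when there is more than one stream to process. The block below is an added example, not code from the original write-up: it takes the raw bytes saved from Wireshark's Follow TCP Stream, locates the start of the archive by the four-byte signature 50 4B 03 04, locates the end by the 50 4B 05 06 End of Central Directory record, and then hashes the carved file and checks that it opens as a valid ZIP (a docx is a ZIP container). It generalizes the write-up's "plus 18 additional bytes" rule slightly: the last two of those 18 bytes hold the length of an optional archive comment, so the code adds that length too (zero for the file in this exercise). The sample stream it runs on is constructed inline (a tiny docx-like archive with junk bytes on both sides) so it runs offline; the file names and contents inside it are placeholders, not the challenge data.

```python
import hashlib
import io
import struct
import zipfile

# Signatures from the write-up: the local file header that opens a docx/ZIP
# (first four bytes, question 4) and the End of Central Directory (EOCD) record
# that closes it. The longer 8-byte header pattern quoted in the post also
# includes the "version needed" and "flags" fields, which vary between writers,
# so only the 4-byte signature is used for matching here.
LOCAL_HEADER = b"PK\x03\x04"
EOCD_SIG = b"PK\x05\x06"
EOCD_FIXED_LEN = 22  # 4-byte signature + 18 bytes of fixed fields
EOCD_COMMENT_LEN_OFFSET = 20  # uint16 LE comment length, last field of the record


def carve_zip(stream: bytes) -> bytes:
    """Return the first ZIP container embedded in a raw TCP stream dump.

    Start: first occurrence of the local file header signature.
    End:   the first EOCD record after it, plus the 18 fixed bytes and any
           trailing archive comment. With an empty comment this is exactly the
           write-up's "50 4B 05 06 plus 18 additional bytes".
    """
    start = stream.find(LOCAL_HEADER)
    if start == -1:
        raise ValueError("no ZIP local file header in stream")
    # Searching forward from the header mirrors the manual hex-editor search.
    # (Compressed data could in theory contain this byte sequence; the ZIP
    # validity check below catches that case.)
    eocd = stream.find(EOCD_SIG, start)
    if eocd == -1:
        raise ValueError("no End of Central Directory record after header")
    if len(stream) < eocd + EOCD_FIXED_LEN:
        raise ValueError("truncated EOCD record")
    (comment_len,) = struct.unpack_from("<H", stream, eocd + EOCD_COMMENT_LEN_OFFSET)
    end = eocd + EOCD_FIXED_LEN + comment_len
    return stream[start:end]


def md5_hex(data: bytes) -> str:
    """MD5 of the carved file, as asked in question 5 and for chain of custody."""
    return hashlib.md5(data).hexdigest()


def magic_number(data: bytes) -> str:
    """First four bytes, formatted the way the challenge asks for them."""
    return " ".join(f"{b:02X}" for b in data[:4])


def is_valid_zip(data: bytes) -> bool:
    """True if the carved bytes form a complete, uncorrupted ZIP archive."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.testzip() is None
    except zipfile.BadZipFile:
        return False


def build_sample_stream() -> tuple[bytes, bytes]:
    """Constructed test data (hypothetical): a tiny docx-like archive wrapped in
    junk bytes that stand in for the protocol framing seen around the file in
    a real stream dump. Returns (stream, original_archive)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document>placeholder text</w:document>")
    docx = buf.getvalue()
    stream = b"\x00\x01constructed framing before\x00" + docx + b"\x00trailing bytes after"
    return stream, docx


if __name__ == "__main__":
    # Real use: carve_zip(open("stream.raw", "rb").read()) on the raw stream
    # saved from Wireshark, then write the result out with a .docx extension.
    stream, original = build_sample_stream()
    carved = carve_zip(stream)
    print("magic number:", magic_number(carved))
    print("md5:", md5_hex(carved), "matches original:", md5_hex(carved) == md5_hex(original))
    print("opens as ZIP:", is_valid_zip(carved))
```

Hashing the carved bytes in the same script that produced them, and again after writing them to disk, gives you two values that should match; a mismatch means the carve boundaries are wrong (usually a comment length that was not accounted for, or a second 50 4B 05 06 sequence inside the compressed data) rather than evidence tampering.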


This is the end of the first exercise I am dedicating to network forensics and file carving from pcap files.

There are multiple ways to get to a solution; however, as I explained before, this was the fastest way I found to answer the questions. What is important about the exercise is to get familiar with the different tools, understand the theory behind them and experiment with them for future scenarios.

