This post is a continuation of the previous post, Network Forensics – Traffic Analysis (1).
Scenario, Ann skips bail
After being released on bail, Ann Dercover disappears! Fortunately, investigators were carefully monitoring her network activity before she skipped town.
“We believe Ann may have communicated with her secret lover, Mr. X, before she left,” says the police chief. “The packet capture may contain clues to her whereabouts.”
You are the forensic investigator. Your mission is to figure out what Ann emailed, where she went, and recover evidence including:
1. What is Ann’s email address?
2. What is Ann’s email password?
3. What is Ann’s secret lover’s email address?
4. What two items did Ann tell her secret lover to bring?
5. What is the NAME of the attachment Ann sent to her secret lover?
6. What is the MD5sum of the attachment Ann sent to her secret lover?
7. In what CITY and COUNTRY is their rendez-vous point?
8. What is the MD5sum of the image embedded in the document?
1. Open the pcap file with Wireshark
2. Find Ann's email address
Looking at the challenge wording we already know that SMTP is the protocol in play, but I want to take an additional step and show some Wireshark capabilities that will be useful in future scenarios.
If we go to Statistics > Protocol Hierarchy we get a summary of every protocol seen in the capture.
From that summary we can see that the application protocol carried over the transport layer (layer 4, TCP) is SMTP, so that is what Ann used to communicate. We now apply the display filter smtp to isolate the conversation we need to analyse.
We right-click the first packet in the filtered capture and choose Follow > TCP Stream.
The window that opens shows the reassembled conversation, and with it the answer to the first question.
Ann’s email address is <email@example.com>
3. What is Ann’s email password?
The same screen also shows the authentication exchange. This server uses SMTP AUTH LOGIN, in which the client answers the two 334 prompts with the username and the password base64-encoded, so the credentials are not readable at a glance and we need to decode them. Base64 is an encoding, not encryption: anyone holding the capture can reverse it, which is why credentials sent over unencrypted SMTP have to be treated as exposed.
I used the base64 command on Linux (with its -d option) to decode the string.
4. Find Ann’s secret lover email address and other details
Again there are several ways to get to the answer, but the fastest and probably the most intelligible is Statistics > Conversations in Wireshark.
Filtering by TCP you will see the two SMTP conversations that took place. The first one contains the details extracted in the previous steps; the second one gives us the answers to the next questions.
If you remember from the previous scenario, Ann was exfiltrating data and communicating with someone whose email address is <firstname.lastname@example.org>. The question here is: what is the email address of Ann's lover? That is contained in the second SMTP session she had with him. To get the details we select the second conversation and follow the TCP stream again. In this session we can see another authentication and login process, followed by a message from Ann's email address to her lover, whose email address is <email@example.com>.
In the same screen we can find the details for the next question: what two items did Ann tell her secret lover to bring?
The answer, as we can see in the session, is: Hi sweetheart! Bring your fake passport and a bathing suit. Address = attached. love, Ann
The other question we can answer here is: what is the NAME of the attachment Ann sent to her secret lover? Scrolling down the stream we reach the MIME headers of the attached part, which name the file: filename="secretrendezvous.docx"
5. File carving from the pcap file
This is the step where things get interesting. Until now it has all been about having some knowledge of Wireshark and networking. Now we need to carve the attached file out of the pcap. The challenge is that the attachment is not transferred as raw bytes: SMTP carries it inside the DATA section as a base64-encoded MIME part, so searching the capture for the usual magic numbers (the PK zip signature of a .docx, for instance) will not work. Only the base64 form of those bytes is on the wire.
In order to carve the file from this pcap we first need to get the data into a file. We save the stream we were following (as raw bytes) under the name secretrendezvous.docx. The next step is to open that file with a hexadecimal editor such as GHex.
Now we need to trim the file until only the attachment is left. Let's start by finding its beginning. The attachment body starts immediately after the MIME headers that carry the filename, and its first characters are UEsDBBQ…, which is simply the base64 encoding of the zip local-file header 50 4B 03 04 14 00 (PK..) that every .docx starts with. Everything up to the beginning of that value needs to be cut. Another approach is to carve on the hexadecimal value of the blank line that separates the MIME part headers from the body: two consecutive CRLF sequences, 0D 0A 0D 0A. I will not go into the theory, but that blank line marks the start of our data.
Notice how, right before the start of the attachment, we find exactly those bytes.
Everything before and including them is removed to get the beginning of the data we are carving. Next we need the end of the file. We can search for it manually in the hex editor or look for the next CRLF sequence (0D 0A) followed by the MIME boundary line, which starts with two dashes; the base64 data ends on the line before it.
Once we have saved the trimmed base64 text as a file, we only need to decode it back into the binary .docx. To do this I copied and pasted the content into the following online tool,
and it returned the decoded file, which contains the answers we have been looking for. Note that base64 -d on the trimmed file gives the same result locally, without pasting evidence into a third-party website.
What is the MD5sum of the attachment Ann sent to her secret lover?
In what CITY and COUNTRY is their rendez-vous point?
Playa del Carmen, Mexico
What is the MD5sum of the image embedded in the document?
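The whole manual workflow above (decoding the AUTH LOGIN credentials, cutting the base64 attachment out of the followed stream at the 0D 0A 0D 0A blank line and the MIME boundary, decoding it, hashing it, and pulling the embedded image out of the resulting .docx) can be scripted. The following is an added example written for this post, not the original author's tooling or the challenge data: the SMTP session it runs on is constructed inline (the addresses, password, boundary and image are made-up placeholders), and the same layout is what a raw "Follow TCP Stream" save of the real capture looks like.

```python
"""Reconstruct credentials and the attachment from a raw SMTP stream.

Added example; not the original post's code. build_sample_stream() constructs a
fake session so the script runs offline; pass a file saved from Wireshark's
Follow TCP Stream (Raw) as the first argument to run it on real data.
"""
import base64
import hashlib
import io
import re
import sys
import zipfile

# Constructed stand-in for an embedded picture: only the PNG magic is realistic.
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32


def build_sample_stream() -> bytes:
    """Constructed SMTP session (client and server lines interleaved, as the
    followed stream shows them). Addresses and password are placeholders."""
    docx = io.BytesIO()
    with zipfile.ZipFile(docx, "w") as z:          # a .docx is a zip archive
        z.writestr("word/document.xml", "<w:document>see you there</w:document>")
        z.writestr("word/media/image1.png", FAKE_PNG)
    attachment_b64 = base64.encodebytes(docx.getvalue()).decode()
    user_b64 = base64.b64encode(b"ann@example.com").decode()
    pass_b64 = base64.b64encode(b"hunter2").decode()
    return (
        "220 smtp.example.com ESMTP\r\nEHLO laptop\r\n250 AUTH LOGIN PLAIN\r\n"
        "AUTH LOGIN\r\n"
        "334 VXNlcm5hbWU6\r\n"      # base64 'Username:'
        f"{user_b64}\r\n"
        "334 UGFzc3dvcmQ6\r\n"      # base64 'Password:'
        f"{pass_b64}\r\n"
        "235 Authentication successful\r\n"
        "MAIL FROM:<ann@example.com>\r\n250 OK\r\nRCPT TO:<mrx@example.org>\r\n250 OK\r\n"
        "DATA\r\n354 End data with <CR><LF>.<CR><LF>\r\n"
        "From: ann@example.com\r\nTo: mrx@example.org\r\nSubject: rendezvous\r\n"
        'Content-Type: multipart/mixed; boundary="XYZ"\r\n\r\n'
        "--XYZ\r\nContent-Type: text/plain\r\n\r\n"
        "Hi sweetheart! Bring your fake passport and a bathing suit.\r\n"
        "--XYZ\r\nContent-Type: application/octet-stream\r\n"
        "Content-Transfer-Encoding: base64\r\n"
        'Content-Disposition: attachment; filename="secretrendezvous.docx"\r\n\r\n'
        f"{attachment_b64}\r\n--XYZ--\r\n.\r\n250 OK queued\r\n221 Bye\r\n"
    ).encode()


# AUTH LOGIN: two 334 prompts, each answered with one base64 token.
AUTH_RE = re.compile(
    rb"AUTH LOGIN\r?\n334 [^\r\n]*\r?\n([A-Za-z0-9+/=]+)\r?\n"
    rb"334 [^\r\n]*\r?\n([A-Za-z0-9+/=]+)"
)


def extract_auth_login(stream: bytes):
    """Return (username, password) decoded from the AUTH LOGIN exchange."""
    m = AUTH_RE.search(stream)
    if not m:
        raise ValueError("no AUTH LOGIN exchange found")
    return tuple(base64.b64decode(g).decode(errors="replace") for g in m.groups())


def extract_attachment(stream: bytes):
    """Return (filename, decoded bytes) of the first base64 attachment.

    The body starts after the blank line (0D 0A 0D 0A) that ends the MIME part
    headers and runs up to the next boundary line ('--'), the same two cuts the
    hex-editor steps make by hand. b64decode discards the line breaks itself.
    """
    m = re.search(rb'filename="([^"]+)"', stream)
    if not m:
        raise ValueError("no filename= header found")
    body_start = stream.index(b"\r\n\r\n", m.end()) + 4
    body_end = stream.index(b"\r\n--", body_start)
    return m.group(1).decode(), base64.b64decode(stream[body_start:body_end])


def md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def embedded_images(docx: bytes) -> dict:
    """Pictures embedded in a .docx live under word/media/ inside the zip."""
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        return {n: z.read(n) for n in z.namelist() if n.startswith("word/media/")}


def analyze(stream: bytes) -> dict:
    user, password = extract_auth_login(stream)
    name, data = extract_attachment(stream)
    return {
        "user": user,
        "password": password,
        "attachment": name,
        "attachment_md5": md5(data),
        "images": {n: md5(b) for n, b in embedded_images(data).items()},
    }


if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_stream()
    for key, value in analyze(raw).items():
        print(f"{key}: {value}")
```

Run it with no arguments to see it work on the constructed session, or point it at the raw save of the second SMTP stream to get the attachment name, its MD5 and the MD5 of every image in word/media/ in one pass. The decoded attachment starts with the bytes PK 03 04, which is what the UEsDBB prefix in the hex editor decodes to.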
And with this last hash we finish the second challenge focused on network forensics. In the coming days I will update the post with an additional summary of the case and faster alternatives to all the manual work we have gone through in this article. If you have any issues just let me know and I will try to help.