From http://forensicscontest.com/ Puzzle #2 – Ann Skips Bail
Answer written October 27, 2009. Not to be published before contest ends November 22, 2009.
Tools used: Wireshark, a Base 64 decoder, Xplico or base64.exe, fsum.exe and Word 2007.
Open the packet capture file (evidence02.pcap) in Wireshark.
Find the SMTP packet with the Info “334 VXNlcm5hbWU6“. This is the prompt for an email address. The response (c25lYWt5ZzMza0Bhb2wuY29t) requires a Base 64 decoder (sneakyg33k@aol.com).
Find the SMTP packet with the Info “334 UGFzc3dvcmQ6“; this is the prompt for a password. The response (NTU4cjAwbHo=) requires a Base 64 decoder (558r00lz).
Selecting part of a multi-part SMTP message within Wireshark causes Wireshark to reassemble the data. This produces the email message and its header, but this will not decode MIME.
Selected the SMTP packet at 140, selected its data in the data window, double-clicked “reassembled DATA in frame: 557” and was able to view the text of the message. (That is, found that it was addressed to mistersecretx@aol.com, “Hi sweetheart” and so forth, learned name of attached file.)
Found MIME data in the data frame; double-clicked to select it. Used File-> Export-> Selected Packet Bytes to an arbitrary file name: wireshark.raw. Used base64.exe to recreate secretrendezvous.docx.
base64 -d wireshark.raw secretrendezvous.docx
An alternate approach to carving out the email messages and their attachments would be to use Xplico Xplico (“the Internet Traffic Decoder”) can display the Internet traffic found in a pcap file. The Carlos Gacimartín VirtualBox.org image of Debian 5.0 with Xplico 0.5.2 installed and running worked fine.
Computed md5sum using fsum
fsum -md5 secretrendezvous.docx
Opened secretrendezvous.docx in Word 2007 and saved a copy as html. This produced image001.png; and I computed the MD5sum of this file.
1. What is Ann’s email address?
sneakyg33k@aol.com
2. What is Ann’s email password?
558r00lz
3. What is Ann’s secret lover’s email address?
mistersecretx@aol.com
4. What two items did Ann tell her secret lover to bring?
fake passport and bathing suit
5. What is the NAME of the attachment Ann sent to her secret lover?
secretrendezvous.docx
6. What is the MD5sum of the attachment Ann sent to her secret lover?
9e423e11db88f01bbff81172839e1923
7. In what CITY and COUNTRY is their rendez-vous point?
Playa del Carmen, Mexico
8. What is the MD5sum of the image embedded in the document?
aadeace50997b1ba24b09ac2ef1940b7
Note: Chaosreader quickly parsed the evidence02.pcap file into a set of sessions, but the results were inaccurate. Chaosreader would be a way to get a quick overview of the sessions.
C:\perl\bin\perl.exe chaosreader -v ..\evidence02.pcap
Aggressive Virus Defense 