Network Forensics Puzzle #3 Solution

Chaosreader quickly parsed the evidence03.pcap file into a set of sessions. Expand (unzip) the extracted .gz files to read the XML inside them; this is necessary to learn the values defined by “preview-url” and “price-display”. In an empty folder, run:

C:\perl\bin\perl.exe chaosreader -v ..\evidence03.pcap

1. What is the MAC address of Ann’s AppleTV?
00:25:00:fe:07:c4
2. What User-Agent string did Ann’s AppleTV use in HTTP requests?
AppleTV/2.4
3. What were Ann’s first four search terms on the AppleTV (all incremental searches count)?
h
ha
hac
hack
4. What was the title of the first movie Ann clicked on?
Hackers
5. What was the full URL to the movie trailer (defined by “preview-url”)?


6. What was the title of the second movie Ann clicked on?
Sneakers
7. What was the price to buy it (defined by “price-display”)?
$9.99
8. What was the last full term Ann searched for?
iknowyourewatchingme

MAC address of router:
00:23:69:ad:57:7b

Note: NetworkMiner parsed the pcap file, but results were not particularly easy to use.
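
The unzip-and-read step can be scripted. The following is an added example, not part of the original solution: it gunzips a carved response body with a size cap and pulls the values for “preview-url” and “price-display”. The plist-style key/value layout, the sample body, the size limit and the function names are assumptions.

```python
import gzip, io, sys
import xml.etree.ElementTree as ET

GZIP_MAGIC = b"\x1f\x8b"
MAX_BYTES = 5 * 1024 * 1024  # assumed cap on decompressed size

# Constructed sample body: the layout is an assumption, the values are placeholders.
SAMPLE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>title</key><string>Example Movie</string>
  <key>preview-url</key><string>http://media.example.invalid/trailer.m4v</string>
  <key>offers</key><array><dict>
    <key>price-display</key><string>$0.00</string>
  </dict></array>
</dict></plist>"""

def decode_body(raw, limit=MAX_BYTES):
    """Return XML bytes; gunzip when the gzip magic is present, capping the output."""
    if raw[:2] != GZIP_MAGIC:
        return raw
    with gzip.GzipFile(fileobj=io.BytesIO(raw)) as fh:
        data = fh.read(limit + 1)  # read one byte past the cap to detect overflow
    if len(data) > limit:
        raise ValueError("decompressed body exceeds limit")
    return data

def find_key_values(raw, wanted):
    """Return (key, value) pairs for each <key>NAME</key> and its next sibling."""
    xml_bytes = decode_body(raw)
    # Bodies carved from a capture are untrusted input: refuse entity declarations.
    if b"<!ENTITY" in xml_bytes:
        raise ValueError("entity declarations not allowed in evidence XML")
    hits = []
    for parent in ET.fromstring(xml_bytes).iter():
        children = list(parent)
        for key_el, value_el in zip(children, children[1:]):
            if key_el.tag == "key" and key_el.text in wanted:
                hits.append((key_el.text, (value_el.text or "").strip()))
    return hits

if __name__ == "__main__":
    wanted = {"preview-url", "price-display"}
    for path in sys.argv[1:]:  # paths to files extracted by Chaosreader
        with open(path, "rb") as fh:
            for key, value in find_key_values(fh.read(), wanted):
                print(f"{path}\t{key}\t{value}")
```

Pass the extracted files as arguments; files that are not gzip-compressed are parsed as they are.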
