Ann skips bail. Cue forensics puzzle.

nospam@example.com (Tariq) — Fri, 27 Nov 2009 11:20:00 -0700

Found a website and a forensics contest yesterday quite by accident. I was waiting for somebody before going out for the night and I thought this might be a little fun while I waited. Now the contest had closed and the results where available, which I ignored until the end and went straight to Puzzle #2: Ann skips bail.

The puzzle revolves around a packet capture of Ann's network taken by wily investigators before she skipped bail. Police are confident that she communicated with a secret lover prior to her disappearance. And so follows a number of competition questions. It is important to note that the organizers are looking for the most elegant solutions, and you won't see that here. What you will see is how to solve the puzzle very quickly.

1. What is Ann’s email address?
2. What is Ann’s email password?
3. What is Ann’s secret lover’s email address?
4. What two items did Ann tell her secret lover to bring?
5. What is the NAME of the attachment Ann sent to her secret lover?
6. What is the MD5sum of the attachment Ann sent to her secret lover?
7. In what CITY and COUNTRY is their rendez-vous point?
8. What is the MD5sum of the image embedded in the document?

I downloaded the packet dump file from the organiser's site and verified the hash using md5 as I am on a Mac, otherwise md5sum does the job.

I fired up wireshark and opened the packet capture file. There appeared to be a good bit of SMTP traffic. So I did a quick

grep -an "To:.*\|From:*\|Subject:.*" evidence02.pcap

on the packet dump which revealed the following.



From: "Ann Dercover" <sneakyg33k@aol.com>

To: <sec558@gmail.com>

Subject: lunch next week

From: "Ann Dercover" <sneakyg33k@aol.com>

To: <mistersecretx@aol.com>

Subject: rendezvous

Its clear that Ann Dercover's email address is sneakyg33k@aol.com. This is the answer to question 1. We also see she sent two emails. One to mistersecretx@aol.com, could this be Ann's secret lover? I expanded the grep to

grep -aA50 "mistersecretx@aol.com" evidence02.pcap

This gives me 50 lines after and including lines matching mistersecretx@aol.com.



To: <mistersecretx@aol.com>

Subject: rendezvous

Date: Sat, 10 Oct 2009 07:38:10 -0600

MIME-Version: 1.0

Content-Type: multipart/mixed;

	boundary="----=_NextPart_000_000D_01CA497C.9DEC1E70"

X-Priority: 3

X-MSMail-Priority: Normal

X-Mailer: Microsoft Outlook Express 6.00.2900.2180

X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180



This is a multi-part message in MIME format.



------=_NextPart_000_000D_01CA497C.9DEC1E70

Content-Type: multipart/alternative;

	boundary="----=_NextPart_001_000E_01CA497C.9DEC1E70"





------=_NextPart_001_000E_01CA497C.9DEC1E70

Content-Type: text/plain;

	charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable



Hi sweetheart! Bring your fake passport and a bathing suit. Address =

attached. love, Ann

------=_NextPart_001_000E_01CA497C.9DEC1E70

Content-Type: text/html;

	charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable



...SNIP...



Hi sweetheart! Bring your fake passport =

and a=20

bathing suit. Address attached. love, Ann



...SNIP...



------=_NextPart_000_000D_01CA497C.9DEC1E70

Content-Type: application/octet-stream;

	name="secretrendezvous.docx"

Content-Transfer-Encoding: base64

Content-Disposition: attachment;

	filename="secretrendezvous.docx"

Wow. So mistersecretx@aol.com IS the email address of Ann's lover. This is the answer to question 3. We also see in her message she instructs them to "bring your fake passport and bathing suit", this is the answer to question 4. Towards the bottom we see an attachment that probably appears later than the lines we grep'd called secretrendezvous.docx which will appear base64 encoding. This is the answer to question 5.

I then returned to wireshark, looking down through the packets I quickly see SMTP traffic with C: DATA fragment which tells us this traffic was broken up into smaller pieces. This is likely to be an email with a large attachment. I right clicked on one of these packets as shown below and clicked on Follow TCP Stream as shown below.

This gives me the following.



220 cia-mc07.mx.aol.com ESMTP mail_cia-mc07.1; Sat, 10 Oct 2009 15:37:56 -0400

EHLO annlaptop

250-cia-mc07.mx.aol.com host-69-140-19-190.static.comcast.net

250-AUTH=LOGIN PLAIN XAOL-UAS-MB 

250-AUTH LOGIN PLAIN XAOL-UAS-MB 

250-STARTTLS

250-CHUNKING

250-BINARYMIME

250-X-AOL-FWD-BY-REF

250-X-AOL-DIV_TAG

250-X-AOL-OUTBOX-COPY

250 HELP

AUTH LOGIN

334 VXNlcm5hbWU6

c25lYWt5ZzMza0Bhb2wuY29t

334 UGFzc3dvcmQ6

NTU4cjAwbHo=

235 AUTHENTICATION SUCCESSFUL

MAIL FROM: <sneakyg33k@aol.com>

250 OK

RCPT TO: <mistersecretx@aol.com>

250 OK

DATA

354 START MAIL INPUT, END WITH "." ON A LINE BY ITSELF

Message-ID: <001101ca49ae$e93e45b0$9f01a8c0@annlaptop>

From: "Ann Dercover" <sneakyg33k@aol.com>

To: <mistersecretx@aol.com>

Subject: rendezvous

Date: Sat, 10 Oct 2009 07:38:10 -0600

MIME-Version: 1.0

Content-Type: multipart/mixed;

.boundary="----=_NextPart_000_000D_01CA497C.9DEC1E70"

X-Priority: 3

X-MSMail-Priority: Normal

X-Mailer: Microsoft Outlook Express 6.00.2900.2180

X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180



This is a multi-part message in MIME format.



------=_NextPart_000_000D_01CA497C.9DEC1E70

Content-Type: multipart/alternative;

.boundary="----=_NextPart_001_000E_01CA497C.9DEC1E70"





------=_NextPart_001_000E_01CA497C.9DEC1E70

Content-Type: text/plain;

.charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable



Hi sweetheart! Bring your fake passport and a bathing suit. Address =

attached. love, Ann

------=_NextPart_001_000E_01CA497C.9DEC1E70

Content-Type: text/html;

.charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable



<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<HTML><HEAD>

<META http-equiv=3DContent-Type content=3D"text/html; =

charset=3Diso-8859-1">

<META content=3D"MSHTML 6.00.2900.2853" name=3DGENERATOR>

<STYLE></STYLE>

</HEAD>

<BODY bgColor=3D#ffffff>

<DIV><FONT face=3DArial size=3D2>Hi sweetheart! Bring your fake passport =

and a=20

bathing suit. Address attached. love, Ann</FONT></DIV></BODY></HTML>



------=_NextPart_001_000E_01CA497C.9DEC1E70--



------=_NextPart_000_000D_01CA497C.9DEC1E70

Content-Type: application/octet-stream;

.name="secretrendezvous.docx"

Content-Transfer-Encoding: base64

Content-Disposition: attachment;

.filename="secretrendezvous.docx"



UEsDBBQABgAIAAAAIQDleUAGfwEAANcFAAATAAgCW0NvbnRlbnRfVHlwZXNdLnhtbCCiBAIooAAC

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC0

VMluwjAQvVfqP0S+VsTQQ1VVBA5dji1S6QcYexKsepNttr/vOEBEKQSpwCVSPH7LPI/dHy61yubg

g7SmIL28SzIw3AppqoJ8jd86jyQLkRnBlDVQkBUEMhzc3vTHKwchQ7QJBZnG6J4oDXwKmoXcOjBY

Ka3XLOKvr6hj/JtVQO+73QfKrYlgYicmDjLov0DJZipmr0tcXjtxpiLZ83pfkiqI1Amf1ulBhAcV

9iDMOSU5i9gbnRux56uz8ZQjst4TptKFOzR+RCFVfnvaFdjgPjBMLwVkI+bjO9PonC6sF1RYPtPY

dd5Oc8CnLUvJocEnNucthxDwlLTKm4pm0mz9H/VhZnoCHpGXN9JQnzQR4kpBuLyDNW+bPIY18tYF

imd3tj6kgRUgOngeDnyU0MzP0fwDxIjpX6P5DXNb+/UoRrymQOtv7+wMapqTkiVe5TGbKDhb78/4

N9QnTSxg8nm19HfI24w088et/0cY2zcroQ9MHa2f5cEPAAAA//8DAFBLAwQUAAYACAAAACEAHpEa

t/MAAABOAgAACwAIAl9yZWxzLy5yZWxzIKIEAiigAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIyS20oDQQyG7wXfYch9N9sKItLZ3kihdyLr

A4SZ7AF3Dsyk2r69oyC6UNte5vTny0/Wm4Ob1DunPAavYVnVoNibYEffa3htt4sHUFnIW5qCZw1H

zrBpbm/WLzyRlKE8jDGrouKzhkEkPiJmM7CjXIXIvlS6kBxJCVOPkcwb9Yyrur7H9FcDmpmm2lkN

aWfvQLXHWDZf1g5dNxp+Cmbv2MuJFcgHYW/ZLmIqbEnGco1qKfUsGmwwzyWdkWKsCjbgaaLV9UT/

X4uOhSwJoQmJz/N8dZwDWl4PdNmiecevOx8hWSwWfXv7Q4OzL2g+AQAA//8DAFBLAwQUAAYACAAA

ACEApOAquCABAAA6BAAAHAAIAXdvcmQvX3JlbHMvZG9jdW1lbnQueG1sLnJlbHMgogQBKKAAAQAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACsk01OwzAQhfdI3MHynjgpUBCq0w1C6hbCAdxkkljE

P7KnQG7PKFKbVJSwycbSvCjvfZ7xbLbfpmOfEKJ2VvIsSTkDW7pK20by9+Ll5pGziMpWqnMWJO8h

8m1+fbV5hU4h/RRb7SMjFxslbxH9kxCxbMGomDgPlr7ULhiFVIZGeFV+qAbEKk3XIkw9eH7myXaV

5GFX3XJW9J6S//d2da1LeHblwYDFCxEiAiLdLJKnCg2g5EclIU4uLiM8LImA1BoY84dSDGc2x7Ba

kiFi39EcxyYM9Vx8tmS8PZg9BJrDSHCS5iDWS0LUzmKh9t1kFidpDuJ+SQhtaBfGLhiotBKDmCWe



...SNIP: not publishing the whole thing, its a bit long. See the whole thing?



JZ2ekPwNAAD//wMAUEsBAi0AFAAGAAgAAAAhAOV5QAZ/AQAA1wUAABMAAAAAAAAAAAAAAAAAAAAA

AFtDb250ZW50X1R5cGVzXS54bWxQSwECLQAUAAYACAAAACEAHpEat/MAAABOAgAACwAAAAAAAAAA

AAAAAAC4AwAAX3JlbHMvLnJlbHNQSwECLQAUAAYACAAAACEApOAquCABAAA6BAAAHAAAAAAAAAAA

AAAAAADcBgAAd29yZC9fcmVscy9kb2N1bWVudC54bWwucmVsc1BLAQItABQABgAIAAAAIQA6Q0kI

FQQAAFgKAAARAAAAAAAAAAAAAAAAAD4JAAB3b3JkL2RvY3VtZW50LnhtbFBLAQItAAoAAAAAAAAA

IQBg7VaATPYCAEz2AgAVAAAAAAAAAAAAAAAAAIINAAB3b3JkL21lZGlhL2ltYWdlMS5wbmdQSwEC

LQAUAAYACAAAACEAlrWt4pYGAABQGwAAFQAAAAAAAAAAAAAAAAABBAMAd29yZC90aGVtZS90aGVt

ZTEueG1sUEsBAi0AFAAGAAgAAAAhAIkUT0qVAwAAcQgAABEAAAAAAAAAAAAAAAAAygoDAHdvcmQv

c2V0dGluZ3MueG1sUEsBAi0AFAAGAAgAAAAhAErYipK7AAAABAEAABQAAAAAAAAAAAAAAAAAjg4D

AHdvcmQvd2ViU2V0dGluZ3MueG1sUEsBAi0AFAAGAAgAAAAhADVKHsm+CgAALFoAAA8AAAAAAAAA

AAAAAAAAew8DAHdvcmQvc3R5bGVzLnhtbFBLAQItABQABgAIAAAAIQCQUuGobwEAANcCAAARAAAA

AAAAAAAAAAAAAGYaAwBkb2NQcm9wcy9jb3JlLnhtbFBLAQItABQABgAIAAAAIQAXVdHWCQQAAMsZ

AAASAAAAAAAAAAAAAAAAAAwdAwB3b3JkL251bWJlcmluZy54bWxQSwECLQAUAAYACAAAACEAu6G5

NXECAACGCAAAEgAAAAAAAAAAAAAAAABFIQMAd29yZC9mb250VGFibGUueG1sUEsBAi0AFAAGAAgA

AAAhAKVR8wbYAQAA2QMAABAAAAAAAAAAAAAAAAAA5iMDAGRvY1Byb3BzL2FwcC54bWxQSwUGAAAA

AA0ADQBEAwAA9CYDAAAA



------=_NextPart_000_000D_01CA497C.9DEC1E70--



.

250 OK

QUIT

221 SERVICE CLOSING CHANNEL

You may or may not realise that parts of the communication are base64 encoded. Lets take a look at some information encoded at the beginning of this communication again.



AUTH LOGIN

334 VXNlcm5hbWU6

c25lYWt5ZzMza0Bhb2wuY29t

334 UGFzc3dvcmQ6

NTU4cjAwbHo=

235 AUTHENTICATION SUCCESSFUL

Here Ann is authenticating with the service. Her responses are shown in red, and as you can see they're a bit cryptic; however, they look like they are encoded in base64. So we run the following two commands.



$ echo "c25lYWt5ZzMza0Bhb2wuY29t" | openssl base64 -d

sneakyg33k@aol.com

$ echo "NTU4cjAwbHo=" | openssl base64 -d

558r00lz

Note: $ is the command prompt, what follows it is the command with output in green.

So we find Ann's email password is 558r00lz. This the answer to question 2.

Next we have a look at the attachment which is base64 encoded. We copy all the blue text above and paste into a file called attachment.b64 and issue the following commands.



$ openssl base64 -d < attachment.b64 > secretrendezvous.docx

$ md5 secretrendezvous.docx

MD5 (secretrendezvous.docx) = 9e423e11db88f01bbff81172839e1923

This decodes the data and outputs to secretrendezvous.docx. We can open the file, verifying it is good and thus the md5 sum of 9e423e11db88f01bbff81172839e1923 is the answer to question 6. When we open the file we see an image like the one below.

This tells us that Ann was off to Playa del Carmen in Mexico. This is the answer to question 7. We only now need to get the md5 sum of the image in the document. This is easy enough as we can just do the following:



$ unzip  secretrendezvous.docx -d attachment

Archive:  out-1.docx

  inflating: attachment/[Content_Types].xml  

  inflating: attachment/_rels/.rels  

  inflating: attachment/word/_rels/document.xml.rels  

  inflating: attachment/word/document.xml  

 extracting: attachment/word/media/image1.png  

  inflating: attachment/word/theme/theme1.xml  

  inflating: attachment/word/settings.xml  

  inflating: attachment/word/webSettings.xml  

  inflating: attachment/word/styles.xml  

  inflating: attachment/docProps/core.xml  

  inflating: attachment/word/numbering.xml  

  inflating: attachment/word/fontTable.xml  

  inflating: attachment/docProps/app.xml

The only image file in there is attachment/word/media/image1.png. Open it up to verify it is the business and then just do



$ md5 attachment/word/media/image1.png  

MD5 (attachment/word/media/image1.png) = aadeace50997b1ba24b09ac2ef1940b7

This is the answer to question 8, and we're finished. That was quick! The answers have been published so you can verify. Now that person has turned up and is dragging me away from my computer so that's all for now.

Analysing the byte entropy of a FAT formatted disk

nospam@example.com (Tariq) — Tue, 27 Jan 2009 21:57:00 -0700

Over at the Honeynet Project they used to run security competitions which were quite a bit of fun. I remembered one in particular which I looked at but hadn't completed. It dealt with the forensic investigation of a floppy disk. I was tinkering with an application to measure byte entropy and thinking of a way that it could be used in a forensic investigation. There is no point using the little application to analyse my terabyte (TB) sized drives so remembering the floppy disk challenge I downloaded the floppy disk image (1.44MB;MD5 = b676147f63923e1f428131d59b1d6a72).
Continue reading "Analysing the byte entropy of a FAT formatted disk"

Gl.ib.ly - Forensics

Ann skips bail. Cue forensics puzzle.

Analysing the byte entropy of a FAT formatted disk