{"id":137,"date":"2015-09-11T13:51:31","date_gmt":"2015-09-11T13:51:31","guid":{"rendered":"http:\/\/gencarelle.com\/blog\/?p=137"},"modified":"2015-09-22T18:28:47","modified_gmt":"2015-09-22T18:28:47","slug":"defcon-23-network-forensics-competition","status":"publish","type":"post","link":"https:\/\/gencarelle.com\/blog\/2015\/09\/11\/defcon-23-network-forensics-competition\/","title":{"rendered":"DEFCON 23 Network Forensics Competition"},"content":{"rendered":"<h1 style=\"text-align: center;\">DEFCON 23 Network Forensics Competition<\/h1>\n<p>This year marked our fourth year participating in the Network Forensics Competition and the fourth year of placing within the top three teams to finish. Similar to previous years, the competition consisted of six rounds plus one impossible-to-solve bonus round. Rounds five and six proved to be especially challenging this year due to the complexity of the rounds and two major mistakes that were made when round six was created. Only three teams completed all six rounds in the allotted time.<\/p>\n<p>Our team (Blue Squirrel) consisted of four IBM employees and two from Sqrrl. This was the first year that we\u2019ve partnered with another company.<\/p>\n<p>IBM team members:<br \/>\nDarshan Gencarelle<br \/>\nAndrey Iesiev<br \/>\nRory Bray<br \/>\nYevgen Chernov<\/p>\n<p>Sqrrl team members:<br \/>\nAdam Fuchs<br \/>\nChris McCubbin<\/p>\n<blockquote class=\"twitter-tweet\" width=\"550\">\n<p lang=\"en\" dir=\"ltr\">World\u2019s most notorious hackers reveal their tricks at DEF CON hacking conference. 
<a href=\"https:\/\/twitter.com\/jeffrossen\">@jeffrossen<\/a> reports now <a href=\"http:\/\/t.co\/Y2QNMgtNaR\">pic.twitter.com\/Y2QNMgtNaR<\/a><\/p>\n<p>&mdash; NBC Nightly News (@NBCNightlyNews) <a href=\"https:\/\/twitter.com\/NBCNightlyNews\/status\/630873219529109505\">August 10, 2015<\/a><\/p><\/blockquote>\n<p class=\"TextBody\" style=\"text-align: center;\" align=\"center\">Final Team Ranking<span class=\"Heading1Char\"><span style=\"font-size: 16.0pt; line-height: 120%;\"><br \/>\n<a href=\"https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/top-10-teams.png\"><img loading=\"lazy\" class=\"size-medium wp-image-158\" src=\"https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/top-10-teams-300x153.png\" alt=\"top 10 teams\" width=\"300\" height=\"153\" srcset=\"https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/top-10-teams-300x153.png 300w, https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/top-10-teams-500x256.png 500w, https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/top-10-teams.png 790w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/span><\/span><\/p>\n<h1 style=\"text-align: center;\">DEFCON Files<\/h1>\n<p style=\"text-align: left;\">I&#8217;ve created a zip file with the original DEFCON pcaps and all the extracted files for all the rounds. 
You can download the zip from here:<br \/>\n<a href=\"http:\/\/gencarelle.com\/public_files\/Defcon2015\/defcon_2015.zip\" target=\"_blank\">http:\/\/gencarelle.com\/public_files\/Defcon2015\/defcon_2015.zip<\/a><\/p>\n<h1 style=\"text-align: center;\">Round 1<\/h1>\n<p>Truecrypt password: WhcFDjEQm9<br \/>\nAnswer: Dimitri Bogomolovo<br \/>\nTools used: Forensics, text editor, ROT13 decrypt (<a href=\"http:\/\/www.rot13.com\/\">http:\/\/www.rot13.com\/<\/a>)<\/p>\n<p style=\"padding-left: 30px;\">The attendees at this year&#8217;s DEFCON have noticed something strange. There is a man walking around screaming about how aliens have contacted him. If anyone actually stops and listens to him, he claims he can prove it because he captures his network traffic every night. Figure out who he is so we can look deeper into this.<\/p>\n<p style=\"padding-left: 30px;\">What is the first and last name of the crazed patron?<\/p>\n<p>After importing the pcap into Forensics the first step is to eliminate non-relevant documents. Open the Filters window and expand ApplicationProtocol. Looking at the list of protocols in this pcap the most likely documents that will contain what we are looking for are IRC, ymsg, and unknown. 
Add these to the include filter.<\/p>\n<p class=\"TextBody\" style=\"text-align: center;\" align=\"center\"><span class=\"Heading1Char\"><span style=\"font-size: 16.0pt; line-height: 120%;\"><a href=\"https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-1-1.png\"><img loading=\"lazy\" class=\"aligncenter size-medium wp-image-138\" src=\"https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-1-1-300x280.png\" alt=\"round 1 1\" width=\"300\" height=\"280\" srcset=\"https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-1-1-300x280.png 300w, https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-1-1-321x300.png 321w, https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-1-1.png 787w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/span><\/span><\/p>\n<p>Scanning down the Content field in the search results there is an \u201cUnknown Session\u201d document that looks interesting.<\/p>\n<p><a href=\"https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-1-2.png\"><img loading=\"lazy\" class=\"aligncenter wp-image-139\" src=\"https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-1-2-300x174.png\" alt=\"round 1 2\" width=\"379\" height=\"225\" \/><\/a><\/p>\n<p>Click on the document to open. This appears to be some sort of chat. 
The only lines we are concerned with are the ones that begin with PRIVMSG.<\/p>\n<p><a href=\"https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-1-3.png\"><img loading=\"lazy\" class=\"aligncenter wp-image-140\" src=\"https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-1-3-300x195.png\" alt=\"round 1 3\" width=\"362\" height=\"240\" \/><\/a><\/p>\n<p>Encrypted message:<br \/>\nPRIVMSG #meeh whfg urer jurer Nffhzvat svaq<br \/>\nPRIVMSG #meeh guvf zrff.<br \/>\nPRIVMSG #meeh obbgu cvpxvat pbagrfg whfg zrrg urer.<br \/>\nPRIVMSG #meeh gung gung pbaivaprq gung<br \/>\nPRIVMSG #meeh :nyvraf unir pbagnpgrq<br \/>\nPRIVMSG #meeh :Lrnu jvgu nyvra phgbhg fpernzvat. xvaq uneq zvff.<br \/>\nPRIVMSG #meeh zrna oryvrir nyvraf orpnhfr ernyyl yvxryl<br \/>\nPRIVMSG #meeh gung gurer ryfr gurer.<br \/>\nPRIVMSG #meeh nterr guvax gurl jnagrq pbagnpg gurl jbhyq pbagnpg fbzr penml<br \/>\nPRIVMSG #meeh xabj gung fubj nobhg nyvraf<br \/>\nPRIVMSG #meeh sbetrg jung punaary<br \/>\nPRIVMSG #meeh zrna Qvzvgev Obtbzbybib. Whfg orpnhfr qbra&#8217;g zrna yrff penml.<br \/>\nPRIVMSG #meeh argjbex npgvivgl pncgherq tvivat tenoorq orpnhfr yvggyr phevbhf. Rirelbar gnyxvat nobhg<br \/>\nPRIVMSG #meeh :Pbagrfg svefg ybbx yngre.<br \/>\nPRIVMSG #meeh :Njrfbzr fbba.<\/p>\n<p>ROT13 decrypted message:<br \/>\nCEVIZFT #zrru just here where Assuming find<br \/>\nCEVIZFT #zrru this mess.<br \/>\nCEVIZFT #zrru booth picking contest just meet here.<br \/>\nCEVIZFT #zrru that that convinced that<br \/>\nCEVIZFT #zrru :aliens have contacted<br \/>\nCEVIZFT #zrru :Yeah with alien cutout screaming. kind hard miss.<br \/>\nCEVIZFT #zrru mean believe aliens because really likely<br \/>\nCEVIZFT #zrru that there else there.<br \/>\nCEVIZFT #zrru agree think they wanted contact they would contact some crazy<br \/>\nCEVIZFT #zrru know that show about aliens<br \/>\nCEVIZFT #zrru forget what channel<br \/>\nCEVIZFT #zrru mean <strong>Dimitri Bogomolovo<\/strong>. 
Just because doen&#8217;t mean less crazy.<br \/>\nCEVIZFT #zrru network activity captured giving grabbed because little curious. Everyone talking about<br \/>\nCEVIZFT #zrru :Contest first look later.<br \/>\nCEVIZFT #zrru :Awesome soon.<\/p>\n<h1 style=\"text-align: center;\">Round 2<\/h1>\n<p>Truecrypt password: 4TWSDjtAeb<br \/>\nAnswer: 19bebeab4457def688c9520b28464157<br \/>\nTools used: volatility, md5sum<\/p>\n<p style=\"padding-left: 30px;\">During the investigation into the truth behind Dimitri&#8217;s statement, an image of his RAM was captured. We are trying to figure out if this is all in his head or not. Can you figure out what he has been up to lately?<\/p>\n<p style=\"padding-left: 30px;\">1. What is the MD5 sum of Dimitri&#8217;s research file?<\/p>\n<p>In this round we are investigating a memory dump. There\u2019s lots of interesting and important stuff in the dump\u2026 always keep an eye out for solutions required in later rounds. Unfortunately there is also a lot of garbage that can lead you down the wrong path. I\u2019ve listed the commands that proved to be useful.<\/p>\n<p>volatility -f Round2.mem clipboard<br \/>\n&#8211; Extract the contents of the Windows clipboard<\/p>\n<p>Nothing all that interesting for this round, but it does include a hint for a later round.<\/p>\n<p>volatility -f Round2.mem pslist<br \/>\n&#8211; Print all running processes by following the EPROCESS lists<\/p>\n<p>Looking at the running processes we can see there are multiple notepads and one wordpad running. The text the user was typing is of interest.<\/p>\n<p>volatility -f Round2.mem notepad<br \/>\n&#8211; List currently displayed notepad text<\/p>\n<p>There are three files of interest: a file that seems to contain some sort of key, and a gpg private key split into two files. The gpg key parts are for the same key, so they can be reassembled into a single file. 
Not what we are looking for this round, but useful in later rounds.<\/p>\n<p>volatility -f Round2.mem cmdscan<br \/>\n&#8211; Extract command history by scanning for _COMMAND_HISTORY<\/p>\n<p>The command history is a hint to put the two parts of the gpg key into a single file.<\/p>\n<p>volatility -f Round2.mem iehistory<br \/>\n&#8211; Reconstruct Internet Explorer cache \/ history<\/p>\n<p>Not much interesting here, with one exception. One file has a name that is an md5 hash.<\/p>\n<p>volatility -f Round2.mem --dump-dir dumpdir memdump<br \/>\n&#8211; Dump the addressable memory for a process<\/p>\n<p>This command will give us the text typed into the wordpad application. The first thing to do is dump the memory of the running processes.<\/p>\n<p>We know from the output of the pslist command that wordpad is process 1944, so we look for the 1944.dmp file. Dump all the strings from the binary file.<\/p>\n<p>strings 1944.dmp &gt; 1944.dmp.strings<\/p>\n<p>Open the 1944.dmp.strings file and search down the file and you will find this text:<\/p>\n<p>This is my research.<br \/>\nI believe that I have a newly implanted chip in my head.<br \/>\nThe doctors scanned me and said there was nothing there.<br \/>\nI think they&#8217;re lying.<\/p>\n<p>Save it to a text file named research.txt and hash it. Make sure you capture all the text exactly: it has Linux line endings (LF), and no trailing newline after the last line of text.<\/p>\n<p>md5sum research.txt<br \/>\n<strong>19bebeab4457def688c9520b28464157\u00a0 research.txt<\/strong><\/p>\n<p>This hash matches the one oddball filename in the IE cache file. 
This is the hash we are looking for.<\/p>\n<p>I\u2019ve included the output from the other commands below:<\/p>\n<p>volatility -f Round2.mem pslist<br \/>\nVolatility Foundation Volatility Framework 2.4<br \/>\nOffset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit<br \/>\n\u2026<br \/>\n0x861fb8d0 notepad.exe 2320 1840 1 37 0 0 2015-07-14 18:52:00 UTC+0000<br \/>\n0x85fa3020 notepad.exe 2376 1840 1 37 0 0 2015-07-14 18:52:02 UTC+0000<br \/>\n0x85ea4700 notepad.exe 2432 1840 1 37 0 0 2015-07-14 18:52:05 UTC+0000<br \/>\n0x86009a30 wordpad.exe 1944 1840 4 100 0 0 2015-07-14 18:53:31 UTC+0000<br \/>\n\u2026<\/p>\n<p>volatility -f Round2.mem cmdscan<br \/>\nVolatility Foundation Volatility Framework 2.4<br \/>\n**************************************************<br \/>\nCommandProcess: csrss.exe Pid: 616<br \/>\nCommandHistory: 0x12386f8 Application: cmd.exe Flags: Allocated, Reset<br \/>\nCommandCount: 5 LastAdded: 4 LastDisplayed: 4<br \/>\nFirstCommand: 0 CommandCountMax: 50<br \/>\nProcessHandle: 0x758<br \/>\nCmd #0 @ 0x12447f0: SUPER_DUPER_SECRET1.txt + SUPER_DUPER_SECRET2.txt &gt; The_Key<br \/>\nCmd #1 @ 0x12448f0: I have hidden my research<br \/>\nCmd #2 @ 0x1244930: I hope the aliens don&#8217;t figure out I am on to them<br \/>\nCmd #3 @ 0x12449a0: I am sure they implanted something in me to monitor me<br \/>\nCmd #4 @ 0x1244a18: if you are human, good luck the world is counting on you<\/p>\n<p>volatility -f Round2.mem iehistory<br \/>\nVolatility Foundation Volatility Framework 2.4<br \/>\n**************************************************<br \/>\nProcess: 1840 explorer.exe<br \/>\nCache type &#8220;URL 
&#8221; at 0x18a6800<br \/>\nRecord length: 0x100<br \/>\nLocation: Visited:<br \/>\n\u2026<br \/>\nQueen_Elizabeth@file:\/\/\/C:\/Documents%20and%20Settings\/Queen_Elizabeth\/Desktop\/19bebeab4457def688c9520b28464157.txt<br \/>\n\u2026<\/p>\n<p>Last modified: 2015-07-08 16:24:46 UTC+0000<br \/>\nLast accessed: 2015-07-08 16:24:46 UTC+0000<br \/>\nFile Offset: 0x100, Data Offset: 0x0, Data Length: 0xe4<\/p>\n<p>volatility -f Round2.mem notepad<br \/>\nVolatility Foundation Volatility Framework 2.4<br \/>\nProcess: 2320<br \/>\nText:<\/p>\n<p>Text:<br \/>\nOpen: 3,9<br \/>\nClosed: 4<br \/>\nOpen: 25,1,22<br \/>\nClosed: 9,12,19,21<br \/>\nOpen: 11,18<br \/>\nClosed: 2<br \/>\nOpen: 10,16<br \/>\nClosed: 13<\/p>\n<p>Process: 2376<br \/>\nText:<br \/>\nText:<br \/>\n&#8212;&#8211;END PGP PRIVATE KEY BLOCK&#8212;&#8211;<\/p>\n<p>Process: 2432<br \/>\nText:<br \/>\nText:<br \/>\n&#8212;&#8211;BEGIN PGP PRIVATE KEY BLOCK&#8212;&#8211;<br \/>\nVersion: GnuPG\/MacGPG2 v2<\/p>\n<p>volatility -f Round2.mem clipboard<br \/>\nVolatility Foundation Volatility Framework 2.4<br \/>\nSession WindowStation Format Handle Object Data<br \/>\n0 WinSta0 CF_UNICODETEXT 0x2a003f 0xe294d738 acturians first contact with stegosauruses<br \/>\n0 WinSta0 CF_LOCALE 0x60105 0xe274b4e0<br \/>\n0 WinSta0 
CF_TEXT 0x1 &#8212;&#8212;&#8212;-<br \/>\n0 WinSta0 CF_OEMTEXT 0x1 &#8212;&#8212;&#8212;-<\/p>\n<p>&nbsp;<\/p>\n<h1 style=\"text-align: center;\">Round 3<\/h1>\n<p>Truecrypt password: jHfk4ykZBC<br \/>\nAnswer: precious<br \/>\nTools used: Forensics, text editor, Wireshark, Foremost, Audacity<\/p>\n<p style=\"padding-left: 30px;\">Dimitri claims that he captures his traffic every day just in case he is ever contacted. This time it may have finally paid off! He believes he has actually been contacted by an alien race. Can you confirm if this is true?<\/p>\n<p style=\"padding-left: 30px;\">1. What word was used to describe the Earth?<\/p>\n<p>After importing the pcap into Forensics, eliminate non-relevant documents. Open the Filters window and expand ApplicationProtocol. Looking at the list of protocols in this pcap, the most likely documents are the ones containing Yahoo and unknown. Add them to the include filter.<\/p>\n<p>Doing a quick scan of the Content field you will see there is a chat message similar to the first round. After cleaning up the text this is the conversation:<\/p>\n<p>PRIVMSG #messages will never believe what happened just received strangest message.<br \/>\nPRIVMSG #messages :Yeah what even talking about?<br \/>\nPRIVMSG #messages :Check<br \/>\nPRIVMSG #messages :Yeah what this just noise. Weird just noise.<br \/>\nPRIVMSG #messages message from someone something.<br \/>\nPRIVMSG #messages nuts<br \/>\nPRIVMSG #messages what<br \/>\nPRIVMSG #messages :Because aliens<\/p>\n<p>Time to find the audio file mentioned in the chat. A search for Filename:*mp3 produces no hits. Maybe just searching for mp3 will find something? The two documents are Yahoo Chat and contain the text blank.mp3. 
From this we know there was probably an mp3 file transferred that Forensics was not able to extract. We will need to dig a bit deeper using Wireshark, but first let\u2019s narrow down what we need to investigate to just the two client IP addresses of the chat session.<\/p>\n<p>PRIVMSG AND IPAddress:*<\/p>\n<p>Looking at the IPAddress column we can see both the server and client IP addresses of the chat conversation. We want just the private client addresses, 192.168.1.106 and 192.168.1.112.<\/p>\n<p><a href=\"https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-3-1.png\"><img loading=\"lazy\" class=\"aligncenter size-medium wp-image-141\" src=\"https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-3-1-300x79.png\" alt=\"round 3 1\" width=\"300\" height=\"79\" srcset=\"https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-3-1-300x79.png 300w, https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-3-1-1024x269.png 1024w, https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-3-1-500x131.png 500w, https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-3-1.png 1407w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>Load the pcap into Wireshark and filter on the first IP address:<\/p>\n<p><a href=\"https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-3-2.png\"><img loading=\"lazy\" class=\"aligncenter size-medium wp-image-142\" src=\"https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-3-2-300x28.png\" alt=\"round 3 2\" width=\"300\" height=\"28\" srcset=\"https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-3-2-300x28.png 300w, https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-3-2-500x47.png 500w, https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-3-2.png 641w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>If you scroll down a bit there is a YMSG protocol packet that\u2019s 
a \u201cFile Transfer Accept\u201d which is very promising. Select the next packet (on port 80), right-click, and then select Follow TCP Stream.<\/p>\n<p><a href=\"https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-3-3.png\"><img loading=\"lazy\" class=\"aligncenter wp-image-143\" src=\"https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-3-3-300x130.png\" alt=\"round 3 3\" width=\"345\" height=\"157\" \/><\/a><\/p>\n<p>We only want the data from the client to the server. Select the 192.168.1.112:1368 -&gt; 66.196.120.71:80 traffic from the drop down, select Raw, and then Save As. Save the file as blank.mp3.<\/p>\n<p><a href=\"https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-3-4.png\"><img loading=\"lazy\" class=\"aligncenter wp-image-144\" src=\"https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-3-4-300x69.png\" alt=\"round 3 4\" width=\"362\" height=\"94\" \/><\/a><\/p>\n<p>If you listen to the file in Audacity all you will hear is static. This is expected based on the chat message. The next step is to see if there is anything hidden in the audio file using foremost.<\/p>\n<p>foremost blank.mp3<\/p>\n<p>Foremost will find two mp4 files, 00000465.mp4 and 00001182.mp4. If you listen to them, the audio is reversed. Audacity has an option under the Effect menu to reverse the audio. 
The 00001182.mp4 file has the answer.<\/p>\n<p><a href=\"https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-3-5.png\"><img loading=\"lazy\" class=\"aligncenter size-medium wp-image-145\" src=\"https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-3-5-300x163.png\" alt=\"round 3 5\" width=\"300\" height=\"163\" srcset=\"https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-3-5-300x163.png 300w, https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-3-5-1024x558.png 1024w, https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-3-5-500x272.png 500w, https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-3-5.png 1195w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<h1 style=\"text-align: center;\">Round 4<\/h1>\n<p>Truecrypt password: 86BNnSn7Jp<br \/>\nAnswer: Arcturians<br \/>\nTools used: Forensics<\/p>\n<p style=\"padding-left: 30px;\">It turns out Dimitri isn&#8217;t as crazy as we thought! As we discovered, the aliens did in fact contact him. Time is of the essence, can you help figure out who is behind all of this?<\/p>\n<p style=\"padding-left: 30px;\">1. What alien race contacted him?<\/p>\n<p>After importing the pcap into Forensics the first step is to eliminate non-relevant documents. Open the Filters window and expand ApplicationProtocol. Looking at the list of protocols in this pcap, http and unknown are where we will find the answer. Add them to the include filter.<\/p>\n<p>A few simple searches reveal there are no chats and nothing with alien, race, or Dimitri in it. Let\u2019s take a look at the images. Search for ApplicationProtocol:http, change the grid size to 1000, select all documents, and then click the Image Analysis button.<\/p>\n<p>The first thing to notice is there are a lot of single-letter images. Let\u2019s see if we can filter out some of the non-letter images. 
Right click on one of the letter images and select Display Document.<\/p>\n<p><a href=\"https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-4-1.png\"><img loading=\"lazy\" class=\"aligncenter size-medium wp-image-146\" src=\"https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-4-1-300x222.png\" alt=\"round 4 1\" width=\"300\" height=\"222\" srcset=\"https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-4-1-300x222.png 300w, https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-4-1-1024x757.png 1024w, https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-4-1-406x300.png 406w, https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-4-1.png 1046w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>Under the Attributes tab right click on the host and select Search for. Close the document window and go back to the search grid.<\/p>\n<p><a href=\"https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-4-2.png\"><img loading=\"lazy\" class=\"aligncenter wp-image-147\" src=\"https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-4-2-300x63.png\" alt=\"round 4 2\" width=\"341\" height=\"82\" \/><\/a><\/p>\n<p>Select all documents, and then click the Image Analysis button. We can see there are enough letters to spell a word but they appear to be all jumbled. Let\u2019s see if they spell something if put in time order. This can be done in the surveyor. 
Close the Image Analysis popup.<\/p>\n<p><a href=\"https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-4-31.png\"><img loading=\"lazy\" class=\"aligncenter size-medium wp-image-161\" src=\"https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-4-31-300x124.png\" alt=\"round 4 3\" width=\"300\" height=\"124\" srcset=\"https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-4-31-300x124.png 300w, https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-4-31-1024x424.png 1024w, https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-4-31-500x207.png 500w, https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-4-31.png 1368w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>Select all documents and then click on the surveyor button. Once in the surveyor, change the Relevancy to 5 \u2013 Least Relevant.<\/p>\n<p><a href=\"https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-4-4.png\"><img loading=\"lazy\" class=\"aligncenter size-medium wp-image-149\" src=\"https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-4-4-300x126.png\" alt=\"round 4 4\" width=\"300\" height=\"126\" srcset=\"https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-4-4-300x126.png 300w, https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-4-4-500x210.png 500w, https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-4-4.png 783w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>Clicking through the documents in time order and removing the duplicates, you will find the letters spell <strong>arcturians<\/strong>.<\/p>\n<p><a href=\"https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-4-5.jpg\"><img loading=\"lazy\" class=\"aligncenter size-medium wp-image-150\" src=\"https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-4-5-238x300.jpg\" alt=\"round 4 5\" width=\"238\" height=\"300\" 
srcset=\"https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-4-5-238x300.jpg 238w, https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-4-5.jpg 402w\" sizes=\"(max-width: 238px) 100vw, 238px\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<h1 style=\"text-align: center;\">Round 5<\/h1>\n<p>Truecrypt password: djawp7Tw6W<br \/>\nAnswer: Mega Death Ray 5102<br \/>\nTools used: Aircrack, Wireshark, Forensics, Google<\/p>\n<p style=\"padding-left: 30px;\">Word has spread about our confirmed alien contact and now everyone is trying to find them! A NASA scientist has even intercepted some traffic that looks rather suspicious. The only problem is we are unable to read it. Can you help us figure out what kind of traffic the scientist collected?<\/p>\n<p style=\"padding-left: 30px;\">1. What technological instrument are they going to use to destroy the Earth?<\/p>\n<p>Processing this pcap in Forensics produces 0 documents, which is never a good sign. Opening it in Wireshark you will see it\u2019s all WPA-encrypted 802.11 traffic. Wireshark can decrypt WPA traffic, but we need the password.<\/p>\n<p><a href=\"https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-5-1.png\"><img loading=\"lazy\" class=\"aligncenter wp-image-151\" src=\"https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-5-1-300x96.png\" alt=\"round 5 1\" width=\"344\" height=\"119\" \/><\/a><\/p>\n<p>In previous years it was made clear that brute-force password cracking should not be used, as the passwords were very long and very random. Past rules apparently no longer apply, as it\u2019s the only way to find the WPA password for this round. The password is in the rockyou.txt password file. 
Here is the command to run the crack:<\/p>\n<p>aircrack-ng -w rockyou.txt Round5.pcap<\/p>\n<p><a href=\"https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-5-2.png\"><img loading=\"lazy\" class=\"aligncenter size-medium wp-image-152\" src=\"https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-5-2-300x156.png\" alt=\"round 5 2\" width=\"300\" height=\"156\" srcset=\"https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-5-2-300x156.png 300w, https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-5-2-500x260.png 500w, https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-5-2.png 647w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>The password to decrypt the WPA traffic is \u201ccosmocat\u201d.<\/p>\n<p>Using Wireshark you can now unencrypted the pcap with the password and save a new unencrypted pcap file. We can now use the unencrypted pcap in Forensics.<\/p>\n<p><a href=\"https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-5-3.png\"><img loading=\"lazy\" class=\"aligncenter wp-image-153\" src=\"https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-5-3-300x156.png\" alt=\"round 5 3\" width=\"362\" height=\"195\" \/><\/a><\/p>\n<p>After importing the unencrypted pcap into Forensics we should again eliminate non-relevant documents. Open the Filters window and expand ApplicationProtocol. Similar to previous rounds we want only the IRC and unknown documents. Add them to the include filter. Scrolling over the results while looking at the Content column the first interesting document is an IRC chat with a PRIVMSG. 
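<\/p>
<p>What aircrack-ng does with each rockyou.txt entry, as an added example (my code, not the post&#8217;s and not the aircrack-ng project&#8217;s): derive the PMK from the candidate and the SSID with PBKDF2-HMAC-SHA1, expand it to the PTK using the two MAC addresses and nonces from the handshake, and check whether the resulting KCK reproduces the MIC on EAPOL-Key message 2. The handshake it runs against is constructed inside the script, so the SSID, MAC addresses and nonces are assumptions (the post does not print them); only the passphrase cosmocat is the round&#8217;s.<\/p>

```python
"""WPA2-PSK passphrase check: the test aircrack-ng runs for every wordlist entry.

Added example, not code from the original post or from aircrack-ng. The four-way
handshake is constructed below (SSID, MAC addresses and nonces are assumptions;
the post does not print them) so the file runs offline; only the passphrase
"cosmocat" and the rockyou-style wordlist come from the round. Standard library only.
"""
import hashlib
import hmac
from typing import Iterable, Optional

MIC_OFFSET = 81   # 4-byte 802.1X header + 77 bytes of EAPOL-Key fields before the MIC
MIC_LEN = 16


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PRF-512(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(AN,SN)||max(AN,SN)).

    64 bytes covers both the 48-byte CCMP and the 64-byte TKIP PTK; the KCK is the first 16.
    """
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def eapol_mic(kck: bytes, eapol: bytes, version: int) -> bytes:
    """MIC over the EAPOL-Key frame with its MIC field zeroed: v1 (TKIP) HMAC-MD5, v2 (CCMP) HMAC-SHA1/128."""
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * MIC_LEN + eapol[MIC_OFFSET + MIC_LEN:]
    if version == 1:
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]


def verify_candidate(passphrase: str, hs: dict) -> bool:
    """True if the candidate reproduces the MIC captured on message 2 of the handshake."""
    pmk = derive_pmk(passphrase, hs["ssid"])
    kck = derive_ptk(pmk, hs["aa"], hs["spa"], hs["anonce"], hs["snonce"])[:16]
    captured = hs["eapol2"][MIC_OFFSET:MIC_OFFSET + MIC_LEN]
    return hmac.compare_digest(eapol_mic(kck, hs["eapol2"], hs["version"]), captured)


def crack(hs: dict, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack: one PBKDF2 derivation (4096 HMAC-SHA1 rounds) per candidate."""
    for word in wordlist:
        word = word.rstrip("\r\n")
        if verify_candidate(word, hs):
            return word
    return None


def build_eapol_msg2(snonce: bytes, version: int = 2) -> bytes:
    """Constructed EAPOL-Key message 2 (Key Type=Pairwise, Key MIC bit set), MIC field zeroed."""
    key_info = 0x0100 | 0x0008 | version          # Key MIC | Pairwise | descriptor version
    body = (bytes([2])                            # descriptor type 2 = RSN
            + key_info.to_bytes(2, "big") + (16).to_bytes(2, "big") + (1).to_bytes(8, "big")
            + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8   # nonce, IV, RSC, ID
            + b"\x00" * MIC_LEN + (0).to_bytes(2, "big"))        # MIC, key data length
    return bytes([1, 3]) + len(body).to_bytes(2, "big") + body  # 802.1X v1, type EAPOL-Key


def constructed_handshake(passphrase: str = "cosmocat", ssid: str = "Mothership") -> dict:
    """Stand-in for the Round 5 capture; everything except the passphrase is made up."""
    aa, spa = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    anonce, snonce = hashlib.sha256(b"anonce").digest(), hashlib.sha256(b"snonce").digest()
    kck = derive_ptk(derive_pmk(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    eapol2 = build_eapol_msg2(snonce)
    mic = eapol_mic(kck, eapol2, 2)
    eapol2 = eapol2[:MIC_OFFSET] + mic + eapol2[MIC_OFFSET + MIC_LEN:]
    return {"ssid": ssid, "aa": aa, "spa": spa, "anonce": anonce, "snonce": snonce,
            "eapol2": eapol2, "version": 2}


if __name__ == "__main__":
    hs = constructed_handshake()
    print(crack(hs, ["123456", "password", "cosmocat", "iloveyou"]))  # cosmocat
```

<p>Running the file prints cosmocat. The PBKDF2 step is the entire cost of the attack, 4096 HMAC-SHA1 iterations per candidate, which is why a CPU run manages only thousands of guesses per second and why a passphrase that is not in the wordlist is never found. Without the EAPOL frames there is nothing to compare against, so confirm the capture holds a complete handshake before spending time on a wordlist.<\/p>
<p>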
Click on this document to open.<\/p>\n<p>This chat has what we are looking for but it\u2019s been encrypted in some way.<\/p>\n<p>No Avatar Mon, 02:55 pm\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : PRIVMSG #Mothership :These humans are so dumb they will never figure out all the clues.<br \/>\nNo Avatar Mon, 02:55 pm\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 vork: :vork!~bryan@162.219.72.250 PRIVMSG #Mothership :I know as time ticks down to the earth&#8217;s destruction I grow happier.<br \/>\nNo Avatar Mon, 02:56 pm\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : PRIVMSG #Mothership :You seem particularly happy about it. Any reason why?<br \/>\nNo Avatar Mon, 02:56 pm\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 vork: :vork!~bryan@162.219.72.250 PRIVMSG #Mothership :Of course we just finished a new weapon of massive planetary distruction.<br \/>\nNo Avatar Mon, 02:56 pm\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 vork: :vork!~bryan@162.219.72.250 PRIVMSG #Mothership :Destruction*<br \/>\nNo Avatar Mon, 02:56 pm\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : PRIVMSG #Mothership :I didn&#8217;t think that was finished. 
What&#8217;s it called again.<br \/>\nNo Avatar Mon, 02:57 pm\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 vork: :vork!~bryan@162.219.72.250 PRIVMSG #Mothership :Oh yes it&#8217;s finished and we are going to try it out on earth first.<br \/>\nNo Avatar Mon, 02:57 pm\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 vork: :vork!~bryan@162.219.72.250 PRIVMSG #Mothership :fde5020a5a97322bf5a7aee8174abbd8<br \/>\nNo Avatar Mon, 02:57 pm\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 vork: :vork!~bryan@162.219.72.250 PRIVMSG #Mothership :d8c7d877ba6139c4872450e3847613a50c79f4e2<br \/>\nNo Avatar Mon, 02:57 pm\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 vork: :vork!~bryan@162.219.72.250 PRIVMSG #Mothership :9406e3c325bfc9873426e5eda4ba6e18<br \/>\nNo Avatar Mon, 02:57 pm\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 vork: :vork!~bryan@162.219.72.250 PRIVMSG #Mothership :0519a3b8d19f6d01501da1960c19385b5e938f86<br \/>\nNo Avatar Mon, 02:57 pm\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 vork: :vork!~bryan@162.219.72.250 PRIVMSG #Mothership :I think it sounds powerful.<br \/>\nNo Avatar Mon, 02:58 pm\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : PRIVMSG #Mothership :Yeah I would agree.<br \/>\nNo Avatar Mon, 02:58 pm\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : PRIVMSG #Mothership :Have fun working on it. I wish I was assigned there.<br \/>\nNo Avatar Mon, 02:59 pm\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 vork: :vork!~bryan@162.219.72.250 PRIVMSG #Mothership :Well it is pretty awesome. But no rest for us. Talk to you later.<\/p>\n<p>The encryption looks like an MD5 hash. 
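<\/p>
<p>The same values can be classified and attacked offline, as an added example (my code, not the post&#8217;s): the hex length picks the algorithms to try (32 digits for MD5, 40 for SHA-1), and from there it is a dictionary attack with one hash call per guess, far cheaper than the WPA crack because these digests are unsalted single rounds. CHAT_DIGESTS are the four values from the chat above; WORDLIST is constructed here, where a real run would stream rockyou.txt.<\/p>

```python
"""Identify unsalted digests by length and recover them with a wordlist.

Added example, not code from the original post. CHAT_DIGESTS are the four values
from the IRC chat above; WORDLIST is constructed here (a real run would stream
rockyou.txt). This is the offline equivalent of the post's Google lookups, which
work only because the digests are unsalted hashes of short, common strings.
"""
import hashlib
from typing import Dict, Iterable, List, Optional

# hex length -> algorithms to try; length alone cannot tell MD5 from MD4 or NTLM.
BY_LENGTH: Dict[int, List[str]] = {32: ["md5", "md4"], 40: ["sha1"], 64: ["sha256"], 128: ["sha512"]}

CHAT_DIGESTS = [
    "fde5020a5a97322bf5a7aee8174abbd8",           # 32 hex digits
    "d8c7d877ba6139c4872450e3847613a50c79f4e2",   # 40 hex digits
    "9406e3c325bfc9873426e5eda4ba6e18",
    "0519a3b8d19f6d01501da1960c19385b5e938f86",
]
# Constructed wordlist; the four recovered words are the ones the post found by Googling.
WORDLIST = ["123456", "password", "alien", "Mega", "Death", "Ray", "5102", "mothership"]


def identify(digest: str) -> List[str]:
    """Candidate algorithms for a hex digest, [] if it is not hex or has an unknown length."""
    d = digest.strip().lower()
    if not d or any(c not in "0123456789abcdef" for c in d):
        return []
    return BY_LENGTH.get(len(d), [])


def crack_all(digests: Iterable[str], wordlist: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each digest to the first wordlist entry that hashes to it (None if not found)."""
    targets: Dict[str, Optional[str]] = {d.lower(): None for d in digests}
    algos = sorted({a for d in targets for a in identify(d)})
    for word in wordlist:
        word = word.rstrip("\r\n")
        for algo in algos:
            try:
                h = hashlib.new(algo, word.encode()).hexdigest()
            except ValueError:  # e.g. md4 missing from the OpenSSL build
                continue
            if targets.get(h, "") is None:
                targets[h] = word
        if all(v is not None for v in targets.values()):
            break  # stop early once everything is recovered
    return targets


def decode_message(digests: List[str], wordlist: Iterable[str]) -> str:
    """Join the recovered words in chat order; unrecovered ones stay as '?'."""
    found = crack_all(digests, wordlist)
    return " ".join(found[d.lower()] or "?" for d in digests)


if __name__ == "__main__":
    print(decode_message(CHAT_DIGESTS, WORDLIST))
```

<p>The early exit and the per-length algorithm list are what keep this cheap on a big wordlist; the lesson for defenders is the inverse, that any secret stored as a bare MD5 or SHA-1 of a short string is one lookup away from plaintext.<\/p>
<p>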
Googling the first value confirms it is a known MD5 digest. The second and fourth values are 40 hex digits, which is SHA-1 length rather than MD5, but the lookup works the same way. Strictly these are hashes, not encryption: there is no key to recover, and the only way back to the plaintext is to guess or look up the preimage, which succeeds here only because the hidden words are short, common and unsalted.<\/p>\n<p><a href=\"https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-5-41.png\"><img loading=\"lazy\" class=\"aligncenter wp-image-163\" src=\"https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-5-41-300x140.png\" alt=\"round 5 4\" width=\"339\" height=\"165\" \/><\/a><\/p>\n<p>To decipher the message, Google each hash to find the corresponding word.<\/p>\n<p>fde5020a5a97322bf5a7aee8174abbd8 = Mega<br \/>\nd8c7d877ba6139c4872450e3847613a50c79f4e2 = Death<br \/>\n9406e3c325bfc9873426e5eda4ba6e18 = Ray<br \/>\n0519a3b8d19f6d01501da1960c19385b5e938f86 = 5102<\/p>\n<h1 style=\"text-align: center;\">Round 6<\/h1>\n<p>Truecrypt password: hcdLwUKPTC<br \/>\nAnswer: 08-21-51 13:37:54<br \/>\nTools used: Wireshark, Forensics, TrueCrypt, quipqiup.com, gpg<\/p>\n<p style=\"padding-left: 30px;\">It appears the aliens are preparing to destroy earth! This must be stopped! We have discovered some additional data that may be helpful in our efforts to protect earth. Unfortunately, the data is protected by a password that has yet to be cracked. Can you help us figure out how to read the secured information?<\/p>\n<p style=\"padding-left: 30px;\">What time must the message be sent? Remember, time is running out! We need to know the exact time down to the very second!<\/p>\n<p>Format of Answer: MM\/DD\/YR HR:MN:SC<br \/>\nThe time is in military<br \/>\nExample Answer: 08\/07\/15 13:02:03<\/p>\n<p>This round was very difficult and took the majority of our time to complete. Additionally, there are two errors in this round that make it virtually impossible to finish without some luck.<\/p>\n<p>Any documents you can extract in Forensics are just a distraction. In Wireshark you can see a large amount of traffic between two IP addresses, and both before and after that traffic there is a series of SYN packets. The traffic is a file transfer, and the SYN packets are the key to decrypting the file.<\/p>\n<p>Use this filter in Wireshark to view the file transfer packets:<br \/>\nip.src eq 192.168.1.5 &amp;&amp; ip.dst eq 192.168.1.6<\/p>\n<p>Ignoring the SYN and SSH packets, we carved out the transfer and saved it to a file named mystery.pcap (despite the name, this is the reassembled payload, not a capture).<\/p>\n<p><a href=\"https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-6-1.png\"><img loading=\"lazy\" class=\"aligncenter size-medium wp-image-155\" src=\"https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-6-1-300x120.png\" alt=\"round 6 1\" width=\"300\" height=\"120\" srcset=\"https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-6-1-300x120.png 300w, https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-6-1-1024x411.png 1024w, https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-6-1-500x201.png 500w, https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-6-1.png 1178w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>Inspecting the contents of mystery.pcap we can tell it is probably a TrueCrypt volume: the data looks completely random, there is no file header or magic bytes, and the size is a multiple of 512 bytes. That is exactly what a TrueCrypt container looks like, since even its header is encrypted, so the absence of any signature is the signature. Now all we need is the password\u2026<\/p>\n<p>Remember the file from round two in the memory dump that had the Open and Close lines? We need it now. Open refers to the destination ports of the series of SYN packets before the transfer, and Close to the destination ports of the series of SYN packets after the transfer. 
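<\/p>
<p>The extraction in code, as an added example (my code, not the post&#8217;s): walk the libpcap file, keep frames with SYN set and ACK clear, record their destination ports in capture order, split them into the series before and after the transfer, and index them with the Open and Closed lines. The capture parsed here is built in memory from made-up ports, because the post does not list the real ones, so the password it prints is not the round&#8217;s; the Open and Closed lines themselves are the post&#8217;s, with indexes read as 1-based positions. Ethernet and IPv4 framing is assumed.<\/p>

```python
"""SYN destination ports -> TrueCrypt password: the Round 6 key file applied to a capture.

Added example, not code from the original post. The pcap is constructed in memory
from made-up port numbers (the post does not list the real ones), so the password
this prints is not the round's; the Open/Closed index rule is the post's, with
indexes read as 1-based positions. Standard library only, Ethernet/IPv4 assumed.
"""
import struct
from typing import List, Tuple

SYN, ACK = 0x02, 0x10
# The Open/Closed lines from the round-two memory dump file, as quoted in the post.
KEY = [("Open", [3, 9]), ("Closed", [4]), ("Open", [25, 1, 22]), ("Closed", [9, 12, 19, 21]),
       ("Open", [11, 18]), ("Closed", [2]), ("Open", [10, 16]), ("Closed", [13])]


def tcp_packets(pcap: bytes) -> List[Tuple[float, int, int]]:
    """Return (timestamp, dst_port, tcp_flags) for each TCP/IPv4 frame in a libpcap file."""
    magic = struct.unpack("<I", pcap[:4])[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a libpcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (LINKTYPE_ETHERNET) captures handled here")
    out, off = [], 24
    while off + 16 <= len(pcap):
        ts_sec, ts_usec, caplen, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4, or not TCP
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]
        if len(tcp) < 14:
            continue
        out.append((ts_sec + ts_usec / 1e6, struct.unpack("!H", tcp[2:4])[0], tcp[13]))
    return out


def _is_pure_syn(flags: int) -> bool:
    return bool(flags & SYN) and not flags & ACK


def transfer_window(packets) -> Tuple[float, float]:
    """Time span of the non-SYN traffic, i.e. the file transfer itself."""
    ts = [t for t, _, f in packets if not _is_pure_syn(f)]
    return min(ts), max(ts)


def syn_series(packets) -> Tuple[List[int], List[int]]:
    """Destination ports of pure SYNs before ('Open') and after ('Closed') the transfer, in capture order."""
    start, end = transfer_window(packets)
    syns = [(t, p) for t, p, f in packets if _is_pure_syn(f)]
    return [p for t, p in syns if t < start], [p for t, p in syns if t > end]


def build_password(before: List[int], after: List[int], key=KEY) -> str:
    """Concatenate the ports selected by the key; indexes are 1-based positions in each series."""
    parts = []
    for series, idxs in key:
        ports = before if series == "Open" else after
        parts.extend(str(ports[i - 1]) for i in idxs)
    return "".join(parts)


# --- constructed capture: stands in for the Round 6 pcap -------------------
def _frame(dport: int, flags: int) -> bytes:
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = (bytes([0x45, 0]) + struct.pack("!H", 40) + b"\x00" * 4 + bytes([64, 6]) + b"\x00\x00"
          + bytes([192, 168, 1, 5]) + bytes([192, 168, 1, 6]))
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp


def constructed_pcap(before: List[int], after: List[int]) -> bytes:
    """SYNs to `before` ports, three ACK-only 'transfer' packets, then SYNs to `after` ports."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    seq = [(p, SYN) for p in before] + [(4444, ACK)] * 3 + [(p, SYN) for p in after]
    recs = []
    for i, (dport, flags) in enumerate(seq):
        f = _frame(dport, flags)
        recs.append(struct.pack("<IIII", 100 + i, 0, len(f), len(f)) + f)
    return hdr + b"".join(recs)


if __name__ == "__main__":
    pcap = constructed_pcap([1000 + i for i in range(1, 26)], [2000 + i for i in range(1, 22)])
    print(build_password(*syn_series(tcp_packets(pcap))))
```

<p>The transfer window is taken as the time span of the non-SYN packets, which is also how you would separate the two SYN series by eye in Wireshark. Capture order matters: sorting by port or deduplicating would break the indexing, and a stray retransmitted SYN would shift every position after it, so look at the series before trusting the count.<\/p>
<p>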
The numbers in the file are positions within those SYN series, counting from 1, and reading off the selected destination ports in the order listed gives the password.<\/p>\n<p>Open: 3, 9<br \/>\nClosed: 4<br \/>\nOpen: 25,1,22<br \/>\nClosed: 9,12,19,21<br \/>\nOpen: 11, 18<br \/>\nClosed: 2<br \/>\nOpen: 10, 16<br \/>\nClosed: 13<\/p>\n<p>Password for Truecrypt image:<br \/>\n<strong>94889488423292072372006423840394882920583871095838695030065838<\/strong><\/p>\n<p>Contained in the Truecrypt image file are two files:<\/p>\n<ol>\n<li>btsnoop_hci.log \u2013 a Bluetooth HCI capture that can be opened in Wireshark.<\/li>\n<li>information.txt.gpg \u2013 a GPG-encrypted file that we will need to decrypt.<\/li>\n<\/ol>\n<p>A quick look at the Bluetooth capture does not reveal anything obvious, so whatever is in information.txt.gpg must hold the key. To decrypt information.txt.gpg we need the PGP private key and its passphrase. Both are in previous rounds.<\/p>\n<p>If you remember back, we found the private key in the round two memory dump. It was split across two files; here is the complete key. 
Save the private key text into a file and then import into gpg.<\/p>\n<p>&#8212;&#8211;BEGIN PGP PRIVATE KEY BLOCK&#8212;&#8211;<br \/>\nVersion: GnuPG\/MacGPG2 v2<br \/>\nlQO+BFV4TzUBCAD4CAngutPnU0fcvIxVSdKM8l\/tGHSWlOg9bltmH+CRh197t+0z<br \/>\nW4nu3nefyFjXKRWunH90mRSsm\/71DeKCnQw9EuNRVAiwh1I1bigcZwkLZCKoX3xn<br \/>\nHbD6WLMQ2EAaCIyHyzWvbqo9lsQRCcsyyUMJnLttTFGaWjw3omV0CQ4ZHthcpsDd<br \/>\nME+Bb+i0D9jJc+aTbflo7y\/IPM4yXSwlyG4x1XBL4TmDdnLQxNQPEPGiy+\/kgIpm<br \/>\n58EGsyuzB1UNb9UWFdLpHgemKVzrpGGVRUm7aawPzlnjRFKEjRa4Ap9j8L+874nU<br \/>\njtkiSpwPZskNuSa+0Fwk9Gjmbey8sug23WPHABEBAAH+AwMCEN2AD8YkwD7QXn1E<br \/>\nTUAFbyJkNbidPYoZXXnqAwycQ3J0rC2hDgVrbzm0JGDlLtxSZ6ZUBjXRzWdwLONo<br \/>\nlhaKCaS6zp73Wm7E9a+J088WT+3vcZb0t8Hc\/\/WPXE1mz0qEwkBTnfpmUOPsNVav<br \/>\nUarf7Vjp9VRUz5X2PmQ67WhxnZnmTKOv6wGW97F2dAg+T5D35GPkkfLcguIeBlnV<br \/>\nvx+ZuGFOP4T\/KZiDtaBrryyGX7DPI\/oQzK8s2Kd+jcf4TTaLWnAHCi1mYIVTs+MD<br \/>\nEa9eyaXFHUna1jPyzcDgnJEghAvLg\/d\/OaCBN2AuW8Lh8tVajdYfEd5qjlcpjvLV<br \/>\nJkMdiua6IFei5mSmufADfFJx5vaGZBNJ8\/9j6OoOUp6Vf4BOoXvPw25oB7ROCgqP<br \/>\nw0xjYZ9gX7qZ0j\/20qHAFYQ7pNBlC7\/GBT3iIrGQ1litCIxM3AizcAThjPnkbaFy<br \/>\ndqCKXLWg6B6cg6ll7buqW3QUtBvrANa1igONjDOk\/CvdN39yn+vVZtZPFjkJ252f<br \/>\ni1JLRmDSZG0yJ611dOpPfSmJBVFysulKKNT1nwTLZrMdY7plUoPo0rgK+BD9L6EJ<br \/>\nmlDmikQBS9Ncyk6mvu9I928tFCCOHd\/+0eIzjNO8Rf0Utf7PIOTTUOdFQce95N7U<br \/>\nSok50NbtEwzw92P2sIEwwRR9GQyM9wJIoZE2sqaN4gb7n2qplBqhUG+ZGBYQnobB<br \/>\nH2n+whibMc\/QGuAon+6lc9Kv9WjyN3YUqceaj17ZzKQ+Su+TCGgL\/bvE3stFJhIJ<br \/>\nmaYoTJBdW+EJffAjvlZm3Ax4lkoIk7ZKBs2VUsp4cyNwswmcBwpDVZJjZI48hTZ3<br \/>\nAJdJLHm8VY0uAgUFj6vvGvOCvmvnwggjLBOinzoLJJwxjoa0nHaZefCNTRo7Cumz<br \/>\ngLQoQWN0dXJpYW5zIDxicnlhbnRoZXNjaWVuY2VndXlAZ21haWwuY29tPokBPgQT<br \/>\nAQIAKAUCVXhPNQIbAwUJB4YfgAYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQ<br \/>\nOUxGFasYh56PHAgAx1C5eRtpQVVfRR7nekjekXW8xQk5zavgarVgGmial8at3n9K<br \/>\nxPPMJclFNCIreA6rry3NUhR3in0U\/TV0j0+5NQDhprI5OeUg74O\/xSCe72pJBYRl<br 
\/>\nTIJZM7zYb9CxMGoD0E36FSD0YUQaCD+UvH98nGAK+dJ5E3WRGN4gdp84gwATJeVH<br \/>\nJN+jmL0tOXXTOPNEZQ\/V3H4pYnwIG+CBfzruRNv3eSqRlauj5eheTBmkAXtDEaCY<br \/>\nXQBJdbA\/mF+6RrZPemyBjxQ06fFaJb0XeTH4R5Rq30ghIRLCuBqbMPBQLVGxsEY7<br \/>\n8dagr1+7EiLkJER4JmBEy6owEZdPEQBt90S2QJ0DvgRVeE81AQgAnuVdCSsKR0O1<br \/>\n0sdaF3lYLZeluBdvC9\/VR6MJtO72HFyxDEJ3iD46GptJC8ePvK+fUD\/lc+s3gQUP<br \/>\nflPQy7iv651KcdVNvUKBoNUQtU5b97me2Egj4R7YnWbBk024G8qFRk\/4if0TUCiZ<br \/>\naOZRUytTa0IOksya4WupFzRQMq61pKUGz4XTlilLrN+c88AG9fQ4\/+jvS\/RRMEIZ<br \/>\nlkJDDsNomuuZZFqdtSORvsDv4eeZ918NB\/e7hizWBzlCA\/Fl1uxlXt86\/RVcdI0P<br \/>\nC4N2N3P3frRrjAQvxo6PIEw5gm6mQxjCXBDcVe74mzGQwFordcJ+rF9nV6O0ZOUl<br \/>\nyooPIucQcQARAQAB\/gMDAhDdgA\/GJMA+0B8Y4lOIBo3dlKMdQuNJCqUS5JjRKF+a<br \/>\nT\/ij2aWKleX\/7xeEe\/28Oz7oYy\/KyalRyP9NXRG8+YGHUVH\/BMUKYbom3Mhis\/Dr<br \/>\naETbcaVYlyiko9eK1blBG3FOCO\/aLFxQMrHT1gN9CF2JK2iUX86NwhU1Eq5OYptu<br \/>\nJ9yw8190zP3qnKhvdwV0kkawK8a0wwofb6eAt9H3y9YM3YIsNRKRVRUeWzntp6dK<br \/>\nIHGnbVN0bU6olvUueTusGbrrBuATx6V2A6NJAR+wStQyapdFOBVGnu8Fxq3GwQW\/<br \/>\nPXvXapjrFXvv1Rf+oSxboiOgoq4J3ErfD6GVda1ZjpVoaAPt+z+XHK8SJTa0VwWy<br \/>\nHZ0P5WlhM+oIix20uYEYnPOPsXqw5\/laqoBDNF39RVt1bnHz9l13WpYa3IC7uJgT<br \/>\no61v5+z3Edj0z\/rmG69gAS0oEaCv++lIoDIFi5LyRvPrf89R2i6f51dmuyCAsHto<br \/>\nqrwKSkza+xbKJaGSwQHKBI2qHbAjDvLlRekRaLzBFYyZHD+rmrzfJnioloBVtGTx<br \/>\nHmfEY9HXAMNWDi9xypYArXS10oswe8nUmvMn+gqYnjSwOadaOsTAT6sJUnxLV2\/U<br \/>\nin4\/tb1JIG0Rn0LMKOpj2BCnMee9vA14FRHk3PJ5qNUObX7n3R5f11PYc4q2sQzQ<br \/>\nBD5p+h7gNNd9VPp3zcLJhToVWgA8FDMff6EUabHJMOkmdXI6I3hfp5XbJPeHyRZv<br \/>\nhGN4M7SuVMsmHaem86eVTp1V+mSYDemMxnNQ1uw36hQMPPwzbIoAbbUSNYhIb1Qm<br \/>\nmJ4fiMJSAMPmAiKu2dY+xZOlmWEnOYU2wHeN8cyHCElh+rVZmXYxdmlS5F5SRC7c<br \/>\nEOhwInqkJYDnn6Hpe8PL1+u\/rB2GDyph1+Bnrj+JASUEGAECAA8FAlV4TzUCGwwF<br \/>\nCQeGH4AACgkQOUxGFasYh551yAf9EARlLhREdp\/w7GjUroIZSMZ1lJIcU3AJ8Vb+<br \/>\nlge\/ZU5\/nSkD0rPSrSp\/nnrBhhpNgcMmaTPxr+RHK0bbK0JXeuHvFgmJjtBo8xSY<br 
\/>\njdet6IxV2eR0J32yA1msRSJhmzpsQvD+n60l5qTwbT\/DgBMe+dXnHc+OcdDZgQdH<br \/>\n+or0d8lS1ZEGZj\/NBPA+kr7vimanyybqIT\/WHhvuS5KrCi4rKleKcHG\/oelk8chT<br \/>\n+QfHMLFtL\/aTLt9Tupb7vazZIdjF65RmW1dvLD8bg3yamb7Yblv36XMnvB5yy8Tq<br \/>\nBOPWRGIFr14P0\/6RRVh5hAdtV4vHp\/jvYQPOUF8Ciho1cgH6lg==<br \/>\n=l4pC<br \/>\n&#8212;&#8211;END PGP PRIVATE KEY BLOCK&#8212;&#8211;<\/p>\n<p>When saving the key, make sure the BEGIN and END armor lines are five ASCII hyphens on each side (-----BEGIN PGP PRIVATE KEY BLOCK----- and -----END PGP PRIVATE KEY BLOCK-----); the blog software renders them as dashes, and gpg will not recognise the block otherwise.<\/p>\n<p><strong>gpg --allow-secret-key-import --import private_gpg.key<\/strong><\/p>\n<p>(--allow-secret-key-import is an obsolete option that GnuPG 2 accepts and ignores, so plain gpg --import private_gpg.key does the same.)<\/p>\n<p>gpg: Total number processed: 1<br \/>\ngpg:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 imported: 1\u00a0 (RSA: 1)<br \/>\ngpg:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 secret keys read: 1<br \/>\ngpg:\u00a0\u00a0 secret keys imported: 1<\/p>\n<p>Now to find the passphrase. Going back to round one, there was a second ymsg chat. Enter the following search in Forensics and select the second document.<\/p>\n<p>ApplicationProtocol:ymsg<\/p>\n<p>This is the raw chat with everything but the message removed:<\/p>\n<p>Wrw blf ivnvnyvi gl hsldvi zmw kfg lm xovzm fmwvidvzi<br \/>\nuli WvuXlm?<br \/>\nNln sld wrw blf tvg lm Ofpv&#8217;h xlnkfgvi?&#8230;zmw bvh.<br \/>\nNln&#8217;h szev vbvh rm gsv yzxp lu gsvri svzwh&#8230;zmw z<br \/>\ngdvoev bvzi lowh kzhhdliw rh vzhb gl tfvhh.<br \/>\nBvzs R tfvhh hrmxw rg&#8217;h qfhg rorpvzorvmh.<\/p>\n<p>Unfortunately it\u2019s not a simple ROT13 message. It is still a monoalphabetic substitution, though, so a substitution solver will handle it; in fact it is the Atbash cipher, which maps each letter to its mirror in the alphabet (A\u2194Z, B\u2194Y, \u2026), so W\u2192D, r\u2192i, w\u2192d turns Wrw into Did. Let\u2019s try <a href=\"http:\/\/quipqiup.com\/index.php\">http:\/\/quipqiup.com\/index.php<\/a> and see if we have any luck there\u2026<\/p>\n<p><a href=\"https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-6-2.png\"><img loading=\"lazy\" class=\"aligncenter size-medium wp-image-156\" src=\"https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-6-2-300x156.png\" alt=\"round 6 2\" width=\"300\" height=\"156\" srcset=\"https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-6-2-300x156.png 300w, 
https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-6-2-1024x534.png 1024w, https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-6-2-500x261.png 500w, https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2015\/09\/round-6-2.png 1236w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p style=\"padding-left: 30px;\">Did you remember to shower and put on clean underwear for DEFCON? Mom how did you get on Luke&#8217;s computer?&#8230;and yes. Mom&#8217;s have eyes in the back of their heads&#8230;and a twelve year olds password is easy to guess. Yeah I guess sincd it&#8217;s just ilikealiens.<\/p>\n<p>This is the first error in this round, and probably a show stopper without a bit of luck: the decoded chat says the passphrase is ilikealiens, but it is not. The passphrase that actually unlocks the key is <strong>ilovealiens<\/strong>.<\/p>\n<p>Let\u2019s decrypt information.txt.gpg now. When prompted for the passphrase, enter \u201c<strong>ilovealiens<\/strong>\u201d without the quotes.<\/p>\n<p><strong>gpg --output information.txt --decrypt information.txt.gpg<\/strong><\/p>\n<p>File contents:<\/p>\n<p>Cyper<\/p>\n<p>08\/21\/15 16:37:54<\/p>\n<p>DATE: 2015-07-01<br \/>\nWeight:3<br \/>\nMinutes Awake:2<br \/>\nGives Month<\/p>\n<p>DATE: 2015-05-21<br \/>\nCalories Burned:1<br \/>\nSteps:2<br \/>\nGives Day<\/p>\n<p>DATE: 2015-05-17<br \/>\nFloors:2<br \/>\nMinutes Sedentary:4<br \/>\nGives Year<\/p>\n<p>DATE: 2015-06-03<br \/>\nSteps:2<br \/>\nMinutes Lightly Active:3<br \/>\nGives Hour<\/p>\n<p>DATE: 2015-06-09<br \/>\nSteps:1<br \/>\nCalories:2<br \/>\nGives Minutes<\/p>\n<p>DATE: 2015-06-27<br \/>\nActivity Calories:1<br \/>\nDistnace:3<br \/>\nGives Seconds<\/p>\n<p>This file is the key, and the btsnoop_hci.log Bluetooth capture contains the Fitbit activity data we apply it to. The Fitbit export travels as CSV inside the Bluetooth payloads, so open btsnoop_hci.log in a text editor and search for \u201ctext\/comma-separated-values\u201d. Save each CSV section to its own text file; opening them in Excel makes the lookups easier. For each clue, find the row for the given date, take the value in the named column, and use the number after the colon as a 1-based digit position within that value (thousands separators and decimal points are skipped, as the worked values below show). The two digits from each clue, in the order listed, form that field of the timestamp.<\/p>\n<p>DATE: 2015-07-01<br \/>\nWeight:3<br \/>\nMinutes Awake:2<br \/>\nGives Month<\/p>\n<p>This is the second error in this round: this date does not exist in the data! We assumed we could make a few guesses and get lucky (we got it on the second try):<\/p>\n<p><strong>= 08<\/strong><\/p>\n<p>DATE: 2015-05-21<br \/>\nCalories Burned:1<br \/>\nSteps:2<br \/>\nGives Day<\/p>\n<p>2,030 \u2190 Position 1<br \/>\n6,109 \u2190 Position 2<br \/>\n<strong>= 21<\/strong><\/p>\n<p>DATE: 2015-05-17<br \/>\nFloors:2<br \/>\nMinutes Sedentary:4<br \/>\nGives Year<\/p>\n<p>15 \u2190 Position 2<br \/>\n1,091 \u2190 Position 4<br \/>\n<strong>= 51<\/strong><\/p>\n<p>DATE: 2015-06-03<br \/>\nSteps:2<br \/>\nMinutes Lightly Active:3<br \/>\nGives Hour<\/p>\n<p>6,144 \u2190 Position 2<br \/>\n233 \u2190 Position 3<br \/>\n<strong>= 13<\/strong><\/p>\n<p>DATE: 2015-06-09<br \/>\nSteps:1<br \/>\nCalories:2<br \/>\nGives Minutes<\/p>\n<p>3,885 \u2190 Position 1<br \/>\n1,793 \u2190 Position 2<br \/>\n<strong>= 37<\/strong><\/p>\n<p>DATE: 2015-06-27<br \/>\nActivity Calories:1<br \/>\nDistnace:3<br \/>\nGives Seconds<\/p>\n<p>577 \u2190 Position 1<br \/>\n1.74 \u2190 Position 3<br \/>\n<strong>= 54<\/strong><\/p>\n<p>Putting the fields together gives 08\/21\/51 13:37:54.<\/p>\n<p>Barring the issues with this year\u2019s competition it was a lot of fun. The third-place prize was an Amazon Fire TV that no one on the team seemed to want. Maybe next year we can reclaim our first-place position and have a prize worth fighting over. Thanks to everyone who not only helped during the competition but also worked to make Forensics a better product. 
If you are at DEFCON next year stop by the competition area and say hi.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>DEFCON 23 Network Forensics Competition This year marked the fourth year participating in Network Forensics Competition and the fourth years of placing within the top three teams to finish. Similar to previous years, the competition consisted of six rounds plus &hellip; <a href=\"https:\/\/gencarelle.com\/blog\/2015\/09\/11\/defcon-23-network-forensics-competition\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":157,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[5],"tags":[],"_links":{"self":[{"href":"https:\/\/gencarelle.com\/blog\/wp-json\/wp\/v2\/posts\/137"}],"collection":[{"href":"https:\/\/gencarelle.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/gencarelle.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/gencarelle.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/gencarelle.com\/blog\/wp-json\/wp\/v2\/comments?post=137"}],"version-history":[{"count":9,"href":"https:\/\/gencarelle.com\/blog\/wp-json\/wp\/v2\/posts\/137\/revisions"}],"predecessor-version":[{"id":169,"href":"https:\/\/gencarelle.com\/blog\/wp-json\/wp\/v2\/posts\/137\/revisions\/169"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/gencarelle.com\/blog\/wp-json\/wp\/v2\/media\/157"}],"wp:attachment":[{"href":"https:\/\/gencarelle.com\/blog\/wp-json\/wp\/v2\/media?parent=137"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/gencarelle.com\/blog\/wp-json\/wp\/v2\/categories?post=137"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/gencarelle.com\/blog\/wp-json\/wp\/v2\/tags?post=137"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
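
<p>The round 6 ymsg chat, solved offline as an added example (my code, not the post&#8217;s): rather than guessing ROT13 and then reaching for quipqiup, try all 25 Caesar shifts plus Atbash and rank the candidates by how many common English words they contain. CIPHERTEXT is the chat quoted above, transcribed with ASCII punctuation; COMMON is a small constructed word list used only for ranking. The result shows why ROT13 failed: the text is Atbash, the reversed alphabet, which is its own inverse.<\/p>

```python
"""Recover the Round 6 ymsg chat without a web solver: try every Caesar shift plus Atbash.

Added example, not code from the original post. CIPHERTEXT is the chat the post
quotes, transcribed with ASCII punctuation; COMMON is a small constructed word list
used only to rank candidates. The post solved it with quipqiup; this shows why
ROT13 failed and that the text is Atbash (A<->Z, B<->Y, ...), which is its own inverse.
"""
import re
import string
from typing import Dict, Tuple

CIPHERTEXT = (
    "Wrw blf ivnvnyvi gl hsldvi zmw kfg lm xovzm fmwvidvzi uli WvuXlm? "
    "Nln sld wrw blf tvg lm Ofpv's xlnkfgvi?...zmw bvh. "
    "Nln's szev vbvh rm gsv yzxp lu gsvri svzwh...zmw z gdvoev bvzi lowh kzhhdliw rh vzhb gl tfvhh. "
    "Bvzs R tfvhh hrmxw rg's qfhg rorpvzorvmh."
)
COMMON = {"the", "and", "you", "to", "of", "on", "it", "is", "in", "a", "i", "did", "how",
          "yes", "put", "for", "just", "guess", "get", "mom", "have", "back", "their", "easy"}
LOWER = string.ascii_lowercase


def _translate(text: str, mapping: str) -> str:
    """Apply a 26-letter substitution alphabet to both cases, leaving other characters alone."""
    table = str.maketrans(LOWER + LOWER.upper(), mapping + mapping.upper())
    return text.translate(table)


def caesar(text: str, shift: int) -> str:
    """Shift every letter forward by `shift`; shift 13 is ROT13."""
    return _translate(text, LOWER[shift:] + LOWER[:shift])


def atbash(text: str) -> str:
    """Mirror the alphabet: a<->z, b<->y, ... (applying it twice gives the input back)."""
    return _translate(text, LOWER[::-1])


def score(text: str) -> int:
    """Count common English words; a real solver would use n-gram statistics instead."""
    return sum(1 for w in re.findall(r"[A-Za-z']+", text) if w.lower() in COMMON)


def candidates(ct: str) -> Dict[str, str]:
    cands = {f"rot{s}": caesar(ct, s) for s in range(1, 26)}
    cands["atbash"] = atbash(ct)
    return cands


def best_decryption(ct: str) -> Tuple[str, str]:
    """Return (method, plaintext) of the highest-scoring candidate."""
    name, text = max(candidates(ct).items(), key=lambda kv: score(kv[1]))
    return name, text


def passphrase_from(plaintext: str) -> str:
    """The message ends '... it's just <passphrase>.'; take the last word."""
    return re.findall(r"[A-Za-z0-9]+", plaintext)[-1]


if __name__ == "__main__":
    method, plain = best_decryption(CIPHERTEXT)
    print(method, "->", plain)
    print("passphrase in chat:", passphrase_from(plain))  # ilikealiens (the key's real one was ilovealiens)
```

<p>A solver like quipqiup handles arbitrary substitution keys by searching over the key with n-gram statistics; the fixed-key search above is enough whenever the puzzle author used a textbook cipher, and it runs with no network access. Note that it recovers exactly what the chat says, ilikealiens, and cannot know that the key&#8217;s real passphrase was ilovealiens; that gap is the round&#8217;s first error, not a decryption mistake.<\/p>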
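
<p>The key-file arithmetic from the end of round 6, as an added example (my code, not the post&#8217;s): parse the CSV carried in the Bluetooth capture, look up each clue&#8217;s date and column, and take the 1-based digit the key asks for. SAMPLE_CSV is constructed from the values the post reports for each referenced date (the other cells are filler) and deliberately has no 2015-07-01 row, matching the missing date in the real data; the key file&#8217;s misspelled Distnace is mapped to the Distance column.<\/p>

```python
"""Apply the information.txt key to the Fitbit CSV carried in btsnoop_hci.log.

Added example, not code from the original post. SAMPLE_CSV is constructed from the
values the post reports for each referenced date (other cells are filler), with no
2015-07-01 row because that date is missing from the real data too. The digit rule
is what the post's worked values show: drop separators and decimal points, then
take the 1-based position.
"""
import csv
import io
import re
from typing import Dict, List, Optional, Tuple

# (field, date, [(column, position), ...]) straight from the decrypted key file.
# The file spells the last column "Distnace"; the CSV header is "Distance".
KEY = [
    ("month",  "2015-07-01", [("Weight", 3), ("Minutes Awake", 2)]),
    ("day",    "2015-05-21", [("Calories Burned", 1), ("Steps", 2)]),
    ("year",   "2015-05-17", [("Floors", 2), ("Minutes Sedentary", 4)]),
    ("hour",   "2015-06-03", [("Steps", 2), ("Minutes Lightly Active", 3)]),
    ("minute", "2015-06-09", [("Steps", 1), ("Calories", 2)]),
    ("second", "2015-06-27", [("Activity Calories", 1), ("Distance", 3)]),
]

# Constructed Fitbit-style export; only the cells the key references carry the post's values.
SAMPLE_CSV = """Date,Calories Burned,Steps,Distance,Floors,Minutes Sedentary,Minutes Lightly Active,Minutes Awake,Weight,Calories,Activity Calories
2015-05-17,"1,900","4,512",3.02,15,"1,091",180,12,70.5,"1,650",480
2015-05-21,"2,030","6,109",4.10,9,"1,120",210,14,70.5,"1,700",560
2015-06-03,"2,100","6,144",4.22,11,"1,005",233,9,70.1,"1,720",590
2015-06-09,"2,050","3,885",2.61,7,"1,210",160,11,70.0,"1,793",430
2015-06-27,"1,980","5,020",1.74,8,"1,150",190,10,69.8,"1,660",577
"""


def digit_at(value: str, position: int) -> str:
    """1-based digit of a cell with separators and decimal points removed ("2,030", 1 -> "2")."""
    digits = re.sub(r"\D", "", value)
    if not 1 <= position <= len(digits):
        raise ValueError(f"position {position} out of range for {value!r}")
    return digits[position - 1]


def load_rows(csv_text: str) -> Dict[str, Dict[str, str]]:
    """Index the export by its Date column."""
    return {row["Date"]: row for row in csv.DictReader(io.StringIO(csv_text))}


def field_value(rows, date: str, refs: List[Tuple[str, int]]) -> Optional[str]:
    """Two-digit field for one clue, or None when the date is absent (the post's second error)."""
    row = rows.get(date)
    if row is None:
        return None
    return "".join(digit_at(row[col], pos) for col, pos in refs)


def missing_dates(rows, key=KEY) -> List[str]:
    return [date for _, date, _ in key if date not in rows]


def assemble(rows, key=KEY, guesses: Optional[Dict[str, str]] = None) -> str:
    """MM/DD/YR HH:MM:SS as the round asked; unresolvable fields show as ?? unless guessed."""
    guesses = guesses or {}
    vals = {}
    for name, date, refs in key:
        found = field_value(rows, date, refs)
        vals[name] = found if found is not None else guesses.get(name, "??")
    return "{month}/{day}/{year} {hour}:{minute}:{second}".format(**vals)


if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    print("missing:", missing_dates(rows))           # ['2015-07-01']
    print(assemble(rows))                            # ??/21/51 13:37:54
    print(assemble(rows, guesses={"month": "08"}))   # 08/21/51 13:37:54
```

<p>Reporting a missing date explicitly rather than crashing is what tells you to start guessing, which is how the post&#8217;s second error was handled; with the month guessed as 08 the output is 08/21/51 13:37:54, the round&#8217;s answer. Out-of-range positions raise rather than silently wrapping, since a wrong digit here is indistinguishable from a wrong guess.<\/p>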