{"id":62,"date":"2013-08-30T14:00:23","date_gmt":"2013-08-30T14:00:23","guid":{"rendered":"http:\/\/gencarelle.com\/blog\/?p=62"},"modified":"2013-08-30T14:00:23","modified_gmt":"2013-08-30T14:00:23","slug":"defcon-2013-forensics-challenge","status":"publish","type":"post","link":"https:\/\/gencarelle.com\/blog\/2013\/08\/30\/defcon-2013-forensics-challenge\/","title":{"rendered":"DEFCON 2013 Forensics Challenge"},"content":{"rendered":"<p>Wow! First place baby!<\/p>\n<p>Here is a write-up I did on a competition that took place at DEFCON this year. To be fair I should disclose that I work for Cybertap and work on the Recon product. The tasks where Recon was used could of course have been solved using other tools, but when you have access to a network analysis tool designed for this sort of thing it really helps.<\/p>\n<p>This year\u2019s challenge had approximately 200 teams competing. The 2nd and 4th place teams from last year\u2019s competition were also present. It took us 4.5 hours to complete a total of eight rounds. The 2nd place team (the same team that came in 4th last year) took about 5 hours to complete the challenge.<\/p>\n<p style=\"text-align: center;\"><strong>Tools used<\/strong><\/p>\n<p>CYBERTAP RECON<br \/>\nRecon ingests real-time or archived (pcap) network packets, decompiles all the flows and indexes every byte of information using a search engine. All network data is indexed, including address and port metadata, protocol metadata, message contents, embedded file metadata, and file content metadata.<\/p>\n<p>WIRESHARK<br \/>\nWireshark is a network protocol analyzer.<\/p>\n<p>NETWORKMINER FREE<br \/>\nNetworkMiner is a Network Forensic Analysis Tool for Windows. 
NetworkMiner can parse PCAP files for off-line analysis and to regenerate\/reassemble transmitted files and certificates from PCAP files.<\/p>\n<p>HXD<br \/>\nHxD is a fast, free hex editor.<\/p>\n<p>NOTEPAD++<br \/>\nNotepad++ is a free Windows-based source code editor and Notepad replacement.<\/p>\n<p>VLC<br \/>\nVLC is an open-source cross-platform multimedia player.<\/p>\n<p>TRUECRYPT<br \/>\nFree open-source disk encryption software.<\/p>\n<p>USEFUL WEBSITES<br \/>\nwww.asciitohex.com &#8211; used to convert hex to ASCII text.<br \/>\ndisplay-kml.appspot.com &#8211; used to map KML data to a Google map.<br \/>\nhttp:\/\/en.wikipedia.org\/wiki\/List_of_file_signatures &#8211; Website with a list of file signatures.<\/p>\n<p style=\"text-align: center;\"><strong>Forensic Challenge<\/strong><\/p>\n<p>1. What day of the week is the meeting scheduled for?<br \/>\nWednesday<\/p>\n<p>Time to complete task: 15 mins<\/p>\n<p>NetworkMiner was able to identify an IRC chat, but some messages were hex encoded. We used Notepad++ to clean up the text in the hex-encoded messages and then converted the hex to ASCII.<\/p>\n<p>Original text:<br \/>\nHow does Wednesday sound?<\/p>\n<p>Cleaned up hex:<br \/>\n48 6F 77 20 64 6F 65 73 20 57 65 64 6E 65 73 64 61 79 20 73 6F 75 6E 64 3F<\/p>\n<p>Converted to ASCII:<br \/>\nHow does Wednesday sound?<\/p>\n<p>Tools used:<br \/>\nNetworkMiner<br \/>\nNotepad++<\/p>\n<p>2. What city are they meeting?<br \/>\nLas Vegas<\/p>\n<p>Time to complete task: 46 mins<\/p>\n<p>The solution for this one required multiple steps.<\/p>\n<p>Using Recon we searched and found the word betty in an AOL email message that contained text about the meeting. Using the source IP address (172.29.1.50) and viewing the results in Recon\u2019s surveyor we were able to step through all the documents pertaining to this address. 
One document that stood out was sent on port 1024 and appeared to contain binary data.<\/p>\n<p>To extract the original file out of the pcap we used Wireshark. There\u2019s probably an easier way to do this\u2026 Using this filter we were able to capture just the traffic from 172.29.1.50 on port 1024.<\/p>\n<p>tcp.port == 1024 and ip.src == 172.29.1.50<\/p>\n<p>The results were then saved to a new pcap using the File-&gt;Export Specified Packets option. Next we opened the new pcap in Wireshark, followed the TCP stream (there is only one stream in this new pcap), and then saved it as a raw file.<\/p>\n<p>We had a file that probably contained what we were looking for but no idea what the format was. The Linux file utility identified it as data (no help there) and strings did not produce anything useful. There were three possibilities\u2026 it\u2019s compressed, encrypted, or junk data to throw us off. The hint that it was encrypted was this bit of text from the email:<\/p>\n<p>Here is the password for where you should meet me: S3cr3tVV34p0n<\/p>\n<p>We had a password and what we assumed was an encrypted file, so the next step was to just start trying various encryption formats to see if anything could open it. After lots of wasted time trying different formats, TrueCrypt was tried with the S3cr3tVV34p0n password with success. The TrueCrypt volume contained a text document and a picture of Vegas.<\/p>\n<p>Tools used:<br \/>\nRecon<br \/>\nWireshark<br \/>\nTrueCrypt<\/p>\n<p>3. What will Gregory die from, if he fails to meet with Betty?<br \/>\nDysentery<\/p>\n<p>Time to complete task: 16 mins<\/p>\n<p>Looking at this pcap in Wireshark we found a session that contained both text and data. The text part contained \u201cVID_20130705_145557.mp4\u201d indicating the data was an MP4 file.<\/p>\n<p>The session was saved in a raw format that included the extra text garbage at the start of the file. 
To figure out where the actual start of the MP4 file was we used a hex editor and searched for the magic number for MP4 files (the ftyp box; the nn byte is the box length and varies from file to file).<\/p>\n<p>00 00 00 nn 66 74 79 70<\/p>\n<p>Once we had the start of the file we just removed all the data before it. The file was then playable in VLC. The video shows a reference to the game Oregon Trail and zooms in on the word dysentery.<\/p>\n<p>Tools used:<br \/>\nWireshark<br \/>\nHxD<br \/>\nVLC<\/p>\n<p>4. What is the password provided to Gregory?<br \/>\nBrutus<\/p>\n<p>Time to complete task: 10 mins<\/p>\n<p>Using Recon we found an XML file in the body of an email message. The file contents indicated it was a KML file.<\/p>\n<p>KML is a file format used to display geographic data in an Earth browser such as Google Earth, Google Maps, and Google Maps for mobile.<\/p>\n<p>To map the KML data to a Google map we used this site: http:\/\/display-kml.appspot.com\/.<\/p>\n<p style=\"text-align: center;\"><a href=\"https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2013\/08\/brutis.png\"><img loading=\"lazy\" class=\"size-medium wp-image-64 aligncenter\" alt=\"Brutus\" src=\"https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2013\/08\/brutis-300x156.png\" width=\"300\" height=\"156\" srcset=\"https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2013\/08\/brutis-300x156.png 300w, https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2013\/08\/brutis.png 357w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>Tools used:<br \/>\nRecon<\/p>\n<p>5. What happened to Gregory?<br \/>\nUnconscious behind recycle bin<\/p>\n<p>Time to complete task: 60 mins<\/p>\n<p>There was no pcap required to solve this round, just a dump of an Android smart phone. All the files from the dump were imported into Recon to make them searchable.<\/p>\n<p>We were able to find text in a sent MMS message, \u201cI got the recipe for the toxic pumpkin pie\u201d, but this was not the correct answer. 
Thinking maybe the message was hidden in an image, we searched for just images and found one that provided the answer.<\/p>\n<p><a href=\"https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2013\/08\/mandown.png\"><img loading=\"lazy\" class=\"size-full wp-image-65 aligncenter\" alt=\"man down!\" src=\"https:\/\/gencarelle.com\/blog\/wp-content\/uploads\/2013\/08\/mandown.png\" width=\"132\" height=\"176\" \/><\/a><\/p>\n<p>Tools used:<br \/>\nRecon<\/p>\n<p>6. How many bytes of data is the malicious payload?<br \/>\n3113 B<\/p>\n<p>Time to complete task: 4 mins<\/p>\n<p>Processing the pcap in NetworkMiner, the installed antivirus application flagged the 200912-paimia-&amp;a.html file as malicious. Once we had the file name all that was required was to look at the size on disk.<\/p>\n<p>Tools used:<br \/>\nNetworkMiner<\/p>\n<p>7. What is the URL of the false (malicious) web page Victoria is directed to?<br \/>\nbankofamerica.tt.omtrdc.net<\/p>\n<p>Time to complete task: 67 mins<\/p>\n<p>Lots of time was wasted examining JavaScript for a possible Black Hole redirection. The solution was found by searching in Recon for web hosts that contained bankofamerica but were not part of the bankofamerica domain.<\/p>\n<p>Tools used:<br \/>\nRecon<\/p>\n<p>8. Who killed Gregory?<br \/>\nVictoria<\/p>\n<p>Time to complete task: 5 mins<\/p>\n<p>Recon extracted 4 VoIP files perfectly. Listening to the first file, the caller (Victoria) admitted to the crime.<\/p>\n<p>Tools used:<br \/>\nRecon<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Wow! First place baby! Here is a write-up I did on a competition that took place at DEFCON this year. To be fair I should disclose that I work for Cybertap and work on the Recon product. 
The tasks &hellip; <a href=\"https:\/\/gencarelle.com\/blog\/2013\/08\/30\/defcon-2013-forensics-challenge\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[5],"tags":[],"_links":{"self":[{"href":"https:\/\/gencarelle.com\/blog\/wp-json\/wp\/v2\/posts\/62"}],"collection":[{"href":"https:\/\/gencarelle.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/gencarelle.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/gencarelle.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/gencarelle.com\/blog\/wp-json\/wp\/v2\/comments?post=62"}],"version-history":[{"count":2,"href":"https:\/\/gencarelle.com\/blog\/wp-json\/wp\/v2\/posts\/62\/revisions"}],"predecessor-version":[{"id":66,"href":"https:\/\/gencarelle.com\/blog\/wp-json\/wp\/v2\/posts\/62\/revisions\/66"}],"wp:attachment":[{"href":"https:\/\/gencarelle.com\/blog\/wp-json\/wp\/v2\/media?parent=62"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/gencarelle.com\/blog\/wp-json\/wp\/v2\/categories?post=62"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/gencarelle.com\/blog\/wp-json\/wp\/v2\/tags?post=62"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}