Wednesday, November 25, 2009

Forensic contest: Puzzle #2

If you recall from one of my previous posts, I found an interesting website, where you can take part in a forensic puzzle contest with the possibility of winning interesting prizes. Unfortunately, as with the first one, I found out about the puzzle after the deadline had passed. However, I still attempt to solve the puzzles to polish up my skills and to learn as well. This is part #2: solving the second puzzle (on my own, I might add, lol). With puzzle one, I had to look at some solutions to figure out where I went wrong, then had to bang myself in the head for not being able to figure it out myself.

You can start by importing the pcap file into Wireshark and applying a display filter for the SMTP protocol. Observation shows that Ann sent two emails. The first is not relevant to the puzzle, but the second one is. Right-click on any packet that is part of the second email (not the first; pay close attention so you don't accidentally follow the wrong stream) and click 'Follow TCP Stream'. By observation, you can determine that Ann's email is and her secret lover's email is. Further analysis shows the text that was sent in the email and the items she told him to bring ("fake passport and a bathing suit"). We also see that the name of the document being transferred is "secretrendevouz.docx".

Just to recap some of the answers we already found:
  • fake passport and a bathing suit
  • secretrendevouz.docx
Next we are going to extract the file being transferred as an attachment.
First we separate the TCP streams:
# tcpflow -r evidence02.pcap

We already identified the necessary source and destination IPs in Wireshark for the transfer of the document over the network. It's the largest file that tcpflow outputs (use # ls -lh to see the file sizes in the folder). To make things easier, since tcpflow outputs a bunch of files with confusing names, let's rename the necessary file to "file1" (mv 192.168.....etc. file1). Don't actually type '..etc'; the actual filename was just too long for me to bother typing out. Next we analyze that file with the 'xxd' utility. We want to look for, or estimate, the starting bytes of the file. We see that secretrendevouz.docx is being transferred using base64 encoding. This means that we won't be able to find the usual magic starting hex bytes of .docx files, which are '504B0304'. What I did was encode another docx file in base64 and see what its starting bytes were.
# base64 test.docx > test.docx.base64

I then used 'xxd' to see what the first bytes of the base64-encoded file were.
# xxd -l 4 test.docx.base64
ans: "55457344"

Bingo. These are the next few commands I used to extract the docx file from the TCP stream.

# xxd -ps file1 > file2

I then opened the file in a text editor, searched for the magic bytes '55457344', and when they were found I deleted all the bytes before them. I saved the file and converted it back into its raw binary format with the following command.

# xxd -ps -r file2 > secretrendevouz.docx.base64

We now have the file in base64 encoding. All we have to do now is decode it.

# base64 -d secretrendevouz.docx.base64 > secretrendevouz.docx

I then got the MD5 hash:
# md5sum secretrendevouz.docx
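The whole carving procedure above, from "find the base64 form of the magic bytes" to "decode and hash the attachment", as an added Python example (this is not code from the original post or the contest). It builds a constructed client-side SMTP stream around a tiny ZIP file standing in for the .docx (a .docx is itself a ZIP archive, which is why it starts with PK\x03\x04), so it runs offline; the boundary string, addresses and document contents are made up. It generalises the author's trick a little: base64_signature() works out how many leading base64 characters any magic sequence fixes (five for PK\x03\x04, "UEsDB", of which the post searched for the first four, hex 55457344), and the carver searches the raw stream instead of an xxd hex dump, which avoids two pitfalls of the manual method: the hex string can straddle a line in the 60-character-wide xxd -ps output and be missed, and the MIME boundary and SMTP trailer after the body have to be cut off or base64 -d will choke on them.

```python
import base64
import hashlib
import io
import re
import zipfile

DOCX_MAGIC = b"PK\x03\x04"  # a .docx is a ZIP archive, so it carries the ZIP local-header magic


def base64_signature(magic: bytes) -> str:
    """Base64 characters fully determined by `magic` at the start of a base64 body.
    Each 3 input bytes map to 4 output characters; one leftover byte pins down one
    more character, two leftover bytes pin down two. For PK\\x03\\x04 that is
    'UEsDB' (the post searched for the first four characters, hex 55457344)."""
    full, rem = divmod(len(magic), 3)
    return base64.b64encode(magic).decode("ascii")[: full * 4 + rem]


def carve_base64_attachment(stream: bytes, magic: bytes = DOCX_MAGIC) -> bytes:
    """Find a base64-encoded file in a raw client->server SMTP/MIME stream by its
    encoded magic bytes (anchored at a line start), collect the base64 lines up to
    the MIME boundary and decode them. Working on the raw bytes rather than an xxd
    hex dump means the signature cannot be missed because it straddles a dump line,
    and stopping at the first non-base64 line keeps the boundary and trailer out."""
    sig = re.escape(base64_signature(magic).encode("ascii"))
    m = re.search(rb"(?m)^" + sig, stream)
    if m is None:
        raise ValueError("encoded magic bytes not found in stream")
    body = []
    for line in stream[m.start():].splitlines():
        if not re.fullmatch(rb"[A-Za-z0-9+/=]+", line):  # boundary, '.', QUIT ... end the part
            break
        body.append(line)
    return base64.b64decode(b"".join(body))


def md5_hex(data: bytes) -> str:
    """Same value md5sum would print for the carved file."""
    return hashlib.md5(data).hexdigest()


def build_sample_stream():
    """Constructed evidence (not the contest capture): a tiny ZIP standing in for
    the .docx, wrapped in a MIME message as tcpflow would write the client side."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document>constructed sample</w:document>")
    docx = buf.getvalue()
    b64_lines = base64.encodebytes(docx).replace(b"\n", b"\r\n")  # 76-char wrapped, like a mail client
    stream = (
        b"EHLO laptop.example\r\n"
        b"MAIL FROM:<sender@example.com>\r\n"
        b"RCPT TO:<recipient@example.com>\r\n"
        b"DATA\r\n"
        b"Subject: rendezvous\r\n"
        b"MIME-Version: 1.0\r\n"
        b"Content-Type: multipart/mixed; boundary=\"BOUNDARY\"\r\n"
        b"\r\n"
        b"--BOUNDARY\r\n"
        b"Content-Type: text/plain\r\n"
        b"\r\n"
        b"bring a fake passport and a bathing suit\r\n"
        b"--BOUNDARY\r\n"
        b"Content-Type: application/octet-stream; name=\"secretrendevouz.docx\"\r\n"
        b"Content-Transfer-Encoding: base64\r\n"
        b"Content-Disposition: attachment; filename=\"secretrendevouz.docx\"\r\n"
        b"\r\n"
        + b64_lines
        + b"--BOUNDARY--\r\n"
        b".\r\n"
        b"QUIT\r\n"
    )
    return stream, docx


def recover_attachment(stream: bytes) -> dict:
    """Carve the attachment, confirm the magic bytes survived, hash it and list its members."""
    data = carve_base64_attachment(stream)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = zf.namelist()
    return {"magic_ok": data.startswith(DOCX_MAGIC), "size": len(data),
            "md5": md5_hex(data), "members": members}


if __name__ == "__main__":
    stream, original = build_sample_stream()
    print("base64 signature of PK\\x03\\x04:", base64_signature(DOCX_MAGIC))
    print(recover_attachment(stream))
```

On a real tcpflow file you would read the client-to-server flow into `stream` and call recover_attachment() on it; the md5 it reports is the one md5sum prints, and the check that the decoded bytes really start with PK\x03\x04 is the cheap way to confirm nothing was cut off before the body.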

Then I opened the document in Microsoft Word on a Windows machine and extracted the rest of the information required for the puzzle.

Rendez-vous point: Playa del Carmen, Mexico

MD5sum of pic: aadeace50997b1ba24b09ac2ef1940b7

Unfortunately I couldn't find the password; it's mostly laziness on my part to do the relevant research for a tool that extracts SMTP passwords. I figured ettercap or dsniff would have those abilities but had no success with them. I'll update the blog whenever I do figure out how to do so.


Finally figured out how to get the password. It turns out that the password is encoded in base64 format. All that's needed is the encoded base64 password string, which you feed into the base64 program for decoding. This is the command I used to get the password:

# echo "NTU4cjAwbHo=" | base64 -di -

I got the "NTU4cjAwbHo=" from analyzing the SMTP communication stream in Wireshark.
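The decoding step above, as an added Python example that is not part of the original post. The string the post pulled out of Wireshark is the second of two base64 lines the client sends after "AUTH LOGIN" (username first, then password); base64 is an encoding, not encryption, which is the whole reason the credential is recoverable from a capture of a non-TLS session. The function scans a client-to-server stream such as a tcpflow output file for these exchanges and goes slightly beyond the post by also handling the initial-response form of AUTH LOGIN and the AUTH PLAIN mechanism (one base64 blob of NUL-separated authzid, username, password). The sample stream is constructed: the password token is the one captured on the page, the usernames, the second session and the AUTH PLAIN secret are made up.

```python
import base64


def _b64text(token: str) -> str:
    """Decode one base64 token as text; SMTP AUTH credentials are only encoded, never encrypted."""
    return base64.b64decode(token.strip()).decode("utf-8", errors="replace")


def find_cleartext_smtp_auth(client_stream: str) -> list:
    """Scan a client->server SMTP stream (e.g. one tcpflow output file) for AUTH
    exchanges and decode them. AUTH LOGIN: username and password as two base64
    lines, or the username inline as an initial response and the password on the
    next line. AUTH PLAIN: one base64 blob, inline or on the next line, holding
    authzid NUL username NUL password. Everything returned here was readable to
    whoever captured the session, which is why SMTP AUTH belongs inside TLS."""
    lines = [ln.strip() for ln in client_stream.splitlines()]
    findings = []
    i = 0
    while i < len(lines):
        parts = lines[i].split()
        if len(parts) >= 2 and parts[0].upper() == "AUTH":
            at = i + 1  # 1-based line number of the AUTH command, for the report
            mech = parts[1].upper()
            if mech == "LOGIN":
                if len(parts) >= 3:                      # AUTH LOGIN <base64 username>
                    user, pw = _b64text(parts[2]), _b64text(lines[i + 1])
                    i += 1
                else:                                    # AUTH LOGIN, then two base64 lines
                    user, pw = _b64text(lines[i + 1]), _b64text(lines[i + 2])
                    i += 2
                findings.append({"at": at, "mechanism": mech, "username": user, "password": pw})
            elif mech == "PLAIN":
                if len(parts) >= 3:                      # AUTH PLAIN <base64 blob>
                    blob = parts[2]
                else:                                    # AUTH PLAIN, blob on the next line
                    blob = lines[i + 1]
                    i += 1
                _authzid, user, pw = _b64text(blob).split("\0", 2)
                findings.append({"at": at, "mechanism": mech, "username": user, "password": pw})
        i += 1
    return findings


# Constructed client->server lines from two captured sessions: the AUTH LOGIN
# password token is the string captured on the page; everything else is made up.
SAMPLE_CLIENT_STREAM = (
    "EHLO laptop.example\r\n"
    "AUTH LOGIN\r\n"
    + base64.b64encode(b"user@example.com").decode("ascii") + "\r\n"
    + "NTU4cjAwbHo=\r\n"
    + "MAIL FROM:<user@example.com>\r\n"
    "QUIT\r\n"
    "EHLO laptop.example\r\n"
    "AUTH PLAIN "
    + base64.b64encode(b"\0other@example.com\0s3cret-constructed").decode("ascii") + "\r\n"
    "QUIT\r\n"
)


if __name__ == "__main__":
    for hit in find_cleartext_smtp_auth(SAMPLE_CLIENT_STREAM):
        print(hit)
```

Feeding the client side of the real tcpflow output into find_cleartext_smtp_auth() reproduces the manual "echo ... | base64 -d" step, and because it reports the line number and mechanism it doubles as a quick check for whether a mail client on your own network is still authenticating without STARTTLS.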


  1. hmmm.. it seems cool, btw I'm new to BT but I would like to learn from your blog, the article seems like the detective game. I wish I can learn analyzing just like you.. nice post.. ^^

  2. Thanks for the kind words. It's not too hard to learn this once you get the big picture. Then knowing which tools to use for a given scenario becomes second nature.