Today, results were posted for Sherri Davidoff and Jonathan Ham’s third network forensics puzzle contest. The puzzles, hosted at, are meant to encourage the development of network forensic tools that might be integrated into SANS training and toolkits. Puzzle #3 involved pulling information from an Apple TV device’s network traffic.

I participated in this contest and wrote a small Python script that generates a .CSV summary of Apple TV activity on a network and extracts .plist files from that traffic. It was a lot of fun to tinker around with, and it looks like I just managed to land in the list of finalists. You can check out the finalist entries, including mine, at the following links:

These competitions are fun to participate in, and I’m hoping that I’ll have time to finish up my entry for Puzzle #4 before the deadline.
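To make the technique described above concrete, here is a small stand-alone Python example of the two things the post's script does: pulling .plist payloads out of reassembled HTTP traffic and writing a CSV summary of them. This is added illustration, not the contest entry itself or any of the finalists' code; the sample byte stream, field names (`sessionId`, `itemName`, `playState`) and the `text/x-apple-plist+xml` / `application/x-plist` content types are constructed for the example. It uses only the standard library (`plistlib` auto-detects XML and binary plists), and it handles the common failure modes a capture throws up: a non-plist response between plist responses, a malformed body, and a stream truncated mid-body.

```python
import csv
import io
import plistlib
from typing import Dict, List, Tuple

# Constructed sample (hypothetical, not from the puzzle capture): a server answering an
# Apple TV with one XML plist, one unrelated JPEG response, and one binary plist.
_XML_PLIST = plistlib.dumps({"sessionId": "abc-123", "itemName": "Example Movie"},
                            fmt=plistlib.FMT_XML)
_BIN_PLIST = plistlib.dumps({"sessionId": "abc-123", "playState": "playing"},
                            fmt=plistlib.FMT_BINARY)


def _response(content_type: bytes, body: bytes) -> bytes:
    """Assemble one HTTP/1.1 response with an accurate Content-Length header."""
    return (b"HTTP/1.1 200 OK\r\nContent-Type: " + content_type
            + b"\r\nContent-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


SAMPLE_STREAM = (
    _response(b"text/x-apple-plist+xml", _XML_PLIST)
    + _response(b"image/jpeg", b"\xff\xd8not-really-a-jpeg")
    + _response(b"application/x-plist", _BIN_PLIST)
)


def split_responses(stream: bytes) -> List[Tuple[Dict[str, str], bytes]]:
    """Walk a reassembled server-to-client byte stream and return (headers, body) pairs.

    Bodies are delimited by Content-Length; chunked transfer encoding is not handled here.
    A body cut short by the end of the capture is kept as-is and ends the walk.
    """
    out: List[Tuple[Dict[str, str], bytes]] = []
    pos = 0
    while True:
        end = stream.find(b"\r\n\r\n", pos)
        if end == -1:
            break
        head_lines = stream[pos:end].decode("latin-1").split("\r\n")
        headers: Dict[str, str] = {}
        for line in head_lines[1:]:  # skip the status line
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body_start = end + 4
        body = stream[body_start:body_start + length]
        out.append((headers, body))
        if len(body) < length:  # truncated capture
            break
        pos = body_start + length
    return out


def extract_plists(stream: bytes) -> List[dict]:
    """Decode every response whose Content-Type advertises a property list."""
    found = []
    for idx, (headers, body) in enumerate(split_responses(stream)):
        ctype = headers.get("content-type", "")
        if "plist" not in ctype.lower():
            continue
        try:
            data = plistlib.loads(body)  # works for both XML and bplist bodies
        except Exception:
            continue  # malformed or truncated body: skip rather than abort the run
        found.append({"index": idx, "content_type": ctype, "plist": data})
    return found


def csv_summary(stream: bytes) -> str:
    """One CSV row per extracted plist: response index, content type, key list, session id."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["response_index", "content_type", "keys", "sessionId"])
    for rec in extract_plists(stream):
        p = rec["plist"]
        writer.writerow([rec["index"], rec["content_type"],
                         ";".join(sorted(p.keys())), p.get("sessionId", "")])
    return buf.getvalue()


if __name__ == "__main__":
    print(csv_summary(SAMPLE_STREAM))
```

In a real workflow the `SAMPLE_STREAM` bytes would come from a TCP stream reassembled by a capture tool; the parsing and summary logic stay the same, and the content-type check is what keeps image and other non-plist responses out of the summary.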

  4 Responses to “Network Forensics Puzzle #3 Finalist!”

  1. Cops have no business learning this, they ought to spend time writing tickets and catching killers and crack dealers, pimps and, maybe child porno, you know, people who really need to be in prison, I'd sleep better at night knowing that boss hawg and his high and mighty judge cronies, and the privatized prisons who make a capitalist mockery of justice, sleeping soundly knowing they don't have the power to put me away for a few petty keystrokes because impotence and anus cancer has got them afraid the bad man might sleep with their women. bwhahaha.

  2. A lot of digital forensic techniques that don’t look useful on the surface can come in handy with some cases.

    Even if it’s not directly related to the crime in question, being able to show that someone was in a household and using computers (or other devices) there at a given time can punch holes in alibis or whatever story a suspect might come up with when interviewed.

  3. Just because a user's account was logged in does not prove that he was there.

    • Certain kinds of network and file activity can show that someone was there. How that contradicts or corroborates what the suspect is saying in interviews, or how it relates to non-digital evidence varies from case to case.

      You’ve hit the nail on the head though: One of the biggest difficulties in digital forensics is “putting a butt in a chair”. You have to tie it together with other forms of forensics and investigations. I suppose other types of forensics have the same problem: if my fingerprints are on a knife, it doesn’t prove I stabbed someone with it. It’s up to investigators and legal teams to bring it all together into something that makes sense for that case.


© 2012 McGrew Security