The results are in for the sixth Network Forensics Puzzle contest, and I won first place! You can see my writeup, along with many of the other winner’s entries, at the forensicscontest.com blog:
Big thanks to everyone who put this contest together, as well as the prize sponsors for making it well worth my time to put in an entry.
I wrote a tool for my entry, pcapline.py, which generates an HTML report for a pcap file that an investigator can use to navigate around the various conversations and inspect the data being sent back and forth. Here are some of the features I describe in my writeup:
- HTML reports that allow for easy navigation/importing into a larger report
- Generates a summary of flows between hosts on the network
- Flows are broken up by segments representing parts of the conversation
- Segments are dissected, carved, hashed. Currently, Pcapline supports HTTP GET requests and responses and the malware file transfers seen in challenge #6
While pcapline is developed and tuned for answering the questions from this challenge, it’s still a very useful starting point for examining other packet data as well. You can view the report generated by pcapline here:
(NOTE: Files and data are carved out that some signature-based IPS will detect as being malicious. I observed this on one computer where Sophos blocked access to this site on that computer after clicking the wrong link in this report. You’re not likely in any danger, as pcapline renames things in such a way that they shouldn’t be executed or viewed in their native formats, but do take care)
Here’s the script itself. It’s a slightly newer version than the one on forensicscontest.com . I fixed a couple of places where it was generating terrible HTML that non-firefox browsers choked on.