The results are in for the sixth Network Forensics Puzzle contest, and I won first place!  You can see my writeup, along with many of the other winners’ entries, at the forensicscontest.com blog:

Big thanks to everyone who put this contest together, as well as the prize sponsors for making it well worth my time to put in an entry.

I wrote a tool for my entry, pcapline.py, which generates an HTML report for a pcap file that an investigator can use to navigate around the various conversations and inspect the data being sent back and forth.  Here are some of the features I describe in my writeup:

  • HTML reports that allow for easy navigation/importing into a larger report
  • Generates a summary of flows between hosts on the network
  • Flows are broken up by segments representing parts of the conversation
  • Segments are dissected, carved, and hashed. Currently, pcapline supports HTTP GET requests and responses and the malware file transfers seen in challenge #6

While pcapline was developed and tuned to answer the questions from this challenge, it’s still a very useful starting point for examining other packet data as well.  You can view the report generated by pcapline here:

(NOTE: Files and data are carved out that some signature-based IPS products will detect as malicious.  I observed this on one computer, where Sophos blocked access to this site after I clicked the wrong link in this report.  You’re not likely in any danger, as pcapline renames carved files in such a way that they shouldn’t be executed or viewed in their native formats, but do take care.)
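As an added example (this is not pcapline.py’s own code, and none of the sample bytes come from the contest pcap), here is what the per-segment work described above looks like in a small, self-contained form: one reassembled HTTP response segment is dissected into status line, headers and body; the body is hashed and given a carved filename with a neutral suffix so nothing will open it in its native format; and the summary is rendered as an HTML table row with every value escaped. The parser deliberately tolerates a response with no Content-Type header, the kind of input that makes a stricter dissector crash. The segment bytes, hostnames and filename scheme are all constructed for the example.

```python
"""Added example, not pcapline.py itself: dissect one reassembled HTTP
response segment, carve and hash its body, and render an escaped HTML
report row.  Sample segments below are constructed, not from the contest
pcap."""
import hashlib
import html
import re

# Constructed sample segments (one TCP direction each, already reassembled).
RESPONSE_WITH_TYPE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: 12\r\n"
    b"\r\n"
    b"MZ-not-real!"
)
RESPONSE_NO_TYPE = (        # no Content-Type at all: must not crash the parser
    b"HTTP/1.1 302 Found\r\n"
    b"Location: http://example.invalid/next\r\n"
    b"\r\n"
)
OPAQUE_SEGMENT = b"\x16\x03\x01\x00\x05hello"   # not HTTP; reported as opaque

STATUS_RE = re.compile(rb"^HTTP/1\.[01] (\d{3}) ?(.*?)\r?\n")


def dissect_response(data):
    """Split an HTTP response into status, headers (lower-cased keys) and body.
    Returns None when the segment does not start with an HTTP status line."""
    m = STATUS_RE.match(data)
    if not m:
        return None
    head, sep, body = data.partition(b"\r\n\r\n")
    if not sep:                      # tolerate bare-LF line endings
        head, sep, body = data.partition(b"\n\n")
    headers = {}
    for line in head.split(b"\n")[1:]:
        name, colon, value = line.rstrip(b"\r").partition(b":")
        if colon:                    # skip malformed header lines instead of failing
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    length = headers.get("content-length")
    if length and length.isdigit():  # trust Content-Length only when it is numeric
        body = body[:int(length)]
    return {"status": int(m.group(1)), "reason": m.group(2).decode("latin-1"),
            "headers": headers, "body": body}


def carve_name(seg_id, info):
    """Name for the carved body: content-type slug plus hash prefix, with a
    neutral suffix so nothing opens it as an executable, image or HTML page."""
    ctype = info["headers"].get("content-type", "unknown")   # missing header is fine
    slug = re.sub(r"[^a-z0-9]+", "_", ctype.lower())
    digest = hashlib.sha256(info["body"]).hexdigest()
    return f"seg{seg_id}_{slug}_{digest[:16]}.carved"


def summarize(seg_id, data):
    """Per-segment summary dict, the unit a report page is built from."""
    info = dissect_response(data)
    if info is None:
        return {"segment": seg_id, "kind": "opaque", "bytes": len(data),
                "sha256": hashlib.sha256(data).hexdigest()}
    return {"segment": seg_id, "kind": "http-response", "status": info["status"],
            "content_type": info["headers"].get("content-type"),
            "body_bytes": len(info["body"]),
            "sha256": hashlib.sha256(info["body"]).hexdigest(),
            "carved_as": carve_name(seg_id, info)}


COLUMNS = ("segment", "kind", "status", "content_type", "body_bytes", "sha256", "carved_as")


def report_row(summary):
    """One <tr> for the HTML report.  Every cell is escaped, so a header value
    captured off the wire (say '<script>') cannot break or script the report."""
    cells = []
    for key in COLUMNS:
        value = summary.get(key)
        cells.append("" if value is None else str(value))
    return "<tr>" + "".join(f"<td>{html.escape(c)}</td>" for c in cells) + "</tr>"


if __name__ == "__main__":
    print("<table>")
    for seg_id, seg in enumerate((RESPONSE_WITH_TYPE, RESPONSE_NO_TYPE, OPAQUE_SEGMENT), 1):
        print(report_row(summarize(seg_id, seg)))
    print("</table>")
```

Two design points carry over to a real report generator: header values and carved filenames are attacker-controlled bytes from the wire, so they are escaped before they reach HTML, and the carved name never reuses the server-supplied extension, which is what keeps a browser or file manager from rendering or running the carved content when an investigator clicks through the report.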

Here’s the script itself.  It’s a slightly newer version than the one on forensicscontest.com.  I fixed a couple of places where it was generating terrible HTML that non-Firefox browsers choked on.

Enjoy!

  9 Responses to “Pcapline.py and the Ann's Aurora network forensics challenge”

  1. Hi Wesley! Awesome tool. I updated forensicscontest.com so that it has the latest version of pcapline.py now. We’ll just put a link to your site in our “Tools” section, so that it’s always the most up to date.

    Congratulations!

    Sherri

    • Thanks Sherri! Glad to see that the judges like the tool. I’m putting together some network forensics course material for law enforcement training here at the NFTC, so I may be adding features to pcapline as I go to make it something the students in the class can use.

  2. That was nice. Congratulations, because you won the 1st prize.

  3. Very nice tool. I did notice that some HTTP responses cause crashes due to missing Content-type headers. Fixed with a simple “if m:” around line 160.

    I also made mods to add some additional fields:

    # added by marty
    import re  # not in the original snippet; pcapline's own import is assumed when this is pasted in

    # 'data' is the segment payload and 's' the summary string being built
    m = re.search(r'^HTTP/1.1 (.+)\n', data)   # status line of the response
    if m:                                      # guard: not every segment is a response
        s += ' HTTP result: %s\n' % m.group(1)

    What are the terms of use for pcapline?

    • Thanks for the patch. The lack of testing of pcapline shows ;)

      As for terms-of-use and licensing, let’s call it BSD. Essentially: do as you please with it, all I want is attribution.

  4. Very interesting talk today. Thanks for coming by.

  5. [...] part of a recent forensic challenge, Wesley McGrew created pcapline.py to help answer the questions of the challenge. Rather than focusing on the tool itself, what I [...]

  6. Love the tool, however when running it on my Ubuntu 11.04 box I’m having an issue where the html doc inside the separate packet folders shows up blank.. I’m using it to parse through the evidence file from that forensic challenge to ensure that it was working correctly.

© 2012 McGrew Security