Had a little time to look into Ann’s Aurora, a forensic contest posted by SANS Digital Forensics. First of all, I have to say, these contests are totally awesome, since they give forensics investigators the opportunity to try out new ideas and build new tools to solve very real problems. The solution to this one has already been published by @McGrewSecurity, who posted a new tool called pcapline.py. It’s a tool that, amongst other things, carves embedded content out of pcaps. Very slick.
I wanted to see if xtractr could answer all the challenge questions. Some of the questions are fairly easy to answer since xtractr indexes pcaps and also does flow classification. In other words, it groups packets that belong to the same conversation so we can get a bird’s eye view of the packets and then quickly drill down.
Partial TCP flows
The first thing I ran into was that the initial HTTP flow didn’t have the TCP 3-way handshake. We had to update xtractr to handle this, so TCP flows that lack the handshake are now still classified properly, as you can see below:
As you can see, xtractr automatically pulls out content embedded in packets. This makes it super easy to answer MD5-related questions. This content extraction works even for HTTP chunked encoding as well as gzip compression.
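To make concrete what “content extraction” has to do before an MD5 can be taken, here is an added example in pure Python (not code from the original post or from xtractr): it takes a reassembled HTTP response, undoes chunked transfer encoding, gunzips the result and hashes the recovered bytes. The sample response is constructed inline, not taken from the contest pcap; the function names are my own.

```python
import gzip
import hashlib


def build_sample_response(payload: bytes) -> bytes:
    """Construct a chunked, gzip-compressed HTTP response carrying `payload`.

    This is a constructed sample standing in for a response reassembled from a
    TCP stream; it is not data from the contest capture.
    """
    compressed = gzip.compress(payload)
    # Split the compressed body into two chunks so the chunk parser is exercised.
    half = len(compressed) // 2
    chunks = [compressed[:half], compressed[half:]]
    body = b"".join(b"%x\r\n%s\r\n" % (len(c), c) for c in chunks) + b"0\r\n\r\n"
    headers = (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: text/html\r\n"
        b"Content-Encoding: gzip\r\n"
        b"Transfer-Encoding: chunked\r\n\r\n"
    )
    return headers + body


def parse_headers(raw: bytes):
    """Split status line, lower-cased header dict and raw body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return status, headers, body


def dechunk(body: bytes) -> bytes:
    """Reassemble a Transfer-Encoding: chunked body (RFC 7230 section 4.1).

    Each chunk is '<hex size>[;extensions]\\r\\n<data>\\r\\n'; a zero-size chunk
    terminates the body, optionally followed by trailer headers.
    """
    out = bytearray()
    pos = 0
    while True:
        end = body.index(b"\r\n", pos)
        size_field = body[pos:end].split(b";")[0]  # drop chunk extensions
        size = int(size_field, 16)
        pos = end + 2
        if size == 0:
            break  # last chunk; any trailers follow and are ignored here
        out += body[pos:pos + size]
        pos += size + 2  # skip chunk data plus its trailing CRLF
    return bytes(out)


def extract_content(raw: bytes) -> bytes:
    """Recover the application-level bytes the client actually received."""
    _status, headers, body = parse_headers(raw)
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = dechunk(body)
    if headers.get("content-encoding", "").lower() == "gzip":
        body = gzip.decompress(body)
    return body


def content_md5(raw: bytes) -> str:
    """MD5 of the decoded content, the value a challenge question would ask for."""
    return hashlib.md5(extract_content(raw)).hexdigest()


if __name__ == "__main__":
    sample = build_sample_response(b"<html><body>hello</body></html>")
    print(content_md5(sample))
```

Hashing the on-the-wire bytes instead of the decoded ones is the classic mistake here: the chunk-size lines and the gzip container change the digest, so two captures of the same file would not match.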
Open and Close
A bunch of the challenge questions were about the timing of flows and packets. xtractr allows you to type in complex queries at both the flow and the packet level. This means we can find packets that match specific criteria almost instantaneously, since everything is indexed. Here’s one query that shows the time at which a SYN-ACK or a FIN was received, which of course corresponds to the connection being established or torn down.
Plotting numerical values
Okay, the challenge questions involving how certain numbers change over time stumped xtractr briefly. We just didn’t have a way to chart things like TCP sequence numbers, IP identification fields and so on. We’ve updated xtractr so it can now plot any numeric value in the indexed pcaps. This allows the forensics investigator to look for patterns with just a couple of clicks. For example, here’s the TCP sequence number of a particular flow with repeated connection attempts:
We can clearly see that the initial sequence number in the SYN packets changed every 15 packets or so.
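The three pieces of flow logic discussed above (classifying a TCP conversation whose handshake was never captured, recording when the SYN-ACK and the first FIN arrived, and spotting where the initial sequence number in repeated SYNs changes) fit in one small tracker. This is an added example in Python, not xtractr’s code or the post author’s; the packet records are constructed inline and the class and function names are my own.

```python
from collections import OrderedDict
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Packet:
    """Minimal view of a decoded TCP segment: timestamp, 4-tuple, seq, flags."""
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    syn: bool = False
    ack: bool = False
    fin: bool = False


@dataclass
class Flow:
    first_seen: float
    handshake_seen: bool = False               # did we see a bare SYN at all?
    established_at: Optional[float] = None     # time the SYN-ACK was received
    teardown_at: Optional[float] = None        # time the first FIN was seen
    packets: int = 0
    syn_isns: list = field(default_factory=list)  # ISN carried by each client SYN


def flow_key(p: Packet):
    """Direction-agnostic 4-tuple, so both halves of a conversation share one
    flow even when the SYN was never captured and we cannot tell who initiated."""
    a = (p.src, p.sport)
    b = (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


def classify(packets):
    """Group segments into flows and record open/close timing per flow."""
    flows = OrderedDict()
    for p in sorted(packets, key=lambda x: x.ts):
        key = flow_key(p)
        f = flows.get(key)
        if f is None:
            # No handshake required: a mid-stream segment opens the flow.
            f = flows[key] = Flow(first_seen=p.ts)
        f.packets += 1
        if p.syn and not p.ack:
            f.handshake_seen = True
            f.syn_isns.append(p.seq)
        elif p.syn and p.ack and f.established_at is None:
            f.established_at = p.ts
        if p.fin and f.teardown_at is None:
            f.teardown_at = p.ts
    return flows


def isn_change_points(isns):
    """Indices into the SYN list where the ISN differs from the previous SYN.

    A retransmitted SYN keeps its sequence number, so a change marks a fresh
    connection attempt rather than a retry of the same one.
    """
    return [i for i in range(1, len(isns)) if isns[i] != isns[i - 1]]


def sample_packets():
    """Constructed packets (not from the contest capture) covering three cases."""
    c, s1, s2 = "10.0.0.5", "192.0.2.10", "192.0.2.20"
    return [
        # Flow 1: capture started mid-stream, no handshake, server FINs at t=1.5.
        Packet(1.0, c, 40000, s1, 80, seq=1000, ack=True),
        Packet(1.1, s1, 80, c, 40000, seq=5000, ack=True),
        Packet(1.5, s1, 80, c, 40000, seq=5100, ack=True, fin=True),
        # Flow 2: full handshake, established at the SYN-ACK, FIN at t=3.0.
        Packet(2.0, c, 40001, s1, 80, seq=7000, syn=True),
        Packet(2.05, s1, 80, c, 40001, seq=9000, syn=True, ack=True),
        Packet(2.06, c, 40001, s1, 80, seq=7001, ack=True),
        Packet(3.0, c, 40001, s1, 80, seq=7001, ack=True, fin=True),
        # Flow 3: unanswered SYNs; three retransmits share one ISN, then a new attempt.
        Packet(10.0, c, 40002, s2, 8080, seq=3000, syn=True),
        Packet(11.0, c, 40002, s2, 8080, seq=3000, syn=True),
        Packet(13.0, c, 40002, s2, 8080, seq=3000, syn=True),
        Packet(20.0, c, 40002, s2, 8080, seq=3500, syn=True),
        Packet(21.0, c, 40002, s2, 8080, seq=3500, syn=True),
    ]


if __name__ == "__main__":
    for key, f in classify(sample_packets()).items():
        print(key, f"packets={f.packets} handshake={f.handshake_seen} "
                   f"established={f.established_at} teardown={f.teardown_at} "
                   f"isn_changes={isn_change_points(f.syn_isns)}")
```

The defender’s takeaway is the same one the post makes for xtractr: a tracker that refuses to create a flow until it sees a SYN silently drops every conversation that was already in progress when capture started, which is exactly where the interesting traffic often is.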
The SANS Forensics Challenges are really pushing the creativity of both the investigators and the tools that help them solve complex investigations. You can download xtractr here. It’s free and can index up to 1 GB of pcaps or 10 million packets.