Had a little time to look into Ann’s Aurora, a forensic contest posted by SANS Digital Forensics. First of all, I have to say these contests are totally awesome: they give forensic investigators the opportunity to try out new ideas and build new tools to solve very real problems. A solution has already been published by @McGrewSecurity, who released a new tool called pcapline.py. Among other things, it carves embedded content out of pcaps. Very slick.
I wanted to see if xtractr could answer all the challenge questions. Some of them are fairly easy because xtractr indexes pcaps and also does flow classification: it groups packets that belong to the same conversation, so we get a bird’s-eye view of the traffic and can then quickly drill down.
Partial TCP flows
The first thing I ran into was that the initial HTTP flow had no TCP 3-way handshake. We had to update xtractr to handle this, so TCP flows that lack the handshake are now still classified properly, as you can see below:
As you can see, xtractr automatically pulls out content embedded in packets, which makes it very easy to answer the MD5-related questions. This content extraction also works for HTTP chunked encoding as well as gzip compression.
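To show what that extraction has to do before a body can be hashed when a response is both chunked and gzip-compressed, here is an added example written for this post (not xtractr’s own code): it splits the headers from the body, reassembles the chunks, decompresses, and returns the MD5 of the result. The response bytes are constructed, and the function names (`split_http_response`, `dechunk`, `extract_body`, `body_md5`) are chosen here.

```python
"""Decode an HTTP response body that is chunked and gzip-compressed, then hash it.
Added example, not xtractr's code; the response below is constructed."""
import gzip
import hashlib


def split_http_response(raw: bytes):
    """Separate the status line and headers from the body; header names are lowercased."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers found")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return status, headers, body


def dechunk(body: bytes) -> bytes:
    """Reassemble a Transfer-Encoding: chunked body (hex size line, data, CRLF, ... , 0)."""
    out = bytearray()
    pos = 0
    while True:
        end = body.index(b"\r\n", pos)
        size_field = body[pos:end].split(b";", 1)[0]  # drop any chunk extension
        size = int(size_field, 16)
        pos = end + 2
        if size == 0:
            break  # last chunk; optional trailers follow and are ignored here
        out += body[pos:pos + size]
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("malformed chunk terminator")
        pos += 2
    return bytes(out)


def extract_body(raw: bytes) -> bytes:
    """Apply transfer decoding first, then content decoding, as a client would."""
    _status, headers, body = split_http_response(raw)
    if "chunked" in headers.get("transfer-encoding", "").lower():
        body = dechunk(body)
    if headers.get("content-encoding", "").lower() == "gzip":
        body = gzip.decompress(body)
    return body


def body_md5(raw: bytes) -> str:
    """MD5 of the fully decoded body, the value the challenge questions ask for."""
    return hashlib.md5(extract_body(raw)).hexdigest()


def build_sample_response(payload: bytes) -> bytes:
    """Constructed response: gzip the payload and send it as two chunks."""
    compressed = gzip.compress(payload, mtime=0)
    mid = len(compressed) // 2
    chunks = [compressed[:mid], compressed[mid:]]
    body = b"".join(b"%x\r\n%s\r\n" % (len(c), c) for c in chunks) + b"0\r\n\r\n"
    return (b"HTTP/1.1 200 OK\r\n"
            b"Content-Type: text/html\r\n"
            b"Transfer-Encoding: chunked\r\n"
            b"Content-Encoding: gzip\r\n\r\n" + body)


SAMPLE_PAYLOAD = b"<html><body>constructed sample page</body></html>"
SAMPLE_RESPONSE = build_sample_response(SAMPLE_PAYLOAD)

if __name__ == "__main__":
    print(extract_body(SAMPLE_RESPONSE))
    print(body_md5(SAMPLE_RESPONSE))
```

The order matters: hashing the raw chunked or still-compressed bytes gives a different digest from hashing the decoded body, so an MD5 answer should state which of the two it refers to.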
Open and Close
A bunch of the challenge questions were about the timing of flows and packets. xtractr lets you type in complex queries at both the flow and packet level, and because everything is indexed, packets matching specific criteria are found almost instantly. Here’s one query that shows the time at which a SYN-ACK or a FIN was received, which of course corresponds to the connection being established and torn down.
Plotting numerical values
Okay, the challenge questions about how certain numbers change over time stumped xtractr briefly: we simply had no way to chart values like TCP sequence numbers, IP identifiers and so on. We’ve updated xtractr so it can now plot any numeric value in the indexed pcaps, which lets the investigator look for patterns with just a couple of clicks. For example, here’s the TCP sequence number of a particular flow with repeated connection attempts:
We can clearly see that the initial sequence number in the SYN packets changed every 15 packets or so.
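The three xtractr behaviours described above (classifying a flow whose handshake was never captured, finding the SYN-ACK and FIN times of a flow, and watching the initial sequence number across repeated SYNs) can be reproduced with a few lines over parsed packet records. The following is an added example written for this post, not xtractr’s code: the packet records are constructed, and the names `Packet`, `flow_key`, `classify_flows`, `flow_timing`, `isn_runs` and `summarize` are chosen here.

```python
"""Flow classification that does not depend on the 3-way handshake, per-flow
open/close timing, and ISN runs across repeated SYNs.  Added example, not
xtractr's code; all packet records are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float     # capture timestamp in seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: str    # TCP flags present, drawn from "S", "A", "F", "R"
    seq: int      # TCP sequence number


def flow_key(p: Packet):
    """Direction-independent endpoint pair so both halves of a conversation
    land in the same flow, regardless of which packet was captured first."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


def classify_flows(packets):
    """Group packets into flows purely by endpoint pair.  A flow whose SYN
    predates the capture is still a flow; it just has no handshake packets."""
    flows = defaultdict(list)
    for p in sorted(packets, key=lambda p: p.ts):
        flows[flow_key(p)].append(p)
    return dict(flows)


def flow_timing(flow):
    """Return (first_seen, established, torn_down) for one flow: the first
    SYN-ACK and the first FIN, or None when that packet is not in the capture."""
    first = flow[0].ts
    synack = next((p.ts for p in flow if "S" in p.flags and "A" in p.flags), None)
    fin = next((p.ts for p in flow if "F" in p.flags), None)
    return first, synack, fin


def isn_runs(flow):
    """Collapse the SYN-only packets of a flow into (isn, count) runs in capture
    order.  Retransmitted SYNs reuse the ISN and extend the run; a fresh
    connection attempt appears as a new run with a different ISN."""
    runs = []
    for p in flow:
        if p.flags != "S":
            continue
        if runs and runs[-1][0] == p.seq:
            runs[-1][1] += 1
        else:
            runs.append([p.seq, 1])
    return [tuple(r) for r in runs]


# Constructed packets: flow A starts mid-stream (no handshake captured), flow B
# has a full handshake and teardown, flow C is a client retrying an unanswered
# connection, retransmitting its SYN and then starting over with a new ISN.
CLIENT, SERVER = "10.0.0.5", "203.0.113.9"
SAMPLE = [
    Packet(0.10, CLIENT, 40001, SERVER, 80, "A", 700),
    Packet(0.12, SERVER, 80, CLIENT, 40001, "A", 900),
    Packet(0.50, CLIENT, 40001, SERVER, 80, "FA", 740),
    Packet(1.00, CLIENT, 40002, SERVER, 443, "S", 1000),
    Packet(1.05, SERVER, 443, CLIENT, 40002, "SA", 4000),
    Packet(1.06, CLIENT, 40002, SERVER, 443, "A", 1001),
    Packet(2.00, CLIENT, 40002, SERVER, 443, "FA", 1001),
    Packet(3.00, CLIENT, 40003, SERVER, 8080, "S", 2000),
    Packet(3.50, CLIENT, 40003, SERVER, 8080, "S", 2000),
    Packet(4.50, CLIENT, 40003, SERVER, 8080, "S", 2000),
    Packet(9.00, CLIENT, 40003, SERVER, 8080, "S", 2600),
    Packet(9.50, CLIENT, 40003, SERVER, 8080, "S", 2600),
]


def summarize(packets):
    """Per-flow report keyed by endpoint pair: timing plus ISN runs."""
    return {key: {"timing": flow_timing(flow), "isn_runs": isn_runs(flow)}
            for key, flow in classify_flows(packets).items()}


if __name__ == "__main__":
    for key, info in summarize(SAMPLE).items():
        print(key, info)
```

Flow A comes out with `established` set to None because its SYN-ACK was never captured, which is exactly the partial-flow case above; flow C’s ISN runs are the list form of the step pattern the sequence-number plot shows.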
The SANS Forensics Challenges are really pushing the creativity of both the investigators and the tools that help them solve complex investigations. You can download xtractr here. It’s free and can index up to 1 GB of pcaps or 10 million packets.
Pingback: Twitter Trackbacks for Mu Dynamics Research Labs » Blog Archive » Solving Ann’s Aurora with xtractr [mudynamics.com] on Topsy.com