forensicscontest Test 2
2024-12-19 20:43

Original puzzle:

# Puzzle #2: Ann Skips Bail

After being released on bail, Ann Dercover disappears! Fortunately, investigators were carefully monitoring her network activity before she skipped town.

“We believe Ann may have communicated with her secret lover, Mr. X, before she left,” says the police chief. “The [packet capture](https://forensicscontest.com/contest02/evidence02.pcap) may contain clues to her whereabouts.”

You are the forensic investigator. Your mission is to figure out what Ann emailed, where she went, and recover evidence including:

1. What is Ann’s email address?

2. What is Ann’s email password?

3. What is Ann’s secret lover’s email address?

4. What two items did Ann tell her secret lover to bring?

5. What is the NAME of the attachment Ann sent to her secret lover?

6. What is the MD5sum of the attachment Ann sent to her secret lover?

7. In what CITY and COUNTRY is their rendez-vous point?

8. What is the MD5sum of the image embedded in the document?

Here is your [evidence file](https://forensicscontest.com/contest02/evidence02.pcap):

[http://forensicscontest.com/contest02/evidence02.pcap](https://forensicscontest.com/contest02/evidence02.pcap)

MD5 (evidence02.pcap) = cfac149a49175ac8e89d5b5b5d69bad3

The MOST ELEGANT solution wins. In the event of a tie, the entry submitted first will receive the prize. Scripting is always encouraged. We love to see well-written, easy-to-use tools which automate even small sections of the evidence recovery. You are welcome to build upon the work of others, **as long as their work has been released under a GPL license**. (If it has been released under another free-software license, [email us](mailto:contest@jhamcorp.com) to confirm eligibility.) All responses should be submitted as plain text. Microsoft Word documents, PDFs, etc. will NOT be reviewed.

Exceptional solutions may be incorporated into the SANS Network Forensics Toolkit. Authors agree that their code submissions will be freely published under the GPL license, in order to further the state of network forensics knowledge. Exceptional submissions may also be used as examples and tools in the Network Forensics class. All authors will receive full credit for their work.


Core translation:

Ann skipped bail, but before she left town investigators had been carefully monitoring her network activity.

"We believe Ann may have communicated with her secret lover, Mr. X, before she left," says the police chief.

Your task is to figure out what Ann emailed, where she went, and to collect evidence, including:

1. What is Ann's email address?

2. What is Ann's email password?

3. What is Ann's secret lover's email address?

4. What two items did Ann tell her secret lover to bring?

5. What is the name of the attachment Ann sent to her secret lover?

6. What is the MD5sum of the attachment Ann sent to her secret lover?

7. In what city and country is their rendezvous point?

8. What is the MD5sum of the image embedded in the document?

Here is your evidence file: https://forensicscontest.com/contest02/evidence02.pcap, MD5: cfac149a49175ac8e89d5b5b5d69bad3.


Solution approach:

1. Analyse the capture. Given the questions, focus on the mail protocols (SMTP/POP3/IMAP) and follow the TCP stream starting at frame 56:

2. The followed stream shows a complete SMTP session, including the login exchange and the target's (Ann's) email address:

3. SMTP AUTH LOGIN transmits the username and password base64-encoded (encoded, not encrypted), so base64-decoding the login part of the stream (https://base64.us/) yields the credentials: sneakyg33k@aol.com / 558r00lz

4. Continuing through the stream, this first message is unremarkable and contains nothing of interest, so set it aside and keep going through the capture. SMTP traffic appears again from frame 112; follow that stream:

5. This message contains intimate wording such as "sweetheart", which confirms it is the mail between Ann and her lover. It gives the lover's address, mistersecretx@aol.com; the subject is a rendezvous; and it asks him to bring a fake passport ("your fake passport and a bathing suit."). Further on in the stream there is an attachment, carried as a large block of base64-encoded content:

6. Use a tool to decode the base64 content back into a file (https://base64.guru/converter/decode/file): this yields secretrendezvous.docx

7. Then, as the questions require, compute the MD5 sums and look up the address (here via Baidu).

To compute the MD5 of the image inside the Word file, unpack the .docx (a ZIP archive) with an archive tool such as WinRAR and extract the image.
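As an added example (not from the write-up or the contest), steps 3 to 7 above can be automated: assuming the followed SMTP stream has been saved as text, this script decodes the AUTH LOGIN credentials, parses the message, base64-decodes the attachment, computes its MD5 and, for a .docx (a ZIP archive), the MD5 of each embedded image under word/media/. The session below is constructed; the addresses, credentials and attachment are made up.

```python
import base64, hashlib, io, re, zipfile
from email import message_from_bytes
from email.policy import default

def md5_hex(data):
    return hashlib.md5(data).hexdigest()

def build_sample_session():
    """Constructed SMTP transcript standing in for the followed TCP stream.
    Credentials, addresses and the .docx attachment are all made up here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:              # a .docx is a ZIP archive
        z.writestr("word/media/image1.png", b"\x89PNG constructed image bytes")
    attach = base64.b64encode(buf.getvalue()).decode()
    body = ("From: <alice@example.test>\r\nTo: <bob@example.test>\r\n"
            "Subject: rendezvous\r\nMIME-Version: 1.0\r\n"
            'Content-Type: multipart/mixed; boundary="XYZ"\r\n\r\n'
            "--XYZ\r\nContent-Type: text/plain\r\n\r\nBring your passport.\r\n"
            '--XYZ\r\nContent-Type: application/octet-stream; name="meet.docx"\r\n'
            "Content-Transfer-Encoding: base64\r\n"
            'Content-Disposition: attachment; filename="meet.docx"\r\n\r\n'
            + attach + "\r\n--XYZ--")
    return ("EHLO client\r\n250 OK\r\nAUTH LOGIN\r\n334 VXNlcm5hbWU6\r\n"
            + base64.b64encode(b"alice@example.test").decode() + "\r\n334 UGFzc3dvcmQ6\r\n"
            + base64.b64encode(b"s3cret").decode() + "\r\n235 Authentication successful\r\n"
            "MAIL FROM:<alice@example.test>\r\n250 OK\r\nRCPT TO:<bob@example.test>\r\n250 OK\r\n"
            "DATA\r\n354 End data with <CR><LF>.<CR><LF>\r\n" + body + "\r\n.\r\n250 OK\r\nQUIT\r\n")

SERVER = re.compile(r"^\d{3}[ -]")                    # SMTP reply lines start with a 3-digit code

def analyse_smtp(session):
    """Recover login, envelope and attachments (with MD5s) from a followed SMTP stream."""
    lines = session.split("\r\n")
    i = lines.index("AUTH LOGIN")                    # next two client lines: base64 user, base64 password
    user, password = (base64.b64decode(l).decode() for l in lines[i + 1:i + 5] if not SERVER.match(l))
    start = lines.index("DATA") + 1                  # message runs from after the 354 reply to the "." line
    while SERVER.match(lines[start]):
        start += 1
    raw = "\r\n".join(lines[start:lines.index(".", start)]).encode()
    msg = message_from_bytes(raw, policy=default)
    result = {"user": user, "password": password, "from": msg["From"].addresses[0].addr_spec,
              "to": msg["To"].addresses[0].addr_spec, "subject": str(msg["Subject"]), "attachments": []}
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)         # undoes the base64 transfer encoding
        entry = {"filename": part.get_filename(), "md5": md5_hex(data), "media": {}}
        if zipfile.is_zipfile(io.BytesIO(data)):     # .docx: hash every embedded image in word/media/
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                for name in z.namelist():
                    if name.startswith("word/media/"):
                        entry["media"][name] = md5_hex(z.read(name))
        result["attachments"].append(entry)
    return result

if __name__ == "__main__":
    print(analyse_smtp(build_sample_session()))
```

On a real capture, save the followed stream from the packet analyser as raw text and pass it to analyse_smtp in place of the constructed session.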


1. What is Ann's email address?

sneakyg33k@aol.com

2. What is Ann's email password?

558r00lz

3. What is Ann's secret lover's email address?

mistersecretx@aol.com

4. What two items did Ann tell her secret lover to bring?

your fake passport and a bathing suit.

5. What is the name of the attachment Ann sent to her secret lover?

secretrendezvous.docx

6. What is the MD5sum of the attachment Ann sent to her secret lover?

9e423e11db88f01bbff81172839e1923

7. In what city and country is their rendezvous point?

Playa del Carmen, Mexico

8. What is the MD5sum of the image embedded in the document?

aadeace50997b1ba24b09ac2ef1940b7
