Digital Forensics & Incident Response Challenge

Digital Forensics & Incident Response Challenge

Ann's Aurora - An Advanced Persistent Threat based challenge

by Sherri Davidoff, Eric Fulton, and Jonathan Ham (Lake Missoula Group, LLC)

Introduction by Rob Lee

Rob Lee

Digital forensic professionals routinely have to deal with advanced threats such as the APT and organized crime. Understanding how many of these crimes take place is crucial to creating lethal forensicators armed with the knowledge and skills to analyze complex cases. We asked Jonathan Ham and Sherri Davidoff (who co-authored the sell-out Forensics 558: Network Forensics course and created many successful contests at forensicscontest.com) to create a contest based partially on how the APT might try and trigger a compromise to steal intellectual property via a targeted attack via spear phishing. This archived challenge is a very useful case study in exploring malicious network attacks and how to solve them.


Case Background

Ann Dercover is after SaucyCorp's Secret Sauce recipe. She's been trailing the lead developer, Vick Timmes, to figure out how she can remotely access SaucyCorp's servers. One night, while conducting reconnaissance, she sees him log into his laptop (10.10.10.70) and VPN into SaucyCorp's headquarters.

Leveraging her connections with international hacking organizations, Ann obtains a 0-day exploit for Internet Explorer and launches a client-side spear phishing attack against Vick Timmes. Ann carefully crafts an email to Vick containing tips on how to improve secret sauce recipes and sends it. Seeing an opportunity that could get him that Vice President of Product Development title (and corner office) that he's been coveting, Vick clicks on the link. Ann is ready to strike...


Contest Questions

You are the forensic investigator. Your mission is to analyze the packet capture containing Ann's exploit, build a timeline, and submit your evidence including...

  1. What was the full URI of Vick Timmes' original web request? (Please include the port in your URI.)
  2. In response, the malicious web server sent back obfuscated JavaScript. Near the beginning of this code, the attacker created an array with 1300 elements labeled "COMMENT", then filled their data element with a string. What was the value of this string?
  3. Vick's computer made a second HTTP request for an object.
    1. What was the filename of the object that was requested?
    2. What is the MD5sum of the object that was returned?
  4. When was the TCP session on port 4444 opened? (Provide the number of seconds since the beginning of the packet capture, rounded to tenths of a second. ie, 49.5 seconds)
  5. When was the TCP session on port 4444 closed? (Provide the number of seconds since the beginning of the packet capture, rounded to tenths of a second. ie, 49.5 seconds)
  6. In packet 17, the malicious server sent a file to the client.
    1. What type of file was it? Choose one:
      • Windows executable
      • GIF image
      • PHP script
      • Zip file
      • Encrypted data
    2. What was the MD5sum of the file?
  7. Vick's computer repeatedly tried to connect back to the malicious server on port 4445, even after the original connection on port 4444 was closed. With respect to these repeated failed connection attempts:
    1. How often does the TCP initial sequence number (ISN) change? (Choose one.)
      • Every packet
      • Every third packet
      • Every 10-15 seconds
      • Every 30-35 seconds
      • Every 60 seconds
    2. How often does the IP ID change? (Choose one.)
      • Every packet
      • Every third packet
      • Every 10-15 seconds
      • Every 30-35 seconds
      • Every 60 seconds
    3. How often does the source port change? (Choose one.)
      • Every packet
      • Every third packet
      • Every 10-15 seconds
      • Every 30-35 seconds
      • Every 60 seconds
  8. Eventually, the malicious server responded and opened a new connection. When was the TCP connection on port 4445 first successfully completed? (Provide the number of seconds since the beginning of the packet capture, rounded to tenths of a second. ie, 49.5 seconds)
  9. Subsequently, the malicious server sent an executable file to the client on port 4445. What was the MD5 sum of this executable file?
  10. When was the TCP connection on port 4445 closed? (Provide the number of seconds since the beginning of the packet capture, rounded to tenths of a second. ie, 49.5 seconds)

Evidence File Location

Here is your evidence file: evidence06.zip

  • MD5 (evidence06.pcap) = efac05c50c0ae92bf0818e98763920bd
  • SHA256 (evidence06.pcap)= fa5fc1ffad525688626c301372b37e101efcbbbd124f9781f5701648e6a02be3

Challenge Winners and Solutions

Challenge Solutions

Ann's Aurora was one of our hardest contests yet. To get all the answers right, you had to carve out two Windows executable files, dissect Vick Timmes' HTTP traffic, analyze malware, build a timeline and pinpoint connection open and close times to within a tenth of a second. Thanks to everyone who submitted an entry for Puzzle #6, "Ann's Aurora", and a special congratulations to the relatively small number of folks who submitted correct answers.

The winner of "Ann's Aurora" is (*drumroll*)...Wesley McGrew, for his fantastic new forensics tool, pcapline. Pcapline automatically parses a packet capture and generates an HTML report. Through your web browser, you can view a summary of all flows and drill down into each one. Pcapline automatically carves out all the files- not just the tiny GIFs embedded inside a single packet, but Windows executable files broken up throughout the packet capture. Wesley also included MD5sums in the report output.

Best of all, it's simple to use- you just type "pcapline.py" and the evidence file name, and pcapline does the rest. Wesley has put a copy of the pcapline report output here.

Erik Hjelmvik, our Silver medalist, released a new version of Network Miner (.92) for Contest #6. We know a lot of you already know and love Network Miner, because in previous contests about half of the entries relied on Erik's tool! For this contest, Erik noticed that Network Miner was not properly detecting the HTML transfers at the beginning of the pcap file, because the TCP handshake was missing. He added functionality so that Network Miner more intelligently figures out which host is the server, and which is the client, when the TCP handshake is missing. Thanks, Erik, for a shiny new release of your fantastic tool.

Leendert Pieter van Drimmelen built three utilities for this contest: stream_ts.py, which automatically displays TCP connection established/closed times; analyse_syn_packets.py, which calculates how often an IP or TCP field changes (it also accepts tshark filters); and pextract.c, which extracts PE files from packet captures or incoming traffic. Pextract also accepts BPF filters and tries to find executables that are XOR obfuscated. These are three small, sharp utilities which are good to have in your toolkit.

Eric Kollmann wrote three handy tools: mzcarver.exe (PE carving utility), contest6.pl (provides info about conversations), and contest6.exe (produces info about individual packets. You can limit by TCP flag and use BPFs). Nice work, Eric!

Jeff Wichman and Ruben Recabarren both created fantastic writeups, which you can read to get two detailed (and very different) methods for solving the contest. Iulian Anton also had a thorough narrative and created a couple of Perl utilities to assist with solving the contest. Candice Quates went "down the rabbit hole of javascript and exploit analysis", and created trimexe.c, which extracts PE files from exported streams.

Challenge Solutions and Posted Winners
Finalists
Semifinalists
  • Francesco Acchiappati
  • Mark Hillick
  • Richard Shawn O'Connell
  • Ashish, Garima, Vikrant
  • Jon Larimer
Correct Answers
  • Andy Patrick
  • Brian Sommers
  • Candice Quates
  • Carlos Pérez López
  • David Rodriguez
  • Eric Kollmann
  • Erik Hjelmvik
  • Francesco Acchiappati
  • Hsiang-Jen Shih
  • Iulian Anton
  • Jeremy Scott
  • Jon Larimer
  • Kazunori Kojima
  • Leendert Pieter van Drimmelen
  • Mark Hillick
  • Masashi Fujiwara
  • Peter Chong
  • Rakesh Mukundan
  • Richard Shawn O'Connell
  • Ruben Recabarren
  • Seth Leone & Ryan Sommers
  • Takuro Uetori
  • Wesley McGrew
  • Winter Faulk
  • Yogesh Khatri
  • Zoher Anis

Copyright 2014, Lake Missoula Group, LLC. All rights reserved.

Lake Missoula Group offers customized consulting services, including network assessments, penetration tests, web application assessments, forensics and incident response, social engineering tests, policy and procedure review. We provide realistic, maintainable information security strategies, and help organizations effectively prioritize and adapt their pre-existing infrastructure to meet current and future IT security needs. Our core consulting group boasts over 30 years of experience, and hold CISSP, GPEN, GCFA, GCIA and other certifications. We develop sustainable security strategies, customized to suit your unique environment.