SANS Digital Forensics and Incident Response Blog

Network Forensics Puzzle Contest!

By Jonathan Ham

*Prizewinner to be announced at Sec558 Network Forensics in San Diego, 9/16-9/18.

Anarchy-R-Us, Inc. suspects that one of their employees, Ann Dercover, is really a secret agent working for their competitor. Ann has access to the company's prize asset, the secret recipe. Security staff are worried that Ann may try to leak the company's secret recipe.


Security staff have been monitoring Ann's activity for some time, but haven't found anything suspicious- until now. Today an unexpected laptop briefly appeared on the company wireless network. Staff hypothesize it may have been someone in the parking lot, because no strangers were seen in the building. Ann's computer, ( sent IMs over the wireless network to this computer. The rogue laptop disappeared shortly thereafter.

"We have a packet capture of the activity," said security staff, "but we can't figure out what's going on. Can you help?"

You are the forensic investigator. Your mission is to figure out who Ann was IM-ing, what she sent, and recover evidence including:

  1. What is the name of Ann's IM buddy?
  2. What was the first comment in the captured IM conversation?
  3. What is the name of the file Ann transferred?
  4. What is the magic number of the file you want to extract (first four bytes)?
  5. What was the MD5sum of the file?
  6. What is the secret recipe?

Here is your evidence file:
MD5 (evidence.pcap) = d187d77e18c84f6d72f5845edca833f5

The MOST ELEGANT solution wins. In the event of a tie, the entry submitted first will receive the prize. Scripting is always encouraged. All responses should be submitted as plain text files.

Exceptional solutions may be incorporated into the SANS Network Forensics Toolkit. Authors agree that their code submissions will be freely published under the GPL license, in order to further the state of network forensics knowledge. Exceptional submissions may also be used as examples and tools in the Network Forensics class. All authors will receive full credit for their work.

Email submissions to The deadline is 9/10/09. Good luck!!

If you want to learn more about collecting and analyzing network evidence, check out Sec558: Network Forensics. "No harddrive? No problem!"

Jonathan Ham is an independent security consultant and a SANS Certified Instructor, who teaches forensics and other tracks. When he goes to sleep at night, he counts packets as they leap through firewalls.


Posted August 19, 2009 at 7:30 PM | Permalink | Reply

Space Rogue

IMs to a laptop in the parking lot?
Why doesn't she just take photos of her computer screen with her cell phone?
''" SR

Posted August 20, 2009 at 5:17 PM | Permalink | Reply


Solved some of it manually by inspecting the trace in wireshark, but I can't extract file successfully. Its says invalid format when I go to open it. Guess I would need some tools to pull the file out.

Posted August 20, 2009 at 9:12 PM | Permalink | Reply


Wireshark will let you do most of the file extraction, try saving it to a file and comparing it to a real document of the same type. It should help you remove the extra bits from file.

Posted August 21, 2009 at 9:14 AM | Permalink | Reply

Kush Wadhwa

Solved all the questions''''..Do I have to just answer these questions or something else has to be answered? Recipe was quite nice ;)

Posted August 21, 2009 at 12:16 PM | Permalink | Reply

Robert Rittenhouse

I sent in my manual response on how I answered all of the questions at about 4:30pm on the 20th. I hope I got them *all* right :D