Ann skips bail. Cue forensics puzzle!

Written by Tariq. Date: 2009-11-27

Found a website and a forensics contest yesterday quite by accident. I was waiting for somebody before going out for the night and I thought this might be a little fun while I waited. By then the contest had closed and the results were available, which I ignored until the end; I went straight to Puzzle #2: Ann skips bail.

Details

The puzzle revolves around a packet capture of Ann's network taken by wily investigators before she skipped bail. Police are confident that she communicated with a secret lover prior to her disappearance. A number of competition questions follow. It is important to note that the organizers are looking for the most elegant solution, and you won't see that here. What you will see is how to solve the puzzle very quickly.

  1. What is Ann’s email address?
  2. What is Ann’s email password?
  3. What is Ann’s secret lover’s email address?
  4. What two items did Ann tell her secret lover to bring?
  5. What is the NAME of the attachment Ann sent to her secret lover?
  6. What is the MD5sum of the attachment Ann sent to her secret lover?
  7. In what CITY and COUNTRY is their rendez-vous point?
  8. What is the MD5sum of the image embedded in the document?

I downloaded the packet dump file from the organiser's site and verified its hash against the one they published, using md5 as I am on a Mac; on Linux md5sum does the job. Checking the hash before touching the evidence costs nothing and is the one piece of handling discipline worth keeping even in a puzzle.

I fired up Wireshark and opened the packet capture file. There appeared to be a good bit of SMTP traffic, and since SMTP is a line-oriented text protocol (this session never negotiated TLS), the headers can be pulled straight out of the raw pcap without any decoding. So I did a quick

grep -an "To:.*\|From:.*\|Subject:.*" evidence02.pcap

on the packet dump (-a forces grep to treat the binary file as text; the \| alternation is a GNU grep extension, so on a BSD grep use -E with a plain | instead), which revealed the following.

From: "Ann Dercover" <sneakyg33k@aol.com>
To: <sec558@gmail.com>
Subject: lunch next week
From: "Ann Dercover" <sneakyg33k@aol.com>
To: <mistersecretx@aol.com>
Subject: rendezvous

It's clear that Ann Dercover's email address is sneakyg33k@aol.com, which answers question 1. We also see she sent two emails, one of them to mistersecretx@aol.com; could this be Ann's secret lover? I expanded the grep to

grep -aA50 "mistersecretx@aol.com" evidence02.pcap

This prints each line matching mistersecretx@aol.com followed by the 50 lines after it.

To: <mistersecretx@aol.com>
Subject: rendezvous
Date: Sat, 10 Oct 2009 07:38:10 -0600
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_000D_01CA497C.9DEC1E70"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

This is a multi-part message in MIME format.

------=_NextPart_000_000D_01CA497C.9DEC1E70
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_000E_01CA497C.9DEC1E70"

------=_NextPart_001_000E_01CA497C.9DEC1E70
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Hi sweetheart! Bring your fake passport and a bathing suit. Address =
attached. love, Ann
------=_NextPart_001_000E_01CA497C.9DEC1E70
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

…SNIP…

Hi sweetheart! Bring your fake passport =
and a=20
bathing suit. Address attached. love, Ann

…SNIP…

------=_NextPart_000_000D_01CA497C.9DEC1E70
Content-Type: application/octet-stream;
name="secretrendezvous.docx"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="secretrendezvous.docx"

Wow. So mistersecretx@aol.com is indeed the email address of Ann's lover, which answers question 3. Her message instructs him to "bring your fake passport and a bathing suit", which answers question 4. At the bottom we see the start of an attachment called secretrendezvous.docx, whose base64-encoded body continues well past the 50 lines we grep'd. The file name answers question 5.

I then returned to Wireshark. Looking down through the packets I quickly see SMTP packets labelled C: DATA fragment, which tells us the message body was split across many TCP segments: most likely an email with a large attachment. I right-clicked on one of these packets as shown below and chose Follow TCP Stream, which reassembles the whole session in order.

This gives me the following.

220 cia-mc07.mx.aol.com ESMTP mail_cia-mc07.1; Sat, 10 Oct 2009 15:37:56 -0400
EHLO annlaptop
250-cia-mc07.mx.aol.com host-69-140-19-190.static.comcast.net
250-AUTH=LOGIN PLAIN XAOL-UAS-MB
250-AUTH LOGIN PLAIN XAOL-UAS-MB
250-STARTTLS
250-CHUNKING
250-BINARYMIME
250-X-AOL-FWD-BY-REF
250-X-AOL-DIV_TAG
250-X-AOL-OUTBOX-COPY
250 HELP
AUTH LOGIN
334 VXNlcm5hbWU6
c25lYWt5ZzMza0Bhb2wuY29t
334 UGFzc3dvcmQ6
NTU4cjAwbHo=
235 AUTHENTICATION SUCCESSFUL
MAIL FROM: <sneakyg33k@aol.com>
250 OK
RCPT TO: <mistersecretx@aol.com>
250 OK
DATA
354 START MAIL INPUT, END WITH "." ON A LINE BY ITSELF
Message-ID: <001101ca49ae$e93e45b0$9f01a8c0@annlaptop>
From: "Ann Dercover" <sneakyg33k@aol.com>
To: <mistersecretx@aol.com>
Subject: rendezvous
Date: Sat, 10 Oct 2009 07:38:10 -0600
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_000D_01CA497C.9DEC1E70"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

This is a multi-part message in MIME format.

------=_NextPart_000_000D_01CA497C.9DEC1E70
Content-Type: multipart/alternative;
    boundary="----=_NextPart_001_000E_01CA497C.9DEC1E70"

------=_NextPart_001_000E_01CA497C.9DEC1E70
Content-Type: text/plain;
    charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Hi sweetheart! Bring your fake passport and a bathing suit. Address =
attached. love, Ann
------=_NextPart_001_000E_01CA497C.9DEC1E70
Content-Type: text/html;
    charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.2900.2853" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2>Hi sweetheart! Bring your fake passport =
and a=20
bathing suit. Address attached. love, Ann</FONT></DIV></BODY></HTML>

------=_NextPart_001_000E_01CA497C.9DEC1E70--

------=_NextPart_000_000D_01CA497C.9DEC1E70
Content-Type: application/octet-stream;
    name="secretrendezvous.docx"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
    filename="secretrendezvous.docx"
…SNIP: not publishing the whole thing, it's a bit long…

JZ2ekPwNAAD//wMAUEsBAi0AFAAGAAgAAAAhAOV5QAZ/AQAA1wUAABMAAAAAAAAAAAAAAAAAAAAA
AFtDb250ZW50X1R5cGVzXS54bWxQSwECLQAUAAYACAAAACEAHpEat/MAAABOAgAACwAAAAAAAAAA
AAAAAAC4AwAAX3JlbHMvLnJlbHNQSwECLQAUAAYACAAAACEApOAquCABAAA6BAAAHAAAAAAAAAAA
AAAAAADcBgAAd29yZC9fcmVscy9kb2N1bWVudC54bWwucmVsc1BLAQItABQABgAIAAAAIQA6Q0kI
FQQAAFgKAAARAAAAAAAAAAAAAAAAAD4JAAB3b3JkL2RvY3VtZW50LnhtbFBLAQItAAoAAAAAAAAA
IQBg7VaATPYCAEz2AgAVAAAAAAAAAAAAAAAAAIINAAB3b3JkL21lZGlhL2ltYWdlMS5wbmdQSwEC
LQAUAAYACAAAACEAlrWt4pYGAABQGwAAFQAAAAAAAAAAAAAAAAABBAMAd29yZC90aGVtZS90aGVt
ZTEueG1sUEsBAi0AFAAGAAgAAAAhAIkUT0qVAwAAcQgAABEAAAAAAAAAAAAAAAAAygoDAHdvcmQv
c2V0dGluZ3MueG1sUEsBAi0AFAAGAAgAAAAhAErYipK7AAAABAEAABQAAAAAAAAAAAAAAAAAjg4D
AHdvcmQvd2ViU2V0dGluZ3MueG1sUEsBAi0AFAAGAAgAAAAhADVKHsm+CgAALFoAAA8AAAAAAAAA
AAAAAAAAew8DAHdvcmQvc3R5bGVzLnhtbFBLAQItABQABgAIAAAAIQCQUuGobwEAANcCAAARAAAA
AAAAAAAAAAAAAGYaAwBkb2NQcm9wcy9jb3JlLnhtbFBLAQItABQABgAIAAAAIQAXVdHWCQQAAMsZ
AAASAAAAAAAAAAAAAAAAAAwdAwB3b3JkL251bWJlcmluZy54bWxQSwECLQAUAAYACAAAACEAu6G5
NXECAACGCAAAEgAAAAAAAAAAAAAAAABFIQMAd29yZC9mb250VGFibGUueG1sUEsBAi0AFAAGAAgA
AAAhAKVR8wbYAQAA2QMAABAAAAAAAAAAAAAAAAAA5iMDAGRvY1Byb3BzL2FwcC54bWxQSwUGAAAA
AA0ADQBEAwAA9CYDAAAA

------=_NextPart_000_000D_01CA497C.9DEC1E70--

.
250 OK
QUIT
221 SERVICE CLOSING CHANNEL

You may or may not realise that parts of the exchange are base64 encoded. Let's take another look at the authentication at the beginning of the session.

 AUTH LOGIN
 334 VXNlcm5hbWU6
 c25lYWt5ZzMza0Bhb2wuY29t
 334 UGFzc3dvcmQ6
 NTU4cjAwbHo=
 235 AUTHENTICATION SUCCESSFUL

Here Ann's mail client is authenticating to the server with AUTH LOGIN. The server's two 334 prompts and her replies (the lines without a numeric reply code) look cryptic, but the restricted character set and the trailing = padding give them away as base64, which is an encoding, not encryption. Note that the server advertised STARTTLS in its EHLO reply and the client never used it, which is why the whole session, credentials included, is readable in the capture. So we run the following two commands.

$ echo "c25lYWt5ZzMza0Bhb2wuY29t" | openssl base64 -d
sneakyg33k@aol.com
$ echo "NTU4cjAwbHo=" | openssl base64 -d
558r00lz

Note: $ is the command prompt; what follows it on the same line is the command, and the line beneath is its output. The two 334 prompts decode the same way, to Username: and Password:.

So we find Ann's email password is 558r00lz. This is the answer to question 2.
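The decoding above is two one-liners once you have spotted the tokens; the part worth automating is finding them in a session dump and recording whether TLS was ever in play. The following is an added example, not part of the original post: it walks a Follow-TCP-Stream style transcript, recovers AUTH LOGIN credentials (the tokens in the constructed transcript are the ones quoted from the capture), and goes beyond the page by also handling AUTH PLAIN, the other cleartext mechanism this server advertised, using made-up credentials alice/s3cret. Everything else in it (function names, the trimmed EHLO reply) is the example's own assumption.

```python
import base64
import re

# Constructed transcript: the AUTH LOGIN lines are the ones quoted above from
# the capture; the EHLO reply is trimmed to the capabilities that matter here.
SAMPLE_LOGIN_TRANSCRIPT = """\
220 cia-mc07.mx.aol.com ESMTP mail_cia-mc07.1
EHLO annlaptop
250-cia-mc07.mx.aol.com host-69-140-19-190.static.comcast.net
250-AUTH LOGIN PLAIN XAOL-UAS-MB
250-STARTTLS
250 HELP
AUTH LOGIN
334 VXNlcm5hbWU6
c25lYWt5ZzMza0Bhb2wuY29t
334 UGFzc3dvcmQ6
NTU4cjAwbHo=
235 AUTHENTICATION SUCCESSFUL
"""

# Constructed AUTH PLAIN session with made-up credentials (alice / s3cret),
# to show the other cleartext mechanism the server offered.
SAMPLE_PLAIN_TRANSCRIPT = (
    "EHLO laptop\n250-mx.example\n250-AUTH LOGIN PLAIN\n250 OK\n"
    "AUTH PLAIN " + base64.b64encode(b"\0alice\0s3cret").decode() + "\n"
    "235 OK\n"
)


def b64_decode_lenient(token):
    """Decode one base64 token, tolerating stripped '=' padding."""
    token = token.strip()
    return base64.b64decode(token + "=" * (-len(token) % 4))


def extract_smtp_auth(transcript):
    """Recover credentials from a plaintext SMTP session transcript.

    Handles AUTH LOGIN (two 334 prompts, each answered with a base64 token,
    or the username given inline as an initial response) and AUTH PLAIN (one
    token holding authzid\\0authcid\\0password). Also records whether the
    server offered STARTTLS and whether the client used it.
    Returns None when no AUTH command is present.
    """
    lines = [l.strip() for l in transcript.splitlines()]
    info = {"mechanism": None, "username": None, "password": None,
            "starttls_offered": False, "starttls_used": False}
    i = 0
    while i < len(lines):
        line = lines[i]
        upper = line.upper()
        if re.match(r"250[- ]STARTTLS$", upper):
            info["starttls_offered"] = True
        elif upper == "STARTTLS":
            info["starttls_used"] = True
        elif upper.startswith("AUTH LOGIN"):
            info["mechanism"] = "LOGIN"
            tokens = line.split()[2:3]            # optional initial response
            j = i + 1
            while j < len(lines) and len(tokens) < 2:
                if lines[j].startswith("334") and j + 1 < len(lines):
                    tokens.append(lines[j + 1])   # client reply follows prompt
                    j += 1
                j += 1
            if len(tokens) == 2:
                info["username"] = b64_decode_lenient(tokens[0]).decode("utf-8", "replace")
                info["password"] = b64_decode_lenient(tokens[1]).decode("utf-8", "replace")
            i = j
            continue
        elif upper.startswith("AUTH PLAIN"):
            info["mechanism"] = "PLAIN"
            parts = line.split()
            if len(parts) >= 3:                   # token sent inline
                token, i = parts[2], i + 1
            else:                                 # server sends "334 ", client answers
                token, i = (lines[i + 2] if i + 2 < len(lines) else ""), i + 3
            fields = b64_decode_lenient(token).split(b"\0")
            if len(fields) == 3:
                info["username"] = fields[1].decode("utf-8", "replace")
                info["password"] = fields[2].decode("utf-8", "replace")
            continue
        i += 1
    return info if info["mechanism"] else None


def cleartext_credential_exposure(info):
    """True when a password was recoverable from the wire and TLS was never
    negotiated, i.e. anyone on the path could have read it too."""
    return bool(info and info["password"] and not info["starttls_used"])


if __name__ == "__main__":
    for name, transcript in (("LOGIN", SAMPLE_LOGIN_TRANSCRIPT),
                             ("PLAIN", SAMPLE_PLAIN_TRANSCRIPT)):
        found = extract_smtp_auth(transcript)
        print(name, found, "exposed:", cleartext_credential_exposure(found))
```

The same walk works on the text that Wireshark's Follow TCP Stream window saves, or on tshark -z follow,tcp,ascii output; the only requirement is that client and server lines appear in order. If a session does show a STARTTLS command, everything after the 220 reply is ciphertext and the function will correctly find no credentials.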

Next we have a look at the attachment, which is base64 encoded. We copy the attachment body (everything between the blank line after the Content-Disposition header and the closing ------=_NextPart_000_000D boundary line) into a file called attachment.b64 and issue the following commands.

$ openssl base64 -d < attachment.b64 > secretrendezvous.docx
$ md5 secretrendezvous.docx
MD5 (secretrendezvous.docx) = 9e423e11db88f01bbff81172839e1923

This decodes the data into secretrendezvous.docx. Opening the file confirms the decode was clean (a single mangled or missing base64 line would still often produce a file, just with a different hash), so the md5 sum 9e423e11db88f01bbff81172839e1923 is the answer to question 6. Note that openssl base64 -d expects the 76-column line breaks MIME uses and refuses longer lines unless given -A; base64 -d (base64 -D on older Macs) is the more forgiving alternative. When we open the file we see an image like the one below.

This tells us that Ann was off to Playa del Carmen in Mexico. This is the answer to question 7. We now only need the md5 sum of the image embedded in the document. A .docx is just a zip archive (Office Open XML), so this is easy enough: we unzip it.

$ unzip secretrendezvous.docx -d attachment
Archive:  secretrendezvous.docx
inflating: attachment/[Content_Types].xml
inflating: attachment/_rels/.rels
inflating: attachment/word/_rels/document.xml.rels
inflating: attachment/word/document.xml
extracting: attachment/word/media/image1.png
inflating: attachment/word/theme/theme1.xml
inflating: attachment/word/settings.xml
inflating: attachment/word/webSettings.xml
inflating: attachment/word/styles.xml
inflating: attachment/docProps/core.xml
inflating: attachment/word/numbering.xml
inflating: attachment/word/fontTable.xml
inflating: attachment/docProps/app.xml 

The only image file in there is attachment/word/media/image1.png. Open it up to verify it is the same picture the document shows, and then just do

$ md5 attachment/word/media/image1.png
MD5 (attachment/word/media/image1.png) = aadeace50997b1ba24b09ac2ef1940b7

This is the answer to question 8, and we're finished. That was quick! The answers have been published, so you can verify them yourself. Now that person has turned up and is dragging me away from my computer, so that's all for now.
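Questions 5, 6 and 8 are really one pipeline: split the DATA section into MIME parts, base64-decode the attachment, hash it, open it as a zip and hash the media inside. The following is an added example and not part of the original post: it does that pipeline with the standard library instead of copy-pasting into openssl and unzip, and also undoes SMTP dot-stuffing, which the hand method skips because base64 lines never start with a dot. Because the real attachment is not on the page, the example builds its own stand-ins: a minimal docx-shaped zip containing a constructed PNG-signature blob, wrapped in a DATA section that mirrors the headers and boundary string of the captured message. The hashes it prints are therefore the hashes of that constructed input, not the puzzle's answers.

```python
import base64
import hashlib
import io
import zipfile
from email import message_from_bytes, policy

BOUNDARY = "----=_NextPart_000_000D_01CA497C.9DEC1E70"   # boundary string from the capture
# Constructed stand-in for the embedded picture: a PNG signature plus filler,
# not a real image. It only needs to exist and be hashable.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + bytes(range(32))


def build_sample_docx():
    """Build a minimal .docx-shaped zip (Office Open XML is just a zip) with one
    file under word/media/, where Word stores embedded images. Fixed timestamps
    keep the bytes, and therefore the MD5, identical from run to run."""
    entries = {"[Content_Types].xml": b"<Types/>",
               "word/document.xml": b"<w:document/>",
               "word/media/image1.png": SAMPLE_PNG}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            info = zipfile.ZipInfo(name, date_time=(2009, 10, 10, 7, 38, 10))
            info.compress_type = zipfile.ZIP_DEFLATED
            z.writestr(info, data)
    return buf.getvalue()


def build_sample_data_section(docx_bytes):
    """Constructed SMTP DATA section shaped like the captured one: multipart/mixed
    with a quoted-printable text part, a base64 attachment and the final '.'."""
    b64 = base64.encodebytes(docx_bytes).decode().replace("\n", "\r\n")
    return (
        'From: "Ann Dercover" <sneakyg33k@aol.com>\r\n'
        "To: <mistersecretx@aol.com>\r\n"
        "Subject: rendezvous\r\n"
        "MIME-Version: 1.0\r\n"
        f'Content-Type: multipart/mixed;\r\n\tboundary="{BOUNDARY}"\r\n'
        "\r\n"
        f"--{BOUNDARY}\r\n"
        'Content-Type: text/plain; charset="iso-8859-1"\r\n'
        "Content-Transfer-Encoding: quoted-printable\r\n"
        "\r\n"
        "Hi sweetheart! Bring your fake passport and a bathing suit. Address =\r\n"
        "attached. love, Ann\r\n"
        f"--{BOUNDARY}\r\n"
        'Content-Type: application/octet-stream;\r\n\tname="secretrendezvous.docx"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        'Content-Disposition: attachment;\r\n\tfilename="secretrendezvous.docx"\r\n'
        "\r\n" + b64 +
        f"--{BOUNDARY}--\r\n"
        ".\r\n"
    ).encode("latin-1")


def smtp_unstuff(data_section):
    """Undo SMTP dot-stuffing (RFC 5321 section 4.5.2): a leading '..' becomes
    '.', and the lone '.' line that terminates DATA is dropped."""
    out = []
    for line in data_section.split(b"\r\n"):
        if line == b".":
            break
        out.append(line[1:] if line.startswith(b"..") else line)
    return b"\r\n".join(out)


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def extract_attachments(raw_message):
    """Parse an RFC 5322 message and return {filename: decoded bytes} for every
    part sent as an attachment; the email module does the boundary splitting
    and base64 decoding that the openssl step above does by hand."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    found = {}
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            found[part.get_filename()] = part.get_payload(decode=True)
    return found


def hash_docx_media(docx_bytes):
    """Treat the .docx as the zip container it is and hash everything under
    word/media/, the directory Word uses for embedded images."""
    hashes = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if name.startswith("word/media/"):
                hashes[name] = md5_hex(z.read(name))
    return hashes


def analyse_data_section(data_section):
    """Questions 5, 6 and 8 in one pass: attachment names, their MD5s, and the
    MD5 of each embedded image for attachments that are zip containers."""
    report = {}
    for name, data in extract_attachments(smtp_unstuff(data_section)).items():
        entry = {"md5": md5_hex(data), "media": {}}
        if data.startswith(b"PK\x03\x04"):        # zip local-file-header magic
            entry["media"] = hash_docx_media(data)
        report[name] = entry
    return report


if __name__ == "__main__":
    sample = build_sample_data_section(build_sample_docx())
    for name, entry in analyse_data_section(sample).items():
        print(f"{name}: {entry['md5']}")
        for media, digest in entry["media"].items():
            print(f"  {media}: {digest}")
```

To use it on the real capture, save the Follow TCP Stream output, cut it down to the lines between the DATA command's 354 reply and the 250 OK that follows the terminating dot, and pass those bytes to analyse_data_section. Hashing the decoded bytes in memory rather than a file you have opened in Word also avoids the classic mistake of hashing a document the editor has already rewritten on save.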