Cyber@ANZ - Digital Forensics

Read this in "about 6 minutes".

Task Description

Suspicious network activity has been detected coming from a user on the ANZ network.

A laptop has been flagged up on our security systems due to suspicious internet traffic, and we need you to investigate the network traffic in order to establish what the user accessed and downloaded.

Your task is to examine their network activity and gather what information you can on what images they viewed and what files they accessed.

You have been provided with a packet capture file (pcap) containing all their recent network activity. There may be a number of artifacts contained within the packet capture file, and you will be expected to identify and report as many as possible.

You must provide a report on everything you found, and document what processes / steps you followed to achieve this.

Download Packet: here.


Solutions

Packet Analysis

I utilized the network analysis tool called Wireshark to read the provided packet capture file.

Analysing the traffic, I discovered that most communications occurred over HTTP, so I filtered the HTTP traffic with the http.request display filter.

As I investigated the communications further, I found some interesting GET requests, shown in the following image.

ANZ_Digital_Forensics/1.png

I then took the next step by downloading those images.

Wireshark provides a capability to extract the objects in the HTTP traffic.

  1. From Wireshark, I navigated to File -> Export Objects -> HTTP.
  2. In the window that pops up, click Save All -> pick the desired folder -> Choose.
ANZ_Digital_Forensics/2.png

Here are the md5 hashes of those images after they were downloaded:

ANZ_Digital_Forensics/3.png

Analysing those images, I was able to spot a few dubious points.

Sub-task 1

  • anz-logo.jpg and bank-card.jpg are two images that show up in the user's network traffic. Opening those images in an image viewer, I obtained the following results.

  • anz-logo.jpg

ANZ_Digital_Forensics/4.png
  • bank-card.jpg
ANZ_Digital_Forensics/5.png

Sub-task 2

  • There is more to the network traffic for the images ANZ1.jpg and ANZ2.jpg than it appears.
  • Running the strings tool against ANZ1.jpg, I discovered a hidden message.
ANZ_Digital_Forensics/6.png

I achieved the same result by inspecting TCP stream 14.

The Wireshark filter is tcp.stream eq 14, followed by Follow TCP Stream. At the end of the stream, the hidden message showed up.

ANZ_Digital_Forensics/7.png

Opening the image in the HxD hex editor, I obtained the same output.

ANZ_Digital_Forensics/hxd.png

I applied the same techniques to the ANZ2.jpg image and located the hidden messages shown below.

ANZ_Digital_Forensics/8.png

Sub-task 3

  • The how-to-commit-crimes.docx file is actually ASCII text rather than a Word document. I confirmed that with the file command.
ANZ_Digital_Forensics/9.png

Here is how the content looks on the wire.

ANZ_Digital_Forensics/10.png

Sub-task 4

  • The user accessed three PDF documents: ANZ_Document.pdf, ANZ_Document2.pdf and evil.pdf. Inspecting each PDF in turn …
  • ANZ_Document.pdf
ANZ_Digital_Forensics/11.png
  • ANZ_Document2.pdf
ANZ_Digital_Forensics/12.png
  • The evil.pdf file is suspicious with the following contents.
ANZ_Digital_Forensics/13.png

Sub-task 5

  • The hiddenmessage2.txt file is actually a JPG image. This is confirmed by the JFIF file signature at the start of the file.
ANZ_Digital_Forensics/14.png

After changing the file extension to hiddenmessage2.jpg, here is how it looks.

ANZ_Digital_Forensics/15.png

Sub-task 6

  • A hidden image is embedded in the atm-image.jpg. I could confirm that by inspecting the file stream with Wireshark.
ANZ_Digital_Forensics/16.png
  • Scrolling down a little bit, I found the second JFIF file signature.
ANZ_Digital_Forensics/17.png
  • I extracted the second image with foremost.
ANZ_Digital_Forensics/18.png
  • Here is how it looks.
ANZ_Digital_Forensics/19.png

Sub-task 7

  • The broken.png file content is base64-encoded. I decoded the content and looked at the file header; it appears to be a PNG image.
ANZ_Digital_Forensics/20.png
  • I simply redirected the decoded content of broken.png to broken_recover.png.
  • Here is how the broken_recover.png image looks once it is recovered.
ANZ_Digital_Forensics/21.png

Sub-task 8

  • The securepdf.pdf file is actually a .zip archive. Once again, I could establish that by checking the file type with file.
ANZ_Digital_Forensics/22.png
  • When extracting the zip, I was prompted for a password.
ANZ_Digital_Forensics/23.png
  • Cracking the zip with fcrackzip yielded the password secure.
ANZ_Digital_Forensics/24.png
  • Extracting the zip with the password secure, I recovered rawpdf.pdf.
ANZ_Digital_Forensics/25.png
  • Here is how the file looks once it is recovered.
ANZ_Digital_Forensics/26.png
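Sub-tasks 5 to 8 all come down to trusting magic bytes over file extensions: a .txt that starts with a JFIF header, a .pdf that starts with a zip header, a .png that is really base64 text, and a JPEG with a second SOI marker hidden inside it. The following script is an added example (not part of the original writeup or the challenge files) that automates those checks for a batch of exported objects; the sample byte strings at the bottom are constructed stand-ins, not the real captured files.

```python
import base64
import binascii
import os
import re
from typing import Optional

# Leading magic bytes for the formats seen in this capture (constructed table, not exhaustive).
SIGNATURES = {
    b"\xff\xd8\xff": "jpeg",        # JPEG SOI marker; JFIF files also carry "JFIF" at offset 6
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip",           # a genuine .docx is also a zip, so that case needs a closer look
    b"%PDF-": "pdf",
}
# What each extension claims to be; used to flag cases such as hiddenmessage2.txt.
EXT_TYPES = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".zip": "zip",
             ".pdf": "pdf", ".docx": "zip", ".txt": "text"}

def identify(data: bytes) -> str:
    """Classify content by magic bytes, seeing through one layer of base64 (the broken.png case)."""
    for magic, name in SIGNATURES.items():
        if data.startswith(magic):
            return name
    if re.fullmatch(rb"[A-Za-z0-9+/=\r\n]+", data):
        try:
            inner = identify(base64.b64decode(data, validate=False))
            if inner not in ("text", "unknown"):
                return "base64:" + inner
        except binascii.Error:
            pass
    return "text" if data.isascii() else "unknown"

def extension_mismatch(name: str, data: bytes) -> Optional[str]:
    """Return a finding when the extension disagrees with the content, else None."""
    claimed = EXT_TYPES.get(os.path.splitext(name)[1].lower())
    actual = identify(data)
    if claimed is None or actual == claimed:
        return None
    return f"{name}: extension claims {claimed}, content is {actual}"

def carve_jpegs(data: bytes) -> list:
    """Carve every SOI..EOI segment, as foremost does for the second JFIF inside atm-image.jpg."""
    found, pos = [], 0
    while (start := data.find(b"\xff\xd8\xff", pos)) >= 0:
        end = data.find(b"\xff\xd9", start + 3)   # EOI; an embedded EXIF thumbnail can end a carve early
        if end < 0:
            break
        found.append(data[start:end + 2])
        pos = end + 2
    return found

# Constructed sample inputs: two minimal JFIF-style blobs and a base64-wrapped PNG header.
JPEG_A = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"A" * 8 + b"\xff\xd9"
JPEG_B = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"B" * 8 + b"\xff\xd9"
BROKEN_PNG_B64 = base64.b64encode(b"\x89PNG\r\n\x1a\n" + b"\x00" * 13 + b"IHDR")
```

Run `extension_mismatch` over every file saved by Export Objects to get the list of lookalikes in one pass, then hand anything flagged as `jpeg` to `carve_jpegs` to see whether a second image is appended.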