Cyber@ANZ - Digital Forensics
Task Description
Suspicious network activity has been detected coming from a user on the ANZ network.
A laptop has been flagged up on our security systems due to suspicious internet traffic, and we need you to investigate the network traffic in order to establish what the user accessed and downloaded.
Your task is to examine their network activity and gather what information you can on what images they viewed and what files they accessed.
You have been provided with a packet capture file (pcap) containing all their recent network activity. There may be a number of artifacts contained within the packet capture file, and you will be expected to identify and report as many as possible.
You must provide a report on everything you found, and document what processes / steps you followed to achieve this.
Download Packet: here.
Solutions
Packet Analyses
I used the network analysis tool Wireshark to read the provided packet capture file.
Analysing the traffic, I discovered that most communications occurred over HTTP, so I filtered the HTTP traffic with the http.request display filter.
As I investigated the communications further, I found some interesting GET requests, shown in the following image.
I then downloaded those images. Wireshark can extract the objects carried in HTTP traffic.
- In Wireshark, I navigated to File -> Export Objects -> HTTP.
- A new window pops up -> click Save All -> pick the desired folder -> Choose.
Here are the MD5 hashes of those images after they were downloaded:
Analysing those images, I was able to spot a few dubious points.
Sub-task 1
anz-logo.jpg and bank-card.jpg are two images that show up in the user's network traffic. Opening those images with an image viewer application, I obtained the following results.
anz-logo.jpg
bank-card.jpg
Sub-task 2
- The network traffic for the images ANZ1.jpg and ANZ2.jpg is more than it appears.
- Running the strings tool against ANZ1.jpg, I discovered a hidden message.
I achieved the same result by inspecting TCP stream 14. The Wireshark filter is tcp.stream eq 14 -> Follow TCP Stream. At the end of the stream, the hidden message showed up.
Opening the image with the HxD hex editor, I could also obtain the same output.
I followed the same technique with the ANZ2.jpg image and managed to locate the hidden messages shown below.
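The hidden messages in ANZ1.jpg and ANZ2.jpg live in the bytes that follow the JPEG data, which is why strings, HxD and the tail of the TCP stream all reveal them. As an added example that is not part of this write-up, the Python below walks a JPEG's marker segments to find the real end-of-image marker, returns whatever trails it, and lists printable runs the way the strings tool does. The sample JPEG and the hidden text are constructed inline. Walking the segments rather than searching for the first FFD9 matters because an EXIF thumbnail inside an APP1 segment carries its own end-of-image marker, and a naive search would stop there and report the thumbnail's remainder as "hidden" data.

```python
import re

SOI = b"\xff\xd8"  # start of image
EOI = b"\xff\xd9"  # end of image


def jpeg_end_offset(data: bytes) -> int:
    """Return the offset just past the real EOI marker of the JPEG at data[0].

    Segments with a length field (APPn, DQT, DHT, SOF, SOS, ...) are skipped
    whole, so an EXIF thumbnail's own FFD9 inside APP1 is not mistaken for the
    end of the file. Inside entropy-coded data a 0xFF is always followed by
    0x00 (byte stuffing), an RSTn marker, or the next real marker.
    """
    if not data.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            pos += 1                       # entropy-coded byte
            continue
        marker = data[pos + 1]
        if marker == 0xD9:
            return pos + 2                 # the real EOI
        if marker == 0x00 or 0xD0 <= marker <= 0xD7 or marker in (0x01, 0xD8):
            pos += 2                       # stuffed byte or standalone marker
            continue
        if marker == 0xFF:
            pos += 1                       # fill byte ahead of a marker
            continue
        if pos + 4 > len(data):
            break
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        if length < 2:
            raise ValueError(f"bad segment length at offset {pos}")
        pos += 2 + length                  # skip the whole segment
    raise ValueError("no EOI marker found: truncated or not a JPEG")


def trailing_data(data: bytes) -> bytes:
    """Bytes appended after the JPEG proper, i.e. what strings / HxD reveal."""
    return data[jpeg_end_offset(data):]


def printable_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII of at least min_len, like the strings tool."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


# Constructed sample: a syntactically minimal JPEG whose APP1 segment carries a
# decoy FFD9, followed by a hidden message appended after the real EOI.
SAMPLE_JPEG = (
    SOI
    + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"  # APP0 (JFIF), length 16
    + b"\xff\xe1\x00\x06\xff\xd8\xff\xd9"                              # APP1 holding a decoy SOI/EOI pair
    + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"                      # SOS header, length 8
    + b"\x12\xff\x00\x34\xff\xd0\x56"                                  # entropy data: stuffed FF00 and RST0
    + EOI
)
HIDDEN_MESSAGE = b"flag{constructed-hidden-message}\n"   # constructed, not the capture's message
CAPTURED_FILE = SAMPLE_JPEG + HIDDEN_MESSAGE

if __name__ == "__main__":
    print("JPEG ends at", jpeg_end_offset(CAPTURED_FILE), "of", len(CAPTURED_FILE), "bytes")
    print("trailing bytes:", trailing_data(CAPTURED_FILE))
    print("strings:", printable_strings(CAPTURED_FILE))
```

Run against a real file with `trailing_data(open("ANZ1.jpg", "rb").read())`; an empty result means nothing is appended, while a non-empty one is the same payload the TCP stream shows after the image.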
Sub-task 3
- The how-to-commit-crimes.docx file type is ASCII text. I confirmed that with the file command.
Here is how the content looks on the wire.
Sub-task 4
- The user accessed three PDF documents: ANZ_Document.pdf, ANZ_Document2.pdf and evil.pdf. Inspecting those .pdf files respectively …
ANZ_Document.pdf
ANZ_Document2.pdf
- The evil.pdf file is suspicious with the following contents.
Sub-task 5
- The hiddenmessage2.txt file is actually a JPG image. This can be confirmed by the JFIF file signature in its header.
After changing the file extension to hiddenmessage2.jpg, here is how it looks.
Sub-task 6
- A hidden image is embedded in atm-image.jpg. I confirmed that by inspecting the file's TCP stream in Wireshark.
- Scrolling down a little, I found a second JFIF file signature.
- I extracted the second image with foremost.
- Here is how it looks.
Sub-task 7
- The broken.png file content is base64-encoded. I decoded the content and looked at the file header; it appears to be a PNG image.
- I simply redirected the decoded content of broken.png to broken_recover.png.
- Here is how the broken_recover.png image looks once recovered.
Sub-task 8
- securepdf.pdf is actually a .zip file. Once again, I could confirm that by checking the file type with file.
- Extracting the zip, I was prompted to enter a password.
- Cracking the zip with fcrackzip yielded the password secure.
- Extracting the zip with the password secure, I recovered rawpdf.pdf.
- Here is how the file looks once recovered.
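Sub-tasks 3, 5, 6, 7 and 8 all turn on one check: trust the leading bytes, not the file name. The Python below is an added example, not code from this write-up or from any of the tools it names. It classifies a blob by its magic bytes roughly as file does, reports when that contradicts the extension (a .txt that is a JPEG, a .pdf that is a zip, a .docx that is plain ASCII), lists every offset at which a known signature occurs so a second JFIF header inside a .jpg stands out, carves header-to-next-header the way a minimal foremost would, and recovers a base64-encoded PNG of the broken.png kind. Every sample file is constructed inline and the file names are stand-ins for the capture's files, not their real contents.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Magic bytes for the formats that appear in the write-up.
SIGNATURES = {
    b"\xff\xd8\xff": "jpeg",          # JPEG/JFIF: SOI followed by a marker
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",             # also .docx, which is a zip container
}
# What each extension claims to hold; a .docx should be a zip.
CLAIMED_KIND = {
    ".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".pdf": "pdf",
    ".zip": "zip", ".docx": "zip", ".txt": "ascii text",
}


def identify(data: bytes) -> str:
    """Classify a blob by its leading magic bytes, roughly as file(1) does."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    if data and all(32 <= b < 127 or b in b"\r\n\t" for b in data):
        return "ascii text"
    return "data"


def extension_mismatch(filename: str, data: bytes) -> Optional[str]:
    """Return the actual type when it contradicts the extension, else None."""
    dot = filename.rfind(".")
    claimed = CLAIMED_KIND.get(filename[dot:].lower()) if dot != -1 else None
    actual = identify(data)
    return actual if claimed is not None and claimed != actual else None


def find_signatures(data: bytes) -> List[Tuple[int, str]]:
    """Every offset where a known signature occurs, not only offset 0.

    A second JFIF signature part-way through a .jpg is the tell-tale of an
    embedded image. Signatures can also occur by chance inside compressed
    data, so hits beyond offset 0 are leads to verify, not proof.
    """
    hits = []
    for magic, kind in SIGNATURES.items():
        start = 0
        while (pos := data.find(magic, start)) != -1:
            hits.append((pos, kind))
            start = pos + 1
    return sorted(hits)


def carve(data: bytes) -> List[Tuple[str, bytes]]:
    """Split a blob at each signature, header to next header.

    This is the simplest carving strategy; foremost also knows format
    footers and therefore produces tighter slices.
    """
    hits = find_signatures(data)
    pieces = []
    for i, (pos, kind) in enumerate(hits):
        end = hits[i + 1][0] if i + 1 < len(hits) else len(data)
        pieces.append((kind, data[pos:end]))
    return pieces


def recover_base64(text: bytes) -> Optional[bytes]:
    """Decode base64 text; return the bytes only if they carry a known signature."""
    try:
        decoded = base64.b64decode(re.sub(rb"\s+", b"", text), validate=True)
    except (binascii.Error, ValueError):
        return None
    return decoded if identify(decoded) in SIGNATURES.values() else None


# Constructed samples standing in for the capture's files (not their real contents).
JPEG_A = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00\xff\xd9"
JPEG_B = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x48\x00\x48\x00\x00\xff\xd9"
ATM_IMAGE = JPEG_A + JPEG_B                     # like atm-image.jpg: two JFIF signatures
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + bytes(17)
BROKEN_PNG = base64.b64encode(PNG_SAMPLE)       # like broken.png: base64 text of a PNG
ZIP_SAMPLE = b"PK\x03\x04" + bytes(26)          # like securepdf.pdf: a zip local file header

if __name__ == "__main__":
    print("hiddenmessage2.txt is really:", extension_mismatch("hiddenmessage2.txt", JPEG_A))
    print("securepdf.pdf is really:", extension_mismatch("securepdf.pdf", ZIP_SAMPLE))
    print("how-to-commit-crimes.docx is really:", extension_mismatch("how-to-commit-crimes.docx", b"plain text\n"))
    print("signatures in atm-image.jpg:", find_signatures(ATM_IMAGE))
    print("carved pieces:", [(k, len(b)) for k, b in carve(ATM_IMAGE)])
    print("broken.png decodes to:", identify(recover_base64(BROKEN_PNG) or b""))
```

On real files, feed `open(path, "rb").read()` to these functions; `extension_mismatch` gives the quick triage that file provides, and `find_signatures` tells you where to point foremost or a hex editor.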