While browsing the SANS site I noticed a network forensics puzzle had been posted, so I gave it a try. The puzzle can be found at the site below.
Puzzle: http://forensicscontest.com/2009/12/28/anns-appletv
1. What is the MAC address of Ann’s AppleTV?
Source: Apple_fe:07:c4 (00:25:00:fe:07:c4)
2. What User-Agent string did Ann’s AppleTV use in HTTP requests?
User-Agent: AppleTV/2.4
3. What were Ann’s first four search terms on the AppleTV (all incremental searches count)?
h, ha, hac, hack
Filter : http.request.uri contains "/WebObjects/MZSearch.woa/wa/incrementalSearch?media=movie"
4. What was the title of the first movie Ann clicked on?
hacker
Filter : http.request.uri contains "/WebObjects/MZStore.woa/wa/viewMovie"
http://ax.itunes.apple.com/WebObjects/MZStore.woa/wa/viewMovie?id=333441649&s=143441
5. What was the full URL to the movie trailer (defined by “preview-url”)?
http://a227.v.phobos.apple.com/us/r1000/008/Video/62/bd/1b/mzm.plqacyqb..640x278.h264lc.d2.p.m4v
Take the data received right after the first click from question 4 (frame 309), open it with the [Follow TCP Stream] menu, filter so that only the received (server-to-client) direction is shown, save it as "output", and the code below carves the gzip files out of it.
#!/usr/bin/env python3
# Scan the saved server->client stream for the markers that delimit the two
# gzip-compressed response bodies and write each body to its own .gz file.
with open('output', 'rb') as pcap:
    data = pcap.read()

output1 = open('output1.gz', 'wb')
output2 = open('output2.gz', 'wb')
flag = 0
for x in range(len(data)):
    # 1F 8B (gzip header): start of a compressed response body
    if data[x:x + 2] == b'\x1f\x8b':
        flag += 1
    # HTT: start of the next "HTTP/1.1 ..." status line
    elif data[x:x + 3] == b'HTT':
        flag += 1
    # marker order: HTTP header (1) -> gzip body (2) -> HTTP header (3) -> gzip body (4)
    if flag == 2:
        output1.write(data[x:x + 1])
    elif flag == 4:
        output2.write(data[x:x + 1])
output1.close()
output2.close()
Decompressing the extracted files and inspecting them gives the following.
6. What was the title of the second movie Ann clicked on?
Sneakers
Filter : http.request.uri contains "/WebObjects/MZStore.woa/wa/viewMovie"
http://ax.itunes.apple.com/WebObjects/MZStore.woa/wa/viewMovie?id=283963264&s=143441
7. What was the price to buy it (defined by “price-display”)?
$9.99
As in question 5, take the data received after clicking Sneakers (frame 1183), open it with [Follow TCP Stream], filter only the received direction, and inspect it with the code from question 5; the result is as follows.
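Scanning for 1F 8B and "HTT" works on this capture, but it is fragile: compressed bytes can contain either sequence by chance, and a body that is not gzip-encoded never matches at all. The reliable way to split a saved server-to-client stream is to use the HTTP framing itself (Content-Length or Transfer-Encoding: chunked) and then gunzip each body according to Content-Encoding. The following is an added example for questions 5 and 7, not code from the original post: it assumes the input is the raw bytes Wireshark saves from Follow TCP Stream with only the server direction selected, and it pulls the preview-url and price-display strings out of the XML bodies. The two sample responses it builds are constructed for the demo; only the field names and the values quoted above come from the puzzle, the surrounding XML layout is assumed.

```python
#!/usr/bin/env python3
"""Split a saved server-to-client HTTP stream into responses and gunzip the bodies.

Added example, not from the original post. Assumes the stream is the raw server
direction saved from Wireshark's Follow TCP Stream; the sample XML layout below
is constructed, only the key names and values come from the puzzle write-up.
"""
import gzip
import re
import sys

PREVIEW_URL = ("http://a227.v.phobos.apple.com/us/r1000/008/Video/62/bd/1b/"
               "mzm.plqacyqb..640x278.h264lc.d2.p.m4v")


def parse_head(head):
    """Split 'status line + headers' into (status_line, {lowercased name: value})."""
    status_line, _, header_block = head.partition("\r\n")
    headers = {}
    for line in header_block.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status_line, headers


def read_chunked(stream, pos):
    """Decode a chunked body starting at pos; return (body, offset after the trailer)."""
    body = b""
    while True:
        line_end = stream.find(b"\r\n", pos)
        if line_end < 0:
            raise ValueError("truncated chunk-size line")
        size = int(stream[pos:line_end].split(b";")[0], 16)  # chunk-size [; extensions]
        pos = line_end + 2
        if size == 0:
            # last-chunk: optional trailer headers, terminated by an empty line
            trailer_end = stream.find(b"\r\n\r\n", line_end)
            return body, (len(stream) if trailer_end < 0 else trailer_end + 4)
        body += stream[pos:pos + size]
        pos += size + 2  # skip the CRLF that terminates every chunk


def split_responses(stream):
    """Return [(status_line, headers, body), ...]; gzip-encoded bodies are decompressed."""
    responses = []
    pos = 0
    while pos < len(stream):
        if not stream.startswith(b"HTTP/1.", pos):
            raise ValueError(f"expected a status line at offset {pos}")
        end = stream.find(b"\r\n\r\n", pos)
        if end < 0:
            raise ValueError("truncated response header")
        status_line, headers = parse_head(stream[pos:end].decode("iso-8859-1"))
        body_start = end + 4
        if "chunked" in headers.get("transfer-encoding", "").lower():
            body, pos = read_chunked(stream, body_start)
        elif "content-length" in headers:
            length = int(headers["content-length"])
            body = stream[body_start:body_start + length]
            pos = body_start + length
        else:
            # no framing at all: the body runs until the server closed the connection
            body, pos = stream[body_start:], len(stream)
        if headers.get("content-encoding", "").lower() == "gzip":
            body = gzip.decompress(body)
        responses.append((status_line, headers, body))
    return responses


def plist_string(body, key):
    """Return the <string> that follows <key>key</key> in an XML plist body, or None."""
    pattern = rb"<key>" + re.escape(key.encode()) + rb"</key>\s*<string>(.*?)</string>"
    m = re.search(pattern, body, re.S)
    return m.group(1).decode() if m else None


def build_sample_stream():
    """Constructed two-response stream: one Content-Length body, one chunked body."""
    body1 = f"<plist><dict><key>preview-url</key><string>{PREVIEW_URL}</string></dict></plist>".encode()
    gz1 = gzip.compress(body1)
    resp1 = (b"HTTP/1.1 200 OK\r\nContent-Type: text/xml\r\nContent-Encoding: gzip\r\n"
             b"Content-Length: " + str(len(gz1)).encode() + b"\r\n\r\n" + gz1)
    body2 = b"<plist><dict><key>price-display</key><string>$9.99</string></dict></plist>"
    gz2 = gzip.compress(body2)
    chunks = [gz2[:7], gz2[7:]]  # split inside the gzip header to exercise chunk boundaries
    chunked = b"".join(b"%x\r\n%s\r\n" % (len(c), c) for c in chunks) + b"0\r\n\r\n"
    resp2 = (b"HTTP/1.1 200 OK\r\nContent-Encoding: gzip\r\n"
             b"Transfer-Encoding: chunked\r\n\r\n" + chunked)
    return resp1 + resp2


if __name__ == "__main__":
    # usage: split_stream.py output   (falls back to the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_stream()
    for i, (status, headers, body) in enumerate(split_responses(data), 1):
        print(f"response {i}: {status} ({len(body)} bytes after decoding)")
        for key in ("preview-url", "price-display"):
            value = plist_string(body, key)
            if value:
                print(f"  {key}: {value}")
```

Run it against the "output" file saved from Follow TCP Stream to get every response in the stream with its body already decompressed, instead of two hand-picked .gz files; the same function handles the Sneakers stream from question 7 without changing the marker counts.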
8. What was the last full term Ann searched for?
iknowyourewatchingme
Filter : http.request.uri contains "/WebObjects/MZSearch.woa/wa/incrementalSearch?media=movie"