Virtual. Internship. Really? (1)

crypt000
5 min read · Feb 10, 2021


Been there, done that! Along with the gloom of the Covid-19 pandemic, people concentrated on skill development. I was one of them, too. As a prospective IT employee, I got numerous certificates, skills and internships under my belt. Internships were restricted or cancelled, but with a little research I found out that internships had also gone ‘’Virtual’’ like everything else.

The first one was about a Digital Investigation. It had 8 tasks, starting off with our beloved Wireshark as usual and ending with a request for a report.

1:

· anz-logo.jpg and bank-card.jpg are two images that show up in the users network traffic.

· Extract these images from the pcap file and attach them to your report.

2:

· The network traffic for the images “ANZ1.jpg” and “ANZ2.jpg” is more than it appears.

· Extract the images, include them and mention what is different about them in your report.

3:

· The user downloaded a suspicious document called “how-to-commit-crimes.docx”

· Find the contents of this file and include it in your report.

4:

· The user accessed 3 pdf documents: ANZ_Document.pdf, ANZ_Document2.pdf, evil.pdf

· Extract and view these documents. Include images of them in your report.

5:

· The user also accessed a file called “hiddenmessage2.txt”

· What are the contents of this file? Include it in your report

6:

· The user accessed an image called “atm-image.jpg”

· Identify what is different about this traffic and include everything in your report.

7:

· The network traffic shows that the user accessed the image “broken.png”

· Extract and include the image in your report.

8:

· The user accessed one more document called securepdf.pdf

· Access this document and include an image of the pdf in your report. Detail the steps to access it.

Packet Analysis:

I analysed the provided packet capture file using the free network analysis tool Wireshark. The pcap file’s name was Digital Investigation Task. I put “http” into the filter field to filter the network traffic so that only HTTP packets were shown.

This view showed some interesting HTTP GET requests, in which the user specifically requests a resource, including one for hackers.jpg.

To investigate this image download further, I followed its TCP stream to see what I could find.
Looking through the data in the TCP stream showed that this GET request actually downloaded two images, as the data contained two headers and two footers for a .jpg image. The JPEG start-of-image marker is FFD8 and the end-of-image marker is FFD9 in hex, and the images are also recognizable in ASCII by the string ‘JFIF’ near the start.
The ASCII view shows that the second image is called Radeon_city.jpg.

The next step was carving the images out of the TCP stream, which I did by taking all the hex from FFD8 to FFD9 and pasting it into the hex editor HxD. I then saved the file as a jpg and opened it, resulting in the image below. HxD did quite a good job.

I followed the same process for the second image.
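The carving step described above (and repeated for each sub-task below) can be automated. This is an added example, not code from the write-up: a small Python carver that scans a raw byte blob, such as the Raw view of a Wireshark “Follow TCP Stream” saved to disk, for every FFD8…FFD9 span. It also handles the two cases a naive search gets wrong: one stream carrying two images back to back (like the hackers.jpg stream) and an EXIF thumbnail that embeds its own SOI/EOI pair inside the outer image. The stream bytes below are constructed for the demo.

```python
from pathlib import Path
import sys

SOI = b"\xff\xd8\xff"   # JPEG start-of-image: FFD8 is always followed by another marker byte
EOI = b"\xff\xd9"       # JPEG end-of-image


def carve_jpegs(data: bytes) -> list[bytes]:
    """Return every complete JPEG found in a raw byte blob, in stream order."""
    images, pos = [], 0
    while (start := data.find(SOI, pos)) != -1:
        # EXIF thumbnails contain a nested SOI/EOI pair, so track nesting depth
        # and stop only at the EOI that closes the outer image. FFD8 cannot occur
        # inside entropy-coded data (FF is byte-stuffed there), so depth counting is safe.
        depth, i, end = 1, start + len(SOI), -1
        while i < len(data) - 1:
            if data[i] == 0xFF and data[i + 1] == 0xD8:
                depth, i = depth + 1, i + 2
            elif data[i] == 0xFF and data[i + 1] == 0xD9:
                depth, i = depth - 1, i + 2
                if depth == 0:
                    end = i
                    break
            else:
                i += 1
        if end == -1:
            break  # truncated image at the end of the stream; nothing more to carve
        images.append(data[start:end])
        pos = end
    return images


def save_images(images: list[bytes], outdir: Path) -> list[Path]:
    """Write carved images as carved_1.jpg, carved_2.jpg, ... and return their paths."""
    outdir.mkdir(parents=True, exist_ok=True)
    paths = [outdir / f"carved_{n}.jpg" for n in range(1, len(images) + 1)]
    for path, blob in zip(paths, images):
        path.write_bytes(blob)
    return paths


# Constructed sample: an HTTP response followed by two images, the second with a fake
# EXIF thumbnail (nested SOI/EOI). Contents are dummy bytes, not real image data.
SAMPLE_STREAM = (
    b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\n"
    + b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x11" * 8 + b"\xff\xd9" + b"\r\n"
    + b"\xff\xd8\xff\xe1\x00\x16Exif\x00\x00" + b"\xff\xd8\xff\xd9" + b"\x22" * 6 + b"\xff\xd9"
)

if __name__ == "__main__":  # usage: python carve.py stream.raw outdir
    src = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else SAMPLE_STREAM
    print(save_images(carve_jpegs(src), Path(sys.argv[2] if len(sys.argv) > 2 else "carved")))
```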

I analyzed the network traffic from the pcap file using Wireshark and the HxD hex editor. I filtered for HTTP traffic in order to analyze all the suspicious traffic.

1:

I extracted the images using Wireshark’s HTTP filter and the ‘’Follow TCP Stream’’ feature (who does not?). The GET requests were suspicious. I clicked Follow TCP Stream and switched the view to Raw. I then looked for ‘’ffd8’’, where the jpg file begins, and ‘’ffd9’’, where the jpg file ends. I selected and copied the bytes between ‘’ffd8’’ and ‘’ffd9’’ into HxD and saved the result as a jpg image. The jpg image I found for

anz-logo.jpg is:

bank-card.jpg:

2:

The same process as in sub-task 1. (over… and over… and over again)

ANZ1.jpg:

The file had a message:

You have found a hidden message in this file! Include it in your write up.

ANZ2.jpg:

It had a message:

‘’You have found the hidden message! Images are sometimes more than they appear’’

3:

I viewed the TCP stream and there was a note:

Step 1: Find target

Step 2: Hack them

This is a suspicious document. (mmmmkay?)

4:

ANZ_Document.pdf:

ANZ_Document2.pdf:

evil.pdf:

5:

hiddenmessage2:

6:

File one is:

7:

I then tried base64, because everything is about base64, everything. I decoded it, pasted the result into HxD and saved it as a png file. Wow, what a tool HxD is!

broken.png:

8:

There was a zip file. There was a message at the end of the TCP stream: Password is “secure”

Then I used the hex dump and HxD again and saved the file as a zip. I opened the zip file and saw a pdf file named rawpdf.pdf. I tried to open it but it asked for a password. I used ‘’secure’’ as the password and found these images:

All in all, the internship was more like CTF 101, but it was so much fun. The HxD tool is very useful for this kind of task. I continued with the virtual internships later on.
