The Australian Government and Telstra sponsored the 2014 Cyber Security Challenge Australia competition. They posted the virtual machine, which hosts most of the challenges, here. I followed the setup instructions for VirtualBox. This is a short writeup, but it shows some useful things you can do with Wireshark and the carving tool foremost.

Lab setup:

[Screenshot: lab setup]

I will be working with the Network Forensics challenge titled "Not Enough Magic":

[Screenshot 1]

The .pcap file can be opened in Wireshark for analysis:

[Screenshot 2]

I noticed that in packet #28, a host (10.0.0.103) requests a .gz file from another host (172.16.1.80). By right clicking on the packet and selecting "Follow TCP Stream", I was able to view the entire conversation between the two hosts. I then filtered the stream to show only the direction 172.16.1.80 -> 10.0.0.103 (this is the data that 10.0.0.103 requested, 1020897 bytes), chose the "Raw" display format, and selected "Save As" to write the bytes to disk. I simply saved it as "file1":

[Screenshot 3]

We now have some raw data saved and need a way to extract formatted files from it. Note that a one-direction raw save still begins with the HTTP response headers; the carving step below does not care, because it keys on the file content rather than on the filename or the headers. I used an extremely handy tool called "foremost". Foremost ships with Kali Linux and is "a console program to recover files based on their headers, footers, and internal data structures. This process is commonly referred to as data carving." (foremost.sourceforge.net). In this case, we can use foremost's default configuration to see what is inside the raw data file:

[Screenshot 4]

With foremost, -i specifies the file we want to process. We can specify an output directory with -o, but for now I will just use the default directory that gets created, "output". Its contents are listed below; there is a "jpg" folder containing two .jpg images, even though the request was for a .gz file, because foremost matched the JPEG header bytes inside the data rather than trusting the extension:

[Screenshot 5]

What other details can I find out about these files? I used the file command to do just that; for JPEGs it prints the embedded comment segment if one is present:

[Screenshot 6]

There is a comment in the first .jpg, which I confirmed as being the flag for this challenge ("Reveal Flag" in the Challenges panel will show you the flag).
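To make the carving and inspection steps concrete without the GUI, here is an added example (my own code, not the challenge author's and not foremost's source) that does the same two things on a raw stream dump: carve JPEGs out of the bytes by header and footer, then parse the JPEG marker segments and pull out the COM (comment) segment that `file` reports. The HTTP response and the two tiny JPEG skeletons it operates on are constructed inline so the script runs offline; with a real "Follow TCP Stream" raw save you would replace SAMPLE_STREAM with the file contents.

```python
"""
Carve JPEGs from a raw TCP-stream dump and read their COM segments.
Added example, not code from the writeup or from foremost.
"""
import struct

SOI = b"\xff\xd8\xff"   # JPEG start-of-image, the header "magic" carving keys on
EOI = b"\xff\xd9"       # JPEG end-of-image footer


def strip_http_headers(stream: bytes) -> bytes:
    """Return the body of an HTTP response saved as a raw stream.
    Data that does not start with a status line is returned unchanged."""
    if not stream.startswith(b"HTTP/"):
        return stream
    sep = stream.find(b"\r\n\r\n")
    return stream if sep < 0 else stream[sep + 4:]


def carve_jpegs(data: bytes) -> list:
    """Header/footer carving: each SOI opens a candidate file, the next EOI
    closes it. Caveat: a JPEG with an embedded EXIF thumbnail contains an
    inner SOI/EOI pair, so a naive carve can split such a file; foremost
    handles that case, this minimal version does not."""
    found, pos = [], 0
    while True:
        start = data.find(SOI, pos)
        if start < 0:
            break
        end = data.find(EOI, start + len(SOI))
        if end < 0:
            break
        found.append(data[start:end + len(EOI)])
        pos = end + len(EOI)
    return found


def jpeg_segments(jpg: bytes):
    """Yield (marker, payload) for every marker segment up to start-of-scan.
    After SOI each segment is FF <marker> <big-endian length incl. itself>."""
    pos = 2  # skip FF D8
    while pos + 4 <= len(jpg):
        if jpg[pos] != 0xFF:
            raise ValueError("expected marker byte at offset %d" % pos)
        marker = jpg[pos + 1]
        if marker == 0xD9:          # EOI reached without scan data
            return
        length = struct.unpack(">H", jpg[pos + 2:pos + 4])[0]
        yield marker, jpg[pos + 4:pos + 2 + length]
        if marker == 0xDA:          # SOS: entropy-coded data follows, stop
            return
        pos += 2 + length


def jpeg_comments(jpg: bytes) -> list:
    """Text of every COM (FF FE) segment, which is what `file` shows as
    'comment: ...' for a JPEG."""
    return [p.decode("latin-1") for m, p in jpeg_segments(jpg) if m == 0xFE]


def _tiny_jpeg(comment: bytes = b"") -> bytes:
    """Constructed test data: a structurally valid JPEG skeleton (SOI, APP0,
    optional COM, SOS, a few scan bytes, EOI), not a real decodable image."""
    app0 = b"\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    com = b"\xff\xfe" + struct.pack(">H", 2 + len(comment)) + comment if comment else b""
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    return SOI + app0 + com + sos + b"\x12\x34\x56" + EOI


# Constructed stand-in for the one-direction raw save: HTTP headers, then a
# blob holding two JPEGs with some filler between them.
_BODY = _tiny_jpeg(b"example comment (constructed)") + b"\x00" * 7 + _tiny_jpeg()
SAMPLE_STREAM = (b"HTTP/1.0 200 OK\r\nContent-Type: application/octet-stream\r\n"
                 b"Content-Length: %d\r\n\r\n" % len(_BODY)) + _BODY


def carve_and_comment(stream: bytes) -> list:
    """Carve every JPEG from a raw stream and return each one's comments."""
    return [jpeg_comments(j) for j in carve_jpegs(strip_http_headers(stream))]


if __name__ == "__main__":
    for i, comments in enumerate(carve_and_comment(SAMPLE_STREAM)):
        print("jpg %d: comments=%r" % (i, comments))
```

The carving loop is the same idea foremost applies with its built-in jpg signature; the marker walk is what lets you read the comment even when `file` is not available or the JPEG is otherwise damaged, since COM segments sit before the scan data and survive a truncated image.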