
Wireshark: A Forensic Investigation


Author Ashlyn Matthews


Ann is a fictitious character created for this exercise.


Where is Ann?


I received a packet capture and was tasked with analyzing it to uncover the whereabouts of an employee, Ann Decover. One of her coworkers reported having spoken to her via email prior to her disappearance. I opened the pcap file in Wireshark.


Because I was looking for an email exchange, I filtered the display with smtp, which stands for Simple Mail Transfer Protocol, the standard protocol for electronic mail transmission. After filtering the packets, I observed two email addresses.



I filtered the packet bytes for the string “@aol.com” and found that Ann’s email address was sneakyg33k@aol.com. I was able to connect her to this address because of her observable email signature. I then followed a few of the streams from the source IP address 192.168.1.159.


I found what appeared to be a base64-encoded username and password (base64 is an encoding, not encryption) and decoded them in CyberChef. Ann signed in to her email sneakyg33k@aol.com with her password 558r001z and sent two emails: one to her coworker and another to her lover, mistersecretx@aol.com.


It was evident that the recipient of the email was her lover, as she referred to him as sweetheart. She told him to bring his fake passport, which suggested that they planned to run away together.


As I further observed the stream, I noticed that the email had an attachment called “secretrendezvous.docx.”


I modified my display filter to include both smtp and imf (Internet Message Format), the dissector that covers the message body and its MIME attachments. I located the attachments and exported the .eml files.


Using KMail, I opened the .eml file titled rendezvous. Inside I found the message I had previously observed in the stream and the secretrendezvous.docx attachment.



I opened the docx file and found a map indicating where Ann and her lover had run off to.
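The two extraction steps above, decoding the AUTH LOGIN credentials from the followed stream and pulling the attachment name out of the exported message, as an added Python example that is not part of the original post. The SMTP session, addresses and password in it are constructed for the example, and it assumes the client side of the stream was saved as text.

```python
import base64
import email
from email import policy

# Constructed client side of an SMTP session (made-up addresses and password,
# not the page's pcap): what "Follow TCP Stream" shows for the client direction.
SESSION = """AUTH LOGIN
{user}
{pwd}
MAIL FROM:<ann.example@example.com>
DATA
From: ann.example@example.com
To: friend.example@example.com
Subject: rendezvous
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: application/octet-stream; name="secretrendezvous.docx"
Content-Disposition: attachment; filename="secretrendezvous.docx"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--XYZ--
.
""".format(user=base64.b64encode(b"ann.example@example.com").decode(),
           pwd=base64.b64encode(b"made-up-password").decode())

def extract_auth_login(session):
    """Return (username, password) from an AUTH LOGIN exchange, or None.
    AUTH LOGIN only base64-encodes the values; they are not encrypted."""
    lines = session.splitlines()
    for i, line in enumerate(lines):
        parts = line.split()
        if len(parts) >= 2 and parts[0].upper() == "AUTH" and parts[1].upper() == "LOGIN":
            # The username may ride on the AUTH line itself (initial response).
            fields = parts[2:] + lines[i + 1:i + 3]
            return tuple(base64.b64decode(f).decode() for f in fields[:2])
    return None

def extract_message(session):
    """Return the raw message between DATA and the lone '.' that ends it."""
    lines = session.splitlines()
    start = lines.index("DATA") + 1
    return "\n".join(lines[start:lines.index(".", start)]) + "\n"

def attachment_names(raw_message):
    """Parse the message the way an .eml file is parsed and list attachment filenames."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    return [part.get_filename() for part in msg.iter_attachments()]
```

The same cleartext exposure is why SMTP submission should run over TLS; on an unencrypted session anyone holding the capture recovers the login exactly as shown.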


Final Comments


I just wanted to share an exercise I worked on recently. Wireshark is a versatile tool that can be used to conduct network analysis, and it is worth getting familiar with. I’ll continue to play around with it, so look forward to that. Please feel free to follow me if you like what you have read. Thank you for reading.


About the Author: Ashlyn Matthews is a Technical Writer at LogRhythm. She assists in the creation and modernization of internal and public-facing documentation. She is continuing her cybersecurity studies with the help of Hack The Box and TryHackMe, and is currently working on building her CTF and scripting skills.

