Wireshark: A Forensic Investigation
Author Ashlyn Matthews
Ann is a fictitious character created for this exercise.
Where is Ann?
I received a packet capture and was tasked with analyzing it to uncover the whereabouts of an employee, Ann Decover. One of her coworkers reported having spoken to her via email prior to her disappearance. I opened up the pcap file in wireshark.
Because I was looking for an email exchange I filtered the display by searching smtp, which stands for simple mail transfer protocol and is a standard protocol for electronic mail transmission. After filtering the packets, I observed two emails addresses.
I filtered the packet bytes by the string “@aol.com” and found that Ann’s email was firstname.lastname@example.org. I was able to connect her to this email address due to her observable email signature. I followed a few of the streams from the source ip address 192.168.1.159.
I found what appeared to be base64 encrypted username and password and went over to cyberchef and decrypted them. Ann signed in to her email email@example.com
with her password 558r001z. And sent two emails. One to her coworker and another to her lover firstname.lastname@example.org.
It was evident that the recipient of the email was her lover as she referred to him as sweetheart. She told him to bring his fake passport which suggested that they planned to runaway together.
As I further observed the stream, I noticed that the email had an attachment called “secretrendezvous.docx.”
I modified my display filter to include smtp and imf, because imf, internet message format, supports multi media messages. I located the attachments and I exported the .eml files.
Using kmail, I opened the .eml file titled rendezvous. Inside I found the message I had previously observed in the stream and the secretrendezvouz.docx attachment.
I opened up the docx file to find a map indicating where Ann and her lover ran off to.
I just wanted to share an exercise I worked on recently. Wireshark is a versatile tool and can be used to conduct network analysis. It is worth getting familiar with. I’ll continue to play around with it. Look forward to that. Please feel free to follow me if you like what you have read. Thank you for reading.