# Grinchident

Public Collection: 2 Capture Files

| File name | Packets | Size |
| --- | --- | --- |
| grinch_activity.pcap | 28216 | 23.4 MB |
| holiday_chunk_0.pcapng | 6 | 828 B |
### Incident Report #20181224-0003

##### Filed by: T.A. Ravenscroft

It is with deep sadness that I report the Holidays may have to be cancelled. It seems as though our holiday greeting card was stolen right in the middle of uploading it to our photo server. The perpetrator broke the upload into multiple PCAP files, and hid them from us!! If we can't get it back, then we'll just have to skip the Holiday season this year.

Good news though! We managed to save one of the chunks before it was stolen, but it looks like only the beginning and end of a TCP stream. If we can get all the pieces reassembled, we should be able to restore the stolen image!

Regarding the rumors surrounding our new-hire Mr. Grinch (whom I'm aware many of you consider "a mean one"): after some suspicious IDS alerts picked up by Threat Assessment, we started a capture with a couple of our ProfiShark 1G taps on the same LAN segment as the suspect's computer. We've made that capture available to you in this collection, and added [this client keylog file](https://gist.github.com/zachad/392dd962215580498728e391103d88e2) to decrypt HTTPS traffic for you.

I can only hope that the following PCAPs can shed some light on what happened and where the files have been hidden. We need all hands on deck for this! You should use CloudShark to find clues, discover the missing chunks, and put our greeting card image back together again!

Good luck!

-TR

---

## Instructions:

1. Make sure you are [logged into your CloudShark account](/captures)
2. Open the capture files below in CloudShark and use the **Export** -> **New Session** command to copy them into your archive.
3. Find the additional missing chunks of the file, and get the stolen image out!
4. Write up your solution on [Twitter](https://www.twitter.com/cloudshark/) or [LinkedIn](https://www.linkedin.com/feed/update/urn:li:activity:6873624024614866944/)!

### Questions:

1. What's the name of the song(s) that were played over the network?
2. How many chunks did the Grinch break the upload into?
3. How were each of them hidden?
4. What did the Grinch say in his confession?
5. How did the Grinch hide the final piece of information?
6. What is the SHA1 of the original image upload?
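The report says the upload survives only as fragments of one TCP stream spread across several capture files, and the last question asks for the SHA1 of the original upload. The script below is an added example of how that reassembly is done offline; it is not part of this collection and not CloudShark code. It uses only the Python standard library, constructs its own tiny stream and pcap chunks in memory (the hostnames, ports, sequence numbers and "image" bytes are all made up for the demo), tolerates out-of-order and retransmitted segments, and reports any sequence ranges that no chunk covers, which is the signal that a chunk is still missing. It reads classic pcap only; a pcapng file such as `holiday_chunk_0.pcapng` would first need converting with Wireshark's `editcap -F pcap` (assumed to be installed).

```python
"""Added example: reassemble one TCP stream split across several pcap files
and hash the recovered payload. Standard library only; every packet below is
constructed inline and is NOT taken from the collection's captures."""
import hashlib
import io
import struct

LINKTYPE_ETHERNET = 1


def pcap_bytes(frames):
    """Serialize raw Ethernet frames into a classic little-endian pcap file."""
    out = io.BytesIO()
    out.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for ts, frame in enumerate(frames):
        out.write(struct.pack("<IIII", ts, 0, len(frame), len(frame)))  # ts_sec, ts_usec, incl, orig
        out.write(frame)
    return out.getvalue()


def tcp_frame(seq, payload, src="10.0.0.5", dst="10.0.0.9", sport=40000, dport=443):
    """Build an Ethernet/IPv4/TCP frame carrying payload (checksums left zero)."""
    ip_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload


def tcp_segments(pcap_data):
    """Yield (flow, seq, payload) for every IPv4/TCP packet in a pcap file."""
    magic = struct.unpack("<I", pcap_data[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"  # swapped magic means big-endian headers
    pos = 24  # skip the global header
    while pos + 16 <= len(pcap_data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap_data[pos:pos + 16])
        frame = pcap_data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if frame[12:14] != b"\x08\x00":  # not IPv4
            continue
        ip = frame[14:]
        if ip[9] != 6:  # not TCP
            continue
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        tcp = ip[ihl:total_len]
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        data_off = (tcp[12] >> 4) * 4
        yield (ip[12:16], sport, ip[16:20], dport), seq, tcp[data_off:]


def reassemble(chunks, flow=None):
    """Merge the segments found in several pcap files into one byte stream.

    Returns (payload, gaps). Duplicate and out-of-order segments are tolerated;
    each sequence range that no chunk covers is returned in gaps as (start, end)
    and zero-filled in the payload so offsets stay correct."""
    segments = []
    for chunk in chunks:
        for f, seq, data in tcp_segments(chunk):
            if data and (flow is None or f == flow):
                segments.append((seq, data))
    segments.sort()
    payload, gaps = bytearray(), []
    expected = segments[0][0] if segments else 0
    for seq, data in segments:
        if seq + len(data) <= expected:
            continue  # retransmission or exact duplicate, nothing new
        if seq > expected:
            gaps.append((expected, seq))
            payload += b"\x00" * (seq - expected)
            expected = seq
        payload += data[expected - seq:]  # drop any overlap with bytes already kept
        expected = seq + len(data)
    return bytes(payload), gaps


def recover_sha1(chunks):
    """Reassemble the stream and return (sha1 hex digest, gaps)."""
    data, gaps = reassemble(chunks)
    return hashlib.sha1(data).hexdigest(), gaps


# --- constructed demo data (stand-in for the stolen image, not real capture data) ---
ORIGINAL = b"GIF89a" + bytes(range(256)) * 4
EXPECTED_SHA1 = hashlib.sha1(ORIGINAL).hexdigest()
ISN = 1_000_000
SEGS = [tcp_frame(ISN + i, ORIGINAL[i:i + 300]) for i in range(0, len(ORIGINAL), 300)]
# The stream is spread over three files, out of order, with one segment resent.
CHUNKS = [pcap_bytes([SEGS[3], SEGS[0]]), pcap_bytes([SEGS[2], SEGS[2]]), pcap_bytes([SEGS[1]])]

if __name__ == "__main__":
    digest, gaps = recover_sha1(CHUNKS)
    print("recovered sha1:", digest, "gaps:", gaps)
    print("matches original:", digest == EXPECTED_SHA1)
    _, missing = reassemble(CHUNKS[:2])  # one chunk still hidden
    print("missing byte ranges with a chunk absent:", missing)
```

In practice you would read each recovered chunk from disk with `open(path, "rb").read()` and pass the list to `recover_sha1`; an empty `gaps` list is the check that every piece has been found before trusting the hash, and a non-empty one tells you exactly which sequence range is still hidden somewhere in the larger capture.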