Background story

You have become a computer incident response team member in a large governmental contractor working in the defense sector. Do not worry, it is only a job for a day and we do not require you to deal with a horrible ticketing system. At the beginning of October, 2014, one of the Data Loss Prevention systems detected an FTP connection. This connection was originating from one the employees private laptops. It was against the company security policy to bring private devices to the workplace or to even connect to the company VPN using them. However, because the project deadline was nearing, it was not an uncommon practice and was generally tolerated.

Tomek, the laptop owner, was an employee widely known in the IT Security department. His ability to click on every link that he received in the spam e-mail was simply astonishing. He regularly attended the security awareness trainings, but he saw them as a colossal waste of his valuable time. However, he was a rather technical user – he knew how to use popular applications as well as a proprietary software dedicated to his everyday work.

FTP connections were not something unusual for this workplace. Employees very often send their projects to the remote server using FTP protocol. However, it was always done trough a VPN or SSH tunnel. This connection was different – there was no secure tunnel and the destination server definitely was not located in the company infrastructure.

The challenge

Your task is to analyze infection of Tomek’s computer. Since Tomek was a known spam-lover, all of his network traffic was routinely recorded to the PCAP files. Unfortunately, Tomek is on a sick leave. Hence, you cannot either inquiry him or analyze his laptop. The Risk Assessment department puts a time pressure on you, so you have to act fast and cannot wait for him to get back to work. You only have a PCAP file (md5 fingerprint of the unpacked file: ` dddee4a69dd4a7bdcd060a258098ecef` ) which was recorded somewhere around the time of infection and you must answer two questions concerning the odd FTP connection.

• What is the SHA256 of the file that was extracted from Tomek laptop? This fingerprint must be of the file as it was on Tomek’s laptop just before the infection.
• What is the name of the file extracted from Tomek’s laptop? Of course, this name must be of the file that was on the Tomek’s computer just before the infection.

You can find the solution here.