Skip to content
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
Cannot retrieve contributors at this time

This repo contains the files for my Network Forensics Workshop, which was held at CactusCon 2015 and BSides San Francisco 2015.

In the workshop, I walked attendees through how Bechtel’s “Team DOFIR” took 1st place in LMG Security’s Network Forensics Puzzle Contest (NFPC) at DefCon 22 (2014). Each year, LMG holds an awesome contest, and we are proud to show the tech that we used to complete last year’s challenge.

To solve the sucker, we used tools such as Wireshark, tshark, tcpflow, bash, perl (regex one-liners baby!), Python (w/various modules), and others. I cover how we put together some scripts and commands in order to streamline our methodology. My goal: Show off some cool network forensics tech and garner interest for this year’s NFPC. We want some top-notch competition, so check out what we have to offer and be sure to get your game on at DefCon 23 in 2015!

The .txt files are the step-by-step instructions, whereas the .py files are the Python scripts we wrote for the respective challenges.


At CactusCon 2015, we handed out 40 copies of the LMG Security's Network Forensics Puzzle Challenge 2014 DVD. If you received one, great!

At BSides San Francisco 2015, the relevant files were distributed via a private local network share. If you received the files this way ("unencrypted" folder), great!

If you did not receive the associated PCAP files at one of these cons, FEAR NOT! You can obtain the materials directly from LMG Security:


Speaking of the DVD:

The TrueCrypt volumes on the official LMG Security DVD require passwords. Please note that zeroes are often used instead of the letter 'o.'

Round 1: izDEFCONf33ling22?#tSwift

Round 2: #pshth@twaSteh3@$y1#

Round 3: Ib3tuth0ughtQat@r&&

Round 4: h0wd1dug3tth@t1?%

Round 5: ur0nar0lln0w!@

Round 6: gud$luk^^0nth1s1

Round 7: !LA$$t0n3!!

Bonus round: Way-2_1337-4_u!