#!/usr/bin/python
import os
import sys
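def prima(pcap='evidence.pcap'):
    """Q1: list the AIM buddy names seen in Ann's IM session.

    Filters the capture to the conversation between Ann's host
    (192.168.1.158) and the AIM server (64.12.24.50), extracts every
    ``aim.buddyname`` field and prints each distinct name with a count; the
    buddy is the name that is not Ann's own screen name.

    Args:
        pcap: path of the capture to read (default ``evidence.pcap``). It is
            interpolated into a shell command line, so pass trusted paths
            only (no shell metacharacters).

    Returns:
        The ``os.system`` wait status of the pipeline (0 on success). Because
        the shell reports the status of the last pipeline stage (``uniq``),
        a tshark failure is not reflected here -- watch stderr for it.

    NOTE(review): the capture is untrusted evidence. tshark dissectors have a
    long record of memory-safety bugs, so run this on an isolated,
    non-privileged analysis host, not on a workstation.
    """
    print("\n1. What is the name of Ann's IM buddy?")
    # The AIM session rides on TCP/443, so -d forces the AIM dissector onto
    # that port. -R is the legacy read-filter flag; modern tshark wants -Y for
    # single-pass filtering (or -2 together with -R).
    cmd = ("tshark -r '%s' " % pcap
           + '-R "ip.addr == 192.168.1.158 && ip.addr == 64.12.24.50" '
           '-d tcp.port==443,aim -T fields -e "aim.buddyname" | sort | uniq -c')
    status = os.system(cmd)
    if status != 0:
        sys.stderr.write("prima: pipeline exited with status %d\n" % status)
    return status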
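def seconda(pcap='evidence.pcap', frame=25):
    """Q2: print the text of the first IM message in the capture.

    Dumps ``aim.messageblock.message`` from a single frame. The default
    frame number (25) was located by hand for ``evidence.pcap`` by listing
    ``frame.number``, ``ip.src`` and ``aim.messageblock.message`` over the
    192.168.1.158 <-> 64.12.24.50 conversation; it is specific to that file.

    Args:
        pcap: capture to read; interpolated into a shell command line, so
            pass trusted paths only.
        frame: number of the frame holding the first message. Coerced with
            ``int()`` so only a number can reach the shell.

    Returns:
        The ``os.system`` wait status of the tshark call (0 on success).

    NOTE(review): the capture is untrusted input to tshark's dissectors;
    analyse it on an isolated host.
    """
    print('\n2. What was the first comment in the captured IM conversation?')
    # -d forces the AIM dissector onto TCP/443. -R is the legacy read-filter
    # flag (modern tshark needs -Y here, or -2 alongside -R).
    cmd = ("tshark -r '%s' -R \"frame.number==%d\" -d tcp.port==443,aim "
           "-T fields -e \"aim.messageblock.message\"" % (pcap, int(frame)))
    status = os.system(cmd)
    if status != 0:
        sys.stderr.write("seconda: tshark exited with status %d\n" % status)
    return status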
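def terza(pcap='evidence.pcap', frame=112):
    """Q3: dump, fully decoded, the frame that carries the file-transfer offer.

    ``-V`` prints the complete protocol tree for one frame so the name of
    the file Ann offered can be read from the AIM file-transfer fields. The
    default frame (112) was found by hand for ``evidence.pcap`` -- by
    grepping the 192.168.1.158 <-> 64.12.24.50 conversation for 'send',
    searching for a byte pattern, and listing TCP/5190 segments with
    ``tcp.len>80`` -- and is specific to that file.

    Args:
        pcap: capture to read; interpolated into a shell command line, so
            pass trusted paths only.
        frame: number of the frame to decode. Coerced with ``int()`` so only
            a number can reach the shell.

    Returns:
        The ``os.system`` wait status of the tshark call (0 on success).

    NOTE(review): the capture is untrusted input to tshark's dissectors;
    analyse it on an isolated host.
    """
    print('\n3. What is the name of the file Ann transferred?')
    # -d forces the AIM dissector onto TCP/443. -R is the legacy read-filter
    # flag (modern tshark needs -Y here, or -2 alongside -R).
    cmd = ("tshark -r '%s' -R \"frame.number==%d\" -d tcp.port==443,aim -V"
           % (pcap, int(frame)))
    status = os.system(cmd)
    if status != 0:
        sys.stderr.write("terza: tshark exited with status %d\n" % status)
    return status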
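def quarta(pcap='evidence.pcap', frame=119):
    """Q4: dump the frame whose payload starts the transferred file.

    ``-V`` prints the full decode of one frame so the first four payload
    bytes (the file's magic number) can be read off. sesta() later treats
    the carved file as a zip archive, so a ZIP signature is what to expect
    here -- confirm it from the decode rather than assuming it. The default
    frame (119) was found by hand for ``evidence.pcap`` by listing
    ``data.data`` over the 192.168.1.158 TCP/5190 segments, and is specific
    to that file.

    Args:
        pcap: capture to read; interpolated into a shell command line, so
            pass trusted paths only.
        frame: number of the frame to decode. Coerced with ``int()`` so only
            a number can reach the shell.

    Returns:
        The ``os.system`` wait status of the tshark call (0 on success).

    NOTE(review): the capture is untrusted input to tshark's dissectors;
    analyse it on an isolated host.
    """
    print('\n4. What is the magic number of the file you want to extract (first four bytes)?')
    # -R is the legacy read-filter flag (modern tshark needs -Y here, or -2
    # alongside -R).
    cmd = ("tshark -r '%s' -R \"frame.number==%d\" -d tcp.port==443,aim -V"
           % (pcap, int(frame)))
    status = os.system(cmd)
    if status != 0:
        sys.stderr.write("quarta: tshark exited with status %d\n" % status)
    return status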
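def quinta(pcap='evidence.pcap'):
    """Q5: carve the transferred file out of the capture and hash it.

    Steps, in order: (1) write Ann's TCP/5190 traffic -- the direct AIM
    file-transfer connection -- to ``new.pcap``; (2) reassemble its TCP
    streams with tcpflow into the current directory; (3) copy the
    sender->receiver flow minus its first 256 bytes into ``new`` (the
    skipped prefix is the OSCAR file-transfer header that precedes the file
    body -- confirm the length against the -V decode from quarta());
    (4) hash the result.

    The puzzle asks for MD5, so that is printed first. SHA-256 is printed as
    well: MD5 is not collision resistant and should not be the only
    integrity record kept for carved evidence.

    Args:
        pcap: capture to read; interpolated into a shell command line, so
            pass trusted paths only.

    Returns:
        0 if every step succeeded, otherwise the ``os.system`` wait status of
        the first step that failed. Later steps are skipped because each one
        consumes the previous step's output; the original ran on regardless
        and could hash a stale ``new`` from an earlier run.

    NOTE(review): the flow filename below is the scheme used by tcpflow 0.x /
    1.0 on this capture; newer releases may name or place the file
    differently. ``new.pcap``, the tcpflow files and ``new`` are created in
    -- and overwrite files in -- the current directory, so run from a
    scratch directory. The capture is untrusted input to both tshark and
    tcpflow; analyse it on an isolated host.
    """
    print('\n5. What was the MD5sum of the file?')
    steps = [
        # -R is the legacy read-filter flag (modern tshark wants -Y, or -2
        # together with -R, when filtering into -w).
        ("tshark -r '%s' -R \"ip.addr == 192.168.1.158 && tcp.port == 5190\" "
         "-d tcp.port==443,aim -w new.pcap" % pcap),
        'tcpflow -r new.pcap',
        'dd if=192.168.001.158.05190-192.168.001.159.01272 of=new skip=256 bs=1',
        'md5sum new',
        'sha256sum new',
    ]
    for cmd in steps:
        status = os.system(cmd)
        if status != 0:
            sys.stderr.write("quinta: '%s' exited with status %d; stopping\n"
                             % (cmd, status))
            return status
    return 0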
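def sesta():
    """Q6: print the document body of the carved file.

    Treats ``new`` (written by quinta()) as a zip archive -- a .docx is one
    -- extracts it into the current directory and prints
    ``word/document.xml``, the part that holds the document text. ``-o``
    makes unzip overwrite without asking, so a re-run does not block on an
    interactive "replace?" prompt.

    Returns:
        0 if both steps succeeded, otherwise the ``os.system`` wait status of
        the step that failed (``cat`` is skipped when unzip fails, since the
        XML it would print may then be stale or absent).

    NOTE(review): the archive comes straight out of an untrusted capture and
    is extracted into the current directory. unzip refuses absolute paths
    and ``../`` components, but it will still overwrite anything here that
    shares a name with an archive member -- run from a scratch directory,
    and do not open the extracted document in an Office application on the
    analysis host.
    """
    print('\n6. What is the secret recipe?')
    status = os.system('unzip -o new')
    if status != 0:
        sys.stderr.write("sesta: unzip exited with status %d; stopping\n" % status)
        return status
    status = os.system('cat word/document.xml')
    if status != 0:
        sys.stderr.write("sesta: cat exited with status %d\n" % status)
    return status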
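if __name__ == '__main__':
    # Walk the six puzzle questions in order. The order matters at the end:
    # quinta() carves the file that sesta() unzips. Guarding with __main__
    # lets the step functions be imported (e.g. to run one against another
    # capture) without firing all of them.
    prima()
    seconda()
    terza()
    quarta()
    quinta()
    sesta()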