Latest Blog Post

read more

Upcoming Events

September 16, 2015 - LMG will teach "Digital First Responder Training" at our World Headquarters in Missoula, MT. Sign up now!

September 22, 2015 - LMG will teach "Digital First Responder Training" in Billings, MT. Sign up now!


Congratulations to all the teams that participated in the Network Forensics Puzzle Contest at DEF CON 23! View contest results, hints, and passwords here.

We're pleased to announced that Network Forensics Puzzle DVDs from 2011, 2012, and 2014 are all available on BytePuzzles!

LinkedIn Reddit Delicious Technorati Twitter Digg Stumbleupon

Join our Email Newsletter

Send your cybersecurity questions to for the chance to have them answered in our newsletter!

Class and Book

Want "Network Forensics" (the class) taught privately at your facilities? Request an Onsite

Order Network Forensics: Tracking Hackers Through Cyberspace!

Need Expert Consulting?

Request a Quote

Email Us an RFP

Network Forensics Puzzles

Play with real packet captures and learn about network forensics! From time to time, LMG releases forensics puzzles on the Network Forensics Puzzle Contest site. Follow the exploits of Ann Dercover, Dr. Clearwater and their hacker friends. Analyze packet captures that contain VOIP, SMTP, Apple TV, the Operation Aurora exploit, Android traffic, and more.

Going to DEF CON? Join us for our annual DEF CON Network Forensics Puzzle Contest!

Puzzle Description Details Links
Puzzle #1: Ann's Bad AIM

Anarchy-R-Us, Inc. suspects that one of their employees, Ann Dercover, is really a secret agent working for their competitor. Ann has access to the company’s prize asset, the secret recipe. Security staff are worried that Ann may try to leak the company’s secret recipe.

AIM and the OSCAR File Transfer Protocol.

Puzzle #2: Ann Skips Bail

After being released on bail, Ann Dercover disappears! Fortunately, investigators were carefully monitoring her network activity before she skipped town. "We believe Ann may have communicated with her secret lover, Mr. X, before she left," says the police chief. "The packet capture may contain clues to her whereabouts."


Puzzle #3: Ann's AppleTV

Ann and Mr. X have set up their new base of operations. While waiting for the extradition paperwork to go through, you and your team of investigators covertly monitor her activity. Recently, Ann got a brand new AppleTV, and configured it with the static IP address Here is the packet capture with her latest activity.

HTML (AppleTV)

Puzzle #4: The Curious Mr. X

While a fugitive in Mexico, Mr. X remotely infiltrates the Arctic Nuclear Fusion Research Facility’s (ANFRF) lab subnet over the Interwebs. Virtually inside the facility (pivoting through a compromised system), he conducts some noisy network reconnaissance. Sadly, Mr. X is not yet very stealthy.

Port scan traffic
Puzzle #5: Ms. Moneymany’s Mysterious Malware
(By Lenny Zeltser)

Our latest forensics puzzle has a malware twist to it, and was written by Lenny Zeltser. Lenny teaches the reverse-engineering malware (REM) course at SANS Institute.

Malware traffic

Puzzle #6: Ann's Aurora

Ann Dercover is after SaucyCorp's Secret Sauce recipe. She's been trailing the lead developer, Vick Timmes, to figure out how she can remotely access SaucyCorp’s servers. One night, while conducting reconnaissance, she sees him log into his laptop ( and VPN into SaucyCorp’s headquarters.

Leveraging her connections with international hacking organizations, Ann obtains a 0-day exploit for Internet Explorer and launches a client-side spear phishing attack against Vick Timmes. Ann carefully crafts an email to Vick containing tips on how to improve secret sauce recipes and sends it. Seeing an opportunity that could get him that Vice President of Product Development title (and corner office) that he’s been coveting, Vick clicks on the link. Ann is ready to strike...

Operation Aurora exploit

Puzzle 7: Ann's Dark Tangent (DEFCON 2010)

Ann has arranged a rendezvous with Dark Tangent. You are the forensic investigator. Can you figure out their destination?

WEP-encrypted wireless traffic

Apple iPad Traffic

Puzzle #8: HackMe, Inc.

Inter0ptik is on the lam and is pinned down. The area is crawling with cops, and so he must stay put. But he also desperately needs to be able to get a message out to Ann and Mr. X. Lucky for him he detects a single wireless access point (WAP) in the building next door that he might be able to use, but it is using encryption and there are no other opportunities available. What is Inter0ptik to do?

WEP-encrypted wireless traffic and HTML

Puzzle #9: Ann's Deception (DEFCON 2011)

The lead chemist of a high-profile pharmaceutical company was involved in a serious accident, leaving him in a coma days before the release of the company’s highly publicized “133t pill.” The chemist was the only person in possession of the list of ingredients required to produce the wonder drug, and it is not known if he will ever recover. All chemical evidence of the drug has been destroyed, but the company believes that the missing ingredients may have been stored electronically. You have been hired as a forensic investigator, to recover the final ingredient of their 133t pill. Can you find the missing ingredient?