There is no need to use the same groups you had in past assignments; you may
choose new partners.
In this project you will investigate the murder of Hapless Victim, a
well-known campus personality, who was killed while working in the CS building
sometime between midnight and 6 a.m. Officers recovered a projectile known
as a "nerf blaster dart" which appears, inexplicably, to have been the cause
of death.
Officers have arrested the leading suspect, Nefarious Criminal, and seized
his computer. An image of his hard drive is available for investigation
(3.2 gigabyte download; SHA1 hash: 84ed06ce5fb8461b72511ce2ed391f8d1e5656f2;
check it with 'sha1sum -b filename' on Linux). Your job is to conduct a
forensic examination of this hard drive image and document any evidence
relating to the murder.
Tasks and deliverables
The deliverables for this project are your answers to the numbered
questions below. Your
answers should be complete but concise. None of the questions should require
more than one or two paragraphs to answer.
For each prompt, explain the investigatory methods you used and the evidence
that supports your conclusion. Submit your answers in HTML or PDF format,
in a file called index.html or homework8.pdf. You may include recovered
files in your submission,
but your report should clearly indicate which of these files are relevant to
each response.
As you investigate, be on the lookout for evidence of any other machines
or network services that the suspect may have used. These may contain
important evidence and raise further questions you'll need to investigate.
Per Section 4.1, be sure to contact your supervisor (i.e., the teaching
assistants) before attempting
to access any such machines or accounts. Again, start early; management
has been known to take up to 24 hours to respond on weekdays and longer
on weekends, although we try to respond promptly.
- Try booting the suspect's machine and using it normally. What
specific behaviors of this machine make this a bad idea? We strongly
recommend that you mount the suspect's drive from a safe system before
continuing (see the hints on creating a raw image later in this section).
- What operating system does the suspect use? Be careful and specific; e.g.,
say "Windows 2000" instead of just "Windows." (No attachment necessary.)
- What is the username of the account typically used by the suspect?
(No attachment necessary.)
- Do you have any evidence that the suspect had an accomplice who was
physically present on the night of the crime?
- Were there any suspicious-looking encrypted files on the machine? If so,
please attach their contents and a brief description of how you obtained the
contents.
- What evidence do you have that the suspect owned or was researching
weapons of the kind involved in the murder? Please attach the specific
evidence and a brief explanation.
- Did the suspect try to delete any files before his arrest? Please attach
the name(s) of the file(s) and any indications of their contents that you
can find. (Hint: We will be impressed enough to give extra credit if you
manage to recover the original contents of a particular incriminating
file, but we do not expect you to do so.)
- Is there anything else suspicious about the machine?
Submitting
You should write up your answers to the above questions as you have
for previous assignments. Include these answers as well as any files
from the image which you wish to use as exhibits to support those
answers and submit them as a zip file here.
Hints and resources
In addition to the hints we've dropped elsewhere, here is an incomplete list
of some things you may want to try:
- Examine the system logs.
- Check for deleted or encrypted files.
- Search the drive image itself (e.g., using grep -a or strings) for strings
that may indicate relevance to your investigation. You'll need to convert the
disk image to a "raw" binary image; see the help for the VBoxManage
clonehd command.
Some additional resources that may help you:
- http://darkdust.net/writings/diskimagesminihowto explains how to find
the partitions in a disk image and mount one of them, albeit in a different
context than forensics. http://en.wikipedia.org/wiki/Disk_partitioning
provides some background that you may be missing.
- John the Ripper (http://www.openwall.com/john/) is the canonical Unix
password cracker. Cain and Abel (http://oxid.it/cain.html) and Hydra
(http://www.thc.org/thc-hydra/) are two other well-known general-purpose
password crackers, fcrackzip (http://home.schmorp.dc/marc/fcrackzip.html) is
a ZIP password cracker, and pdfcrack
(http://sourceforge.net/projects/pdfcrack/) is a PDF password cracker.
John, fcrackzip, and pdfcrack are conveniently available in the Debian
package repositories and may be available for other Linux distros as well.
When using a password cracker, it is wise to make sure that the password is
not susceptible to a dictionary attack and does not use a restricted
character set (e.g., lowercase letters, letters only, letters and numbers
only) before spending time on a full brute-force crack. It is also
a good idea to crack a very vulnerable password first to make sure you are
using the tool correctly.
- "Deleted files recovery howto"
(http://e2undel.sourceforge.net/recovery-howto.html) explains how to recover
deleted files on the ext2 filesystem using e2undel and
debugfs. http://www.xs4all.nl/~carlo17/howto/undelete_ext3.html
explains how to attempt to recover deleted files on the ext3 filesystem.
- A general working knowledge of Linux is probably helpful for this
project as well. If you don't have this yet, you may need to spend a little
time Googling and/or experimenting to get up to speed. The TAs will also
answer general Linux questions as a last resort.
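As an added example that is not part of the assignment handout, the shell functions below tie together the hints above (mount the suspect's drive from a safe system rather than booting it; convert the VirtualBox image to a raw image with VBoxManage clonehd; find the partition and mount it; search the raw image with grep -a) into one read-only workflow, and add the checks an examiner would want: verifying the download hash first, mounting so that nothing on the image can execute or be written, and mapping a grep byte offset back to a filesystem block that debugfs can resolve to an inode and path. The file names suspect.vdi, suspect.raw, /mnt/suspect and /dev/loop0 are placeholders; the SHA1 is the one the assignment states; the sfdisk dump used in the self-test is constructed.

```shell
#!/bin/sh
# Added example for this assignment, not part of the original handout.
# Read-only workflow for the suspect's disk image on a safe analysis host:
# verify the download, flatten it to a raw image, locate the partition, mount it
# so nothing on it can run or be modified, and map grep -a hits back to blocks.
#
# Assumed (placeholder) names: suspect.vdi (downloaded VirtualBox image),
# suspect.raw (flattened copy), /mnt/suspect (mount point), /dev/loop0 (loop
# device). EXPECTED_SHA1 is the value published in the assignment.

EXPECTED_SHA1=84ed06ce5fb8461b72511ce2ed391f8d1e5656f2

# verify_image FILE EXPECTED_SHA1 -> exit status 0 on match, 1 otherwise.
# Do this first: every later finding rests on analysing the image as published.
verify_image() {
    actual=$(sha1sum -b "$1" | awk '{ print $1 }')
    [ "$actual" = "$2" ]
}

# to_raw VDI RAW: VirtualBox's container format is not sector-addressable, so
# grep, strings and mount need a flat copy; clonehd --format RAW produces one.
to_raw() {
    VBoxManage clonehd "$1" "$2" --format RAW
}

# part_start_from_dump N: print partition N's starting sector from an
# "sfdisk -d IMAGE" dump read on stdin (sfdisk -d works on a plain file).
part_start_from_dump() {
    sed -n "s/^.*[^0-9]$1 : start= *\([0-9][0-9]*\),.*/\1/p"
}

# partition_offset START_SECTOR [SECTOR_SIZE]: byte offset for mount/losetup.
partition_offset() {
    echo $(( $1 * ${2:-512} ))
}

# mount_partition RAW START_SECTOR MOUNTPOINT
# ro keeps the image unchanged; noload stops ext3 from replaying its journal
# onto the image at mount time (drop it if the filesystem is plain ext2);
# noexec,nodev,nosuid ensure nothing from the suspect's disk runs on this host.
mount_partition() {
    off=$(partition_offset "$2")
    sudo mount -o ro,loop,noload,noexec,nodev,nosuid,offset="$off" "$1" "$3"
}

# search_image RAW PATTERN: case-insensitive search of the whole raw image.
# -a treats binary data as text; -b with -o prints the byte offset of each hit.
search_image() {
    grep -a -o -b -i "$2" "$1"
}

# block_of_offset IMAGE_BYTE_OFFSET PARTITION_BYTE_OFFSET BLOCK_SIZE
# Converts a grep -b offset into a filesystem block number inside the partition,
# which debugfs can resolve to an inode (icheck) and then to a path (ncheck).
block_of_offset() {
    echo $(( ($1 - $2) / $3 ))
}

# Worked session; runs only when called explicitly (needs the image and root).
forensic_walkthrough() {
    verify_image suspect.vdi "$EXPECTED_SHA1" || { echo "hash mismatch" >&2; return 1; }
    to_raw suspect.vdi suspect.raw
    start=$(sfdisk -d suspect.raw | part_start_from_dump 1)
    off=$(partition_offset "$start")
    mkdir -p /mnt/suspect
    mount_partition suspect.raw "$start" /mnt/suspect
    # Attach the same partition read-only (-r) for dumpe2fs/debugfs.
    sudo losetup -r -o "$off" /dev/loop0 suspect.raw
    bs=$(sudo dumpe2fs -h /dev/loop0 2>/dev/null |
         awk -F: '/^Block size/ { gsub(/ /, "", $2); print $2 }')
    # For each hit on the keyword, report the block and ask debugfs which inode owns it.
    search_image suspect.raw 'nerf' | cut -d: -f1 | while read -r hit; do
        blk=$(block_of_offset "$hit" "$off" "$bs")
        echo "offset $hit -> block $blk"
        sudo debugfs -R "icheck $blk" /dev/loop0
    done
}
```

The offset-to-block step is what turns a raw string hit into evidence you can attribute: once icheck names an inode, `debugfs -R "ncheck INODE" /dev/loop0` gives the path (or shows the inode is unallocated, which is itself a lead for the deleted-file question). Using the read-only loop device and the `ro,noload` mount means the image's hash stays the same after your analysis, which you can confirm by re-running verify_image when you are done.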
Policies and mechanics
Ethics
In this project you will be investigating the use of computers as part of
an entirely fictitious crime scenario. You may access Web pages and other
obviously-public computer services in a read-only fashion, but you must
not attempt to log into any computers or accounts over which you do not
already have sole control, even if you recover authentication credentials
for those accounts from your analysis. If you think that doing so is
necessary (hint, hint), you must first email the teaching assistants.
Collaboration
As usual, you may not collaborate outside your group. The number of
pieces of evidence you find, the techniques you try, how successful those
techniques are, the general process you follow, etc., are considered
part of your solution and must not be shared between groups.
If you get stuck
Given the nature of the assignment and its strict collaboration policy, we
recognize the need for some hints. We have developed standard hints for each
question we have asked in the assignment; if your group gets stuck, you may
email the teaching assistants with the names of your group members, the
question for which you would like a hint, and the progress you have made
thus far on that question. Each group may receive up to three hints in
total, and we will enforce a one-hour delay between hints for each group.
Requesting access to a remote machine does not count as a hint request, nor
does asking for help with the first three questions, which are intended to
help you get started.
We will respond to hint requests in a best-effort, first-come first-served
fashion. In particular, you will not necessarily receive a hint before the
homework deadline if you request one within 24 hours of the deadline. Start
early!
Copyright 2010, J. Alex Halderman and Edward W. Felten.