In this project, you will play the role of a forensic analyst who is investigating a murder. The accused is Bob, who has fled the country and disappeared. Officers have seized a disk image of Bob’s computer.
Your job is to conduct a forensic examination of a disk image and document any evidence related to the murder. If you find sufficient evidence, a case can be brought against Bob.
The Forensics VM Instructions document contains step-by-step instructions to set up the virtual machine and analyze the forensics disk image. The precept slides contain summary information of the techniques/tools you may need to use.
You will provide an answer file tokens.txt, together with a directory evidence/ containing all relevant evidence you discover. Your answers should be complete but concise. You may use the directory template that we have provided you here.
tokens.txt
As you complete the investigation, findings and major steps will be marked by a set of words, normally at the end of a file or text (or, in some cases, transaction identifiers or passwords). Place these in tokens.txt, separated by newlines. For each token you find, please also write 2-3 sentences briefly explaining how you obtained the token. This file will be the bulk of your assignment grade. To receive full credit, you'll need to submit the following tokens:
evidence/
You should also include a directory where you place all the evidence that you have gathered throughout the process. This directory should include any file(s) that you have recovered from the suspect machine.
Collaboration: Strictly prohibited outside your group. Undergraduates are bound by the Honor Code, while graduate students are bound by the Graduate School's expectation of research integrity, not to communicate with anyone regarding any aspect of the case or your investigation (other than within your group or with course staff). The number of pieces of evidence you find, the techniques you try, how successful said techniques are, the general process you follow, etc. are all considered part of your solution and must not be discussed with members of other groups. You may consult published references, provided that you appropriately cite them at the end of tokens.txt, as you would in an academic paper.
Cracking Passwords In this assignment, you will come across situations where you'd need to crack specific passwords. Keep in mind that you're not asked to find vulnerabilities in these password schemes; simply bruteforcing the passwords is sufficient. You probably want to use a dictionary for these bruteforcing attacks.
Network Attacks You should not conduct any network attacks, including but not limited to tcpdump, aircrack-ng, nmap, etc. In theory, this whole assignment can be finished while disconnected from the Internet (maybe except for Googling for things and installing tools).
Submit your files as a single zip file to Gradescope. Make sure you select all your group members when submitting. The zip file should contain the files / directories below:
tokens.txt - A plain text file with your discovered tokens and brief explanations of how you discovered them.
evidence/ - A directory containing any recovered file(s).