In this project, you will play the role of a forensic analyst who is investigating a murder. The accused is Bob, who has fled the country and disappeared. Officers have seized a disk image of Bob’s computer.
Your job is to conduct a forensic examination of a disk image and document any evidence related to the murder. If you find sufficient evidence, a case can be brought against Bob.
The Forensics VM Instructions for x86 document contains step-by-step instructions to set up the virtual machine and analyze the forensics disk image. If your device uses an ARM chip like the M1 Mac, you should follow the instructions in the Forensics VM Instructions for M1 Macs document.
You will provide an answer file tokens.txt, together with a directory evidence/ containing all relevant evidence you discover. Your answers should be complete but concise. You may use the directory template that we have provided you here.
tokens.txt
As you complete the investigation, you will encounter "tokens" that represent major steps or important files. Most of the tokens are a string of words at the end of a file, separated by a single character each. Other tokens are simply passwords or monetary transaction identifiers. Place these in tokens.txt, separated by newlines.
For each token you find, please also write 2-3 sentences briefly explaining how you obtained the token.
This file will be the bulk of your assignment grade. To receive full credit, you'll need to submit the following tokens:
evidence/
Whenever you find a piece of evidence (e.g., a token), you must include a file or screenshot demonstrating where you found it. This directory should contain things like files containing tokens, screenshots of where you found a token, programs you wrote to crack passwords, etc. You should not need more than one file in this directory per token you found.
Collaboration outside of your group is strictly limited to conceptual topics discussed in lecture. Much of this assignment is focused on a group exploring possibilities and trying things themselves. The number of pieces of evidence you find, the techniques you try, how successful said techniques are, the general process you follow, etc. are all considered part of your solution and must not be discussed with members of other groups. You are free to search online for generic techniques and tutorials so long as you respect the collaboration policy of this course and cite all sources.
Cracking passwords is a required task in this project. It is sufficient to brute-force these passwords (i.e., guess and check). It is highly recommended that you use this dictionary for these brute-force attacks. Any brute-forcing you do in this assignment should not take more than a few hours. If anything you run exceeds this, let us know on Ed and we can confirm whether you are on the right track.
Network attacks are not required in this project. You should not conduct any network attacks. Other than using online informational resources, you do not even need an internet connection to complete this project.
Submit your files as a single zip file to Gradescope. Make sure you select all your group members when submitting. The zip file should contain the files / directories below:
tokens.txt - A plain text file with your discovered tokens and brief explanations of how you discovered them.
evidence/ - A directory containing any recovered file(s).