Computer forensics challenge

From Inforail


Keywords

security, file-carving, data recovery, wiping, data acquisition, chain of custody, data sanitization, forensics

Objectives

  • Understand the basics of digital forensics
  • Apply your skills by analyzing the obtained evidence
  • Extract as much useful information as you can
  • Connect the dots and build a portrait of the suspect

Workflow

You're given an image of a partition of a flash memory card. It was extracted from an apartment in London, in the aftermath of a counter-terrorist operation. It is assumed that it belongs to the owner of the apartment, but it could be the case that it was stolen from somebody else.

We have reasons to believe the card was formatted minutes before the police got there, perhaps in a desperate attempt to destroy evidence.

You must analyze the data and gather as much intel as you can. Document your findings and understand who owned the flash card and whether they're involved in any illegal activities.

evidence.bin SHA1: 3c2094f2d62cb530ac642591c34ad86ab15fe88b

  1. Retrieve the file
  2. Verify its integrity
  3. Mount it to your system in read-only mode
  4. ???
  5. PROFIT!!
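Steps 2 and 3 of the workflow, as an added example that is not part of the original page: hash the image in chunks (so a multi-gigabyte dump never has to fit in memory), compare against the reference value, and build the read-only mount command rather than touching the evidence with a writable mount. The two SHA1 constants are the ones this page states; the mount options and the temporary stand-in file are assumptions for a Linux workstation, not anything the challenge prescribes.

```python
import hashlib
import os
import tempfile

# Hashes stated on the challenge page (the note at the bottom says the first one is wrong).
PAGE_SHA1 = "3c2094f2d62cb530ac642591c34ad86ab15fe88b"
CORRECTED_SHA1 = "759011725c2805b9ff7e6de898d63364968475fb"


def sha1_of_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so a large partition image never has to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(path, expected_sha1):
    """Return (matches, actual_hash). A mismatch means the file is not the image the
    reference hash describes: resolve that before analysing anything on it."""
    actual = sha1_of_file(path)
    return actual == expected_sha1.strip().lower(), actual


def readonly_mount_command(image, mountpoint):
    """Build (do not run) a Linux mount command that cannot alter the evidence.
    Options are an assumption for a typical Linux host: ro = never write,
    loop = treat the file as a block device, noexec/nodev = ignore executables
    and device nodes that may live inside the image."""
    return ["mount", "-o", "ro,loop,noexec,nodev", image, mountpoint]


def make_sample_image(content):
    """Write constructed bytes to a temp file standing in for evidence.bin; returns its path."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    return path


if __name__ == "__main__":
    # Constructed stand-in, not the real evidence.bin; sha1("abc") is a well-known test vector.
    sample = make_sample_image(b"abc")
    ok, actual = verify_image(sample, "a9993e364706816aba3e25717850c26c9cd0d89d")
    print("sha1 matches known-good value:", ok, actual)
    ok, actual = verify_image(sample, PAGE_SHA1)
    print("matches the hash stated on the page:", ok)
    print(" ".join(readonly_mount_command("evidence.bin", "/mnt/evidence")))
```

Record both the expected and the computed hash in your report: the comparison is what lets a reader confirm the chain of custody, and a mismatch (as this challenge deliberately plants) is a finding in itself, not something to paper over.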


Challenges

Find out the following details about the owner of the flash card:

  • their name, profession and country of residence
  • mobile phone brand and model owned
  • operating system most likely used
  • list of locations they have possibly been to
  • details about people they interacted with (phone numbers, photos, email addresses, names)
  • list of visited web-sites
  • has the suspect ever visited the Kingdom of Jvompihia?
  • were they hiding anything on that flash disk on purpose?

Based on the above, determine if the owner of the flash card is the mastermind of a terrorist cell, or if they are a target themselves.

Grading policy

  • 6 - run any file recovery tool and produce a report
  • 8 - handle half of the challenges
  • 9 - tackle all the challenges
  • 10 - formally prove whether the flash disk contains TrueCrypt images or not, explain your rationale

Remember that collecting data is easy, but making sense of it is much more challenging. Keep this in mind when writing your report and think about the most appropriate way to visualize your findings.

What is the best way to represent

  • the suspect's social connections?
  • the suspect's whereabouts?

Self-test questions

  • What is steganography used for?
  • What kind of information can be revealed from the metadata of:
    • a JPEG photo taken by a digital camera
    • a PDF received via email?
  • What is plausible deniability?
  • What is the chain of custody?
  • What methods can be used to ensure the evidence wasn't tampered with?
  • What is subliminal messaging?
  • How is file carving different from other file recovery methods?


Tools


References

  • http://forensicswiki.org/
  • A list of the items that can be recovered is shown in the source of this page (accessible to editors only)

Alternative challenges

Entropy visualizer

Write a tool that analyzes raw data (e.g. a file, a dump of a partition or an entire storage device) and visualizes the level of entropy in different regions of that file.

  • The visualization must be in the form of a heatmap, where red corresponds to high entropy and blue to low entropy
  • On mouse-over, display the corresponding offset in the image
  • The analysis process must be accompanied by a progress indicator

Other methods of visualization can be applied as well, as long as they provide a clear answer to these questions:

  • are there any suspicious areas in the file?
  • where exactly are they?

If you can do that using a text-mode interface, for example with ncurses, then go ahead.
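A text-mode version of the entropy visualizer, added here as an example and not part of the original challenge or any submitted solution: Shannon entropy per fixed-size block, a blue-to-red colour ramp, a progress callback, a terminal heatmap with the byte offset of each row, and a function that merges consecutive high-entropy blocks into offset ranges, which is the direct answer to "are there suspicious areas and where exactly are they". The 512-byte block size, the 7.5-bit threshold and the sample data are constructed assumptions; an all-zero region is what a wipe leaves behind, while a flat byte distribution is what an encrypted container (or, equally, a JPEG or a zip archive) looks like, so a red region is a lead to examine, not proof of encryption on its own.

```python
import math
from collections import Counter


def shannon_entropy(block):
    """Bits per byte (0.0 to 8.0) of one block of raw bytes."""
    if not block:
        return 0.0
    n = len(block)
    return -sum((c / n) * math.log2(c / n) for c in Counter(block).values())


def block_entropies(data, block_size=512, progress=None):
    """Entropy of every block; `progress`, if given, is called with (blocks_done, blocks_total)."""
    total = (len(data) + block_size - 1) // block_size
    ents = []
    for i in range(total):
        ents.append(shannon_entropy(data[i * block_size:(i + 1) * block_size]))
        if progress:
            progress(i + 1, total)
    return ents


def entropy_to_rgb(bits):
    """Map 0..8 bits onto blue (low entropy) .. red (high entropy)."""
    t = max(0.0, min(1.0, bits / 8.0))
    return int(255 * t), 0, int(255 * (1 - t))


def suspicious_regions(data, block_size=512, threshold=7.5):
    """Merge runs of blocks at or above `threshold` bits into (start, end) byte ranges."""
    regions, start = [], None
    ents = block_entropies(data, block_size)
    for i, h in enumerate(ents + [0.0]):  # sentinel closes a region that runs to the end
        if h >= threshold and start is None:
            start = i
        elif h < threshold and start is not None:
            regions.append((start * block_size, min(i * block_size, len(data))))
            start = None
    return regions


def render_heatmap(data, block_size=512, width=64):
    """Terminal heatmap: one coloured cell (24-bit ANSI background) per block,
    each row prefixed with the offset of its first block, so a cell can be traced to a position."""
    ents = block_entropies(data, block_size)
    lines = []
    for row in range(0, len(ents), width):
        cells = "".join("\x1b[48;2;%d;%d;%dm \x1b[0m" % entropy_to_rgb(h) for h in ents[row:row + width])
        lines.append("%08x  %s" % (row * block_size, cells))
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: a wiped (all-zero) area, then 1 KiB with a perfectly flat byte
    # distribution (what encrypted or compressed data looks like), then plain text.
    sample = bytes(1024) + bytes(range(256)) * 4 + b"hello world " * 60
    print(render_heatmap(sample, block_size=512, width=8))
    for start, end in suspicious_regions(sample):
        print("high-entropy region at offset 0x%x-0x%x" % (start, end))
```

For a real partition image, read the file in block-sized pieces instead of loading it whole, and keep the block size small enough that a short hidden region is not averaged away by its low-entropy neighbours.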


Metadata sanitizer

A lot of traces can be recovered from a file's metadata. If a whistleblower submits some documents, they might inadvertently compromise themselves. Write a program that

  • analyzes files given to it and produces a report indicating the metadata it found
  • automatically removes that metadata


Help the media

Set up a "whistleblower submission platform" on a web-site; it could be that of a newspaper, a popular blog, or a TV channel. Have a look at SecureDrop and follow their installation instructions.

A successful completion of the task requires:

  • setting up the system on an actual site
  • demonstrating that information received by a journalist does not point to the IP address of the original sender.

Note

That's right, the hash on top is wrong and you spotted that when verifying the integrity of the image. The real SHA1 of it is 759011725c2805b9ff7e6de898d63364968475fb. Good catch! ;-)