
Yet Another Computer Forensic Challenge

After reading a story about a computer forensic competition on one blog, I suddenly had an urge to solve the interesting case it described. Another blog said the case was fairly easy and could be done using only freely available open-source computer forensics tools, such as PyFlag or Autopsy. Based on this statement, I told myself to put it to the test and investigate the case to a conclusive result before the submission date (20/08/2008).

Since PyFlag was quite new to me, I had to do several tasks before working with the real stuff. First, of course, I had to install PyFlag on my Ubuntu box. The installation itself wasn’t complex or time consuming, but I still spent some time fine-tuning PyFlag before I could use it properly: configuring the MySQL connection and the PyFlag configuration file, and later adding some components to it. Then I downloaded the image file and finally put it into the ‘upload’ directory.

After thoroughly examining the image file, I was finally able to solve all of the problems and find the associated files within two days.

The following list summarizes my findings:

  1. A network analysis tool.
  2. A network security tool which could be used as a backdoor.
  3. A virtual encrypted disk.
  4. An mp3 file.
  5. Metasploit documents.

The concluding step in solving the case is to provide an adequate forensic report. However, since I plan to go abroad this weekend with my beloved wife :) , I will postpone the report and finish it afterwards.

In addition, in December 2007 I worked on a similar computer forensic challenge during the first semester of my graduate program. Unfortunately, the magazine no longer provides the information. However, I still have a record of the case description, as follows:

Forensic Challenge

The terror suspect “X” has been captured after a police raid. In his house the police discovered some advanced bomb making equipment, five computers and an extraordinary number of penguin soft toys. The hard drives of the computers all appear to be encrypted and X is maintaining his right to silence. Because of this the investigation is not going much further forward, although it is suspected that a terrorist attack is planned. Then a memory card is discovered in X’s camera but there are no photos on it. The police suspect that there is information on the card which could be used to prevent an attack. For that reason they’ve come to you, the forensic expert. Your job is to retrieve the information from the card as quickly as possible and save many lives.

The challenge (De uitdaging)

The Digital Forensics unit of HB bv. has created a fictional forensics challenge. Your task is to investigate and analyse digital forensic evidence. The evidence is a forensic image of an mmc-card from a camera. What makes this challenge unique is that you are part of a secret police unit that is investigating the threat of a terrorist attack. Before you begin the challenge it is useful to read the police report to gain some background information, just as in other investigations. Finding the answers to the following questions and preventing a terrorist attack will depend on your technical skills.

Questions to be answered (De onderzoeksvragen)

1. Who are the other terrorists and when is the attack planned?
2. What is the target of the attack?
3. For every relevant file explain what X (the suspect) has done to hide the data from others.
4. Explain how you, the forensic expert, obtained the information.

IMPORTANT! In order to judge the entries the MD5 hash of the recovered files must be included.

Download the image to be investigated from here.

Judging the entries (Beoordeling van de inzendingen)

Entries need to be sent to forensics @ xxx and info @ themagazine by 23:59 on 31 December 2007.

Even though I was finally able to solve the case, I didn’t actually send the result to the magazine at the time. I only sent it to my lecturer, since the work was done as my final project for his course.

Several tools were used during the investigation of this case. Below is the list of tools and the image file:

  1. Image file (MMC acquired image file). Download at: http://www.filesonic.com/file/ZNtIXwH (Updated on Jan 12, 2012)
  2. Final report of forensic challenge.
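The challenge rules above require the MD5 hash of every recovered file, and the comments below ask readers to check the hash of the downloaded image against the one in the report. The script below is an added example, not code from the original post or from the challenge organisers: it builds a per-file MD5/SHA-256 manifest for a directory of recovered files and verifies an acquired image against a published hash. All file contents are constructed in a temporary directory (a two-file "recovered" tree), and the expected hash used in the demo is the well-known MD5 of an empty file, so nothing here refers to the real evidence image.

```python
"""Hash manifest for recovered evidence files (added example, not the post's own code)."""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, algorithms=("md5", "sha256"), chunk_size=1 << 20):
    """Return {algorithm: hexdigest} for one file.

    The file is read in chunks so that a multi-gigabyte image does not
    have to fit in memory; every algorithm sees the same bytes once.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def build_manifest(root):
    """Hash every regular file under root.

    Keys are POSIX-style paths relative to root, sorted so that the
    manifest is reproducible run to run (useful when it goes in a report).
    """
    root = Path(root)
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        manifest[path.relative_to(root).as_posix()] = hash_file(path)
    return manifest


def verify_image(path, expected_md5):
    """True when the acquired image's MD5 matches the published value.

    The comparison ignores case and surrounding whitespace (hashes are
    often pasted from a report). A mismatch means the download is not the
    evidence that was published and should not be analysed further.
    """
    actual = hash_file(path, algorithms=("md5",))["md5"]
    return actual == expected_md5.strip().lower()


def format_manifest(manifest):
    """Render the manifest one line per file per algorithm, report-style."""
    lines = []
    for rel, digests in manifest.items():
        for name, hexdigest in digests.items():
            lines.append(f"{name.upper():<6} {hexdigest}  {rel}")
    return "\n".join(lines)


def demo():
    """Constructed data: two fake 'recovered' files in a temporary directory.

    Returns (manifest, image_verified). The empty file stands in for the
    acquired image; its expected MD5 is the standard empty-input digest.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "recovered").mkdir()
        (root / "recovered" / "note.txt").write_bytes(b"hello world\n")
        (root / "recovered" / "empty.bin").write_bytes(b"")
        manifest = build_manifest(root)
        # Upper-case, as a hash copied from a PDF report often is.
        ok = verify_image(root / "recovered" / "empty.bin",
                          "D41D8CD98F00B204E9800998ECF8427E")
        return manifest, ok


if __name__ == "__main__":
    manifest, ok = demo()
    print(format_manifest(manifest))
    print("image hash verified:", ok)
```

Recording SHA-256 alongside MD5 costs nothing extra (the file is read once) and gives a second, collision-resistant digest for the report; the MD5 remains the value the challenge rules ask for.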

References:

  • http://www.shortinfosec.net/2008/07/competition-computer-forensic.html
  • http://computer.forensikblog.de/en/2008/07/a_challenge.html
  • http://www.shortinfosec.net/2008/07/tutorial-computer-forensics-evidence.html
  • http://www.shortinfosec.net/2008/07/tutorial-computer-forensics-process-for.html
  • http://www.pyflag.net/cgi-bin/moin.cgi
  • http://www.sleuthkit.org/

* If you find that the image file is protected or licensed to an organization, feel free to post a notification in this article.

7 Responses to Yet Another Computer Forensic Challenge

  1. nels

    awesome :)
    cool, bro :)
    keep on writing, babe…
    writing is binding meaning :)
    hopefully you can turn it into a book, dear :)

  2. taufufa

    Could you please attach the image to be investigated again, because the link is broken? I’m still new to computer forensics and would like to learn it. Thank you.

  3. lesky

    Hi there, sorry for the late response. I’ve just arrived from my trip :) . I’ve already updated this article and posted the image file. Please check the hash info after downloading the file (see the report for the hash).

  4. Daniele

    Hi Lesky,
    I participated in this challenge too; I published the report on my blog: http://brainstretching.blogspot.com

  5. Torusato

    Can you help me with the tools and commands used for the investigation? Kindly mail me the details at torusato0@gmail.com

  6. Lakshmi

    Can you please provide a link to download hdb1-img.rar? The rapidshare link to the file is broken. I want to work on it and practice. Any help is appreciated, even if you could send me an email with the file attached.

    Laksh

  7. taratara

    Could you please update the download link for the image file again? Thank you.
