After I read news about a computer forensic competition on an information security blog, I suddenly had an urge to start working on this interesting case. One blog said this case was fairly easy and could be done using only freely available open-source computer forensics tools, such as PyFlag or Autopsy. So I told myself that I would definitely prove this stimulating statement and finalize the investigation with a conclusive result before the submission date (20/08/2008).
Since PyFlag was quite new to me, I needed to do several tasks before I finally started working on the real forensic material. First, of course, I had to install PyFlag on my Ubuntu box. The installation itself wasn't complex or time-consuming; nevertheless, I still spent some time properly fine-tuning PyFlag before I was able to use it: configuring the MySQL connection and the PyFlag configuration file, and later adding some components to it. Then I downloaded the image file and finally put it into the 'upload' directory.

After thoroughly examining the image file, I was finally able to solve all the problems and find the associated files within two days.
The following list summarizes my findings:
- A network analysis tool.
- A network security tool which could be used as a backdoor.
- A virtual encrypted disk.
- An mp3 file.
- Metasploit documents.
The last step to conclude this case is to provide an adequate forensic report. However, since I have a plan to go abroad with my beloved wife this weekend, I will postpone the report and plan to finish it afterwards.
In addition, in December 2007, I also worked on a similar computer forensic challenge during the first semester of my graduate program. Unfortunately, the magazine no longer provides the information. However, I still have a record of the case description, as follows:
Forensic Challenge
The terror suspect “X” has been captured after a police raid. In his house the police discovered some advanced bomb making equipment, five computers and an extraordinary number of penguin soft toys. The hard drives of the computers all appear to be encrypted and X is maintaining his right to silence. Because of this the investigation is not going much further forward, although it is suspected that a terrorist attack is planned. Then a memory card is discovered in X’s camera but there are no photos on it. The police suspect that there is information on the card which could be used to prevent an attack. For that reason they’ve come to you, the forensic expert. Your job is to retrieve the information from the card as quickly as possible and save many lives.
The challenge (De uitdaging)
The Digital Forensics unit of HB bv. has created a fictional forensics challenge. Your task is to investigate and analyse digital forensic evidence. The evidence is a forensic image of an mmc-card from a camera. What makes this challenge unique is that you are part of a secret police unit that is investigating the threat of a terrorist attack. Before you begin the challenge it is useful to read the police report to gain some background information, just as in other investigations. Finding the answers to the following questions and preventing a terrorist attack will depend on your technical skills.
Questions to be answered (De onderzoeksvragen)
1. Who are the other terrorists and when is the attack planned?
2. What is the target of the attack?
3. For every relevant file explain what X (the suspect) has done to hide the data from others.
4. Explain how you, the forensic expert, obtained the information. IMPORTANT! In order to judge the entries the MD5 hash of the recovered files must be included.
Download the image to be investigated from here.
Judging the entries (Beoordeling van de inzendingen)
Entries need to be sent to forensics @ xxx and info @ themagazine by 23:59 on 31 December 2007.
Even though I was finally able to solve the case, I didn't actually send the result to the magazine at that time. I only sent the result to my lecturer, since it was done as my final project for his course.
To successfully investigate this case, several tools were used during the investigation process. The list of tools and the image file are presented as follows:
- Image file (MMC acquired image file). Updated on August 21st, 2008 0:05 CEST*
- Final report of forensic challenge.
References:
- http://www.shortinfosec.net/2008/07/competition-computer-forensic.html
- http://computer.forensikblog.de/en/2008/07/a_challenge.html
- http://www.shortinfosec.net/2008/07/tutorial-computer-forensics-evidence.html
- http://www.shortinfosec.net/2008/07/tutorial-computer-forensics-process-for.html
- http://www.pyflag.net/cgi-bin/moin.cgi
- http://www.sleuthkit.org/
* If someone finds that the image file is protected by copyright law and licensed to a specific organization, feel free to post a notification in this article.
Awesome
That's cool, bro
keep on writing, babe…
writing is binding meaning
hopefully you can write a book, dear
Could you please attach the image to be investigated again, because the link is broken. I'm still new in computer forensics and would like to learn it. Thank you.
Hi there, sorry for the late response. I've just arrived from my trip. I've already updated this article and posted the image file. Please check the hash info after downloading the file (see the report for the hash).
Hi Lesky,
I've participated in this challenge too; I published the report on my blog: http://brainstretching.blogspot.com
Can you help me with the tools and commands used for the investigation? Kindly mail me the details at torusato0@gmail.com