Brookes Security Challenge
Based on the DFRWS 2005 RODEO CHALLENGE

Introduction:
This is your chance to take part in a computer forensics investigation, similar to what would happen in real life. We're asking you to play the part of the investigator and find what information you can about the evidence you have been given. In particular, we're going to ask you to find specific bits of evidence that might help the police in their investigation. Raise your hand if you have a question or get stuck and one of the organizers will come over and give you a tip.

Scenario:
The city of New Orleans passed a law in 2004 making possession of ten or more unique rhinoceros images a serious crime. The network administrator at the University of New Orleans recently alerted police when his instance of RHINOVORE flagged illegal rhino traffic. Evidence in the case includes a computer and a USB key seized from one of the University's labs. Unfortunately, the computer had no hard drive. The USB key was imaged and a copy of the dd image is on the CD-ROM you've been given. In addition to the USB key image, three network traces are also available; these were provided by the network administrator and involve the machine with the missing hard drive. The suspect is the primary user of this machine, who has been pursuing his Ph.D. at the University since 1972 and is called Mallory.

Your task:
Recover as many rhino pictures from the available evidence as you can and find out as many usernames and passwords as you can. See if you can also answer the following questions:
• What happened to the hard drive in the computer? Where is it now? Is it worth spending police time recovering it?
• What happened to the USB key?
• Is there any evidence that connects the USB key and the network traces? If so, what?

Evidence record:
Investigator's name:
Date:
Rhinos found (cross each one off as you find them):
Usernames and passwords found:
    Username | Password
What happened to the hard drive in the computer? Where is it now? Is it worth spending police time recovering it?
What happened to the USB key?
Is there any evidence that connects the USB key and the network traces? If so, what?

Getting Started
a) Boot up the BackTrack disk and open up a command prompt. Type in the following commands:
   cd /
   mkdir /brookes
   mkdir /root/images
   mkdir /root/images2
b) Download the files rhino.log.gz, rhino2.log.gz, rhino3.log.gz, RHINOUSB.dd.gz and jtr_passwd.txt to your /brookes directory and uncompress the .gz files (for example with gunzip /brookes/*.gz).
c) Start Autopsy by going to a command prompt and typing the command autopsy
d) Open up a browser pointing to http://localhost:9999/autopsy and minimize it (we'll come back to it later).

Cracking the passwords:
1) Finding out passwords can take a long time, so let's do that first. The file jtr_passwd.txt is a password file showing usernames and password hashes of Mallory's associates. It would be useful if we could get the passwords used by these people, as they are also suspects and people often use the same password on different accounts. Fortunately we have a program called John the Ripper which will help us do this. To start John go to the "Privilege Escalation" menu and select john. At the command prompt that opens, type john /brookes/jtr_passwd.txt and see what passwords it finds. It will get some very quickly and others will take much longer. Record the ones it has retrieved quickly and leave it running. (Don't forget to look at the end to see what else it has found.) The passwords John has cracked so far can be listed at any time, without interrupting the running session, with john --show /brookes/jtr_passwd.txt.

Looking at the USB stick
2) We copied the USB stick onto a file on our computer (this is known as an image of the USB stick) and we now need to look at it. Looking at images of disks, USB sticks, memory cards and even mobile phones is a big part of Digital Forensics. Fortunately we have a program called Autopsy which can help us. Maximize the browser that you opened earlier.
3) Click on the "New Case" button. You'll get a page asking for the case details: fill in the case name (call it "Rhino1") and your name in the investigator's part, then click on "New Case".
4) On the next page click "Add Host", and on the page after that click "Add Host" again (we only have one computer, so we can accept the default details).
5) Click on the "Add Image" button.
6) Click on the "Add Image File" button.
7) Where it says "Location", type in /brookes/RHINOUSB.dd and press "Next".
8) On the next page, accept the defaults and click on "OK".
9) On the next page click "Add", and on the page after that click "OK".
10) We're now ready to analyse the image of the USB stick. Click on "Analyze" and then "Keyword Search" (this is at the top of the page). Search for some keywords (each search can take a while, so choose your search terms carefully; ticking the case-insensitive option catches "Rhino" as well as "rhino"). When it's finished you'll see a results page a bit like the screenshot. To see what the results are, click on the link highlighted in red in the screenshot and see if you can find out what happened to the hard drive and the USB stick. You can use the Previous and Next buttons on the page (not the browser ones!) to look at the text surrounding your hits. If you get stuck, ask for help.

Digging in the network:
11) Another valuable source of information is the network logs that the network administrator helpfully captured for us. A good program for an overview of what is happening is EtherApe. Click on K Menu->Backtrack->Privilege Escalation->Sniffers->Etherape.
12) When EtherApe has loaded, click on "File->Open", where it says "File" type /brookes/rhino.log and then click OK. EtherApe will then play back the suspect's network traffic from the log file. Can you notice any patterns?
13) After you've watched EtherApe do its work for a while (don't wait too long), let's see if we can find any of the FTP traffic that EtherApe showed. Click on the Console button (it's the one on the task bar to the right of the Firefox icon and looks a bit like a DOS prompt) and in the console type cd /brookes and press the return key.
14) If we type strings rhino.log | grep XXXX, where XXXX is what we want to search for, we can search the whole trace for a keyword (put -i after grep to ignore case). Using this, can you find evidence of an FTP login? (Hint: what do you need to log in to a machine? Look for those keywords. An FTP client sends them to the server as plain-text commands, which is exactly why they turn up in a trace.)
15) If we type strings rhino.log > rhino.txt we can create a text file of all the strings, which we can look at in a text editor by typing the command kate rhino.txt. See if you can find a username and password for your list in this file (create a New Session when Kate asks you what to do; the Find option is on the Edit menu).

Looking for pictures:
16) We need to find pictures for the real evidence though, and once again we have a tool to help us; this one is called foremost. Click on K menu->Backtrack->Digital Forensic->File Carving->Foremost. This opens a window we can use to carve files out of images and logs: foremost scans the raw bytes for the headers and footers of known file types (JPEG, GIF, PNG and others) and writes out whatever it finds, which is why it can recover pictures even when there is no file system left to read.
17) Now we can use foremost to carve up our USB image. To run foremost we use the command foremost -o /root/images /brookes/RHINOUSB.dd. This writes any files it recognises into /root/images, one subdirectory per file type, together with an audit.txt listing what was found and where. (foremost will not write into a directory that already has files in it, which is why we made two output directories.)
18) We can use Konqueror to view the images. Click on "images" on the desktop and have a look to see what sort of images you've found; remember to cross off any rhino pictures on your evidence sheet.
19) We can even use foremost on the log files. Click on K menu->Backtrack->Digital Forensic->File Carving->Foremost again, but this time type the command foremost -o /root/images2 /brookes/rhino*.log. This time we're carving the network logs to extract files! Once again click on the "images2" folder and have a look at what you have found.

Looking for pictures – the advanced way
20) The problem with using foremost on network traffic is that a picture is usually spread over many packets, so its pieces are separated by packet headers and may even be captured out of order, and the carved file does not reconstruct properly. However, driftnet is a program that watches live network traffic for images. The problem with driftnet is that it won't work with saved network traces like our log files. tcpreplay is a program that replays network traffic stored in a log onto a network interface. See if you can work out how to use driftnet and tcpreplay together to see if there are any more rhino pictures in the traffic. Hint 1: you probably don't want to use a network interface that goes onto the network; replaying the trace there would re-send the suspect's traffic, logins included, to everyone on the lab network, whereas replaying onto the loopback interface with driftnet listening on that same interface keeps it on your machine. Hint 2: the file rhino.log is very big, so you probably don't want to spend much time on that one.

And finally
21) Go back and check how John has got on and fill in your evidence sheet.
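The two extraction steps used on the network logs above, pulling an FTP login out of the trace (steps 14 and 15) and carving pictures out of it (steps 19 and 20), can also be done by hand, and doing so shows exactly why foremost struggles on a trace. The Python program below is an added worked example written for this worksheet; it is not part of the original challenge material and not the code of foremost, driftnet or any other tool named here. It builds a small constructed pcap in memory (the addresses, the USER/PASS commands "mallory"/"Secret1" and the stub JPEG are all made up), recovers the FTP credentials from the control connection, and then carves the same JPEG twice: once from the raw trace bytes, where the carved object swallows the packet headers between segments and comes out corrupt, and once from the TCP stream reassembled in sequence order, where it comes out whole.

```python
"""Added example for the Brookes rhino worksheet (not part of the original
material): parse a pcap by hand, recover FTP credentials from the control
channel, and carve a JPEG that was split across several packets.

Everything here is constructed: addresses, ports, the USER/PASS commands and
the stub JPEG. IP/TCP checksums are left as zero; the parser never checks them."""
import struct

CLIENT = bytes([192, 168, 1, 10])   # constructed suspect workstation
SERVER = bytes([192, 168, 1, 20])   # constructed FTP server
# Minimal JPEG-looking blob: SOI + APP0 header, 300 bytes of filler, EOI.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + bytes(300) + b"\xff\xd9"
JPEG_SOI, JPEG_EOI = b"\xff\xd8\xff", b"\xff\xd9"


def build_packet(src, sport, dst, dport, seq, payload):
    """Ethernet + IPv4 + TCP frame carrying payload (no options, zero checksums)."""
    eth = bytes(12) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0, src, dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(packets):
    """Classic little-endian pcap: 24-byte global header, 16-byte record headers."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, pkt in enumerate(packets):
        out.append(struct.pack("<IIII", 1_100_000_000 + i, 0, len(pkt), len(pkt)) + pkt)
    return b"".join(out)


def build_sample_pcap():
    """Constructed trace: an FTP login on port 21, then the data channel sending
    the JPEG in three segments that were captured out of order."""
    pkts, seq = [], 1000
    for cmd in (b"USER mallory\r\n", b"PASS Secret1\r\n"):   # constructed credentials
        pkts.append(build_packet(CLIENT, 40000, SERVER, 21, seq, cmd))
        seq += len(cmd)
    segs = [SAMPLE_JPEG[i:i + 128] for i in range(0, len(SAMPLE_JPEG), 128)]
    data = [build_packet(SERVER, 20, CLIENT, 40001, 5000 + i * 128, s) for i, s in enumerate(segs)]
    pkts += [data[0], data[2], data[1]]          # middle segment arrives last
    return build_pcap(pkts)


def iter_tcp(pcap):
    """Yield (src, sport, dst, dport, seq, payload) for every TCP packet in the file."""
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap, off)
        off += 16
        pkt, off = pcap[off:off + incl_len], off + incl_len
        if pkt[12:14] != b"\x08\x00":            # not IPv4
            continue
        ip = pkt[14:]
        ihl, total = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0]
        if ip[9] != 6:                            # not TCP
            continue
        tcp = ip[ihl:total]
        sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
        yield ip[12:16], sport, ip[16:20], dport, seq, tcp[(tcp[12] >> 4) * 4:]


def reassemble_flows(pcap):
    """Join each direction of each connection back into one byte string, ordered
    by sequence number (wrap-around and retransmissions are ignored here)."""
    flows = {}
    for src, sport, dst, dport, seq, payload in iter_tcp(pcap):
        if payload:
            flows.setdefault((src, sport, dst, dport), []).append((seq, payload))
    return {k: b"".join(p for _, p in sorted(v)) for k, v in flows.items()}


def ftp_credentials(flows):
    """Return (user, password) pairs from every client-to-server FTP control stream.
    FTP sends both in clear text, which is why strings | grep finds them too."""
    found = []
    for (_, _, _, dport), data in flows.items():
        if dport != 21:
            continue
        user = password = None
        for line in data.split(b"\r\n"):
            if line[:5].upper() == b"USER ":
                user = line[5:].decode("latin-1")
            elif line[:5].upper() == b"PASS ":
                password = line[5:].decode("latin-1")
        if user is not None:
            found.append((user, password))
    return found


def carve_jpegs(blob):
    """Header/footer carving, the rule foremost's jpg type applies: every run from
    a SOI marker to the next EOI marker. On a raw pcap this also swallows the
    packet headers sitting between segments, so the result is corrupt."""
    out, pos = [], 0
    while True:
        start = blob.find(JPEG_SOI, pos)
        end = blob.find(JPEG_EOI, start + 3) if start >= 0 else -1
        if end < 0:
            return out
        out.append(blob[start:end + 2])
        pos = end + 2


def carve_from_flows(flows):
    """Carve after reassembly, so each picture is contiguous and in order."""
    return [j for data in flows.values() for j in carve_jpegs(data)]


if __name__ == "__main__":
    pcap = build_sample_pcap()
    flows = reassemble_flows(pcap)
    print("credentials:", ftp_credentials(flows))
    print("raw carve intact:", carve_jpegs(pcap) == [SAMPLE_JPEG])          # False
    print("stream carve intact:", carve_from_flows(flows) == [SAMPLE_JPEG])  # True
```

Run it as a script to see the three results. The raw carve finds one object because the SOI and EOI markers are both present in the file, but that object contains the first segment, seventy bytes of pcap, Ethernet, IP and TCP headers, and the last segment, with the middle segment missing entirely; that is the "does not reconstruct properly" failure of step 20. Sorting the payloads of one flow by sequence number before carving, which is what driftnet gets for free when tcpreplay feeds it a live stream, is the whole fix.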