Shortinfosec is hosting a computer forensics competition.
In the competition, you will have to analyze a submitted disk image for incriminating evidence, as per the scenario below
The investigators suspect that the employee was doing the following illegal activities:
- Sniffing IP traffic on the network
- Creating back doors to his PC
- Stole and copied a CD-ROM with confidential content
- Downloaded copyrighted music
- Used a specific penetration tutorial document to perform most of his actions
Download the evidence image here (compressed as hdb1-img.rar)
- hdb1-img.rar (rar compressed disk image containing hdb1-img.dd)
- Verification sum of hdb1-img.dd:
- SHA1SUM 60642d113d40cb583df0b0654cbc83ffca63f886
Rules of the competition
- Each competitor should submit his summary report (indicating only the number of discovered evidence) as a comment to this post to establish time of solution.
- Each competitor should submit a detailed description of the utilized process of to discover the evidence in an email sent to shortinfosec _ at _ gmail dot com.
- All solutions must be submitted before midnight (CET) 20th of August 2008.
- The ultimate goal is to find one incriminating evidence for each suspicion.
- It is fully acceptable to submit a result with less evidence found, if you feel that there is no other evidence to be found or you cannot discover it.
- The incriminating evidence may be disguised (renamed, compressed).
- Each competitor can withdraw and resubmit a better evidence before the submission deadline
- You can use any type of investigative tools that you need, as long as you maintain the integrity of all evidence (proven by a SHA1 or MD5 hash). The utilised tools must be documented in the detailed submission.
- Unfortunately, there are no financial rewards to this competition.
- The first competitor to discover all evidence or the competitor who discovered the most evidence before the deadline will be the winner. His result will be presented as an analyzed solution on Shortinfosec.
- Also, if the winner owns a blog or a site it will receive a separate detailed review on Shortinfosec.
- All other submitted results, regardless of discovered evidence will be published in the results as honorable mentions, with links to their respective blogs/sites
We hope to have a good and fruitful competition
Tutorial - Computer Forensics Evidence Collection
Tutorial - Computer Forensics Process for Beginners
Talckback and comments are for the competition