Competition - Computer Forensic Investigation

Shortinfosec is hosting a computer forensics competition.
In the competition, you will have to analyze a submitted disk image for incriminating evidence, as per the scenario below

Scenario
The investigators suspect that the employee was doing the following illegal activities:

  • Sniffing IP traffic on the network
  • Creating back doors to his PC
  • Stole and copied a CD-ROM with confidential content
  • Downloaded copyrighted music
  • Used a specific penetration tutorial document to perform most of his actions
The investigators found his PC turned off. They performed a DD copy of the surviving partition and sent it to you for investigation.

Competition materials
Download the evidence image here (compressed as hdb1-img.rar)

Rules of the competition

  1. Each competitor should submit his summary report (indicating only the number of discovered evidence) as a comment to this post to establish time of solution.
  2. Each competitor should submit a detailed description of the utilized process of to discover the evidence in an email sent to shortinfosec _ at _ gmail dot com.
  3. All solutions must be submitted before midnight (CET) 20th of August 2008.
  4. The ultimate goal is to find one incriminating evidence for each suspicion.
  5. It is fully acceptable to submit a result with less evidence found, if you feel that there is no other evidence to be found or you cannot discover it.
  6. The incriminating evidence may be disguised (renamed, compressed).
  7. Each competitor can withdraw and resubmit a better evidence before the submission deadline
  8. You can use any type of investigative tools that you need, as long as you maintain the integrity of all evidence (proven by a SHA1 or MD5 hash). The utilised tools must be documented in the detailed submission.

Reward

  • Unfortunately, there are no financial rewards to this competition.
  • The first competitor to discover all evidence or the competitor who discovered the most evidence before the deadline will be the winner. His result will be presented as an analyzed solution on Shortinfosec.
  • Also, if the winner owns a blog or a site it will receive a separate detailed review on Shortinfosec.
  • All other submitted results, regardless of discovered evidence will be published in the results as honorable mentions, with links to their respective blogs/sites

We hope to have a good and fruitful competition

Related posts
Tutorial - Computer Forensics Evidence Collection
Tutorial - Computer Forensics Process for Beginners

Talckback and comments are for the competition

12 comments:

Sniffer said...

I think i got two files man. One is an MP3 and one is some type of tutorial. Wasn't too difficult to find them, and all I used was the VDK driver http://chitchat.at.infoseek.co.jp/vmware/vdk.html and some local tools. Will send you mail with details

Lawrence Woodman said...

4 down 1 to go. Mailing you the details now. BTW I've so far managed to use just the most basic tools to add to the challenge.

Fender Bender said...

3 Down, 2 to go... I think I found 2 items connected to the same criminal action. Sending you the details now

Phil said...

Found 1 of 5. Tutorial manual.

Phil said...

Found partial 2 out of 5 Sniffing Prog found.

Anonymous said...

I found evidence for all five scenarios. Email sent last night at 1.11AM PST.

TJS

Bobby B said...

I found 4 out of 5. Email being sent to you now.

snizzsnuzzlr said...

5 of 5
Well done forensic image. A handful of easily found distractions may be misdirecting some participants. Close inspection using other than simple tools reveals more damning evidence than the easily spotted distractions.

Anonymous said...

Hellow !

Have you a software which can open .dd whitout install it on the harddrive like Vmware but free ?

Thanks a lot

Anonymous said...

Find 5 evidence, i think.

Sent email with doc attached.

Snip.

Anonymous said...

Can someone provide a link or the hdb1-img.rar to download. The rapidshare link to the file is broken.

Laksh

juragan swike said...

I Know it's an old challange, but I just getting started in forensic, if it is not too much trouble, could you upload the image again? the link is broken.

thank you very much

Designed by Posicionamiento Web