Competition Results - Computer Forensic Investigation

The Computer Forensic Investigation Competition is closed, and here are the results.

What was there to be found:

  • Tshark sniffer - part of the wireshark suite in /moodle/enrol/paypal/db
  • NetCat tool for backdoor creation - renamed as MyTool.exe - in /moodle/auth/ldap
  • An MP3 of Sergio Mendes & Brasil 66 - Mas Que Nada renamed as html document - in /moodle/auth/imap
  • A TrueCrypt rescue disk ISO renamed as MyDoc.doc in /moodle/lib/geoip/Documents/
  • OSSTMM Penetration Testing Methodology with penetration details in deleted file osstmm.en.2.1.pdf in /moodle/enrol

Finding the above was sufficient to win the competition. Alternatively, instead of OSSTMM you could find the two items below:

  • A decoy Metasploit developer's guide PDF in /moodle/lib/geoip/Documents - actually, that document has nothing to do with direct hacking unless you discover the Metasploit framework remnants
  • Remnants of a deleted Metasploit framework in /moodle/lib/geoip/Documents
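Several of the planted items were hidden simply by renaming (an MP3 as an HTML document, a TrueCrypt ISO as MyDoc.doc). As an added example, not part of the competition post or of any entrant's submission, the Python check below flags files whose content signature disagrees with their extension; the paths and file bytes are constructed samples, and the index.html name for the MP3 is an assumption.

```python
import os

# Signatures checked at a fixed offset into the file (offset, magic bytes).
SIGNATURES = {
    "pdf": [(0, b"%PDF")],
    "exe": [(0, b"MZ")],
    "mp3": [(0, b"ID3"), (0, b"\xff\xfb")],
    "iso": [(0x8001, b"CD001")],        # ISO 9660 primary volume descriptor
    "html": [(0, b"<!DOCTYPE"), (0, b"<html")],
    "doc": [(0, b"\xd0\xcf\x11\xe0")],  # OLE2 compound document (legacy .doc)
}

def detect_type(data: bytes):
    """Return the first signature type that matches, or None if unknown."""
    for ftype, sigs in SIGNATURES.items():
        for offset, magic in sigs:
            if data[offset:offset + len(magic)] == magic:
                return ftype
    return None

def find_mismatches(files):
    """files: dict of path -> bytes. Return [(path, extension, detected)]
    for every file whose detected type disagrees with its extension.
    Files with no recognised signature are skipped, not flagged."""
    out = []
    for path, data in files.items():
        ext = os.path.splitext(path)[1].lstrip(".").lower()
        detected = detect_type(data)
        if detected is not None and detected != ext:
            out.append((path, ext, detected))
    return out

def iso_sample():
    """Constructed minimal ISO 9660 image: only the volume descriptor magic."""
    buf = bytearray(0x8001 + 5)
    buf[0x8001:0x8006] = b"CD001"
    return bytes(buf)

# Constructed sample evidence set mirroring the disguises described above,
# plus two files whose extension is honest so the check does not flag them.
SAMPLE_FILES = {
    "/moodle/auth/imap/index.html": b"ID3\x03\x00" + b"\x00" * 20,  # MP3 as html
    "/moodle/lib/geoip/Documents/MyDoc.doc": iso_sample(),           # ISO as doc
    "/moodle/auth/ldap/MyTool.exe": b"MZ\x90\x00",                   # PE, honest ext
    "/moodle/enrol/osstmm.en.2.1.pdf": b"%PDF-1.4\n",                # PDF, honest ext
}

if __name__ == "__main__":
    for path, ext, detected in find_mismatches(SAMPLE_FILES):
        print(f"{path}: extension .{ext} but content looks like {detected}")
```

Note that MyTool.exe is not flagged: a tool renamed to another name with the same extension keeps a matching signature, so a renamed netcat is caught by hashing against a known-tool hash set, not by this check.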

Who did the investigation (in chronological order of reporting the findings - earliest first):

  • Lawrence Woodman - Found 4 incriminating pieces of evidence. Missed the real penetration tutorial and focused on the dummy - Metasploit.
  • Tareq Saade - Found 4 incriminating pieces of evidence. Missed the real penetration tutorial and focused on the dummy - Metasploit.
  • Bobby Bradshaw - Found 3 incriminating pieces of evidence. Missed both the real and the dummy penetration testing documents (OSSTMM and Metasploit) and missed the TrueCrypt rescue disk ISO
  • Daniele Murrau - Found all incriminating evidence. The utilized toolset is Autopsy as part of Helix distribution
  • Lesky D.S. Anatias - Found all incriminating evidence. The utilized toolset is PyFlag and Sleuthkit

Other participants - did not qualify for final review because they did not send details of methodology or findings (no particular order):

  • Phil (no last name) - reported finding 2 pieces of evidence, but did not send methodology used nor details of findings
  • snizzsnuzzlr (obvious nickname) - reported finding 5 pieces of evidence, but did not send methodology used nor details of findings
  • Fender Bender (obvious nickname) - reported finding 3 pieces of evidence, but did not send methodology used nor details of findings
  • Sniffer (obvious nickname) - reported finding 2 pieces of evidence, but did not send methodology used nor details of findings


And the winner is - Daniele Murrau.

Here are his conclusions and methodology as a downloadable PDF.

We are also naming two honorary mentions:

  • For speed - Lawrence Woodman, who produced a nearly full analysis in a tremendously short time, but most probably missed the OSSTMM and the Metasploit remnants because he was in a hurry
  • For thoroughness - Lesky D.S. Anatias, who discovered ALL evidence, including the Metasploit remnants

Related posts
Competition - Computer Forensic Investigation
Tutorial - Computer Forensics Evidence Collection
Tutorial - Computer Forensics Process for Beginners

Talkback and comments are most welcome.
