
Competition Results - Computer Forensic Investigation

The Computer Forensic Investigation Competition is closed, and here are the results

What was there to be found:

  • Tshark sniffer - part of the wireshark suite in /moodle/enrol/paypal/db
  • NetCat tool for backdoor creation - renamed as MyTool.exe - in /moodle/auth/ldap
  • An MP3 of Sergio Mendes & Brasil 66 - Mas Que Nada renamed as html document - in /moodle/auth/imap
  • A TrueCrypt rescue disk ISO renamed as MyDoc.doc in /moodle/lib/geoip/Documents/
  • OSSTMM Penetration Testing Methodology with penetration details in deleted file osstmm.en.2.1.pdf in /moodle/enrol

Finding the above was sufficient to win the competition. Alternatively, instead of OSSTMM you could find the below two items:

  • A decoy metasploit developers guide pdf in /moodle/lib/geoip/Documents - actually, that document has nothing to do with direct hacking unless you discover the
  • metasploit framework remnants of a deleted metasploit framework in /moodle/lib/geoip/Documents

Who did the investigation (in chronological order of reporting the findings - earliest first)

  • Lawrence Woodman - Found 4 incriminating pieces of evidence. Missed the real penetration tutorial and focused on the dummy - Metasploit.
  • Tareq Saade - Found 4 incriminating pieces of evidence. Missed the real penetration tutorial and focused on the dummy - Metasploit.
  • Bobby Bradshaw - Found 3 incriminating pieces of evidence. Missed both the real and the dummy penetration testing documents (Metasploit and OSSTMM) and missed the TrueCrypt Recovery CD ISO
  • Daniele Murrau - Found all incriminating evidence. The utilized toolset is Autopsy as part of Helix distribution
  • Lesky D.S. Anatias - Found all incriminating evidence. The utilized toolset is PyFlag and Sleuthkit

Other Participants - did not qualify for final review because they did not send details of methodology nor findings (no particular order)

  • Phil (no last name) - reported finding 2 pieces of evidence, but did not send methodology used nor details of findings
  • snizzsnuzzlr (obvious nickname) - reported finding 5 pieces of evidence, but did not send methodology used nor details of findings
  • Fender Bender (obvious nickname) - reported finding 3 pieces of evidence, but did not send methodology used nor details of findings
  • Sniffer (obvious nickname) - reported finding 2 pieces of evidence, but did not send methodology used nor details of findings


And the winner is - Daniele Murrau

Here are his conclusions and methodology as a downloadable PDF

We are also naming two honorary mentions

  • For speed - Lawrence Woodman, who produced a nearly full analysis in a tremendously short time, but most probably missed the OSSTMM and the metasploit remnants because he was in a hurry
  • For thoroughness - Lesky D.S. Anatias, who discovered ALL evidence, including the metasploit remnants

Related posts
Competition - Computer Forensic Investigation
Tutorial - Computer Forensics Evidence Collection
Tutorial - Computer Forensics Process for Beginners

Talkback and comments are most welcome

Competition - Computer Forensic Investigation

Shortinfosec is hosting a computer forensics competition.
In the competition, you will have to analyze a submitted disk image for incriminating evidence, as per the scenario below.

Scenario
The investigators suspect that the employee was doing the following illegal activities:

  • Sniffing IP traffic on the network
  • Creating back doors to his PC
  • Stole and copied a CD-ROM with confidential content
  • Downloaded copyrighted music
  • Used a specific penetration tutorial document to perform most of his actions
The investigators found his PC turned off. They performed a DD copy of the surviving partition and sent it to you for investigation.

Competition materials
Download the evidence image here (compressed as hdb1-img.rar)

Rules of the competition

  1. Each competitor should submit his summary report (indicating only the number of discovered evidence) as a comment to this post to establish time of solution.
  2. Each competitor should submit a detailed description of the process used to discover the evidence in an email sent to shortinfosec _ at _ gmail dot com.
  3. All solutions must be submitted before midnight (CET) 20th of August 2008.
  4. The ultimate goal is to find one incriminating evidence for each suspicion.
  5. It is fully acceptable to submit a result with less evidence found, if you feel that there is no other evidence to be found or you cannot discover it.
  6. The incriminating evidence may be disguised (renamed, compressed).
  7. Each competitor can withdraw and resubmit better evidence before the submission deadline.
  8. You can use any type of investigative tools that you need, as long as you maintain the integrity of all evidence (proven by a SHA1 or MD5 hash). The utilised tools must be documented in the detailed submission.

Reward

  • Unfortunately, there are no financial rewards to this competition.
  • The first competitor to discover all evidence or the competitor who discovered the most evidence before the deadline will be the winner. His result will be presented as an analyzed solution on Shortinfosec.
  • Also, if the winner owns a blog or a site it will receive a separate detailed review on Shortinfosec.
  • All other submitted results, regardless of discovered evidence, will be published in the results as honorable mentions, with links to their respective blogs/sites.

We hope to have a good and fruitful competition

Related posts
Tutorial - Computer Forensics Evidence Collection
Tutorial - Computer Forensics Process for Beginners

Talkback and comments are for the competition
