EECS388-Project 5 Forensics Solved

In this project, you will play the role of a forensic analyst and investigate a murder mystery. On Thanksgiving 2009, a terrible crime occurred on campus. Hapless Victim, a leading figure in the university community, was shot while working in the EECS building. Victim was last seen alive on November 25, 2009, shortly before midnight, and was discovered dead at approximately 6 a.m. the next morning. Officers recovered the projectile shown below (Exhibit A), which appears, inexplicably, to have been the cause of death.

The case went cold on December 1, when the leading suspect, Nefarious Criminal, fled the country and disappeared. Officers seized their computer, but the hard disk was encrypted and investigators were unable to crack the password. No further evidence could be found.

There was finally a break in the case last week, when Nefarious Criminal was picked up by authorities on a beach in South America. Among their possessions was a Post-It note with the hard disk password on it. We have decrypted the drive and made it available for your analysis.

Your job is to conduct a forensic examination of the disk image and document any evidence related to the murder. If you find sufficient evidence, Nefarious Criminal will be extradited and face trial.

Exhibit A—Projectile recovered at the crime scene. Ballistics experts have identified it as a “Nerf blaster dart.”

Objectives:

•   Understand how computer use can leave persistent traces and why such evidence is often difficult to remove or conceal.

•   Gain experience applying the security mindset to investigate computer misuse and intrusion.

•   Learn how to retrieve information from a disk image without booting the operating system, and understand why this is necessary to preserve forensic integrity.

Getting Started
The tools and techniques you use for your investigation are up to you, but here are some suggestions to help you get started.

General Knowledge A general working knowledge of Linux is undoubtedly helpful for this project. If you don’t have this yet, you may need to spend time Googling and/or experimenting to get up to speed. The TA will also answer general Linux questions as a last resort. For an excellent reference book, try UNIX and Linux System Administration Handbook by Nemeth, Snyder, Hein, and Whaley. See http://en.wikipedia.org/wiki/Disk_partitioning for some additional background.

Live Analysis   Live analysis is a forensic technique in which the investigator examines a running copy of the target system. We suggest using VirtualBox for this purpose.

1.    Download the raw disk image (1.2 GB): https://eecs388.org/*/forensics_release_w17.raw.gz

2.    Decompress the disk image. Note: some browsers seem to automatically decompress after having downloaded the file. Check to see if the file size is about 4.3 GB; if so, it has been decompressed already. Otherwise, decompress the image.

3.    Convert the raw disk image to a VirtualBox disk image:

VBoxManage convertdd forensics_release.raw forensics.vdi --format VDI

4.    Use the VirtualBox GUI to create a new VM. Select Linux / Ubuntu as the machine type. Select “Use an existing virtual hard disk file” and select the VDI you just created.

5.    Start the VM and explore the system.

Dead Analysis In dead analysis, the forensic investigator examines data artifacts from a target system without the system running. We suggest trying dead analysis with the Autopsy open-source forensics tool. The procedure below assumes you are working on Ubuntu Linux. (If you like, you can reuse the VM from the previous project.) Autopsy will also run on Windows and OS X.

1.    Install the Autopsy digital forensics suite:

$ sudo apt-get install autopsy

2.    Launch Autopsy in the background and open the browser-based GUI:

$ sudo autopsy &

In a browser on the local machine, go to the URL http://localhost:9999/autopsy.

3.    Create a new case and add the disk image:

(a)    Click New Case. Enter a case name and click New Case.

(b)    Go back to http://localhost:9999/autopsy and open the case you created.

(c)    Click Add Host. Enter a host name and click Add Host.

(d)    Click Add Image. Click Add Image File. Enter the path to the decompressed raw disk image. Make sure you select Type=Disk and Import Method=Symlink. Click Next.

(e)    Leave the Image File Details and File System Details as the defaults. (Note that the disk image contains 3 partitions, which Autopsy will allow you to examine separately.) Click Add. Click OK.

(f)     Select a partition to examine and click Analyze. The buttons at the top give you several analysis tools. Try File Analysis and Keyword Search to get started.

4.    In addition to hints dropped elsewhere, here is an incomplete list of things to try:

•   Examine the system logs.

•   Check for deleted or encrypted files.

•   Search the drive image for strings that may indicate relevance to your investigation.
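Autopsy reads the partition table of the raw image for you; the following script, added here as an example and not part of the course materials or the Autopsy project, shows what that step does underneath. It parses the four primary entries of an MBR, converts each partition's starting sector into a byte offset, and builds the read-only loop-mount command you would use to inspect that partition on the analysis host without ever booting the suspect's system. The image and the `SAMPLE_PARTITIONS` layout below are constructed sample data, not the real project image.

```python
import struct

SECTOR = 512              # logical sector size assumed for the image
PART_TABLE_OFF = 446      # partition table starts at byte 446 of the MBR
PART_ENTRY_LEN = 16       # each of the 4 primary entries is 16 bytes
ENTRY_FMT = "<B3xB3xII"   # status, CHS start(skip), type, CHS end(skip), LBA start, sector count
BOOT_SIG = b"\x55\xAA"    # bytes 510-511 of a valid MBR
TYPE_NAMES = {0x05: "extended", 0x07: "NTFS/exFAT", 0x82: "Linux swap", 0x83: "Linux"}

# Constructed sample layout (status, type, first LBA, sector count): boot, swap, root.
SAMPLE_PARTITIONS = [(0x80, 0x83, 2048, 409600), (0x00, 0x82, 411648, 1048576),
                     (0x00, 0x83, 1460224, 7000000)]

def build_mbr(entries):
    """Construct a synthetic 512-byte MBR from (status, type, lba_start, count) tuples."""
    mbr = bytearray(SECTOR)
    for i, entry in enumerate(entries):
        struct.pack_into(ENTRY_FMT, mbr, PART_TABLE_OFF + i * PART_ENTRY_LEN, *entry)
    mbr[510:512] = BOOT_SIG
    return bytes(mbr)

def read_mbr(image_path):
    """Read only the first sector of a raw image; never open the image for writing."""
    with open(image_path, "rb") as f:
        return f.read(SECTOR)

def parse_mbr(mbr):
    """Return the non-empty primary partitions with their byte offsets into the image."""
    if len(mbr) < SECTOR or mbr[510:512] != BOOT_SIG:
        raise ValueError("no 0x55AA signature: not an MBR (GPT or damaged image?)")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, ptype, lba_start, count = struct.unpack_from(ENTRY_FMT, mbr, off)
        if ptype == 0:
            continue  # unused slot
        parts.append({"index": i + 1, "bootable": status == 0x80, "type": ptype,
                      "type_name": TYPE_NAMES.get(ptype, "unknown"), "lba_start": lba_start,
                      "byte_offset": lba_start * SECTOR, "size_bytes": count * SECTOR})
    return parts

def mount_commands(image_path, parts):
    """Read-only loop mounts at each byte offset, so the evidence is never modified."""
    return [f"sudo mount -o ro,loop,offset={p['byte_offset']} {image_path} /mnt/p{p['index']}"
            for p in parts]

if __name__ == "__main__":
    for cmd in mount_commands("forensics_release.raw", parse_mbr(build_mbr(SAMPLE_PARTITIONS))):
        print(cmd)
```

For an ext3/ext4 partition you may additionally pass `noload` so the journal is not replayed on mount; for a real image, `read_mbr("forensics_release.raw")` replaces `build_mbr(...)`.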

Password Cracking     Password crackers may be helpful in trying to brute-force decrypt password-protected files. John the Ripper (http://www.openwall.com/john/) is the canonical Unix password cracker. Hydra (http://www.thc.org/thc-hydra/) is a tool used to brute-force remote login passwords, fcrackzip (http://home.schmorp.de/marc/fcrackzip.html) is a ZIP password cracker, and pdfcrack (http://sourceforge.net/projects/pdfcrack/) is a PDF password cracker. John, fcrackzip, and pdfcrack are conveniently available in the Debian package repositories and can be installed with apt-get.

When using a password cracker, it is wise to make sure that the password is not susceptible to a dictionary attack and does not use a restricted character set (e.g., lowercase letters, letters only, letters and numbers only) before spending time on a full brute-force crack. It is also a good idea to crack a very vulnerable password first to make sure you are using the tool correctly.

Tasks and Deliverables
The deliverables for this project are your answers to the questions below. Your answers should be complete but concise. None of the questions should require more than 1–2 paragraphs to answer.

For each prompt, explain the investigatory methods you used and the evidence that supports your conclusion. Place your responses in a plain text file called report.txt. If you recover files that are relevant to your responses, mention them by name and include them with your submission in a directory named evidence/.

1.    Try booting the suspect’s machine and using it normally. What specific behaviors of this machine make this a bad idea? Attach relevant evidence.

2.    What operating system does the suspect use? Be careful and specific; e.g., say “Windows 2000” instead of just “Windows.”

3.    What is the username of the account typically used by the suspect?

4.    Are there any indications that the suspect had an accomplice who was physically present on the night of the crime? Attach relevant evidence.

5.    Were there any suspicious-looking encrypted files on the machine? If so, please attach them and their decrypted contents as evidence and briefly describe how you obtained the contents.

6.    Are there any indications that the suspect owned or was researching weapons of the kind involved in the murder? Attach the specific evidence and give a brief explanation.

7.    Did the suspect try to delete any files before their arrest? Please attach the name(s) of the file(s) and any indications of their contents that you can find. (Hint: We will be impressed if you manage to recover the original contents of a particular incriminating file, but we do not expect you to do so.)

8.    Reconstruct the timeline of actions by the suspect that may be relevant to the investigation. (Make a list in this format: <date> <time>: <event description>.) Include any activities related to your other responses, if you can identify when they occurred. Include each time the suspect logged in to or booted the machine to do something interesting. When was the last activity before the suspect fled the country?

9.    Is there anything else on the computer that would imply the suspect had malicious intents? Attach relevant evidence as appropriate.
