Assignment 6: Forensics (Group Assignment)
Introduction

In this project, you will play the role of a forensic analyst who is investigating a murder. The accused is Bob, who has fled the country and disappeared. Officers have seized a disk image of Bob’s computer.

Your job is to conduct a forensic examination of a disk image and document any evidence related to the murder. If you find sufficient evidence, a case can be brought against Bob.

Objectives
Getting Started

The Install Instructions document contains step-by-step instructions to set up the virtual machine and analyze the forensics disk image. The slides from the Preparation Session contain summary information of the techniques/tools you may need to use.

Tasks and Deliverables

You will provide an answer file tokens.txt, together with a directory evidence/ containing all relevant evidence you discover. Your answers should be complete but concise. You may use the directory template that we have provided you here.

tokens.txt As you complete the investigation, findings and major steps will be marked by a token: a set of words, normally at the end of the file or text (or, in some cases, a transaction identifier or password). Place these in tokens.txt, separated by newlines. For each token you find, please also write 2-3 sentences briefly explaining how you obtained it. This file will be the bulk of your assignment grade. To receive full credit, you'll need to submit the following tokens:

evidence/ You should also include a directory where you place all the evidence that you have gathered throughout the process. This directory should include any file(s) that you have recovered on the suspect machine.

Useful Links
Policies and Hints

Collaboration: Strictly prohibited outside your group. Undergraduates are bound by the Honor Code while graduate students are bound by the Graduate School’s expectation of research integrity to not communicate with anyone regarding any aspect of the case or your investigation (other than within your group or with course staff). The number of pieces of evidence you find, the techniques you try, how successful said techniques are, the general process you follow, etc. are all considered part of your solution and must not be discussed with members of other groups. You may consult published references, provided that you appropriately cite them at the end of tokens.txt, as you would in an academic paper.

Cracking Passwords In this assignment, you will come across situations where you need to crack specific passwords. Keep in mind that you're not asked to find vulnerabilities in these password schemes; simply brute-forcing the passwords is sufficient. You will probably want to use a dictionary (wordlist) for these brute-forcing attacks.

Network Attacks You should not conduct any network attacks, including but not limited to running tcpdump, aircrack-ng, nmap, etc. In principle, this whole assignment can be finished while disconnected from the Internet (except perhaps for Googling for things and installing tools).

Submission Checklist

Submit your files as a single zip file to Gradescope. Make sure you select all your group members when submitting. The zip file should contain the files / directories below: