Submission Instructions

Cover sheet (Compulsory): one PDF file.
Technical Report (Compulsory): one PDF (.pdf) or Word file (.doc/.docx). A technical report describing how you went about your investigation, the tools you used and how you used them.
Court Report (Compulsory): one PDF (.pdf) or Word file (.doc/.docx). A short summary showing your results and findings that could be used in court.
Screenshots (Compulsory): one PDF (.pdf) or Word file (.doc/.docx). Screenshots showing the content of the hacker's script.
Staff reserve the right to invite students to a meeting to discuss coursework submissions.
1 Assignment

1.1 Scenario
Around 22nd January 2004, a new machine was deployed on BETTER-BUY's DMZ to become a new DNS server. Apparently, the system administrator did not properly secure the machine prior to deploying it.
On 22nd March 2004 around 18:45, your IDS picks up what could be a possible compromise. You are part of a first response team in the company and have been called in to help with the investigation.
A senior investigator has already acquired the data from the compromised machine and has given you the task of analysing all the acquired data.
The machine was on when the data was acquired so a live capture was performed taking into account the volatility of data. They have given you:
• The output from the lsof -i and lsof -n commands (network connections and processes).
• A timeline created from the system, in the form of the output from mactime.
• An image of the Hard Drive.
The investigator also tells you that only one account, named Dana, was created on the system.
They also said that the company has two networks:
• External network on IP 172.18.0.1
• Internal network on IP 192.168.2.10
The IDS capture has already been examined and provides you with the following information. From the IDS capture it appears that a port scan was being performed. In addition, there appeared to be an active connection between the compromised machine and an IP address in the Asia-Pacific region; data was being sent to the compromised machine, and the application on the compromised machine was using PORT 5.
1.2 Your tasks
Using the information you have been given so far, can you extract evidence showing (Mark allocation in red):
1. The name of the application that is listening on PORT 5. [1]
2. Using the output in the timeline.txt file and the notification date of March 22, 2004, determine the exact time of the initial hacker activity on the system. [1]
3. What is the first command the hacker ran on the system? [1]
4. What directories are they using to hide their tools on the system? [1]
5. What files did they replace with Trojans? [4]
6. Did the hacker manually install their tools or was it scripted? How can you tell? [2]
7. Create a list of words based on the information you have so far obtained and add it to your “dirty word list”. [1]
8. Are there any other users on the system apart from Dana? [1]
9. Use Autopsy to examine the image of the disk. [4]
(a) Can you find the hacker's script?
(b) What is the name of the zip file that originally held all of the malware?
(c) What happened to the zip file at the end of the install?
10. Technical report outlining your investigation. [4]
1.3 Supplied materials:
• lsof-i.txt (Output from lsof -i command)
• lsof-n.txt (Output from lsof -n command)
• timeline.txt (output from MACTIME)
• harddiskdump.dd (Image of the hard drive from the compromised system)
• HardDrive MD5 hash (DD8AE095C2351E2BD2CDD64AFFC8BEE1)
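As an added example (not part of the supplied materials or the module's own tooling), the script below parses mactime-style timeline lines, picks out the earliest entry on the notification date (the query task 2 asks for), lists dot-named parent directories of the kind task 4 asks about, and checks image bytes against the supplied MD5. The timeline column layout and every sample path are assumptions, not data from the real timeline.txt.

```python
import hashlib
import re
from datetime import datetime
# Constructed sample in the mactime body layout assumed here: weekday, date, time,
# size, m/a/c flags, mode, uid, gid, inode, path; lines sharing a second leave the
# timestamp blank. Paths are hypothetical, not taken from the real timeline.txt.
SAMPLE_TIMELINE = """\
Sun Mar 21 2004 09:15:00     4096 m.c d/drwxr-xr-x root root 16385 /usr/local/bin
Mon Mar 22 2004 18:41:57      512 ..c d/drwxrwxrwt root root 65537 /tmp
                            1240 .a. -/-rwxr-xr-x root root 65540 /tmp/.hidden/install.sh
Mon Mar 22 2004 18:44:03    10240 mac -/-rwxr-xr-x root root  2051 /bin/ls
"""
LINE_RE = re.compile(
    r"^(?P<date>\w{3} \w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2})?\s*(?P<size>\d+)\s+"
    r"(?P<mac>[mac.]{3})\s+(?P<mode>\S+)\s+(?P<uid>\S+)\s+(?P<gid>\S+)\s+"
    r"(?P<inode>\S+)\s+(?P<path>.+?)\s*$"
)

def parse_timeline(text):
    """Parse mactime lines into dicts, carrying the timestamp over blank-date lines."""
    entries, current = [], None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header or malformed line
        if m.group("date"):
            current = datetime.strptime(m.group("date"), "%a %b %d %Y %H:%M:%S")
        if current is None:
            continue  # continuation line with no preceding timestamp: cannot be placed
        entries.append({"ts": current, "mac": m.group("mac"), "path": m.group("path")})
    return entries

def first_activity_on(entries, day):
    """Earliest entry on the given calendar day (the kind of query task 2 asks for)."""
    same_day = [e for e in entries if e["ts"].date() == day]
    return min(same_day, key=lambda e: e["ts"]) if same_day else None

def hidden_tool_dirs(entries):
    """Parent directories whose name starts with '.', a common place to stash tools."""
    found = set()
    for e in entries:
        parts = e["path"].split("/")
        for i, name in enumerate(parts[:-1]):
            if name.startswith("."):
                found.add("/".join(parts[: i + 1]))
    return sorted(found)

def verify_image_md5(data, expected_hex):
    """Check acquired image bytes against the MD5 supplied with the evidence."""
    return hashlib.md5(data).hexdigest().lower() == expected_hex.lower()
```

For the real image, read harddiskdump.dd in chunks into the hash rather than into memory, and record the computed value alongside the supplied hash in the technical report.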
1.4 Learning Outcomes Assessed
LO3, LO6
1.5 Deliverables
A technical report describing how you went about your investigation, the tools you used and how you used them. A short summary showing your results. Screenshots showing the content of the hacker's script.
1.6 Criteria for assessment
Credit will be awarded against the following criteria.
• Properly structured Scientific Report
• Use of appropriate tools.
• Demonstrate that you used best practice in your forensic investigation.
• Evidence identified during your investigation.