Forensic Challenge

Forensic Challenge 2010/3 - "Banking Troubles" has been posted

Challenge 3 of the Honeynet Project Forensic Challenge - titled "Banking Troubles" - is now online and we invite you to participate. Challenge 3 - provided by Josh Smith and Matt Cote from The Rochester Institute of Technology Chapter, Angelo Dell'Aera from the Italian Chapter and Nicolas Collery from the Singapore Chapter - is a bit different from our previous challenges in that we do not ask you to analyze a pcap network trace, but rather a memory image from a virtual machine. This should make for an interesting challenge!

Submission deadline is April 18th and results will be released on Wednesday, May 5th 2010. Small prizes will be awarded to the top three submissions.

Enjoy!

Challenge 3 of the Forensic Challenge 2010 - Banking Troubles

Challenge 3 - Banking Troubles - (provided by Josh Smith and Matt Cote from The Rochester Institute of Technology Chapter, Angelo Dell'Aera from the Italian Chapter and Nicolas Collery from the Singapore Chapter) is to investigate a memory image of an infected virtual machine.

The challenge has been completed on May 12th 2010.
Skill Level: Difficult

The Challenge:

Company X has contacted you to perform forensics work on a recent incident that occurred. One of their employees had received an email from a fellow co-worker that pointed to a PDF file. Upon opening, the employee did not seem to notice anything, however recently they have had unusual activity in their bank account. Company X was able to obtain a memory image of the employee’s virtual machine upon suspected infection. Company X wishes you to analyze the virtual memory and report on any suspected activities found. Questions can be found below to help in the formal report for the investigation.

  1. List the processes that were running on the victim’s machine. Which process was most likely responsible for the initial exploit? (2pts)
  2. List the sockets that were open on the victim’s machine during infection. Are there any suspicious processes that have sockets open? (4pts)
  3. List any suspicious URLs that may be in the suspected process’s memory. (2pts)
  4. Are there any other processes that contain URLs that may point to banking troubles? If so, what are these processes and what are the URLs? (4pts)
  5. Were there any files that were able to be extracted from the initial process? How were these files extracted? (6pts)
  6. If there was a file extracted from the initial process, what techniques did it use to perform the exploit? (8pts)
  7. List suspicious files that were loaded by any processes on the victim’s machine. From this information, what was a possible payload of the initial exploit that would be affecting the victim’s bank account? (2pts)
  8. If any suspicious files can be extracted from an injected process, do any anti-virus products pick up the suspicious executable? What is the general result from anti-virus products? (6pts)
  9. Are there any related registry entries associated with the payload? (4pts)
  10. What technique was used in the initial exploit to inject code into the other processes? (6pts)
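Questions 3 and 4 ask for URLs held in process memory. As an added example (not part of the challenge materials or the sample solution), the following Python script carves URLs from a dumped process memory file in both ASCII and UTF-16LE form, since Windows processes keep most strings as wide characters and an ASCII-only string search misses them; the sample bytes are constructed and the keyword list is an assumption to be tuned per case.

```python
import re
import sys

# Characters permitted inside a URL (RFC 3986 unreserved, reserved and percent)
URL_CHARS = rb"A-Za-z0-9._~:/?#@!$&'()*+,;=%\-"
# Plain ASCII URLs, e.g. inside HTTP request buffers
ASCII_URL = re.compile(rb"https?://[" + URL_CHARS + rb"]+")
# The same URL shape encoded as UTF-16LE: every character is followed by a NUL byte
WIDE_URL = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[" + URL_CHARS + rb"]\x00)+"
)


def extract_urls(data: bytes):
    """Return (offset, encoding, url) tuples for every URL in data, sorted by offset."""
    hits = [(m.start(), "ascii", m.group().decode("ascii")) for m in ASCII_URL.finditer(data)]
    hits += [(m.start(), "utf-16le", m.group().decode("utf-16-le")) for m in WIDE_URL.finditer(data)]
    return sorted(hits)


def flag_urls(hits, keywords):
    """Unique URLs whose text contains one of the (case-insensitive) keywords."""
    lowered = [k.lower() for k in keywords]
    return sorted({url for _, _, url in hits if any(k in url.lower() for k in lowered)})


# Constructed sample: an ASCII request line plus a UTF-16LE string, separated by filler bytes
SAMPLE_DUMP = (
    b"\x00" * 8
    + b"GET http://example.test/login?acct=1 HTTP/1.1\r\n"
    + b"\x90" * 4
    + "https://bank.example.test/update.php".encode("utf-16-le")
    + b"\x00\x00junk"
)
# Assumed keyword list for a banking case; adjust to the investigation at hand
KEYWORDS = ("bank", "login")

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:  # a dumped process memory file
            data = fh.read()
    else:
        data = SAMPLE_DUMP
    found = extract_urls(data)
    for offset, enc, url in found:
        print(f"{offset:#010x} {enc:8} {url}")
    print("flagged:", flag_urls(found, KEYWORDS))
```

Run it with a process memory dump as the only argument; without one it scans the constructed sample.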

Download:
hn_forensics.tgz Sha1: 8178921fd065ad2de9c6738fe062d2b37402c04a

Sample Solution:
Forensic_Challenge_3_-_Banking_Troubles_Solution.pdf - Sha1: 986752a9aa4b832951dfa6319cb5e16256a9b3c9

This work by Josh Smith, Matt Cote, Angelo Dell'Aera and Nicolas Collery is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License.

The Winners:

  1. Mario Pascucci (Italy) - Mario's submission - Sha1: ad6e08bd0bff8a65e5ea8865e63addf9d6324212
  2. Tyler Hudak (USA) - Tyler's submission - Sha1: 226e15990dac263402670d5976c8b63f241864c7
  3. Carl Pulley (UK)- Carl's submission - Sha1: 2d20203403cf33bd565dbf81a54dbe414a17a597


Forensic Challenge 2010/2 - "browsers under attack" - and the winners are ....

Nicolas and Guillaume have been judging your submissions of the FC2010/2 relentlessly over the last few days and we now have the results in: We had a total of 32 submissions and a very tight race at the top. In the end, four submissions tied for first place:

  • Franck Guenichot (France)
  • Mario Pascucci (Italy)
  • Rani Hod (Israel)
  • Vos (Russia)

Congratulations to the winners!!! Each winner will receive a signed book from one of our Honeynet Project authors. We have posted the submissions of the winners and sample solution on the FC2010/2 web page. All participants of the challenge should have also received an email today with information about their individual score as well as placement.

Forensic Challenge 2010/2 - "browsers under attack" - update

Folks, it's a frosty Tuesday morning in Seattle and the deadline for submissions to the forensic challenge 2010/2 "browsers under attack" has passed. We received a total of 34 submissions from folks all over the world. Nicolas from the Singapore chapter will be judging the submissions in the next few days. We will announce the top three winners on Monday, 22nd of March 2010. Alongside, we will post their submissions as well as our sample solution. Since we were using a web form for this challenge, we will not acknowledge receipt of each submission. If you are unsure whether your submission was successful, please email forensicchallenge2010@honeynet.org and we can check the submission database. Also, if you have any suggestions on how to improve the forensic challenge, please let us know.

Christian Seifert
Chief Communications Officer
The Honeynet Project

PS: Forensic Challenge 2010/3 is currently being prepared. In this challenge, a memory dump needs to be analyzed...so a bit different from our past couple of challenges that focus on network traces....I hope to see many submissions on it. We expect to post it Tuesday, 23rd of March 2010...

Forensic Challenge 2010/2 - "browsers under attack" - submission deadline extended to Monday, 8th of March 2010

We have decided to extend the submission deadline for our second forensic challenge - "browsers under attack" to Monday, 8th of March 2010. This gives you another week to participate in our latest challenge. Subsequently, the announcement of the results will also move another week to Monday, 22nd of March 2010.

I have contacted all the folks that have already submitted their solution to us about this change. They, of course, have the opportunity to resubmit their solution, if they so wish, until the new submission deadline on the 8th. (If you have submitted and did not receive an email from me, please contact us at forensicchallenge2010@honeynet.org)

Challenge 2 focuses on browser attacks and can be accessed at Forensic Challenge 2010/2. The top 3 submissions will be awarded prizes.

Forensic Challenge 2010/2 - "browsers under attack" is now online

Challenge 2 of the Honeynet Project Forensic Challenge has just been posted. The challenge has been provided by Nicolas Collery from the Singapore Chapter and Guillaume Arcas from the French Chapter and is titled browsers under attack.

Submission deadline is March 1st and results will be released on Monday, March 15th 2010. Small prizes will be awarded to the top three submissions.

Have fun!

Forensic Challenge 2010 - Challenge 1 - Announcement of Winners

I am very pleased to announce the winners to the 1st Honeynet Project Forensic Challenge 2010 - pcap attack trace. We had a total of 91 submissions and the top three submissions are true rock star submissions. The winners are:

  • 1st Place: Ivan Rodriguez Almuina (Switzerland)
  • 2nd Place: Franck Guenichot (France)
  • 3rd Place: Tareq Saade (USA)

Congratulations to the winners!!! Each winner will receive a signed book from one of our Honeynet Project authors.

A sample solution (created by Tillmann, Markus, Hugo and Cameron) is available on the forensic challenge web site at FC 2010 - Challenge 1 - Pcap attack trace. On that page you will also find the submissions of the three winners. Tillmann, who single handedly judged all submissions, will be summarizing highlights from various submissions in a blog post shortly.

All folks that have submitted a solution should have received an email with information about their individual score as well as placement.

Nicolas Collery from the Singapore Honeynet Chapter and Guillaume Arcas are finalizing the second forensic challenge. The challenge will be 'browsers under attack' and I personally am very excited about this challenge. I hope we will receive many submissions from all who participated in challenge 1 (and hopefully more.) I will post to our web site honeynet.org in the next few days.

Thanks again - looking forward to the next challenge!
Christian

Forensic Challenge 2010 - Challenge 1 update

Monday, February 1st, the submission deadline for challenge 1 of the Forensic Challenge 2010 has passed. We have received 88 submissions and Tillmann who has been judging them mentioned there were some excellent submissions in the mix. Tillmann will be highlighting some answers when we announce the results on the 15th of February.

I have acknowledged receipt of each submission received via email. If you have not received a confirmation mail from me, please contact me at forensicchallenge2010@honeynet.org and I will check whether we have received it.

Christian

Announcing the Honeynet Project Forensic Challenge 2010

I am very happy to announce the Honeynet Project Forensic Challenge 2010. The purpose of the Forensic Challenges is to take learning one step farther. Instead of having the Honeynet Project analyze attacks and share their findings, Forensic Challenges give the security community the opportunity to analyze attacks and share their findings. In the end, individuals and organizations not only learn about threats, but also learn how to analyze them. Even better, individuals can access the write-ups from other individuals, and learn about new tools and techniques for analyzing attacks. Best of all, the attacks of the Forensic Challenge are attacks encountered in the wild, real hacks, provided by our members.

It has been several years since we provided Forensic Challenges and with the Forensic Challenge 2010, we will provide desperately needed upgrades. The Forensic Challenge 2010 will include a mixture of server-side attacks on the latest operating systems and services, client-side attacks that emerged in the past few years, attacks on VoIP systems, web applications, etc. At the end of each challenge, we will provide a sample solution created by our members using the state-of-the-art tools that are publicly available, such as libemu and dionaea.

The first challenge (of several for 2010) will be posted on our Forensic Challenges web site on Monday, January 18th 2010. We will be open to submissions for about two weeks and announce the winners by February 15th 2010. This year, we will also award the top three submissions with prizes! Please check the web site on Monday, January 18th 2010 for further details...

Christian Seifert

Chief Communications Officer
The Honeynet Project
