Forensic Challenge 14 - Weird Python

18 Mar 2015

Your boss John went to a BYOD conference lately. Yeah, he’s that kind of security guy… After some mumble about targeted attacks happening during the event, your team finally got their hands on a PCAP with his traffic. Your colleague Pete Galloway investigated the incident. Yesterday, he casually mentioned that he found some weird Python bytecode, but couldn’t make much sense out of “random” payloads yet. Today, Pete didn’t come to work. Five minutes ago, he sent a company-wide mail with a total of four words: “Fuck you, I quit.“. What has happened!?

Forensic Challenge 13 – A Message in a Picture

08 Apr 2013

Forensic Challenge 13 – “A Message in a Bottle Picture“ (provided by the PNW Chapter) Skill Level: Intermediate Background Communication using hidden channels (steganography) is one way to protect that communication from third parties. You are a law enforcement agent in the forensics unit. In a recent raid, the agency has been able to obtain the three attached packages of images from a suspected command and control server. These images could potentially contain hidden messages that will be relayed to a powerful botnet army that could destroy earth.

Forensic Challenge 12 – Hiding in Plain Sight

16 Oct 2012

Forensic Challenge 12 – “Hiding in Plain Sight" (provided by the Alaska Chapter under the leadership of Lucas McDaniel) Skill Level: Intermediate Background You belong to a company specializing in hosting web applications through KVM-based Virtual Machines. Over the weekend, one VM went down, and the site administrators fear this might be the result of malicious activity. They extracted a few logs from the environment in hopes that you might be able to determine what happened.

Forensic Challenge 11 - Dive Into Exploit

02 Aug 2012

Challenge 11 - Dive Into Exploit (provided by Georg Wicherski from Giraffe Chapter) Skill Level: Advanced What vulnerability is being exploited in the given packet capture? Can you identify the exploit? How does the first stage load the second stage? Elaborate the cryptographic security (or absence thereof) of the second stage. How does it load the third stage? How does the third stage load the last stage? Please reconstruct the original last stage before being loaded.

Forensic Challenge 10 - Attack Visualization

16 Feb 2012

Challenge 10 - Attack Visualization (provided by Ben Reardon from Australia Chapter) Skill Level: Intermediate Forensic Challenge 10 takes us back in time, to revisit one of last year’s popular Forensic Challenges (FC5). Although this time around, the goal is to create a visual representation of the attack. There are no right or wrong answers here, and we are keen to see what can create! If you are constrained by any guidelines, or have ideas that are “out of the box” – that’s fine, we want you to use your imagination and have fun.

Forensic Challenge 9 - Mobile Malware

31 Oct 2011

Challenge 9 - Mobile Malware (provided by Franck Guenichot from French Chapter, Mahmud Ab Rahman and Ahmad Azizan Idris from Malaysia Chapter and Matt Erasmus from South Africa Chapter) Skill Level: Intermediate With the number of smartphone users growing exponentially (1.6 billion mobile devices units sold in 2010, 19% were smartphones) mobile devices are becoming an attractive platform for cybercriminals. As a security researcher or enthusiast, you need to know your enemy and be able to defend yourself against these new kinds of threats.

Forensic Challenge 8 - Malware Reverse Engineering

01 Sep 2011

Challenge 8 - Malware Reverse Engineering (provided by Angelo Dell’Aera and Guido Landi from the Sysenter Honeynet Project Chapter) Skill Level: Difficult The challenge is about reversing a malware sample and deciphering and analyzing its configuration. Please consider this is a real sample captured in the wild so you must be extremely careful in analyzing it. Questions: Provide the common name for the malware family and version (1 point) Describe the mechanism used by the sample in order to be able to restart itself at the next reboot (2 points) Describe how the malware injects itself in the running system.

Forensic Challenge 7 - Analysis of a Compromised Server

02 Mar 2011

Challenge 7 - Forensic Analysis of a Compromised Server - (provided by Guillaume Arcas from the French Honeynet Project Chapter, Hugo Gonzales from the Mexican Honeynet Project Chapter, Julia Cheng from the Taiwan Honeynet Project Chapter) Pls submit your solution using the submission template below by March 30th 2011 Results will be announced around the third week of April. For any questions and inquiries, please contact [email protected]. Skill Level: Beginner

Forensic Challenge 6 - Analyzing Malicious Portable Destructive Files

31 Oct 2010

Challenge 6 - Analyzing Malicious Portable Destructive Files - (provided by Mahmud Ab Rahman and Ahmad Azizan Idris from the Malaysia Honeynet Project Chapter) presents a typical attack using a malicious pdf file. Submission deadline has passed. Results have been posted below. For any questions and inquiries, please contact [email protected]. Skill Level: Intermediate The Challenge: PDF format is the de-facto standard in exchanging documents online. Such popularity, however, has also attracted cyber criminals in spreading malware to unsuspecting users.

Forensic Challenge 5 - Log Mysteries

01 Sep 2010

Challenge 5 - Log Mysteries - (provided by Raffael Marty from the Bay Area Chapter, Anton Chuvakin from the Hawaiian Chapter, Sebastien Tricaud from the French Chapter) takes you into the world of virtual systems and confusing log data. In this challenge, figure out what happened to a virtual server using all the logs from a possibly compromised server. The questions are a more open ended than past challenges. To score highly, we recommend to answer the following way: