
Linux System Investigation [100 points]

The ACME corporation is an industry leader in producing and selling Roadrunner traps
and similar items. The company has recently started building up a web presence, offering
product information online. Much to his dismay, ACME's director, Dr. B., received a
blackmail notice on February 11th, 2015, stating that the company's trade secrets have
been stolen and asking for a high ransom amount or they will be published, almost
guaranteeing that the company loses its competitive advantage. Dr. B. needs you to
investigate.

The ACME corporation has two employees: Alice (web administrator) and Bob (product
designer). They share a common Linux workstation for their work, which also functions
as the company web server. The trade secrets are also present on the machine in the
'/acme/' directory, to which Dr. B. and Bob have access. Dr. B. is the administrator for the
machine, and he assures you that the secrets are encrypted so that only he has access.

Having only taken a forensics course with a lesser program, when Dr. B. was informed
about the blackmail, he immediately yanked the power cord on the machine, inserted a
forensics disc, used it to boot the system, and made an image of the machine's hard
drive. However, he does not know how to proceed with his investigation. Your task is to
secure the evidence and analyze the ACME Linux workstation, try to determine what
happened, and (if possible) find out if and how the trade secrets have been leaked and
by whom. Furthermore, you need to investigate any additional illegal activities you
may encounter.

The 5 GB image that Dr. B. created is available on your forensics VM in the
/home/elvis/proj2 folder. Its SHA256 checksum is:

7c1528e452c776390717c2e01c0ce6f2f0bff6d6546ebe727927c5ba6dc731fb acme-workstation.d

If you are not using the forensics VM provided, you can also download the image from
Canvas.

You need to create a full analysis report, where you describe what events took place on
the system, as well as your conclusions. I need to be able to see how you reach your
conclusions from the report. You also have to create a timeline of important user
activity on the system and support the timeline with evidence from as many sources as
possible. This timeline needs to be structured as follows: high-level events (e.g. "Dr. B.
logs in to the server" or "Alice edits the index.html file") need to be put into a cohesive
timeline (timestamped events in a list or a table), and you need to describe the events on
the system at a higher level in writing in your report. The high-level events in your
timeline need to be supported by low-level evidence, preferably correlated from multiple
sources (system log files, file system timestamps, browser logs, data on the system, etc.).
All supporting evidence and its source need to be included in an appendix and
referenced in your high-level timeline. The report needs to describe how the supporting
evidence in the appendix was correlated.

The description of the events in your timeline should look somewhat like this: "On
Tuesday, Bob logged in at 5pm and started browsing the web. He visited mostly popular
gossip sites, but at 5:21pm he also visited a hacking web site (URL: ...) and downloaded
an exploit tool into his home directory. He then proceeded doing creative work, until he
logged out at 7:14pm."
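The kind of correlation the timeline requires, as an added illustration that is not part of the assignment text: browser visits from a Firefox places.sqlite (the PRTime format linked under "Useful links", microseconds since the Unix epoch), syslog-style auth.log lines (which carry no year, so the case year is supplied by the analyst) and file system mtimes are normalised to UTC and merged into one sorted list. All evidence values below are constructed samples, not data from the ACME image, and the places.sqlite stand-in keeps only the two tables and columns this merge needs.

```python
import re
import sqlite3
from datetime import datetime, timezone

# Constructed sample evidence, not taken from the ACME image. visit_date is a
# Firefox PRTime value: microseconds since the Unix epoch, in UTC.
SAMPLE_VISITS = [("http://gossip.example.invalid/", 1423688460000000),   # 21:01:00 UTC
                 ("http://tools.example.invalid/dl", 1423689660000000)]  # 21:21:00 UTC
SAMPLE_AUTH_LOG = """\
Feb 11 21:00:12 acme sshd[2231]: Accepted password for bob from 10.0.0.5 port 51234 ssh2
Feb 11 23:14:40 acme sshd[2231]: pam_unix(sshd:session): session closed for user bob
"""
SAMPLE_FILE_MTIMES = {"/home/bob/tool.tar.gz": 1423689750}              # 21:22:30 UTC
AUTH_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (\S+): (.*)$")

def firefox_visits(db):
    """moz_historyvisits joined to moz_places, PRTime converted to UTC datetimes."""
    rows = db.execute("SELECT v.visit_date, p.url FROM moz_historyvisits v "
                      "JOIN moz_places p ON p.id = v.place_id")
    return [(datetime.fromtimestamp(us / 1e6, tz=timezone.utc), "browser", url)
            for us, url in rows]

def auth_events(text, year):
    """Syslog-style auth.log lines carry no year; the analyst supplies it from the case."""
    out = []
    for m in filter(None, map(AUTH_RE.match, text.splitlines())):
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        out.append((ts.replace(tzinfo=timezone.utc), m.group(2), m.group(3)))
    return out

def file_events(mtimes):
    """File system timestamps (e.g. from stat or fls/mactime), given as epoch seconds."""
    return [(datetime.fromtimestamp(t, tz=timezone.utc), "fs-mtime", p) for p, t in mtimes.items()]

def build_timeline(db, auth_text, mtimes, year=2015):
    """Merge every source into one chronologically sorted list of (time, source, detail)."""
    events = firefox_visits(db) + auth_events(auth_text, year) + file_events(mtimes)
    events.sort(key=lambda e: e[0])
    return [(ts.strftime("%Y-%m-%d %H:%M:%S UTC"), src, d) for ts, src, d in events]

def sample_db():
    """In-memory stand-in for places.sqlite with only the two tables the timeline needs."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT)")
    db.execute("CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, "
               "place_id INTEGER, visit_date INTEGER)")
    for i, (url, when) in enumerate(SAMPLE_VISITS, start=1):
        db.execute("INSERT INTO moz_places VALUES (?, ?)", (i, url))
        db.execute("INSERT INTO moz_historyvisits VALUES (?, ?, ?)", (i, i, when))
    return db
```

Each row of the merged list names its source, which is what the appendix reference next to every high-level event should point back to.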

Furthermore, answer the following questions / address the following tasks in your full
report:

1. Did the trade secrets leak out? If so, who did it and how was it accomplished?
2. If the secrets leaked out, how could the incident have been avoided?
3. How should a criminal investigation now continue given the information learned
from your analysis?

Structure your report as follows:

1. Executive summary. This should be a short description of your most important
findings (including times when major events happened and principals involved).
This should not be much longer than half a page.
2. User profiles. For each user on the system describe what sort of activities she or
he pursues, using evidence on the system to characterize the user. This should
include perceived skill levels, habits, and/or possible motives for actions.
3. The high-level timeline of the system events along with the description of how it
was derived and the high-level written overview.
4. Conclusions and answers to the questions.
5. Appendix containing the supporting evidence. If you include non-timestamped
evidence in the report, you should try as best as possible to time-bound those
events through correlation with timestamped evidence.

You are encouraged to use tools for this lab. You may use any tool you like, but you need
to document how you used it. Autopsy (http://www.sleuthkit.org/autopsy/) and the
Sleuthkit (http://www.sleuthkit.org/) are already installed on the forensics VM. If you are
not using the forensics VM you will need to install these tools on the machine you are
using.

Submit your report on Canvas as a single PDF document named lab2.pdf

Useful links:

Firefox History file format:
http://www.forensicswiki.org/wiki/Mozilla_Firefox_3_History_File_Format

Note:

The disk image contains copyrighted material. The image is available for the educational
purpose of performing this lab exercise only, and the copyrights of the respective owners
need to be observed.
