DFRWS 2008 Rodeo

After the banquet at the annual DFRWS conference, a "forensics rodeo" is held: a challenge in which conference attendees form teams to solve a digital forensics problem.

The DFRWS is making the materials from the DFRWS 2008 Forensic Rodeo available for educational purposes and to support further research in memory analysis and file carving. The results were not published until after DFRWS 2009.

The scenario, files, and results are listed below.

License

The scenario, images, and any other supporting materials are distributed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 Unported License.

Scenario

On 8 August 2008, the Saraquoit Corporation received an anonymous tip that one of their employees, Steve Vogon, was disgruntled and may be attempting to cause harm to the company’s computer systems and/or network. After an initial interview with Human Resources, Mr. Vogon became very agitated and stormed out of the office. Upon his departure, the IT department was asked to perform a memory capture of Vogon’s computer system. At the completion of the capture, the IT department also confiscated a 128 MB USB thumb drive and a Canon digital camera, both residing in Mr. Vogon’s desk drawer. It should be noted that the USB thumb drive is owned by the Saraquoit Corporation and the digital camera is owned by Steve Vogon.

Kal Dalil of the IT department felt that a complete forensic analysis was necessary in order to answer the questions below. A quick review of the memory capture revealed what appeared to be some suspicious activities occurring on the computer system assigned to Steve Vogon. Feeling overwhelmed, overworked and underappreciated, Mr. Dalil has contacted you, requesting your assistance. Specifically, Mr. Dalil is providing you with the memory image, as well as a complete bit-for-bit image of the USB drive in question. You have agreed to perform a forensic analysis and are expected to answer the following questions, including a full explanation for each answer. Remember, an answer alone is not sufficient.

  • In regards to the USB thumb drive image that you have been provided with, were there any steps taken or actions performed to conceal the drive’s contents? If so, what were they?
  • What files were found on this disk? How did you recover them?
  • Please provide a full explanation for each file found on the USB thumb drive to include file type, contents and purpose.
  • Did memory contain any references to remote systems, filenames, or data associated with the thumb drive? How did you recover this information?
  • Based on your previous findings, what were Steve Vogon’s intentions?
  • Did Steve Vogon act on his intentions? If so, what did he do? How can you prove this?
  • While the above information is necessary, it is of no value if it cannot be tied to a specific individual. Saraquoit Corporation suspects that Steve Vogon was a disgruntled employee and may have performed malicious acts against the company. However, they need proof of this. Please provide detailed information based on your findings that would tie Steve Vogon (or others) to the contents on this thumb drive as well as the memory image.

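The first two questions ask whether the drive's contents were concealed and how files were recovered. A common situation in such challenges is that the file system metadata no longer describes the data (for example, the first sector no longer carries a valid boot signature), so the files have to be carved out of the raw image by their content signatures. The following is an added illustration of that general technique, written for this page; it is not the rodeo's published solution and says nothing about what was actually done to this particular drive. The signature table, the constructed sample image and the helper names are all assumptions made here for the example.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass

# Header/footer pairs for signature-based carving. This is a deliberately small,
# assumed set; a real carver (scalpel, foremost, PhotoRec) knows far more formats.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


@dataclass
class Carved:
    kind: str
    offset: int   # byte offset of the header inside the image
    length: int   # bytes from header through footer inclusive
    md5: str      # hash of the carved bytes, for the report


def has_boot_signature(image: bytes) -> bool:
    """True if sector 0 ends with the 0x55AA signature an MBR or FAT boot sector carries.

    A zeroed or overwritten first sector is one simple way to make a drive
    appear empty while leaving file contents in place further along the image.
    """
    return len(image) >= 512 and image[510:512] == b"\x55\xaa"


def carve(image: bytes, max_len: int = 16 * 1024 * 1024) -> list[Carved]:
    """Scan the raw image for each known header and cut up to the matching footer.

    max_len bounds how far past a header the footer is searched for, so a stray
    header with no footer does not swallow the rest of the image.
    """
    found: list[Carved] = []
    for kind, (header, footer) in SIGNATURES.items():
        start = image.find(header)
        while start != -1:
            end = image.find(footer, start + len(header), start + max_len)
            if end == -1:
                # Header without a footer in range: skip it and keep scanning.
                start = image.find(header, start + 1)
                continue
            end += len(footer)
            data = image[start:end]
            found.append(Carved(kind, start, len(data), hashlib.md5(data).hexdigest()))
            start = image.find(header, end)
    return sorted(found, key=lambda c: c.offset)


def build_sample_image() -> bytes:
    """Constructed test image: a zeroed first sector followed by two small files.

    The JPEG and PNG bodies are only structurally plausible enough for signature
    carving; they are not valid pictures.
    """
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 40 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 13 + b"IHDR" + b"\x22" * 20 + b"IEND\xaeB`\x82"
    return b"\x00" * 512 + jpeg + b"\x00" * 100 + png + b"\x00" * 64


if __name__ == "__main__":
    img = build_sample_image()
    print("boot signature present:", has_boot_signature(img))
    for c in carve(img):
        print(f"{c.kind:5s} offset={c.offset:6d} length={c.length:6d} md5={c.md5}")
```

On a real image the function would be run over the bytes read from the thumb drive image file, and every carved object should be hashed and its offset recorded so the recovery can be reproduced, which is the "how did you recover them" half of the question. Carving by signature alone cannot recover fragmented files and will produce false positives when a header pattern occurs inside other data, so the file-type and content review asked for in the third question remains a manual step.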
The scenario and its contents are completely fictitious and are not based on any actual events. Any resemblance to real persons or incidents is purely coincidental.

Image Files

dfrws2008-rodeo.tar.gz (190 MB)
Image MD5 values:

  • Laptop memory image (MD5: 6a6f0bebca7ad6f75f106ea504e55ab1)
  • Thumbdrive image (MD5: 82012ccc9b5817ed14ccc1199fa7cf12)
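Before starting any analysis, the downloaded images should be hashed and compared against the MD5 values listed above, and the result recorded, so that later findings can be tied to a known copy of the evidence. The script below is an added example written for this page, not DFRWS tooling; the file names inside dfrws2008-rodeo.tar.gz are not stated on the page, so the names used here are placeholders to be replaced with the actual extracted file names.

```python
from __future__ import annotations

import hashlib
from pathlib import Path

# MD5 values published on this page. The file names are assumptions (the page does
# not list the names inside the tarball); substitute the real ones after extracting.
EXPECTED_MD5 = {
    "memory.img": "6a6f0bebca7ad6f75f106ea504e55ab1",      # laptop memory image
    "thumbdrive.img": "82012ccc9b5817ed14ccc1199fa7cf12",  # thumb drive image
}


def md5_file(path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks so a large image is not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_images(directory, expected: dict[str, str] = EXPECTED_MD5) -> dict[str, str]:
    """Return {file name: 'ok' | 'mismatch' | 'missing'} for each expected image."""
    results: dict[str, str] = {}
    for name, digest in expected.items():
        p = Path(directory) / name
        if not p.is_file():
            results[name] = "missing"
        elif md5_file(p) == digest.lower():
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, status in verify_images(target).items():
        print(f"{status:9s} {name}")
```

A mismatch means the copy being analysed is not the one DFRWS published, whether through a truncated download or a modified file, and nothing recovered from it should be reported against the published hashes. MD5 is adequate for checking that a download matches a published value, but it is not collision resistant, so for a working case record a SHA-256 of the same files alongside it.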

Solution

The solution is available in PDF form.

Authors

The DFRWS2008 Rodeo was created by Eoghan Casey and Dan Kalil.

©2001-2014 DFRWS   |   dfrws [at] dfrws [dot] org  

DFRWS is a US 501(c)(3) non-profit organization.