Frequently Asked Questions about The Forensic Challenge

Forensic Challenge
FAQ

In order to maintain sanity and control of time, the most frequently asked questions about The Honeynet Project's Forensic Challenge are found here. I hope the answer you're looking for is included.

Dave Dittrich

QUESTIONS:

  1. Why are you sponsoring the Forensic Challenge?
  2. How did you think of doing this?
  3. How did you make images of the compromised system?
  4. Is the deadline February 15 or February 19?
  5. I noticed XYZ on the system. Can you confirm that you did this, and not the intruder?

1. Why are you sponsoring the Forensic Challenge?

There are several answers to this question.

  1. Because one thing the Honeynet Project is not short of is compromised systems.
  2. Because not everybody can (or should) set up their own honeypots.
  3. Because nobody has ever done anything like this, and people on various lists (e.g., on forensics@securityfocus.com) have asked for "in the wild" compromised disc images to practice on.
  4. Because I've done several detailed analyses of compromised systems, but because of the nature of the incidents have never been able to fully disclose the contents of the compromised system's file system or release complete details about the incident. With this system, there are no such privacy or confidentiality concerns.

2. How did you think of doing this?

The idea (despite Lance's insistence otherwise; I have the {black|e}mail to prove it!) came from the Honeynet Project's founder, Lance Spitzner, as a result of the Honeynet Project members' shifting focus from external data (e.g., IDS logs) to local data on the file system itself.

Several members, such as myself, Kevin Mandia, and Lance, had been using The Coroner's Toolkit on Linux and Solaris systems to analyze compromised systems and reconstruct events using information remaining on the system. Kind of like examining a crime scene looking for fingerprints, hair samples, splatters and spills, overturned furniture, broken windows, etc., and trying to reconstruct what caused all those things to be in the state they were found.

The idea of The Forensic Challenge was to open this learning process up to the security community at large and allow everyone to benefit from the experiment.

3. How did you make images of the compromised system?

The file images.tar is an archive containing 6 GNU zip compressed files, taken from each of the systems' active partitions at the time of compromise. It was created 08 November, 2000, at 21:00 CST. The following process was used to take the images, with minimum data pollution as a primary goal. We did not take the system down during the process. The following actions were taken while the system was still live.

  1. Mounted cdrom containing forensic analysis tools (all statically compiled).
  2. Used static binaries of dd(1M) and netcat(1M) from the cdrom to dd images of the hard drive to a trusted forensic system over the network. This is done by the following:

    • Trusted System: Initiate a listening daemon on port 10000 of the trusted system using netcat:

         nc -l -p 10000 > honeypot.hda8.dd

    • Compromised System: Copied each partition of the hard drive using dd(1), then piped the dd images of the drive over the network to the trusted system (192.168.1.1) listening on port 10000:

         /cdrom/dd bs=1024 < /dev/hda8 | /cdrom/nc 192.168.1.1 10000 -w 3

This process was repeated for every partition on the hard drive, including swap. We now had an image of every partition on the trusted forensic system. MD5 checksums were produced at this time to compare against subsequent copies. These images were then combined into a single archive for ease of transmission, which was also checksummed for the same reason.

Note that using this method does not allow a direct comparison against the original partition contents on the hard drive, since the system (continuing to run) would constantly change bits in the file system as programs are run, buffers flushed, etc. If you are imaging a system for possible prosecution, you may wish to use a different procedure that supports a clearer chain of custody for the bits on the drive. The Honeynet Project chose this method as it allowed the blackhat to return in the future and we could continue our surveillance and information gathering.
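The imaging and checksum steps above, as an added example that is not the Honeynet Project's own script: the stream is hashed as it is read so the copy that reaches the forensic system can be checked against what left the source. It assumes dd, tee, md5sum and cut are available; the functions write to a local file so they run offline, where the Challenge piped the same stream into nc.

```shell
#!/bin/sh
# Added example (not from the Honeynet Project): image a partition with dd
# and record the MD5 of the stream in the same pass, then verify a copy.
# Assumes dd, tee, md5sum and cut; DEVICE may be a block device or a file.

# image_partition DEVICE OUTPUT
# Reads DEVICE with dd (bs=1024 as in the Challenge), writes the image to
# OUTPUT and the MD5 of the exact bytes read to OUTPUT.md5. To send over the
# network instead, replace the redirection into "$out" with a pipe into
# "nc <trusted host> 10000 -w 3" and keep the md5sum branch of the tee.
image_partition() {
    dev="$1"
    out="$2"
    # tee forks the stream: one copy becomes the image, the other is hashed,
    # so the recorded hash covers the same bytes that were written out.
    dd if="$dev" bs=1024 2>/dev/null \
        | tee "$out" \
        | md5sum | cut -d' ' -f1 > "$out.md5"
}

# verify_image IMAGE
# Recomputes the MD5 of IMAGE and compares it with IMAGE.md5, the hash taken
# at imaging time. Returns 0 when they match, 1 when the copy has changed.
verify_image() {
    img="$1"
    recorded=$(cat "$img.md5")
    actual=$(md5sum "$img" | cut -d' ' -f1)
    if [ "$recorded" = "$actual" ]; then
        echo "OK       $img $actual"
        return 0
    fi
    echo "MISMATCH $img recorded=$recorded actual=$actual"
    return 1
}

# Usage: ./image.sh /dev/hda8 honeypot.hda8.dd
if [ "$#" -eq 2 ]; then
    image_partition "$1" "$2" && verify_image "$2"
fi
```

Run verify_image again on every subsequent copy (after transfer, after extracting from the combined archive) and keep the .md5 files with the images.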

4. Is the deadline February 15 or February 19?

Sorry. Typo. Monday is the 19th, not the 15th. The email message I sent out was wrong. The web page is correct.

5. I noticed XYZ on the system. Can you confirm that you did this, and not the intruder?

No. You have all the clues we're going to give you.

Part of the challenge in forensic analysis is identifying questions like this yourself -- developing hypotheses -- and then finding evidence to allow you to determine whether your hypothesis is probable (a theory) or not. The more supporting evidence you can find, the greater the likelihood your theory is correct. Sometimes you find evidence that doesn't fit your hypothesis, and it leads you to a new one, or to a brief AHA!!! moment of enlightenment.

Also, in a real world investigation, you may not have the luxury of interviewing the system administrator. They may have left the company. You must rely on your understanding of how Unix (Linux) works and how timestamps are used, look for alternative sources of data, etc. Re-read the Challenge web page for references to help you with this process.


The Honeynet Project