Frequently asked questions about the Reverse Challenge
Last Updated: 17 May, 14:42 GMT

In order to maintain sanity and control of time, the most frequently asked questions about The Honeynet Project's Reverse Challenge are found here. I hope the answer you're looking for is included.

QUESTIONS:

1. What is reverse engineering?
2. Why are you sponsoring the Reverse Challenge?
3. How did you think of doing this?
4. How do I improve my chances of winning?

1. What is reverse engineering?

Reverse engineering is a part of forensics. Computer forensics is the analyzing of a hacked computer to determine what happened. It is the process of preserving and recovering evidence to determine who did what when. This is very similar to the forensic's process law enforcement uses at a scene of a crime, such as a car accident, murder scene, or bank robbery. Reverse engineering is a critical component of computer forensics. It is the process of taking a unknown computer program that an attacker used, and determining how it works and what it is used for. One analogy would be law enforcement finding a strange, mechanical device the size of a watch at a crime scense. Their forensics team would take the device apart, analzye it, and determine its purpose (perhaps in this case its a device for criminals to covertly communicate with each other). We have the same challengs in the computer world, determining the purpose of hacker tools we find in the wild. Reverse engineering allows us to determine the tools purpose, who designed it, and teaches us about the threats we all face.

2. Why are you sponsoring the Reverse Challenge?

There are several answers to this question.

1. Reverse engineering is not a well understood process. Few people realize what it is, even fewer can actually reverse engineer a binary. We hope to help solve both of these problems.
2. Because one thing the Honeynet Project is not short of is compromised systems.
3. Because nobody has ever done anything like this, and people on various lists (e.g., on forensics@securityfocus.com) have asked for "in the wild" binaries to analyze.
4. Because the Honeynet Project is all about learning about the bad guys and sharing the lessons learned. This is all about that.

3. How did you think of doing this?

Simple, everyone has been asking us for a new Challenge. We had so much fun the last time, we decided to do another challenge, but make this one a little different.

The idea of the Forensic Challenge was to open this learning process up to the security community at large and allow everyone to benefit from the experiment. Part of the challenge in forensic analysis is identifying questions like this yourself -- devloping hypotheses -- and then finding evidence to allow you to determine whether your hypothesis is probable (a theory) or not. The more supporting evidence you can find, the greater the likelihood your theory is correct. Sometimes you find evidence that doesn't fit your hypothesis, and it leads you to a new one, or to a brief AHA!!! moment of enlightenment. Also, in a real world investigation, you may not have the luxury of interviewing the system administrator.

4. How do I improve my chances of winning?

Usually most entries are technically correct, they have drawn the correct conclusions in answering the questions. However, what distinguishes the top entires is documentation. Specifically, the entry is simple to read, easy to understand and details HOW you analyzed your data, including tools and processes used. Take a little extra time in your documentation, and this VASTLY improves your chances of winnning!