In order to maintain sanity and control of time, the most frequently
asked questions about The Honeynet Project's Reverse Challenge
are found here. I hope the answer you're looking for is included.
QUESTIONS:
- What is reverse engineering?
- Why are you sponsoring the Reverse Challenge?
- How did you think of doing this?
- How do I improve my chances of winning?
- 1. What is reverse engineering?
Reverse engineering is a part of forensics. Computer forensics is
the analysis of a hacked computer to determine what happened. It is
the process of preserving and recovering evidence to determine who did
what, and when. This is very similar to the forensic process law enforcement
uses at the scene of a crime, such as a car accident, murder scene, or
bank robbery. Reverse engineering is a critical component of computer
forensics. It is the process of taking an unknown computer program
that an attacker used, and determining how it works and what it is used
for. One analogy would be law enforcement finding a strange mechanical
device the size of a watch at a crime scene. Their forensics team
would take the device apart, analyze it, and determine its purpose (perhaps
in this case it's a device for criminals to covertly communicate with
each other). We have the same challenge in the computer world: determining
the purpose of hacker tools we find in the wild. Reverse engineering
allows us to determine the tool's purpose and who designed it, and teaches
us about the threats we all face.
- 2. Why are you sponsoring the Reverse Challenge?
- There are several answers to this question.
- Reverse engineering is not a well understood process. Few people
realize what it is, and even fewer can actually reverse engineer a binary.
We hope to help solve both of these problems.
- Because one thing the Honeynet Project is not short of is compromised systems.
- Because nobody has ever done anything like this, and people on
various lists (e.g., on forensics@securityfocus.com) have asked for
"in the wild" binaries to analyze.
- Because the Honeynet Project is all about learning about the bad guys
and sharing the lessons learned. This is all about that.
- 3. How did you think of doing this?
- Simple: everyone has been asking us for a new Challenge. We had
so much fun the last time that we decided to do another challenge, but
make this one a little different.
The idea of the Forensic Challenge was to open
this learning process up to the security community at large and allow everyone
to benefit from the experiment.
Part of the challenge in forensic analysis is identifying questions
like this yourself -- developing hypotheses -- and then finding
evidence that allows you to determine whether your hypothesis is
probable (a theory) or not. The more supporting evidence you can find,
the greater the likelihood your theory is correct. Sometimes you
find evidence that doesn't fit your hypothesis, and it leads you to
a new one, or to a brief AHA!!! moment of enlightenment.
Also, in a real world investigation, you may not have the luxury
of interviewing the system administrator.
- 4. How do I improve my chances of winning?
- Most entries are technically correct: they have drawn the
correct conclusions in answering the questions. However, what distinguishes
the top entries is documentation. Specifically, the entry is simple to read,
easy to understand, and details HOW you analyzed your data, including the tools and
processes used. Take a little extra time on your documentation, and this
VASTLY improves your chances of winning!