Digital Forensic Challenge #4

The Case:
A company’s web server has been breached through their website. Our team arrived just in time to take a forensic image of the running system and its memory for further analysis. The files can be found below:
1- System Image: here
2- System Memory: here
3- Hashes: here
4- Passwords = DFChallenge@s4a

To successfully solve this challenge, a report with answers to the tasks below is required:
1- What type of attacks has been performed on the box?
2- How many users has the attacker(s) added to the box, and how were they added?
3- What leftovers (files, tools, info, etc) did the attacker(s) leave behind? (assume our team arrived in time and the attacker(s) couldn’t clean & cover their tracks)
4- What software has been installed on the box, and were they installed by the attacker(s) or not?
5- Using memory forensics, can you identify the type of shellcode used?
6- What is the timeline analysis for all events that happened on the box?
7- What is your hypothesis for the case, and what is your approach in solving it?
8- Is there anything else you would like to add?

Bonus Question:
what are the directories and files, that have been added by the attacker(s)? List all with proof.

Important Note:
The case MUST be solved using open source and free tools only (NO EnCase, FTK, etc) are allowed.

Send your solution to: challenges [at] security4arabs [dot] net

Good luck.

This challenge was originally prepared for our Security4Arabs visitors. The original post (Arabic version) could be found here: here

About [email protected]

[Between Teams of Red and Blue, I'm with the Purple Team]
This entry was posted in Academia, Challenges, Forensics, z0ne and tagged , , , . Bookmark the permalink.

2 Responses to Digital Forensic Challenge #4

  1. Rajai says:

    I will answer it as usual.

  2. hardw0rd says:

    hope you will post many post in english, thx

Comments are closed.