Project 5: ForensicsWinter 2020
This project counts for 13% of your course grade. Late submissions will be penalized by 10% plus an additional 10% every 4 hours until received. Late work will not normally be accepted after the start of the next lab (of any section) following the day of the deadline, since we will be reviewing solutions at that time. If you have a medical or personal situation that may necessitate an extension, please email email@example.com.
This is a group project; you will work in teams of two and submit one project per team. Please find a partner as soon as possible. If you have trouble forming a team, post to Piazza’s partner search forum.
Strict no-leaks policy. In this project, you play the role of a computer forensic analyst working to solve a case. Since you don’t want to be fired for jeopardizing an ongoing criminal investigation, you need to follow a strict policy on collaboration. You are bound by the Honor Code not to communicate with anyone regarding any aspect of the case or your investigation (other than within your team or with course staff). The number of pieces of evidence you find, the techniques you try, how successful said techniques are, the general process you follow, etc. are all considered part of your solution and must not be discussed with members of other teams.
Start early. It may be impossible to complete this project before the deadline unless you begin several days beforehand. Please plan accordingly.
Solutions must be submitted electronically via GitHub Classroom and Gradescope following the submission checklist below. Please coordinate carefully with your partner to make sure the correct files are in the repo at the time the project is due.
In this project, you will play the role of a forensic analyst and investigate the theft of company secrets from SuperDuperSketchyCorp (SDSC). SDSC became aware of the theft after The Media ran a story regarding one of their closely guarded secrets.
The case went cold when the leading suspect, Leslie Nielson, fled the country and disappeared. Officers seized their computer, but the hard disk was encrypted and investigators were unable to crack the password. No further evidence could be found. The only other possible lead is Leslie’s Twitter account @LeslieNielson5.
Investigators just recently caught a break when they found the hard disk encryption password on a sticky note in Leslie’s home office. They’ve decrypted the device and made it available for your analysis.
Your job is to conduct a forensic examination of the disk image and document any evidence related to the crime. If you find sufficient evidence, a case can be brought against Leslie.
- Understand how computer use can leave persistent traces and why such evidence is often difficult to remove or conceal.
- Gain experience in using forensic techniques to investigate computer misuse and intrusion.
- Learn how to retrieve information from a disk image without booting the operating system, and understand why this is necessary to preserve forensic integrity.
The tools and techniques you use for your investigation are up to you, but here are some suggestions.
A working knowledge of Linux is helpful for this project. If you don’t have this yet, you may need to spend time Googling and/or experimenting to get up to speed. The TAs will also answer general Linux questions as a last resort. For an excellent reference book, try UNIX and Linux System Administration Handbook by Nemeth, Snyder, Hein, and Whaley. Also, see https://en.wikipedia.org/wiki/Disk_partitioning for some additional background.
Live analysis is a forensic technique in which the investigator examines a running copy of the target system. We suggest using VirtualBox for this purpose.
Download the disk image file (4.6 GB): https://files.eecs388.org/388-proj5-target.vhd.gz
Decompress the file (
Import the disk image into VirtualBox and set it as Immutable, so that any changes you make while running the VM will be stored in a separate file:
VBoxManage modifymedium 388-proj5-target.vhd --type immutable
(This step is important. Otherwise, if you accidentally modify the disk, you’ll need to download the image again, rather than simply removing and recreating the VM!)
Use the VirtualBox GUI to create a new VM. Select Linux / Ubuntu as the machine type. Select “Use an existing virtual hard disk file” and select the VHD you just imported.
Start the VM and explore the system.
In dead analysis, the forensic investigator examines data artifacts from a target system without the system running. We suggest trying dead analysis with the Autopsy open-source forensics tool. Autopsy runs on Windows, Mac OS, and Linux.
Install the Autopsy suite from https://www.autopsy.com/download/. Make sure you have at least version 4.0.
Launch Autopsy. Create a new case. From the “Add Data Source” window, import the VHD disk image. Deselect all the Ingest Modules except “Keyword Search” for now; you can run whichever ones you want later from the Tools menu.
After the disk image has been added, the tree on the left gives you various ways of examining the data. Try expanding “Data Sources” to view the partitions and file system. You can also try running a keyword search using the button in the upper right corner of the window.
In addition to hints dropped elsewhere, here is an incomplete list of things to try:
- Examine the system logs.
- Check for deleted or encrypted files.
- Search for strings that may indicate relevance to your investigation.
Password crackers may be helpful in trying to brute-force decrypt
password-protected files. John the Ripper
(https://www.openwall.com/john/) is the canonical Unix password
cracker. fcrackzip (http://home.schmorp.de/marc/fcrackzip.html) is a
ZIP password cracker, and pdfcrack
(https://sourceforge.net/projects/pdfcrack/) is a PDF password
cracker. John, fcrackzip, and pdfcrack are available in the Debian
package repositories and can be installed with
When using a password cracker, it is wise to first make sure that the password is not susceptible to a dictionary attack and does not use a restricted character set (e.g., lowercase letters, letters only, letters and numbers only) before spending time on a full brute-force crack. It is also a good idea to crack a very vulnerable password first to make sure you are using the tool correctly.
Tasks and Deliverables
The two main deliverables for this project are a list of all the
tokens that you found, and a report where you state your case for
either the guilt or the innocence of the client. In addition, if you
recover files that are relevant to your responses, name them in your
report and include them with your submission in a directory named
To get you started, here are three questions to ask as you begin your investigation:
Try booting the suspect’s machine and using it normally. What behaviors of this machine make this a bad idea?
What is the username of the account typically used by the suspect?
What files and programs appear to be frequently accessed by the suspect?
Be on the lookout for evidence of any other machines or network services or websites that the suspect may have used. These may contain important evidence and raise further questions you’ll need to investigate (hint, hint!).
Before attempting to access any such machines, accounts or websites, contact your supervisor for permission by emailing firstname.lastname@example.org. The subject line should begin with “388 P5 Permission”. Failure to ask permission is guaranteed to be a waste of time and may violate the course ethics policy or result in a grade deduction. Again, start early; headquarters has been known to take up to 24 hours to approve such requests.
This report is the focus of your deliverables and will be a substantial portion of your grade. It should specify whether or not Leslie is guilty of a crime. If so, explicitly state the crime and back up this claim with evidence. The report is not where you should list findings; that is the purpose of the token list. Instead, it should stand alone as a summary of the entire case.
The length limit for the report is one page, at which point we will stop reading. You need to prioritize what evidence you present, much like a prosecutor would have to in court. Your report should be clear and easy to read. We will grade it as a piece of technical communication.
The report must be a one-page single-spaced PDF document, typed in 12-point Times New Roman on letter-size paper with one-inch margins. Failure to comply may result in a formatting deduction of up to 5% of your project grade.
The Token List
The purpose of the token list is to allow us to easily be able to
identify exactly what you found in your investigation. So you should be
on the lookout for tokens in the form
some slight variation of this syntax. All of the tokens must be spelled
exactly as they appear to get credit. Misspelled tokens will receive
no credit with no possibility of a regrade. Including things that are
not tokens in your list will also result lost points. The tokens are
used for grading only and should not be mentioned in your report.
The Evidence Folder
The purpose of the evidence folder is for you to collect all of the important evidence you find. This is so that if we have a question about a finding we can look in the evidence folder and make sure that it is present. You should not refer people to the evidence folder in your report. It’s simply meant as a way to prove that you found everything that you claim, as there may be important pieces of evidence that do not have a token.
Policies and Hints
Collaboration: Strictly prohibited outside your team.
You are bound by the Honor Code not to communicate with anyone regarding any aspect of the case or your investigation (other than within your team or with course staff). The number of pieces of evidence you find, the techniques you try, how successful said techniques are, the general process you follow, etc.are considered part of your solution and must not be discussed with people outside your team. If someone brings up the project, close your eyes, plug your ears, drop to the floor, and start yelling “LALALALA” and refer them to your supervisor to get officially spoken to.
If you get stuck... Requesting Hints
Given the nature of this assignment and its strict collaboration policy, HQ recognizes the need for some hints. If your team gets stuck, email email@example.com with the names of both team members, the question for which you would like a hint, and the progress you have made thus far on that question. In the subject of the email you should start with “388 P5 Question”. If you do not follow these rules, we will not look at the email. Each team is allotted three hints. Please note, that headquarters has been known to take up to 24 hours to get back to agents.
Free Hints :)
To help you get started, hints regarding the three questions provided above are free (and so are requests to access remote machines). After that, each team may receive a maximum of three hints, and we will enforce a one-hour delay between hints for each team. Purely administrative questions or general questions about Linux do not count towards this limit.
Finishing the Project
It is your duty to follow all the leads you can find and to conduct a thorough investigation, and your evidence will be crucial for solving this case and putting the right person behind bars. However, once you collect 30 tokens, you will receive full credit on the token portion of the project grade. You will not receive extra credit for retrieving more than 30 tokens.
Headquarters is unable to answer questions regarding whether a report contains all of the possible findings, since it’s still an ongoing investigation. It is your job as a forensic analyst to draw as complete of a picture of the crime as you can. You should submit when you believe you have conducted a thorough investigation and have enough evidence to acquit or convict Leslie.
Check that your repo contains the starter files. If you have any issues with GitHub Classroom, email
At the deadline, your repository will be cloned automatically for grading.
If you need to submit late, you must report the hash of the commit you want graded using the . The late penalty will apply to the timestamp of the form submission, not the timestamp of the commit.
Upload to GitHub Classroom the files listed below: