DFRWS EU 2019 Forensic Rodeo
Welcome to the DFRWS EU 2019 Forensic Rodeo
The DFRWS Forensic Rodeo is a friendly, but fierce, capture-the-flag style forensics competition held during and after the conference dinner at the DFRWS EU conference. Attendees can participate in teams. This page explains the context, the challenges and the results of the 2019 rodeo.
The rodeo was held on the evening of April 25, 2019 at the DFRWS EU 2019 conference in Oslo, Norway.
Memory forensics, Linux, Lime, evidence tampering, active network connections
The Fictitious Scenario
In October 2018, the German police identifies a server on the Internet with IP address 220.127.116.11. It is a Debian GNU/Linux 9 (stretch) x64. This server runs an illegal website selling drugs. From wiretapping, the police observes a couple of ssh connections and thereby identifies another machine belonging to a person called Werner Weber. The police suspects Werner Weber to be the administrator of the website and obtains a search warrant for his house.
During the search, the police finds Werner’s laptop running Kali Linux 2018.4 x64 which is turned on. The police acquires a main memory dump of that machine using Lime. Directly after, electricity fails on the server and the laptop. Both computers shut down, making their encrypted disks inaccessible. The only evidence remaining is the memory dump of Werner Webers laptop.
Unfortunately, the police officer in charge of handling the evidence turns out to be a personal enemy of Werner Weber.
You are given the memory dump of the laptop. Please investigate that memory dump using any tool you like regarding the question, whether it shows any traces of active network connections between the laptop and the server with the IP address 18.104.22.168.
Because of the situation, there might be the possibility of evidence tampering (i.e., a post-mortem manipulation of the main memory dump).
During the rodeo, you will receive a sequence of “alternative” memory dumps of Werner Weber’s machine that correspond to different things that could have happened in the past. Some of the memory dumps are from a machine that actually had a network connection to the server. These are called “originals”. However, some of the memory dumps are from a machine that did not have a network connection to the server but were tampered post-mortem with the intent to appear that there was a network connection to the server. These are called “forgeries”. With every item you receive, there is equal chance of receiving an original or a forgery.
For every memory dump you analyze, your team needs to give one of two answers:
- Answer YES means that the image is a forgery, i.e., traces of network connections to the server are forged evidence.
- Answer NO means that the image is an original, i.e., traces of network connections to the server are true evidence.
Together with your answer you need to give a brief (1000 characters) justification of your answer.
Every correct answer scores points. The team with the most points wins.
During your analysis you can use the following hints and data, in case it is helpful:
- The Volatility memory profile for Werner Weber’s machine (a Kali Linux 2018.4 x64).
- ssh-key public and private key for accessing the server 22.214.171.124:
- The administrative (sudo) login for the server is admin and password for the server is forensiki1
- The code of the Linux kernel module used to create the memory image on Werner Weber’s machine.
How to Prepare
- Download the memory images beforehand from this location. The file contains 40 images (average size 200 MB, total size 8 GB) that are zipped and encrypted with random keys. During the rodeo you will receive the keys. Images will be available on USB drives before the rodeo. An unzipped image has a size of 2 GB.
- Bring the tools you need to the rodeo. If you are using volatility, you we provide a Volatility memory profile for Werner Weber’s machine.
- Form teams before the rodeo and register your team on the web site distributed at the rodeo. To register, you need to give a team name, the size of your team (number of persons) and an estimation of the expertise of the team.
How do I decrypt a memory image, e.g. file 937.lime.zip.gpg?
Memory images are encrypted using gpg with a symmetric key. The decryption keys will be given to you during the rodeo. As an example, to decrypt the file 937.lime.zip.gpg you can use the following command gpg –output 937.lime.zip -d 937.lime.zip.gpg and enter the key interactively.
Is there a limit on the size of the teams?
No. Teams can be any size. The number of team members has to be given when registering the team.
- How large are the individual memory images?
Memory images are encrypted and zipped. Zipped images have a size of between 250 and 400 MB each. Unzipped memory images have a size of 2 GB.
- Are there any restrictions on the tools used?
No, you can use any tool you like for the analysis.
- I am using Volatility. Where can I find the profile for the memory image of Werner Weber’s machine?
It is provided online here.
- Are there any other hints for the analysis?
Yes, there are for example the ssh keys for accessing the server (public and private key) and the adminstrative (sudo) login (admin) and passwod for the server (forensiki1).
- Are teams allowed to analyze multiple memory images in parallel?
No. One goal of the rodeo is to measure the effort/time it takes to identify a forgery. If teams analyze multiple images in parallel, we have no means to compute this effort.
Congratulations to the group kiki from Switzerland for winning the competition! The runners up were groups froggy and Rene Coty from France. The groups #pwned, This is GDPR compliant and Accidental Cannibal received an honorable mention for their ingenious interpretation of the game rules.
An analysis of the data from the rodeo appeared in the following paper:
- Schneider J., Wolf J., Freiling F.: Tampering with digital evidence is hard: The case of main memory images. Proceedings of DFRWS EU 2020 (Virtual, 25. March 2020 – 28. March 2020). Also appears in Forensic Science International: Digital Investigation 2020, DOI: 10.1016/j.fsidi.2020.300924
Instructors interested in receiving keys and the ground truth to the images are invited to contact Felix Freiling for details.
Thanks go to the students of the course on Advanced Forensic Computing at FAU during the winter term 2018/19 for preparing the forgeries. Thanks also to Julian Wolf and Janine Schneider for supporting activities.