FORENSICS CYBER-SECURITY

Transcription

1 FORENSICS CYBER-SECURITY MEIC, METI 2016/ st Semester 1 st Exam January 10, 2017 Duration: 2h00 - Use a pen only; no extra material is allowed, such as calculator, scratch paper, etc. - Write your answers in the free space after each question. - The exam can be answered in Portuguese or in English. - Identify all sheets; unidentified pages will not be graded! I. (2 points) 1. For each of the following statements, indicate whether it is true (T) or false (F). Each correct answer is awarded 0.25 points; each wrong answer is penalized by subtracting 0.10 points. a. : According to the Locard s Exchange Principle, evidence in the physical crime scene implies the existence of evidence in the digital crime scene. b. : On a computer where spyware running on a browser is exfiltrating local documents to a remote site, the following list of relevant artifacts are ordered by increasing level of volatility: document files, browser web cache, browser process, open network connections. c. : Scalpel is more comprehensive than foremost. This statement means that the tool output error of scalpel is smaller that that of foremost. d. : The verifiability of a forensic tool indicates whether or not the forensic tool s software has been formally verified to be error free and was certified by a trusted third party. e. : In cyberstalking, computers are typically used as both tools and targets of crime. f. : Considering the digital forensic legal framework, the exclusionary rule means that irrelevant digital artifacts must be excluded from the case and cannot be considered in trial. g. : If evidence is material then it must be directly related with the case, whereas if evidence is probative it must demonstrate something related with the case. h. : In the USA, the police authorities can intercept voice communications in computer hacking cases without the need of a warrant. Number: Name: 1/8

2 II. ( = 4 points) 1. With regard to the forensic investigation methodology, what is the relation between investigation models and the scientific method? 2. Mr. Ree Volt is under investigation for terrorism offenses. Surveillance cameras have identified him accessing a Windows workstation available at a public library. In the video, he can be seen sitting at the workstation, plugging in an external drive, and operating the computer using the keyboard and mouse. After nearly 20 minutes, he abandoned the computer taking the external drive along with him. An advanced face recognition system installed on the surveillance equipment has automatically issued an alert to the police who arrived at the scene just a few minutes after Mr. Volt had left the building. From a quick noninvasive observation, one could see that: (a) the computer was plugged in to the power socket and to the network, (b) several LEDs of the computer were enabled: the power LED was lit, the hard disk activity LED was blinking, and the network activity LEDs of the network card were blinking, (c) the monitor was enabled and displaying a screensaver. In the quality of a digital forensic expert, you were asked to collect digital evidence from the computer. What steps would you perform and why? Number: Name: 2/8

3 3. Consider a hotel which offers its guests free WiFi connectivity to the Internet. The gateway of the hotel network has a single public IP managed by an ISP. Mandated by the police authorities, the ISP has intercepted outbound HTTP requests destined to illicit web sites originating from the hotel network. How can the ISP try to identify the author of such communications? 4. The figure below represents the fragments of five deleted files (A, B, C, D, and E) that were recovered from unallocated disk space: A 1 A 2 B 1 C 1 C 2 C 3 C 4 D n-1 D n A 3 E 1 s 1 s 2 s 3 s 4 s 5 s 6 s 7 s 8 s 9 s 10 The disk image has 10 sectors numbered s 1 to s 10. The recovery state of each file is as follows: A was entirely recovered, consisting of fragments A 1, A 2, and A 3 located in sectors s 1, s 2, and s 9 ; Regarding B, only the first fragment (B 1 ) was recovered from sector s 3 ; C was entirely recovered, consisting of fragments C 1 4 located in sectors s 4 7 ; The ending of D was recovered, comprising only the fragments D n 1 and D n located in sectors s 7 8 ; E was entirely recovered (E 1 ) and found to fit within a single sector (s 10 ). According to this file fragment disposition, do you agree with the following statements? Justify. a) File C is likely to be older than file D. b) File B is likely to be older than file D. c) File A is likely to be older than file B. d) File E is likely to be older than file A. Number: Name: 3/8

4 III. ( = 8 points) 1. Consider a volume image taken from a 8GB thumb drive (assume 1GB = bytes). The hex dump shown below depicts the last bytes of the MBR retrieved from that image. Analyze the partition layout of the volume by answering the following questions. Justify your answers. 0x01A0: x01B0: A8 E1 A8 E x01C0: FF FF 1F x01D0: x01E0: C x01F0: AA Master Boot Record Format A S Description 0x Bootstrap code area 0x1BE 16 Partition table entry #1 0x1CE 16 Partition table entry #2 0x1DE 16 Partition table entry #3 0x1EE 16 Partition table entry #4 0x1FF 2 Signature (0xAA55) Partition Table Entry Format A S Description 0x0 1 Bootable flag (0x80 active, else 0x0) 0x1 3 Starting CHS address (obsolete) 0x4 1 Partition type (e.g., 0x0: empty, 0x07: NTFS, 0x83: Linux) 0x5 3 Ending CHS address (obsolete) 0x8 4 Starting LBA address 0xC 4 Size (in sectors) A: address (hex), S: field size (bytes) Note: Check out the MBR format as specified in the reference tables above. The multi-byte fields are little-endian, the LBA addressing starts in 0, and the sector size is 512 bytes.. a. How many partitions are there in this volume? b. What is the size of each partition (in bytes)? Tip: 1GB = 0x bytes. c. Identify any possible inconsistencies in the partition table. d. Indicate the boundaries and total size of existing partition slack space. Number: Name: 4/8

5 3. General file system forensic techniques can be applied at different categories. What is the difference between content and metadata categories? Considering the FAT and NTFS file systems, provide examples of file system s data structures that are relevant in each category. 4. Fill in the table below by providing for each Windows artifact a brief description and explaining how it can be useful in forensic investigations: Artifact Description Forensic Relevance UserAssist Last Visited MRU Thumbnails Shell Bags Prefetch Files Number: Name: 5/8

6 5. Mr. R. Salty managed to remotely infiltrate the Honest National Bank (HNB) network over the Internet. However, since the HNB was instrumented to capture full traces of the internal network traffic, Mr. Salty s activities were eventually discovered and analyzed by a forensic team. The HNB network consists of three segments: 1. Internal network: /24 2. DMZ: /24 3. The Internet : /24 By analyzing the network traces, investigators reconstructed the following events: E1. The attacker ( ) conducted a port SYN scan of the DMZ victim ( ) and found that TCP port 22 (SSH) was exposed on the targeted DMZ victim. E2. The attacker ( ) conducted a brute-force password-guessing SSH attack on the DMZ victim. After 8 minutes, this attack was successful, and the attacker logged into the DMZ victim using SSH. E4. From the DMZ victim, the attacker conducted a port ACK scan of the internal network for open port 3389 (RDP). Two systems had port 3389 open: and E5. The attacker, pivoting through the DMZ victim, logged into via RDP. E6. On , the attacker used FTP to connect outbound to and transfer a file from the internal system to Describe a possible sequence of steps taken by the investigators to reconstruct each of these events. Be concrete in explaining what traffic analysis techniques can be employed and how, in order to determine every bit of information described for each event. Number: Name: 6/8

7 IV. ( = 6 points) 1. Consider the following onion-routing circuit established between Alice and Bob. Alice R1 R2 R3 Bob To send message M anonymously through this circuit down to Bob, Alice must send to R3 a ciphertext C M that must be encrypted according to the following general format: C M = {I 1, k 1 } K + 1 {{I 2, k 2 } K + 2 {{I 3, k 3 } K + 3 {{M} K + } k3 } k2 } k1 4 Instantiate this protocol to the concrete scenario of the figure above by indicating: how the identifiers I 1, I 2, and I 3 must each be replaced by one of the party identifiers Alice, Bob, R1, R2, or R3, how the public keys K + 1, K+ 2, K+ 3, and K+ 4 must each be replaced by one of the public keys KA+, KB +, KR1 +, KR2 +, or KR3 + owned by each party. Assume that each relay Ri has a key pair KRi, in which KRi + represents its respective public part. Alice and Bob hold key pairs KA and KB, respectively. 3. What is the specific anonymity property provided by the Tor hidden services when compared to the standard Tor circuits? 4. In the context of Bitcoin investigations, what does the shared spending heuristic consist of, and how can it be used for forensic analysis purposes? Number: Name: 7/8

8 5. Indicate three techniques employed by the botnet systems for trail obfuscation purposes. Describe how these techniques work and why they are hard to defeat. 5. The hex dump listed below represents the pixel values of a greyscale bitmap image. Pixels take 16 bits each and are addressed sequentially, starting with address 0x00. 0x00: d31 2e35 0a25 d0d4 c5d8 0a34 0x10: f 626a 0a3c 3c0a 2f4c 656e x20: 3c b e2e5 5cbe 73a5 70b2 4d70 0x30: 6c f 466c f64 0x40: 650a 3e3e 0a d0a 78da 9d58 Your job is to embed a covert message into this image using 2-bit LSB encoding. The message must be protected by a key, such that the address of the first pixel to be encoded is given by p 0 = key mod 3, and the next pixel address p i is calculated by p i = p i (p i 1 mod 3). (A mod B finds the remainder after division of A by B.) Considering the covert message = 0xF1 and key = 2, determine which pixels will suffer a change and indicate their new values. Number: Name: 8/8