In early 2009 it came to the attention of investigators that an individual with the nickname “nssal” was using a Sony PlayStation 3 (PS3) to make illicit images (specifically, certain images depicting Mardi Gras activities) available to other PS3 users. Investigators determined that “nssal” was connecting from an IP address in New Orleans, and they began capturing network traffic with the goal of catching “nssal” red-handed. Based on their initial surveillance, it appeared that “nssal” had advanced knowledge of Linux and digital forensics.
On March 11, 2009 investigators observed “nssal” communicating with another PS3 user and exchanging unknown data. With proper legal authorization, the investigators entered the suspect’s premises and found him in front of a PS3 that was running Linux. They interviewed the suspect and determined that he was a digital forensics researcher who was developing memory acquisition and analysis tools for Linux on the PS3. He denied having exchanged any information with other PS3 users.
Investigators captured physical memory of the Linux system on the PS3 using tools found on the system. This physical memory dump is present in the file nssal-physicalmem.dd.bz2. Investigators also acquired a forensic duplicate of the Linux partition on the PS3 (present in file nssal-linux-side-fs.dd.bz2) and of the suspect’s thumb drive (present in file nssal-thumb-fs.dd.bz2). Several network traces are also available. The first network trace is based on early surveillance of the suspect; this network trace is named nssal-capture-1.pcap.bz2. A second trace, nssal-capture-2.pcap.bz2, contains communication between “nssal” and another machine located at Johns Hopkins University. The network administrator in the lab at Johns Hopkins identified the machine as another PS3. This administrator regularly monitors communication and was able to provide a third network trace, jhuisi-capture-1.pcap.bz2, which contains traffic transmitted between the “nssal” PS3 and the PS3 in the Johns Hopkins lab. The system administrator also obtained a filesystem image of the PS3 at Johns Hopkins (present in jhuisi-linux-side-fs.dd.bz2) but was unable to obtain a physical memory dump.
You have been asked to assist investigators with the following questions:
The data set for this challenge includes:
The files are available for download from this directory.
Note that the two filesystem images (nssal-linux-side-fs.dd.bz2 and jhuisi-linux-side-fs.dd.bz2) are available both “whole” and processed via the Unix split command. You do NOT need to download both. The split files can be combined with cat, in suffix order (-split-aa, -split-ab, ...), to produce nssal-linux-side-fs.dd.bz2 and jhuisi-linux-side-fs.dd.bz2; compare the MD5 of the result with the value listed below before decompressing it.
MD5(jhuisi-capture-1.pcap.bz2)= c1253c1e025876a7e72f513fd7f72181
MD5(jhuisi-linux-side-fs.dd.bz2)= 18ead4e2e923f163bc95912d7362c874
MD5(jhuisi-linux-side-fs.dd.bz2-split-aa)= 9a168c40994c6a6148b859a270f9cc89
MD5(jhuisi-linux-side-fs.dd.bz2-split-ab)= a2e08cf4fbfb01907c7fe8e32e0360e1
MD5(jhuisi-linux-side-fs.dd.bz2-split-ac)= df51a9d7e33742ef8539f0f8bb052197
MD5(jhuisi-linux-side-fs.dd.bz2-split-ad)= 9872978ffb82790d74cf67477c20db3d
MD5(nssal-capture-1.pcap.bz2)= 594cd393f2dfa2ea11022e72a7ed9331
MD5(nssal-capture-2.pcap.bz2)= d895973c216aea504c7b90b6785fe158
MD5(nssal-linux-side-fs.dd.bz2)= cca65ecabcc911d44de083fb9a950910
MD5(nssal-linux-side-fs.dd.bz2-split-aa)= 5c33153309684d7f85b1c449d2ed6d36
MD5(nssal-linux-side-fs.dd.bz2-split-ab)= 51424caaa67ea129f63a0d044092c09f
MD5(nssal-linux-side-fs.dd.bz2-split-ac)= 703629497a0b55b9f146373c7558c5ce
MD5(nssal-linux-side-fs.dd.bz2-split-ad)= cd9b679ab853c7ef35cffe8643a68777
MD5(nssal-linux-side-fs.dd.bz2-split-ae)= 22f63aa1853506408489df2416502423
MD5(nssal-linux-side-fs.dd.bz2-split-af)= 226ccf27ec948ded187fcab3f6fe036a
MD5(nssal-physicalmem.dd.bz2)= 218a2f9fe8ccc31df1551eda75b179ba
MD5(nssal-thumb-fs.dd.bz2)= d31e38fb66a562dd357db41d1687a50b
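The following script is an added example, not part of the DFRWS challenge materials. It turns the MD5 lines above (assumed to be saved verbatim into a file named MD5SUMS in the directory holding the downloads) into md5sum -c input, reassembles any whole image that is present only as -split-* parts with cat, and checks every file against the published hash before anything is decompressed or analysed. The demo function at the end runs the same procedure on a constructed sample file so the script can be exercised without the real images; it uses only cat, split, sed and md5sum from coreutils.

```shell
#!/bin/sh
# Added example for the DFRWS 2009 challenge page (not the challenge's own
# tooling): reassemble split evidence images and verify every download
# against the published MD5 list before touching it.

# Convert the page's "MD5(name)= hash" lines into the "hash  name" form
# that md5sum -c reads. Lines that do not match are dropped.
md5_list_to_md5sum() {
    sed -n 's/^MD5(\(.*\))= *\([0-9a-fA-F]\{32\}\)$/\2  \1/p' "$1"
}

# Rebuild $1 from $1-split-* (glob order is suffix order aa, ab, ...),
# unless the whole file was downloaded already.
reassemble() {
    [ -f "$1" ] && return 0
    cat "$1"-split-* > "$1"
}

# Reassemble every whole image named in the list, then check all hashes.
# Prints one OK/FAILED line per file; returns non-zero on any mismatch or
# missing file, so a caller can stop before analysing bad evidence.
verify_evidence() {
    list=$1
    sums=$(mktemp)
    md5_list_to_md5sum "$list" > "$sums"
    while read -r hash name; do
        case "$name" in
            *-split-[a-z][a-z]) ;;          # a part: nothing to assemble
            *) reassemble "$name" ;;
        esac
    done < "$sums"
    md5sum -c "$sums"
    rc=$?
    rm -f "$sums"
    return $rc
}

# Demonstration on constructed data (a numbered-line file, not a real
# image): record its MD5, split it as the page's images were split, drop
# the whole file, and show verify_evidence reassembles and accepts it;
# then tamper with one part and show the reassembled file is rejected.
# Returns 0 only if both outcomes are as expected.
demo() {
    work=$(mktemp -d)
    ( cd "$work" || exit 1
      seq 1 20000 > sample.dd
      h=$(md5sum sample.dd | cut -d' ' -f1)
      printf 'MD5(sample.dd)= %s\n' "$h" > MD5SUMS     # same form as the page
      split -b 30000 sample.dd sample.dd-split-
      rm sample.dd
      verify_evidence MD5SUMS >/dev/null 2>&1 || exit 1  # must pass
      rm sample.dd
      printf 'x' >> sample.dd-split-ab                  # corrupt one part
      verify_evidence MD5SUMS >/dev/null 2>&1 && exit 1  # must now fail
      exit 0 )
    rc=$?
    rm -rf "$work"
    return $rc
}

# Usage against the real downloads:  verify_evidence MD5SUMS && bunzip2 -k *.bz2
```

The hashes on the page are MD5, so this is an integrity check against truncated or corrupted transfers, not a defence against someone who can alter both the files and the page; for evidence handling, record the verified hashes and the verification time in your own notes alongside the acquisition details.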
Submissions should include a detailed analysis in report format that answers the questions posed above and discusses in detail how the answers were determined. The report should also include any other conclusions that appear germane to the case and must outline novel techniques employed in sufficient detail that the results can be reproduced. Reports must be submitted in PDF, ASCII or HTML format.
The submission should also include data that supports the findings and the source code for any analysis tools that were developed for the challenge. The source code can be released under any restrictions and licenses that you choose. The report and supporting files should be bundled into a single compressed archive. All submitted data, with the exception of compiled executables, will be published on the DFRWS website.
Submissions are due by July 12, 2009.
Please submit your report together with any accompanying files in a single compressed archive (zip or gzip, for example) via anonymous FTP to DFRWS-submit.dfrws.org. Use "ftp" (without quotes) as a username and supply your e-mail address as the password. Upload your submission to the "upload/" directory. A confirmation e-mail of your upload will be sent to the address given as a password.
Questions can be sent to dfrws2009-challenge <at> dfrws <dot> org.
Submissions will be judged primarily for the completeness and accuracy of findings, as well as the soundness of the supporting analysis.
The goal of this and past challenges is to spur advances in the state of the art in research and tools. Therefore, we expect that you document your techniques as much as possible. Extra weight will be given for the creation of novel analysis tools that are applicable to broader forensic challenges.
©2001-2016 DFRWS | dfrws [at] dfrws [dot] org
DFRWS is a US 501(c)(3) non-profit organization.