Memory analysis was one of the primary themes of DFRWS 2005. In an effort to motivate discourse, research and tool development in this area, the Organizing Committee created the intrusion/intellectual property theft scenario detailed below. This memory challenge was open to all, and team efforts were encouraged. An award was given to the people (below) who extracted the most information from the memory dumps, and the quality of documentation and novelty of techniques were considered when choosing the winners. Network traffic associated with this intrusion was made available during the workshop (below).
|Chris Betz||Developed memparser to reconstruct process list and extract information from process memory.||Report & Answers|
|George M. Garner Jr. & Robert-Jan Mora||Developed kntlist to interpret structures in memory and maintain an audit log and integrity checks.||Preliminary Analysis and Answers|
For several years, Professor Goatboy has been performing secret research that is of great interest to a certain foreign government. In May 2005, rumors spread that he had written several papers detailing key aspects of his work but that he was being pressured not to publish them. To escape these pressures, the professor moved to a new research facility where he would be permitted to continue his work without interference.
In the last week of May, Professor Goatboy settled into his new office and moved his work onto the new laptop he had been assigned. Unfortunately, he was too busy during the first week at his new job to get much work done, and did not have time to secure the fresh installation of Windows 2000 on his laptop.
On Sunday June 5th, the research lab's incident response coordinator, Tom "Blackout Jack" Daniels, was examining network logs from the previous night and noticed unusual traffic coming from Professor Goatboy's computer. He promptly located the laptop in the professor's office, and used Helix 1.6 to dump physical memory (dfrws2005-physical-memory1.dmp) (MD5 = 2d767dbc338075f7c7594894716f3290). He attempted to find signs of intrusion on the system but had difficulty executing some of his tools. Specifically, the system would not run "pslist.exe" or "fport.exe" to gather information about running processes. In addition, while he was attempting to create forensic duplicate of the drive, the system rebooted unexpectedly.
When the system came back up, Daniels acquired the physical memory again (dfrws2005-physical-memory2.dmp) (MD5 = dbca88eeb7b8dbd42f406a405e6f56cf), and again tried to acquire an image of the disk using Helix 1.6 under Windows without success. Finally, he rebooted the system using the Helix CD and acquired the drive using Grab 1.2.2.
The lab administration is seeking help in determining what occurred. In addition to the memory dumps, the following information is available:
Specific files from the system can be requested from challenge (at) dfrws (dot) org. Provide the names of the file in your request. For instance, "ntoskrnl.exe," the kernel module from the original system containing various memory management functions may be useful for your analysis.