Your organization has become aware of external attempts to gain access to sensitive proprietary information on its computer systems and has stepped up its monitoring in response. Data from this monitoring, in addition to interviews with employees, has focused attention on a single user, who is suspected of collaborating with an outside party.
When escalated monitoring of the user identified suspicious network and system activity, your organization's security team responded. They copied the contents of the user's home directory (this was a Linux desktop system), made a full dump of system memory and preserved a packet capture of network traffic from the system. It's your task to analyze this data and determine what can be established about the activity of the user.
Your organization wants to answer the following questions:
The data set for this challenge contains files copied from the user's home directory, a dump of physical memory and a network packet capture in pcap format.
Submissions should include an analysis report that answers the four questions listed in the challenge scenario and outlines how those answers were determined. The report should also include any other conclusions that appear germane to the case and must outline novel techniques employed in sufficient detail that the results can be reproduced. Reports must be submitted in PDF, ASCII or HTML format.
The submission should also include data that supports the findings and the source code for any analysis tools that were developed for the challenge. The source code can be released under any restrictions and licenses that you choose. The report and supporting files should be bundled into a single compressed archive. All submitted data, with the exception of compiled executables, will be published on the DFRWS website.
Submissions are due by July 10, 2008.
Please submit your Challenge report together with any accompanying files in a single compressed archive (zip or gzip, for example) via anonymous FTP to DFRWS-submit.dfrws.org. Use "ftp" (without quotes) as a username and supply your e-mail address as the password.
Upload your submission to the "upload/" directory. A confirmation e-mail of your upload will be sent to the address given as a password.
PLEASE READ THE FOLLOWING: The FTP server accepts anonymous uploads only and will not provide a directory listing or honor download requests, even for the file you just uploaded. The lack of a directory listing may trigger error messages in some FTP clients (those that automatically request directory listings, for example). You should be able to send your file regardless (be sure you "cd" to the "upload/" directory first). If you experience problems:
Questions can be sent to dfrws2008-challenge <at> dfrws <dot> org.
Submissions will be judged primarily for the completeness and accuracy of findings, as well as the soundness of the supporting analysis.
The goal of this and past challenges is to spur advances in the state of the art in research and tools. Therefore, we expect that you document your techniques as much as possible. Extra weight will be given for the creation of novel analysis tools that are applicable to broader forensic challenges.