After the Banquet at the annual conference, a "forensics rodeo" is held. The rodeo is a challenge where conference attendees form teams to solve a digital forensics problem.
The DFRWS is making the materials from the DFRWS 2008 Forensic Rodeo available for educational purposes and to support further research in memory analysis and file carving. The results were not published until after DFRWS 2009.
The scenario, files, and results are listed below.
The scenario, images, and any other supporting materials are distributed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 Unported License.
On 8 August 2008, the Saraquoit Corporation received an anonymous tip that one of their employees, Steve Vogon, was disgruntled and may be attempting to cause harm to the company's computer systems and/or network. After an initial interview with Human Resources, Mr. Vogon became very agitated and stormed out of the office. Upon his departure, the IT department was asked to perform a memory capture of Vogon's computer system. At the completion of the capture, the IT department also confiscated a 128 MB USB thumb drive and a Canon digital camera, both residing in Mr. Vogon's desk drawer. It should be noted that the USB thumb drive is owned by the Saraquoit Corporation and the digital camera is owned by Steve Vogon.
Kal Dalil of the IT department felt that a complete forensic analysis was necessary in order to answer the questions below. A quick review of the memory capture revealed what appeared to be some suspicious activities occurring on the computer system assigned to Steve Vogon. Feeling overwhelmed, overworked and underappreciated, Mr. Dalil has contacted you, requesting your assistance. Specifically, Mr. Dalil is providing you with the memory image, as well as a complete bit-for-bit image of the USB drive in question. You have agreed to perform a forensic analysis and are expected to answer the following questions, including a full explanation for each answer. Remember, an answer alone is not sufficient.
The scenario and its contents are completely fictitious and are not based on any actual events. Any resemblance to real persons or organizations is entirely coincidental.
dfrws2008-rodeo.tar.gz (190 MB)
Image MD5 values:
The solution is available in PDF form.
The DFRWS2008 Rodeo was created by Eoghan Casey and Dan Kalil.