Competition for the investigation of IT incidents


Together with Group-IB, we are holding a competition in computer forensics. The winner will get the opportunity to work in the Group-IB Laboratory, investigating IT incidents in an excellent company.

Two images of storage media have been received for examination, and only you can shed light on the incidents that occurred. Answer the questions and provide any other information that will help in the investigation of these information security incidents.

Task # 1: Malware on a flash drive


To: Director of Group-IB, I.K. Sachkov
From: Head of the Information Security Department, ZAO Picatinny, S.V. Arkadieva

Dear Ilya Konstantinovich!
On November 2, 2011, the Information Security Department (DIB) of Picatinny CJSC registered an information security incident related to the loss of information constituting a commercial secret of the enterprise. In the course of an internal investigation, a USB flash drive belonging to one of the employees and allegedly connected with the incident was discovered. DIB employees created a forensic image of the drive in dd (raw) format. In view of the foregoing, I ask you to conduct a forensic examination of the image of this storage medium and establish what information relevant to the incident is recorded on it.

Forensic questions:

1. Are there any malicious programs in the provided image?
2. If so, on what grounds were they identified as malicious?
3. What are their functional capabilities, and what network interactions do they carry out?
4. What were the circumstances of the installation and operation of these programs?

Task # 2: Broken Linux


Incident type: Hacking
Location of the incident: Swallowtail LLC
Incident date: November 3, 2011

On November 3, 2011, the system administrator of Swallowtail LLC registered an information security incident related to the "hacking" of a virtual server running a Linux-based operating system. On the same day, the server was disconnected and sent for forensic examination.

Forensic questions:

1. Does the provided image contain traces of unauthorized access to the system under examination? If so, which ones?
2. What data was compromised in the system under examination? On what evidence is this conclusion based?

The solution to each assignment should be submitted as an electronic document, taking into account the requirements for preparing forensic reports and using legally established terminology. Describe the examination process in as much detail as possible, indicating the software used and how it was applied.

Before December 31, send your expert report to contest@group-ib.ru with the subject line "Competition" and get the opportunity to work with the best forensic experts in Russia.

Source: https://habr.com/ru/post/134473/