CS 482 - Computer Forensics

Lab 3: Linux System Investigation

Due Date: November 02, 2007, 23:59 EST
Deliverables: Analysis Report
This lab is worth 15% of your final grade.

The ACME company recently developed a breakthrough software tool that is almost guaranteed to dramatically increase the company's profits. The company has recently started building up a web presence and offering some information and demo versions online. Much to his dismay, ACME's director, Dr. B., received a blackmail notice this morning (Monday, October 6th, 2008), stating that the source code for the tool was stolen and demanding a large ransom, failing which the source will be published. Dr. B. needs you to investigate.

The ACME company has two employees: Alice (web administrator) and Bob (programmer). They share a common Linux workstation for their work, which also serves as the development platform and the web server. The source code for the software tool is also present on the machine in the '/acme/source_code/secret' directory, to which only members of the 'trusted' group have any access. Dr. B. is the administrator for the machine, logging in as the 'drb' user. Only Dr. B. had physical access to the machine.

When Dr. B. was informed about the blackmail, he immediately yanked the power cord on the machine. Your task is to analyze the ACME Linux workstation, try to determine what happened, and (if possible) find out if and how the source code has been leaked out and by whom.

You need to write a full analysis report describing what could be recovered or reconstructed, what events took place on the system, and your conclusions. I need to be able to see from the report how you reach your conclusions. You also have to explain how you acquired the evidence from the workstation.

Furthermore, answer the following questions in your full report:

  1. Did the source code leak out?
  2. If so, who did it and how was it accomplished?
  3. If the code leaked out, how could the incident have been avoided?
  4. How should a criminal investigation now continue given the information learned from your analysis?

You are encouraged to use tools for this lab. You may use any tool you like, but you need to document how you used it. The Sleuthkit and Autopsy are installed on your forensic workstation (see http://www.sleuthkit.org for documentation). The ACME VM image has been placed on the VM server for you. It is called lab3-<your user ID>.
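The assignment leaves the acquisition and analysis steps to you. The shell helpers below are an added illustration, not part of the lab hand-out or of the Sleuthkit distribution, showing the shape of a defensible workflow: image the disk of the powered-off workstation without ever booting its own OS (with the power cord pulled there is no memory or network state left to capture, only the disk), verify the image hash, turn the body file produced by Sleuthkit's `fls -r -m / image.dd` into a sorted timeline in the manner of `mactime`, and work out from the image's own /etc/passwd and /etc/group which accounts could actually reach the 'trusted' tree. The body-file, passwd and group lines in the block are constructed samples; every user name, path and timestamp in them is assumed for the illustration and says nothing about what is on the lab image.

```sh
#!/bin/sh
# Added example for this lab (not part of the assignment): acquisition and
# first-pass timeline/permission analysis of a Linux disk image.
# Requires: POSIX sh, awk, sort; sha256sum (GNU) or shasum (BSD/macOS).

# 1. Acquire. Boot the workstation from forensic media (or attach its disk to
#    the forensic box behind a write blocker) so the suspect OS never runs.
#    conv=noerror,sync keeps going past bad sectors by zero-filling them, so a
#    hash mismatch between source and copy after read errors is expected and
#    must be documented. Not run here: needs a real device and root.
acquire_disk() {  # usage: acquire_disk /dev/sdX out.dd
    dd if="$1" of="$2" bs=4M conv=noerror,sync
    sha256sum "$1" "$2" > "$2.sha256"
}

# 2. Verify a copy of the image against the hash recorded at acquisition
#    time before working on it (and again before writing the report).
verify_image() {  # usage: verify_image IMAGE EXPECTED_SHA256_HEX
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$1" | awk '{print $1}')
    else
        actual=$(shasum -a 256 "$1" | awk '{print $1}')
    fi
    [ "$actual" = "$2" ]
}

# 3. Timeline. `fls -r -m / image.dd` emits one line per file in the TSK
#    body-file format MD5|path|inode|mode|uid|gid|size|atime|mtime|ctime|crtime
#    (epoch seconds). `mactime -b` sorts that into one row per timestamp; the
#    awk below does the same without mactime, emitting
#    epoch|flag|mode|uid|gid|path with flag a/m/c/b and zero timestamps dropped.
body_timeline() {  # usage: body_timeline < bodyfile
    awk -F'|' '
        BEGIN { split("a m c b", flag, " ") }
        NF >= 11 {
            for (i = 8; i <= 11; i++)
                if ($i + 0 > 0)
                    printf "%s|%s|%s|%s|%s|%s\n", $i, flag[i - 7], $4, $5, $6, $2
        }' | sort -t'|' -k1,1n -k6
}

# Only the rows under one path prefix, e.g. the protected source tree.
timeline_for() {  # usage: timeline_for /acme/source_code/secret < bodyfile
    body_timeline | awk -F'|' -v p="$1" 'index($6, p) == 1'
}

# 4. Who could reach a group-protected directory: accounts whose primary GID
#    in passwd is the group, plus the supplementary members listed in group.
#    Feed it the copies recovered from the image (icat or a read-only mount),
#    never the forensic workstation's own files.
users_in_group() {  # usage: users_in_group GROUP PASSWD_FILE GROUP_FILE
    gid=$(awk -F: -v g="$1" '$1 == g { print $3 }' "$3")
    {
        [ -n "$gid" ] && awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$2"
        awk -F: -v g="$1" '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$3"
    } | sort -u
}

# Constructed sample data (assumed for the illustration, not from the lab image).
SAMPLE_BODY='0|/acme/source_code/secret|1001|d/drwxrwx---|0|1002|4096|1223298000|1223290000|1223290000|0
0|/acme/source_code/secret/tool.c|1002|r/rrw-rw----|1001|1002|52113|1223298000|1223200000|1223200000|0
0|/home/alice/.bash_history|2001|r/rrw-------|1000|1000|812|1223299900|1223299900|1223299900|0
0|/home/bob/.bash_history|2002|r/rrw-------|1001|1002|640|1223299200|1223299150|1223299150|0'
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1002:Bob:/home/bob:/bin/bash
drb:x:1002:1003:Dr. B:/home/drb:/bin/bash'
SAMPLE_GROUP='root:x:0:
alice:x:1000:
trusted:x:1002:drb
drb:x:1003:'

# Demo run on the samples: `sh thisfile.sh demo`
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_BODY" | timeline_for /acme/source_code/secret
    tmp=$(mktemp -d)
    printf '%s\n' "$SAMPLE_PASSWD" > "$tmp/passwd"
    printf '%s\n' "$SAMPLE_GROUP" > "$tmp/group"
    users_in_group trusted "$tmp/passwd" "$tmp/group"
    rm -rf "$tmp"
fi
```

Two things to watch when applying this to the real image: `fls -m` takes the mount-point prefix and, for a partitioned disk, an offset from `mmls`, so run it per partition and merge the body files before sorting; and the timeline is only as trustworthy as the clock and the mount options (noatime silently removes the access-time rows), so record both in the report alongside the hashes.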

Submit your deliverables as a single PDF document. Name your PDF document "<your last name>-lab3.pdf" and submit this. If you need to submit auxiliary files in support of your report, place all your files (including your report PDF) in a directory "<your last name>-lab3", and zip (or tar/gzip) the entire directory to a file called "<your last name>-lab3.zip" (or .tgz).

References:

Sleuthkit and Autopsy: http://www.sleuthkit.org

Note:

The VM image contains copyrighted material. The image is available for the purpose of performing this lab exercise only, and the copyrights of the respective owners need to be observed.