CS 482 - Computer Forensics

Lab 4: Binary Analysis

Due Date: December 02 2008, 23:59 EST
Deliverables: Analysis Report
This lab is worth 20% of your final grade.

An unknown binary was found on a Red Hat Linux machine (the same distribution as the forensic workstation VM). Analyze the binary and find out what it does. The file is called "binary" and is available in Blackboard under "Assignments/Lab4." Verify the download before you start: the SHA-1 checksum of the binary is:

42a503ef1b96b009d8bb4b547822a55dba035bc4 binary

You need to create a full analysis report that describes the steps you took to analyze the binary, the result of each step, and the capabilities of the binary. Every claim must be backed up either by annotated disassembly or decompilation, or by an explanation of the relevant traces or other dynamic output. Full disassemblies and full trace data belong in the appendix; list and explain only the relevant portions in the body of your analysis.

If you perform any kind of dynamic analysis you must describe in detail how you set up your testing environment.

Furthermore, address the following questions/tasks in your report:

  1. Support your reasoning with the appropriate dynamic analysis output and/or reverse-engineered (pseudo)code from your static analysis.
  2. What steps (if any) were taken to make analysis difficult (e.g. stripping, packing, anti-debugging, or obfuscation), and how did you get around them?
  3. Compare the static and dynamic analysis methods you used: how much effort did each require, what results did each yield, and how confident can you be that all of the binary's capabilities were discovered?

Submit your deliverable as one PDF document. You are encouraged to use tools for this lab, but you must document how you used them. The FreeIDA disassembler is available under Blackboard (this is an old version; use the link below for a more recent one), as are copies of the Intel assembly instruction manuals. You are also encouraged to use the objdump tool available on your forensic VMs; see "man objdump" for details. There is a strict 15 page limit on the write-up (not including the title page or appendices). You may submit auxiliary files if you feel they are necessary, and reference them in your analysis. There must be no narrative in the auxiliary files, i.e. only code, program output, and tables are allowed. All auxiliary files must be contained in one single archive (zip or tar), labeled appropriately.
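As an added example that is not part of the lab handout: a POSIX shell script that checks the downloaded file against the SHA-1 quoted above before any analysis begins, and then collects the static evidence (ELF headers, imported symbols, printable strings, an Intel-syntax objdump disassembly) that the report is expected to cite. The file name "binary" and the digest come from the handout; the helper names, the tool checks, and the constructed "abc" sample used for the self-test are assumptions made for this demonstration. Never run the sample itself outside the isolated forensic VM; this script only reads it.

```shell
#!/bin/sh
# Added example (not part of the CS 482 handout): verify the sample's SHA-1 before touching it,
# then run a first-pass static triage. The sample "binary" is not bundled here, so the self-test
# at the bottom uses a small constructed file with a well-known digest.

# SHA-1 quoted in the handout for the file "binary".
LAB_BINARY_SHA1='42a503ef1b96b009d8bb4b547822a55dba035bc4'

# verify_sha1 FILE EXPECTED_HEX -> exit status 0 only if the digest matches.
# Compare the digest directly rather than via "sha1sum -c": a renamed or missing file must fail.
verify_sha1() {
    [ -r "$1" ] || return 1
    actual=$(sha1sum "$1" | cut -d' ' -f1) || return 1
    [ "$actual" = "$2" ]
}

# static_triage FILE: print the static artifacts worth quoting in the report. Every tool is
# optional and skipped when absent, so the function works on a minimal forensic VM.
static_triage() {
    f=$1
    echo "== file type"
    file "$f" 2>/dev/null || echo "(file utility not installed)"
    if command -v readelf >/dev/null 2>&1; then
        echo "== ELF header"; readelf -h "$f"
        echo "== program headers (look for RWX segments, unusual entry points)"; readelf -l "$f"
        echo "== dynamic symbols (imports hint at capabilities: socket, execve, ptrace ...)"
        readelf --dyn-syms "$f"
    fi
    echo "== printable strings, 8+ chars (first 50)"
    strings -n 8 "$f" 2>/dev/null | head -n 50
    if command -v objdump >/dev/null 2>&1; then
        # Intel syntax matches the Intel manuals shipped with the lab; the full listing goes in the appendix.
        echo "== disassembly, Intel syntax (first 40 lines)"
        objdump -d -M intel "$f" | head -n 40
    fi
}

# Usage on the real sample: refuse to go further unless the digest matches the handout.
if [ -f binary ] && verify_sha1 binary "$LAB_BINARY_SHA1"; then
    static_triage binary
elif [ -f binary ]; then
    echo "binary: SHA-1 mismatch, stop and re-download the sample" >&2
fi

# Self-test on constructed input: a file holding exactly "abc" has the well-known SHA-1
# a9993e364706816aba3e25717850c26c9cd0d89d, so this check passes; the lab digest must not match it.
sample=$(mktemp)
printf 'abc' > "$sample"
if verify_sha1 "$sample" a9993e364706816aba3e25717850c26c9cd0d89d; then
    echo "self-test: constructed sample verified"
else
    echo "self-test: unexpected digest mismatch" >&2
fi
rm -f "$sample"
```

Record the verified digest, the tool versions (sha1sum, readelf, objdump) and the VM snapshot you worked from in the report; a reader cannot reproduce a disassembly excerpt without knowing exactly which file and toolchain produced it.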

Additional resources: