CSAW 2009 High School Forensics

Please consider this page an archive of the event. Refer to the main CSAW forensics page for full details.

Prelim Challenge: csaw09-hsf-prelim-challenge.pdf

Prelim Solutions: csaw09-hsf-prelim-solutions.pdf

Finals Challenge: csaw09-hsf-final-challenge.pdf

Finals Solutions: csaw09-hsf-final-solutions.pdf

Preliminary Challenge

The NYU-Poly Police (NPP) needs your help to solve a murder. After responding to reports of screaming in the area, the NPP discovered Johnny Muzic dead in his office. Johnny Muzic was the executive at the newly-founded NYU-Poly ISIS Records, and had been seen hanging out with known criminals.

Our investigation revealed that the company was about to release a new album by rock star Taylor Shift. During questioning, Taylor told the NPP that Johnny had the latest cut of her new album, but we did not find the album anywhere in the office. Additionally, she told the NPP she believes Johnny and his business partner, Vikram Rekorder, have been arguing over her new role in the company.

Vikram cannot be found, and is wanted for questioning.

Vikram's aide, Efstratios Gavas, was questioned, but only produced some network data. He knew nothing else. The network data was taken from two separate machines, so their clocks are not synchronized and the relative time between the two datasets is off. However, both datasets are from October 14.

What the NPP needs from your team is a report, not to exceed 5 pages, about who killed Johnny Muzic and why, what happened to Vikram and the album, and any supporting data.

Below you will find links to the data recovered from Johnny Muzic's office computer, and the network. This is all the data you will need to solve this mystery.

Computer


http://isis.poly.edu/~egavas/csaw2009-forensics/jmuzic.tar.gz.torrent

If you have problems with the torrent, you may use the direct link here:
http://isis.poly.edu/~egavas/csaw2009-forensics/jmuzic.tar.gz

Network Data


http://isis.poly.edu/~egavas/csaw2009-forensics/pcap.evening
http://isis.poly.edu/~egavas/csaw2009-forensics/pcap.morning

Additional Evidence

The NPP has discovered a Twitter account which is associated with Mr. Muzic (http://twitter.com/jmuzic09). The NPP believes this is important new evidence and should be considered in your final report.

*VERY* Important Notes

All of the data you will need is either provided above or available on ISIS-controlled machines. You will NOT need to, NOR should you attempt to, log into any non-ISIS machines or accounts used in this challenge. Seriously. We cannot be responsible for what might happen, and you will only be wasting time. If you have any questions about whether a machine is within gameplay, or what access is allowed, you may request a "Warrant" from "Judge C. Saw" by e-mailing csaw_forensics@isis.poly.edu.

Thank You

Thanks to Colin Ames from Attack Research and MC from Metasploit for their crucial help developing the exploits. And, of course, Boris Kochergin for being sysadmin to the world. Also, special thanks to Nasir Memon, Beverly Johnson, Erin Newton, Shashikant Tangade, and Joy Colelli for doing all the work to bring this challenge together.