DFRWS 2015 Forensics Challenge Released!
The DFRWS 2014 Forensics Rodeo was designed as a gentle introduction to the difficulties of quickly analyzing "non-traditional" malware in the context of digital forensics investigations. The scenario includes staged release of additional evidence (as hardware is "repaired", dumpster diving efforts progress, etc.), with each new piece of evidence revealing more about what has actually occurred. By the time the last evidence is released, what has happened is relatively clear: GPU-enhanced malware is present.
The rodeo scenario at DFRWS 2014 was handled by releasing evidence in stages, with passwords to encrypted ZIP files being revealed as the rodeo progressed. The passwords to the various ZIP files and the order in which they should be released are revealed in a presentation called "2014-forensic-rodeo.pdf", which is itself contained in the encrypted ZIP file "dfrws2014rodeosolution.zip". This master file and the staged-release ZIP files are all available below. The password to the master zip file is "youcantcrackthishammertime".
DFRWS 2014 Rodeo Materials:
If you want everything bundled in one (giant) ZIP file, download dfrws2014rodeo-complete.zip. Warning: This file is > 2GB and requires > 12GB of space to decompress. Read on for explanations and download links of the individual components of the rodeo:
dfrws2014rodeo.pdf is the handout that describes the scenario.
Xubuntu1404.zip is a Volatility 2.4 profile for Niles' machine.
niles.lime.zip is a physical memory dump in LiME format, suitable for investigation with Volatility. This file is part of the initially available evidence and the ZIP is not encrypted. Warning: This file is about 1.7GB and decompresses to a 12GB memory image.
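Before pointing Volatility at a 12GB image it is worth confirming the file really is a LiME dump and seeing which physical ranges it captured, since LiME writes one 32-byte range header (magic, version, start address, end address, reserved) followed by that range's bytes, and a dump that is truncated or was not produced by LiME will make Volatility fail in confusing ways. The following is an added example, not code from the rodeo materials or from the Volatility project: it parses LiME v1 range headers over a constructed in-memory sample and builds the `vol.py` command line using Volatility 2's Linux profile naming convention (`Linux` + the profile zip's basename + architecture). The `x64` architecture and the `linux_pslist` plugin are assumptions for illustration, not facts stated on this page.

```python
"""Sanity-check a LiME memory image before handing it to Volatility 2.x.

Added example; assumes the LiME v1 on-disk format (a 32-byte header per
captured physical range, followed by that range's bytes) and Volatility 2's
Linux profile naming convention.
"""
import struct
from typing import List, Tuple

# LiME range header: magic, version, start addr, end addr, 8 reserved bytes (little-endian).
LIME_MAGIC = 0x4C694D45            # shows up as the ASCII bytes b"EMiL" at file offset 0
LIME_HEADER = struct.Struct("<IIQQ8s")

# (start physical address, end physical address inclusive, file offset of the data)
Segment = Tuple[int, int, int]


def parse_lime_segments(data: bytes) -> List[Segment]:
    """Walk every range header in a LiME image, validating magic, version and lengths."""
    segments: List[Segment] = []
    off = 0
    while off < len(data):
        if len(data) - off < LIME_HEADER.size:
            raise ValueError(f"truncated LiME header at offset {off:#x}")
        magic, version, s_addr, e_addr, _reserved = LIME_HEADER.unpack_from(data, off)
        if magic != LIME_MAGIC:
            raise ValueError(f"bad LiME magic {magic:#010x} at offset {off:#x}")
        if version != 1:
            raise ValueError(f"unsupported LiME version {version}")
        if e_addr < s_addr:
            raise ValueError(f"range end {e_addr:#x} precedes start {s_addr:#x}")
        length = e_addr - s_addr + 1          # end address is inclusive
        off += LIME_HEADER.size
        if off + length > len(data):
            raise ValueError(f"range {s_addr:#x}-{e_addr:#x} runs past end of file")
        segments.append((s_addr, e_addr, off))
        off += length
    return segments


def captured_bytes(segments: List[Segment]) -> int:
    """Total physical memory actually captured (holes between ranges are not in the file)."""
    return sum(e - s + 1 for s, e, _ in segments)


def volatility_profile_name(profile_zip: str, arch: str = "x64") -> str:
    """Volatility 2 names a Linux profile 'Linux' + <zip basename> + <arch>; arch is an assumption here."""
    base = profile_zip.rsplit("/", 1)[-1]
    if base.lower().endswith(".zip"):
        base = base[:-4]
    return f"Linux{base}{arch}"


def volatility_command(image: str, profile_zip: str, plugin: str = "linux_pslist") -> str:
    """Command line to run a Linux plugin once the profile zip sits in volatility/plugins/overlays/linux/."""
    return f"vol.py --profile={volatility_profile_name(profile_zip)} -f {image} {plugin}"


def _fake_range(s_addr: int, e_addr: int, fill: bytes = b"\x00") -> bytes:
    """Build one LiME range (header + zero-filled payload) for the constructed sample below."""
    return LIME_HEADER.pack(LIME_MAGIC, 1, s_addr, e_addr, b"\x00" * 8) + fill * (e_addr - s_addr + 1)


# Constructed sample image (not a real dump): two captured ranges with a hole between
# them, as a LiME dump of a machine with reserved physical regions would have.
SAMPLE_IMAGE = _fake_range(0x1000, 0x1FFF) + _fake_range(0x100000, 0x1007FF)

if __name__ == "__main__":
    segs = parse_lime_segments(SAMPLE_IMAGE)
    for s, e, off in segs:
        print(f"range {s:#012x}-{e:#012x} at file offset {off:#x}")
    print("captured bytes:", captured_bytes(segs))
    print(volatility_command("niles.lime", "Xubuntu1404.zip"))
```

On the real image, read the file with `open(path, "rb").read()` only if you have the RAM for it; otherwise adapt the loop to seek over each range rather than loading 12GB. The profile zip itself is not parsed here: Volatility 2 picks it up by dropping the unmodified zip into its `volatility/plugins/overlays/linux/` directory (or a directory passed with `--plugins`), after which `--info` lists the resulting profile name.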
The ZIP files below are listed in the order that additional evidence is released in the scenario:
The ZIP file dfrws2014rodeosolution.zip contains complete source code and a presentation that reveals all of the passwords for the additional evidence files.
Please feel free to use the materials in benign ways as long as attribution remains intact. Suggestions and bug reports to email@example.com are welcome.