Challenge 3: Computer Forensics

Introduction

Computer forensics is the application of the scientific method to digital media in order to establish factual information for judicial review. This process often involves investigating computer systems to determine whether they are, or have been, used for illegal or unauthorized activities. Mostly, computer forensics experts investigate data storage devices, either fixed (such as hard disks) or removable (such as compact disks and solid-state devices). In many cases, the forensic analyst may not know exactly what she is looking for. Furthermore, the analysis task may be complicated by the fact that the analyzed information is fragmented. Typically, good forensic analysis requires special hardware, sophisticated software tools, experience, and patience.

This challenge aims to give participants some hands-on experience with file systems and forensic analysis. Remember, if you delete something, it is not necessarily deleted ;-)

Detailed Description

Your task is to write a program in C called csi.c that extracts the deleted files from the root directory of a FAT16 raw disk image. Once you have successfully extracted the deleted files, in the second part of the challenge you need to analyze the information and obtain the secret message that we have hidden.

Your program has the synopsis:

csi <image name>

where <image name> is the name of the FAT16 image file in which the deleted files reside. Your task is to open this image file (e.g., using open()) and extract all deleted files that are in the root directory of the image. That is, you should create a local copy of every deleted file on the image in the directory from which your application was started.

Important: When you read the FAT16 description, you will see that when a file is deleted, the first character of its name is lost. For example, if the file is called SHOOT.TXT, then when it is deleted, the "S" in SHOOT.TXT disappears. Hence, for the sake of simplicity, when creating a local copy of a deleted file, always use the original name from the directory entry with the character "I" as the first character of its name (e.g., SHOOT.TXT would be restored as IHOOT.TXT). Undelete programs typically ask the user interactively what this character should be, but we are simplifying things here.

Here is a gzipped test image (977KB) that you can use while debugging your application. This image contains two deleted files. When you invoke your application on this test image, here is what the directory you are working in should look like:

seclab@master:~/inetsec2> ls -la
total 984
-rwx------ 1 seclab seclab 8481 Dec 5 21:21 csi
-rw------- 1 seclab seclab 1000000 Dec 5 21:21 test.img
seclab@master:~/inetsec2> ./csi test.img
seclab@master:~/inetsec2> ls -la
total 1868
-rwx------ 1 seclab seclab 8481 Dec 5 21:21 csi
-rw------- 1 seclab seclab 122688 Dec 5 21:21 INSEL.MP3
-rw------- 1 seclab seclab 760980 Dec 5 21:21 IREEK.MPG
-rw------- 1 seclab seclab 1000000 Dec 5 21:21 test.img

Obviously, the length of csi will be different for your application. The rest should be as you see in the listing. Note that the original files on the image were called BNSEL.MP3 (an audio clip from German radio) and GREEK.MPG (a short video clip), but as described above, the first characters of their names were lost when they were deleted.

Also, to keep things simple, we are only asking you to extract deleted files from the root directory (see the FAT16 description links in the hints section). That is, you do not need to worry about subdirectories and can assume that all deleted files on the images that you receive are in the root directory. Furthermore, the files on the images are not fragmented, which makes your job much easier.

We have put your image in your home directory on bandit. It has the name forensicsNNN.img (where NNN is your inetsec account number). It might be a good idea to make a copy before working on it. This lets you go back if you make a mistake and tamper with the original image. Finally, remember that you need to discover the hidden message in the deleted files you extract ;-). Once you find it, follow the instructions in it.

Here is the Makefile we will use to compile your sources.

Hints
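As an added illustration of the recovery described above (example code written for this page, not part of the original challenge and not a reference solution), the C below parses the FAT16 boot sector, walks the root directory, rebuilds the name of each 0xE5 entry with "I" in the lost slot, and copies the contiguous bytes of every deleted file out of an in-memory image. The field offsets are the standard FAT16 on-disk layout; sample_bpb and sample_entry are constructed values, not taken from test.img, and reading the image file into a buffer is left to the caller.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p) { return le16(p) | ((uint32_t)le16(p + 2) << 16); }
typedef struct { uint32_t cluster_bytes, root_off, root_entries, data_off; } fat16_layout;
/* Reads the BIOS parameter block (boot-sector bytes 11..23) and locates the root directory
 * and the data area. Returns -1 on an obviously invalid BPB. */
int fat16_layout_parse(const uint8_t *bs, fat16_layout *l) {
    uint16_t bps = le16(bs + 11), reserved = le16(bs + 14), spf = le16(bs + 22);
    if (bps == 0 || bs[13] == 0 || bs[16] == 0) return -1;
    l->cluster_bytes = (uint32_t)bps * bs[13];                /* bytes/sector * sectors/cluster */
    l->root_entries = le16(bs + 17);
    l->root_off = ((uint32_t)reserved + (uint32_t)bs[16] * spf) * bps; /* after reserved sectors + FATs */
    l->data_off = l->root_off + l->root_entries * 32u;        /* 32 bytes per directory entry */
    return 0;
}
uint32_t fat16_cluster_off(const fat16_layout *l, uint16_t n) {
    return l->data_off + (uint32_t)(n - 2) * l->cluster_bytes;  /* data clusters are numbered from 2 */
}
/* A deleted entry keeps everything but its first name byte, which becomes 0xE5. Rebuilds the
 * 8.3 name with 'I' in that slot (e.g. "IHOOT.TXT"); returns 0 if the entry is not deleted. */
int fat16_restore_name(const uint8_t *e, char out[13]) {
    int n = 0, i;
    if (e[0] != 0xE5) return 0;
    out[n++] = 'I';
    for (i = 1; i < 8 && e[i] != ' '; i++) out[n++] = (char)e[i];
    if (e[8] != ' ') { out[n++] = '.'; for (i = 8; i < 11 && e[i] != ' '; i++) out[n++] = (char)e[i]; }
    out[n] = '\0';
    return 1;
}
/* Walks the root directory and writes out each deleted regular file. The image is unfragmented,
 * so a file's bytes run contiguously from its first cluster. Returns the number recovered. */
int fat16_undelete_root(const uint8_t *img, size_t len) {
    fat16_layout l; int found = 0; uint32_t i;
    if (len < 36 || fat16_layout_parse(img, &l) < 0) return -1;
    for (i = 0; i < l.root_entries && l.root_off + (i + 1) * 32 <= len; i++) {
        const uint8_t *e = img + l.root_off + i * 32; char name[13]; FILE *f;
        uint16_t cl = le16(e + 26); uint32_t size = le32(e + 28), start = fat16_cluster_off(&l, cl);
        if (e[0] == 0x00) break;                                    /* 0x00: no more entries */
        if ((e[11] & 0x18) || !fat16_restore_name(e, name)) continue; /* skip dirs, volume labels */
        if (cl < 2 || start > len || size > len - start) continue;  /* entry points outside image */
        if ((f = fopen(name, "wb")) == NULL) continue;
        fwrite(img + start, 1, size, f); fclose(f); found++;
    }
    return found;
}
/* Constructed sample data (not from test.img): 512-byte sectors, 2 sectors/cluster, 1 reserved sector, 2 FATs of 8 sectors, 512 root entries; a deleted "?HOOT.TXT" at cluster 3, 1500 bytes. */
const uint8_t sample_bpb[36] = { [11] = 0x00, [12] = 0x02, [13] = 2, [14] = 1, [16] = 2, [17] = 0x00, [18] = 0x02, [22] = 8 };
const uint8_t sample_entry[32] = { 0xE5, 'H', 'O', 'O', 'T', ' ', ' ', ' ', 'T', 'X', 'T', 0x20, [26] = 3, [28] = 0xDC, [29] = 0x05 };
```

A main() for csi would read the whole image into a buffer and pass it to fat16_undelete_root; the bounds checks keep a corrupt or oversized directory entry from reading past the end of the image.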
Deliverables

To submit your challenge solution to us, you need to follow these steps:
Administrative Information and Deadline

This is an individual project. The project is due on Tuesday, 03.05.2011, 23:59:59 PST.