Challenge 3: Computer Forensics

Introduction


Computer forensics is the application of the scientific method to digital media in order to establish factual information for judicial review. This process often involves investigating computer systems to determine whether they are or have been used for illegal or unauthorized activities. Mostly, computer forensics experts investigate data storage devices, either fixed, like hard disks, or removable, like compact disks and solid state devices.

In many cases, the forensics analysis expert may not exactly know what she is looking for. Furthermore, the analysis task may be complicated by the fact that the analyzed information is fragmented. Typically, good forensic analysis requires special hardware, sophisticated software tools, experience, and patience. This challenge aims to allow participants to gain some hands-on experience with file systems and forensic analysis. Remember, if you delete something, it is not necessarily deleted ;-)

Detailed Description


Your task is to write a program in C called csi.c that extracts the deleted files from the root directory of a FAT16 raw disk image. Once you have successfully extracted the deleted files, in the second part of the challenge, you need to analyze the information and obtain the secret message that we have hidden.

Your program has the synopsis:

      csi <image name>
    

where <image name> is the name of the FAT16 image file in which the deleted files reside. Your task is to open this image file (e.g., using open()) and extract all deleted files that are in the root directory of the image. That is, you should create a local copy of every deleted file on the image in the directory from which your application was started.

Important: When you read the FAT16 description, you will see that, when a file is deleted, the first character of its name is lost. For example, if the file is called SHOOT.TXT, when it is deleted, the "S" in SHOOT.TXT disappears. Hence, for the sake of simplicity, when creating a local copy of the deleted file, always use the original name from the directory entry and the character "I" as the first character of its name (e.g., SHOOT.TXT would be restored as IHOOT.TXT). Undelete programs typically ask the user interactively what this character should be, but we are simplifying things here.

Here is a gzipped test image (977KB) that you can use while debugging your application. This image contains two deleted files. When you invoke your application on this test image, here is what your working directory should look like:

      seclab@master:~/inetsec2> ls -la
      total 984
      -rwx------ 1 seclab seclab    8481 Dec  5 21:21 csi
      -rw------- 1 seclab seclab 1000000 Dec  5 21:21 test.img
      seclab@master:~/inetsec2> ./csi test.img
      seclab@master:~/inetsec2> ls -la
      total 1868
      -rwx------ 1 seclab seclab    8481 Dec  5 21:21 csi
      -rw------- 1 seclab seclab  122688 Dec  5 21:21 INSEL.MP3
      -rw------- 1 seclab seclab  760980 Dec  5 21:21 IREEK.MPG
      -rw------- 1 seclab seclab 1000000 Dec  5 21:21 test.img
    

Obviously, the length of csi will be different for your application. The rest should be as you see in the listing. Note that the original files on the image were called BNSEL.MP3 (audio clip from German radio) and GREEK.MPG (short video clip), but as described above, the first characters in their names were lost when they were deleted.

Also, to keep things simple, we are only asking you to extract deleted files from the root directory (see the FAT16 description links in the hints section). That is, you do not need to worry about subdirectories and can assume that all deleted files on the images that you receive are in the root directory. Furthermore, the files on the images are not fragmented, making your job much easier.
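The following is an added example, not the course's csi.c or any other project code, showing the core of the task described above: parse the FAT16 boot sector, walk the root directory for entries whose first byte is 0xE5, rebuild the name with "I" in place of the lost character, and compute where each file's (unfragmented) data starts in the image. It works on an image held in memory and clamps the available byte count so a truncated image is never read past its end; the sample image it builds is constructed here and is not the course image.

```c
/* Added example (not the course csi.c): locate deleted root-directory entries in a FAT16 image held in memory. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
struct deleted { char name[13]; uint32_t size; size_t offset, avail; };
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
/* Build "IHOOT.TXT" from the 8.3 field: 'I' replaces the lost first byte, 0x20 padding is trimmed. */
static void entry_name(const uint8_t *e, char *out) {
    int n = 0, i, end = 8, ext = 11;
    while (end > 1 && e[end - 1] == ' ') end--;
    while (ext > 8 && e[ext - 1] == ' ') ext--;
    out[n++] = 'I';
    for (i = 1; i < end; i++) out[n++] = (char)e[i];
    if (ext > 8) for (out[n++] = '.', i = 8; i < ext; i++) out[n++] = (char)e[i];
    out[n] = '\0';
}
/* Walk the root directory; each 0xE5 entry yields name, size, first-cluster offset (files are unfragmented) and 'avail', clamped to the bytes the truncated image really holds. */
int fat16_scan_deleted(const uint8_t *img, size_t len, struct deleted *out, int max) {
    if (len < 512) return 0;
    size_t bps = le16(img + 11), spc = img[13], nfats = img[16], spf = le16(img + 22);
    size_t root_off = (le16(img + 14) + nfats * spf) * bps, root_entries = le16(img + 17);
    size_t data_off = root_off + root_entries * 32;
    int found = 0;
    for (size_t i = 0; i < root_entries && found < max; i++) {
        const uint8_t *e = img + root_off + i * 32;
        if (root_off + i * 32 + 32 > len || e[0] == 0x00) break;               /* 0x00 = end of directory */
        if (e[0] != 0xE5 || (e[11] & 0x18) || le16(e + 26) < 2) continue;     /* live file, label, subdir */
        struct deleted *d = &out[found++];
        entry_name(e, d->name);
        d->size = le16(e + 28) | ((uint32_t)le16(e + 30) << 16);
        d->offset = data_off + (size_t)(le16(e + 26) - 2) * spc * bps;
        d->avail = d->offset >= len ? 0 : (len - d->offset < d->size ? len - d->offset : d->size);
    }
    return found;
}
/* Constructed sample, not the course image: 512-byte sectors, 1 sector per cluster, 1 reserved sector,
   2 FATs of 1 sector each, 16 root entries -> root directory at byte 1536, cluster 2 at byte 2048. */
static uint8_t sample[4096];
const uint8_t *build_sample(void) {
    uint8_t *e = sample + 1536;
    sample[12] = 0x02; sample[13] = 1; sample[14] = 1; sample[16] = 2; sample[17] = 16; sample[22] = 1;
    e[0] = 0xE5; memcpy(e + 1, "HOOT   TXT", 10); e[26] = 2; e[28] = 5;        /* deleted SHOOT.TXT */
    memcpy(sample + 2048, "hello", 5);
    return sample;
}
int main(void) {                  /* csi.c would fwrite(img + d.offset, 1, d.avail, fopen(d.name, "wb")) */
    struct deleted d[16]; int n = fat16_scan_deleted(build_sample(), sizeof sample, d, 16);
    for (int i = 0; i < n; i++) printf("%s: %u bytes at offset %zu (%zu present)\n", d[i].name, d[i].size, d[i].offset, d[i].avail);
    return 0;
}
```

For the real csi.c, the image would be read with open()/read() into a buffer and each entry written out with the recovered name; passing the true file length as len is what protects against the 977KB truncation.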

We have put your image in your home directory on bandit. It has the name forensicsNNN.img (where NNN is your inetsec account number). It might be a good idea to make a copy before working on it. This allows you to go back to a clean copy if you make a mistake and tamper with the image you are working on.

Finally, remember that you need to discover the hidden message in the deleted files you extract ;-). Once you find it, follow the instructions in it.

Here is the Makefile we will use to compile your sources.

Hints


  • Here is a good description of Microsoft's File Allocation Table file system. The relevant sections for you are the ones on FAT16.
  • Here is another useful document on FAT16.
  • Here is some useful information on undeletion.
  • hexedit is your friend. It should prove useful when looking at the FAT sections of the image and understanding things during debugging sessions (if necessary).
  • The image you have is not complete. It is actually the first 1,000,000 bytes (i.e., 977KB) of an original 9MB image. We did not give you the complete image in order not to waste resources. If you would like to mount the image at home under Linux, you can use the command:
        mount -o loop forensicsNNN.img mnt/ -t msdos
    where mnt/ is the mount point. Note that you cannot do this in the lab environment because you are not root (well, at least, that is what we believe ;-)). If you mount the image, you will see that it does not contain any files.
  • file is your friend - but not always ;-)
  • File name entries are always padded up with spaces in FAT16 (i.e., the 0x20 character). Do not forget to get rid of these spaces (i.e., trim) when creating a copy of the file.

Deliverables


To submit your challenge solution to us, you need to follow these steps:

  1. Copy your csi.c and code.txt (see the hidden message) files to your account.
  2. In the directory where your files are located, call /usr/local/bin/submit3.
  3. Read any error or success messages. Then, wait a couple of minutes and read your e-mails on bandit to view the results of the automatic grading program.

Administrative Information and Deadline


This is an individual project. The project is due on Tuesday, 03.05.2011, 23:59:59 PST.