COEN 252
Final Examination

The final examination consists of two parts. One is a practical exam, for which you need either to download the files or use the CD handed out on Saturday, Dec. 4, 2004. The other part is in class, on December 11, 2004.

Practical Part

1. Analyzing captured traffic

Scenario: You suspect that a computer at SCU has been broken into and that the attacker is maintaining access to it. Before you do a forensic examination of the machine itself, you decide to capture the network traffic to and from the affected computer.

Task: You have a capture file cap5. Use ethereal or any other tool to figure out what is going on here.

Hint: Read up on netcat. The first part of the file is interesting. The second part is a rather silly attack.

Deliverables: Give a short history of what the attacker is doing on the attacked machine. Finally, what secrets have been transferred here?

2. Device Analysis

You are given a dd-image of a thumb drive. Search the drive for a text file that gives a secret relating to the course. Once you have found the file, tell me as much as possible about it (what type of file it is, when it was created, ...) and restore its contents.

3. FAT

Decipher the following FAT32 directory entry (32 bytes in on-disk order, offset 0x00 to 0x1F; multi-byte fields are little-endian):

E5 32 35 32 20 20 20 20 44 4F 43 20 18 2E CD 89
83 31 83 31 00 00 CE 89 83 31 DF 17 00 50 00 00
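A decoder for a short (8.3) FAT directory entry, added here as a worked example; it is not part of the exam and not the course's own code. The field layout follows the on-disk FAT32 format (name, attributes, NT reserved byte, creation time with 10 ms tenths, creation date, last-access date, high and low halves of the first cluster, write time and date, file size); the lower-case flags in the NT reserved byte are a Windows NT extension that not every driver sets. The 32 bytes are the ones printed in the question; the dictionary keys and function names are this example's own.

```python
"""Decode a 32-byte FAT32 short (8.3) directory entry."""
import struct
from datetime import datetime

# The 32 bytes of the exam's directory entry, copied from the question.
ENTRY = bytes.fromhex(
    "E5 32 35 32 20 20 20 20 44 4F 43 20 18 2E CD 89 "
    "83 31 83 31 00 00 CE 89 83 31 DF 17 00 50 00 00"
)

ATTR_BITS = [(0x01, "READ_ONLY"), (0x02, "HIDDEN"), (0x04, "SYSTEM"),
             (0x08, "VOLUME_ID"), (0x10, "DIRECTORY"), (0x20, "ARCHIVE")]
ATTR_LONG_NAME = 0x0F   # attribute value reserved for VFAT long-name entries


def fat_date(word):
    """Bits 15-9: years since 1980, 8-5: month, 4-0: day. Zero means 'not recorded'."""
    if word == 0:
        return None
    return 1980 + (word >> 9), (word >> 5) & 0x0F, word & 0x1F


def fat_datetime(date_word, time_word, tenths=0):
    """Time word: bits 15-11 hours, 10-5 minutes, 4-0 seconds/2.
    tenths is the 0-199 count of 10 ms units that only the creation stamp carries."""
    d = fat_date(date_word)
    if d is None:
        return None
    hour, minute = time_word >> 11, (time_word >> 5) & 0x3F
    second = (time_word & 0x1F) * 2 + tenths // 100
    return datetime(*d, hour, minute, second, (tenths % 100) * 10_000)


def parse_dir_entry(raw):
    """Return the decoded fields of one 32-byte directory entry as a dict."""
    if len(raw) != 32:
        raise ValueError("a FAT directory entry is exactly 32 bytes")
    (name, attr, nt_res, crt_tenth, crt_time, crt_date, acc_date,
     clus_hi, wrt_time, wrt_date, clus_lo, size) = struct.unpack("<11sBBBHHHHHHHI", raw)
    if attr == ATTR_LONG_NAME:
        raise ValueError("long-name entry: decode as a VFAT LFN record, not as 8.3")

    first = name[0]
    if first == 0x00:
        status = "free (end of directory)"
    elif first == 0xE5:
        status = "deleted"          # the first character of the name is lost
    else:
        status = "in use"
    if first == 0x05:               # 0x05 stands in for a leading 0xE5 in some code pages
        name = b"\xE5" + name[1:]

    base = name[:8].decode("latin-1").rstrip(" ")
    ext = name[8:11].decode("latin-1").rstrip(" ")
    if status == "deleted":
        base = "?" + base[1:]
    # NT reserved byte: 0x08 = base name stored lower-case, 0x10 = extension lower-case
    shown_base = base.lower() if nt_res & 0x08 else base
    shown_ext = ext.lower() if nt_res & 0x10 else ext
    display = shown_base + ("." + shown_ext if ext else "")

    return {
        "status": status,
        "name": base, "ext": ext, "display": display,
        "attributes": [label for bit, label in ATTR_BITS if attr & bit],
        "created": fat_datetime(crt_date, crt_time, crt_tenth),
        "last_access": fat_date(acc_date),
        "modified": fat_datetime(wrt_date, wrt_time),
        "first_cluster": (clus_hi << 16) | clus_lo,
        "size": size,
    }


if __name__ == "__main__":
    for key, value in parse_dir_entry(ENTRY).items():
        print(f"{key:14} {value}")
```

The status byte is the first thing to read: 0xE5 marks a deleted entry whose data clusters may still be intact, which is why the first cluster and the size are worth recovering even for an entry the file system no longer shows. The last-access field is a date only, so it cannot order events finer than a day.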

4. Email Tracing

Verify that the email with the following header is probably not spoofed:

MIME-Version: 1.0
Received: from cidmail.services.dauphine.fr ([193.49.169.33]) by mc2-f34.hotmail.com with Microsoft SMTPSVC(5.0.2195.6824); Mon, 8 Mar 2004 02:36:46 -0800
Received: from dell11 (experech02.experech.dauphine.fr [193.51.91.2]) by cidmail.services.dauphine.fr (8.12.9/jtpda-5.3.2) with SMTP id i28AaiCX016939 ; Mon, 8 Mar 2004 11:36:44 +0100 (MET)
X-Message-Info: JGTYoYF78jExgVBn8cXpWh35xsi9rgnE
Message-ID: <003201c40545$0c4cd260$0b01010a@dell11>
References: <DPEAJOPPAIDDEIKHINBIIECODHAA.litwin.witold@wanadoo.fr>
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2919.6700
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
Return-Path: rim.moussa@dauphine.fr
X-OriginalArrivalTime: 08 Mar 2004 10:36:47.0130 (UTC) FILETIME=[41D89FA0:01C404F9]

Deliverables: Determine all the way-points of this message. Use Sam Spade or a similar utility to ascertain that all IP addresses and their respective names match. Draw a timeline (in Coordinated Universal Time, UTC) of when the SMTP servers passed the message on.
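The timeline part of this task, worked through in Python as an added example (not part of the exam and not the course's own tool). The two Received: lines and the X-OriginalArrivalTime value are copied from the header above; the parsing regex, the function names and the dictionary keys are this example's own. It converts every timestamp to UTC, decodes the Windows FILETIME that Hotmail recorded at final delivery, and runs the two offline consistency checks a tracer does before touching DNS: the clock never runs backwards along the path, and the server that stamped each hop is the one the next hop claims to have received from. The name-to-address check the task asks for (Sam Spade) needs live DNS, so the code only extracts the pairs to look up.

```python
"""Reconstruct the relay timeline of the exam message from its Received: headers."""
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Header lines copied from the exam question; only the fields the timeline needs.
RECEIVED_LINES = [
    "Received: from cidmail.services.dauphine.fr ([193.49.169.33]) by mc2-f34.hotmail.com "
    "with Microsoft SMTPSVC(5.0.2195.6824); Mon, 8 Mar 2004 02:36:46 -0800",
    "Received: from dell11 (experech02.experech.dauphine.fr [193.51.91.2]) by "
    "cidmail.services.dauphine.fr (8.12.9/jtpda-5.3.2) with SMTP id i28AaiCX016939 ; "
    "Mon, 8 Mar 2004 11:36:44 +0100 (MET)",
]
ORIGINAL_ARRIVAL = "08 Mar 2004 10:36:47.0130 (UTC) FILETIME=[41D89FA0:01C404F9]"

_FROM_BY = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)")
_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(line):
    """Split one Received: header into the fields a trace needs."""
    body, _, stamp = line.partition("Received:")[2].rpartition(";")
    m = _FROM_BY.search(body)
    if not m:
        raise ValueError("unrecognised Received: line")
    claimed, comment, by = m.groups()
    comment = comment or ""
    ip = _IPV4.search(comment)
    # The receiving MTA writes the reverse-DNS name it resolved before the literal
    # address; when it recorded only the address there is no name to compare against.
    rdns = comment.split("[")[0].strip() or None
    # Drop the "(MET)" style comment; the numeric offset is what counts.
    when = parsedate_to_datetime(stamp.strip().split("(")[0].strip())
    return {
        "claimed_from": claimed,   # what the sender announced in HELO/EHLO
        "rdns": rdns,              # what the receiver saw the connection as
        "ip": ip.group(1) if ip else None,
        "by": by,
        "utc": when.astimezone(timezone.utc),
    }


def parse_filetime(field):
    """Decode FILETIME=[low:high]: 100 ns ticks since 1601-01-01 00:00 UTC."""
    low, high = field.split(":")
    ticks = (int(high, 16) << 32) | int(low, 16)
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)


def original_arrival(header):
    m = re.search(r"FILETIME=\[([0-9A-Fa-f]+:[0-9A-Fa-f]+)\]", header)
    return parse_filetime(m.group(1))


def timeline(received_lines):
    """Hops oldest first: each MTA prepends its Received: line, so reverse the list."""
    return [parse_received(line) for line in reversed(received_lines)]


def check_chain(hops, arrival):
    """Offline consistency checks; returns a list of findings (empty means consistent)."""
    findings = []
    for a, b in zip(hops, hops[1:]):
        if b["utc"] < a["utc"]:
            findings.append(f"clock runs backwards between {a['by']} and {b['by']}")
        if a["by"] != b["claimed_from"]:
            findings.append(f"{a['by']} stamped the hop but the next hop claims {b['claimed_from']}")
    if arrival < hops[-1]["utc"]:
        findings.append("final delivery stamp precedes the last Received: line")
    return findings


if __name__ == "__main__":
    hops = timeline(RECEIVED_LINES)
    for h in hops:
        print(h["utc"].strftime("%Y-%m-%d %H:%M:%S UTC"), h["claimed_from"], "->", h["by"],
              "| lookup:", h["ip"], h["rdns"])
    arrival = original_arrival(ORIGINAL_ARRIVAL)
    print(arrival.isoformat(), "final delivery (FILETIME)")
    print("findings:", check_chain(hops, arrival) or "none")
```

The decoded FILETIME reads 10:36:47.130 UTC, two seconds after the hotmail.com hop and three after the dauphine.fr hop, so the three stamps agree once the +0100 and -0800 offsets are removed. The one mismatch the code surfaces is not a finding: the first hop announced itself as "dell11" while cidmail.services.dauphine.fr resolved the connection to experech02.experech.dauphine.fr [193.51.91.2]; an internal workstation name on the first hop is normal, and the reverse name sits in the same domain as the Return-Path, which is what the DNS check should confirm.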

©2004 Thomas Schwarz, S.J., COEN, SCU