List: sleuthkit-users
Subject: [sleuthkit-users] forensic corpora available
From: Simson Garfinkel <simsong () acm ! org>
Date: 2011-01-07 13:02:13
Message-ID: 11CB5C85-D4C2-4C10-8338-8508301C6BB0 () acm ! org

Greetings.

You may remember that I am working on a project sponsored by the National Science Foundation to create computer forensic materials for use in computer forensics education.

I am writing to tell you that we have a number of corpora for you to download immediately. We are creating ancillary materials for these corpora; in some cases the materials are available too, in other cases they are still under development.

We are very interested in helping you and other educators and researchers make use of these materials.

The following materials are available now:

================================================================
EDUCATIONAL DATA SETS

1. 2009-M57 "Patents" scenario

   This scenario involves a small company called M57 which was engaged in prior art searches for patents. The fictional company is contacted by the local police in November 2009 after a person purchases a computer from Craigslist and discovers "kitty porn" on the computer. The police trace the computer back to the M57 company.

   The scenario actually involves three separate criminal activities:
     1 - Exfiltration of proprietary information by an M57 employee.
     2 - Stealing of M57's property and selling it on Craigslist.
     3 - The possession of "kitty porn" photos by an M57 employee.

   This is an involved scenario which has the following information available to students trying to "solve" the case:
     * Disk image of the computer that was sold on Craigslist
     * Disk images of the firm's five computers when the police show up.
     * Disk images of the four USB drives that were found on-site belonging to M57 employees
     * The RAM image of each computer just before the disk was imaged.

   There are approximately 2-4 weeks of use on each computer.

2. Nitroba University Harassment Scenario

   This scenario involves a harassment case at the fictional Nitroba University.

   Nitroba's IT department has received an email from Lily Tuckridge, a teacher in the Chemistry Department. Tuckridge has been receiving harassing emails and she suspects that they are being sent by a student in her class Chemistry 109, which she is teaching this summer. The email was received at Tuckridge's personal email account, lilytuckrige@yahoo.com. She took a screenshot of the web browser and sent it in.

   The system administrator who received the complaint wrote back to Tuckridge that Nitroba needed the full headers of the email message. Tuckridge responded by clicking the "Full message headers" button in Yahoo Mail and sent in another screen shot, this one with mail headers.

   The mail header shows that the mail message originated from the IP address 140.247.62.34, which is a Nitroba student dorm room. Three women share the dorm room. Nitroba provides an Ethernet connection in every dorm room but not Wi-Fi access, so one of the women's friends installed a Wi-Fi router in the room. There is no password on the Wi-Fi.

   Because several email messages appear to come from the IP address, Nitroba decides to place a network sniffer on the Ethernet port. All of the packets are logged. On Monday 7/21 Tuckridge received another harassing email. But this time instead of receiving it directly, the perpetrator sent it through a web-based service called "willselfdestruct.com." The website briefly shows the message to Tuckridge, and then the website reports that the "Message Has Been Destroyed."

   Students are provided with the screen shots, the packets that were collected from the Ethernet tap, and the Chem 109 roster. Their job is to determine if one of the students in the class was responsible for the harassing email and to provide clear, conclusive evidence to support their conclusion.

================================================================
RESEARCH DATA SETS

We are also making available an enlarged "research data set" which contains a wealth of information that can be used by students interested in RAM, Network, or Disk Forensics.

The research data set was created at the same time as the 2009-M57 Patents dataset but contains substantially more information:

   * All of the IP packets in and out of the M57 test network.
   * Daily disk images and RAM captures of each computer on the network.

This data is not needed to "solve" the scenario, but it might be interesting for students who:

   * Are interested in learning about RAM analysis and need a source of RAM images.
   * Are interested in network forensics and want packets.
   * Are interested in writing software that does "disk differencing" or can detect the installation of malware.
   * Want examples of how a Windows registry is modified over time with use.

================================================================
OBTAINING THE DATA

You can obtain our data at the following addresses:

The M57 Corpus:
   * http://torrent.ibiblio.org/doc/187/torrents (bit torrent form)
   * http://domex.nps.edu/corp/scenarios/2009-m57/ (individual files)

   Please download from the iBiblio bittorrent server if possible. There are a number of torrents available for your convenience. If you examine the manifests, you will notice that the files overlap (some disk images appearing in more than one torrent). Each torrent will place files into:
      [YOUR_LOCAL_DIRECTORY]/corp/scenarios/2009_m57/
   avoiding multiple downloads of the same materials. Please seed if possible! The "police materials" torrent references only those materials that would be captured in a raid (e.g. the final day of the scenario).

The 2008-Nitroba corpus:
   * http://domex.nps.edu/corp/scenarios/2008-nitroba/

Please feel free to share these links with others. We are interested in having this material widely distributed and used. We will have teaching materials available shortly.

Please let us know if you make use of these materials by sending us an email.

Also, if you have any publications regarding these materials, please reference NSF DUE-0919593 in your publication, so that we can find it with a web search.

Regards,

Simson Garfinkel
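The Nitroba scenario above turns on reading the full mail headers to find the originating IP address. The following is an added example, not part of the original post or of the corpus, showing how that first step is done programmatically: the Received: headers are walked from the oldest hop (the last header, since each relay prepends its own) to the newest. The message is constructed here in the shape of the scenario's complaint; the relay names and the 192.0.2.x / 198.51.100.x addresses are assumed documentation values, and only the 140.247.62.34 address comes from the scenario.

```python
import re
from email import message_from_string

# Constructed sample message (not from the corpus). The earliest hop, and so
# the submitting client, is the LAST Received: header in the block.
SAMPLE_MESSAGE = """\
Received: from mta.example.net (mta.example.net [192.0.2.10])
        by imap.example.net with ESMTP id abc123
        for <lilytuckrige@yahoo.com>; Mon, 21 Jul 2008 14:02:11 -0400
Received: from webmail.example.net (unknown [198.51.100.7])
        by mta.example.net with SMTP; Mon, 21 Jul 2008 14:02:10 -0400
Received: from [140.247.62.34] (dorm-host [140.247.62.34])
        by webmail.example.net with HTTP; Mon, 21 Jul 2008 14:02:09 -0400
From: anonymous@example.net
To: lilytuckrige@yahoo.com
Subject: constructed sample

body text
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# The 'from ... by' clause names the peer that handed the message to this relay.
FROM_CLAUSE = re.compile(r"^from\s+(.*?)\s+by\s", re.I)


def received_hops(raw):
    """Received: headers oldest-first, with header folding collapsed."""
    msg = message_from_string(raw)
    hops = msg.get_all("Received", [])
    return [" ".join(h.split()) for h in reversed(hops)]


def hop_ips(raw):
    """First IPv4 address in each hop's 'from' clause, oldest hop first."""
    ips = []
    for hop in received_hops(raw):
        m = FROM_CLAUSE.search(hop)
        ip = IPV4.search(m.group(1) if m else hop)
        ips.append(ip.group(1) if ip else None)
    return ips


def originating_ip(raw):
    """Address the earliest relay recorded as its peer, or None if absent."""
    ips = hop_ips(raw)
    return ips[0] if ips else None


if __name__ == "__main__":
    for i, (hop, ip) in enumerate(zip(received_hops(SAMPLE_MESSAGE), hop_ips(SAMPLE_MESSAGE))):
        print(f"hop {i}: {ip}  <- {hop[:60]}")
    print("originating IP:", originating_ip(SAMPLE_MESSAGE))
```

Only the Received: lines added by relays you control are reliable; a sender can forge earlier ones, which is why the scenario corroborates the header with a packet capture on the dorm room's Ethernet port.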