Digital Forensics
Due Thursday, February 10th

Assignment 1: Live Forensics Exercise

Scenario:

You have been contacted by management at "Compromise.com". Complaints have been made to various spam-reporting services that spam has been seen coming from the outfacing NAT IP number for "Compromise.com". The company suspects that one or both of their webservers have been compromised.

You have been given internal access to their LAN (192.168.128.*). The two webservers' IP numbers in the LAN are 192.168.128.10 and 192.168.128.11.

The company would prefer that you do a clean investigation without talking to their technical people, so you don't know anything about the actual hardware or software involved.

Your task is to investigate and observe from today until Wednesday, February 9th at noon for any compromises or other anomalous behavior by either of the servers; if you find any compromise, further investigate it and determine what has occurred and what can be done to remediate the situation. However, you are not to actually fix the situation, only record your findings.

Ground Rules:

Your Work Product:

  1. Create a short narrative of your experiences, and make sure to describe each program that you used. If you see anything anomalous, be sure to also highlight those anomalies in a separate section of your writeup.
  2. Document everything that you do, including all of your futile activities.
  3. You should try to capture state, such as personality information for the servers.
  4. Don't forget that you can use scripting to make your task easier now and in the future. Investigative scripts do not necessarily need to exist on a remote machine, although it is usually easiest to put them there.
  5. While your report is required to be handed to me in hard copy at the beginning of class on February 10, you may email me any bulk items that exceed a few pages in length (examples would include items such as the raw results of lsof). Please put all of your bulk items into a single file called "results.txt", and it should be a flat text file (not Word or other word processor document). Make sure that you include your name in "results.txt".

Bear in mind that with live forensics both computer state and cybercrime activity are dynamic; whether or not you have had any success in the early part of the investigation week, you will want to recheck the state of the servers at various times to see if there are changes. Also remember that there are 27 other people attempting the same investigation, so you most likely will see their footprints also.
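As an added illustration of items 3 and 4 above and of the "recheck the state" advice (this is example code written for this page, not a script supplied with the course), the POSIX shell script below takes a repeatable "personality" snapshot of a host: it records which investigative commands are available, captures their output into one flat text file with labelled sections, hashes the file so the record can be shown unaltered later, and counts how many lines differ between two snapshots taken at different times. The command list, the section labels and the file paths are assumptions; any tool that is not installed is noted as missing rather than breaking the run, so snapshots from different hosts stay comparable.

```shell
#!/bin/sh
# Added example (not part of the assignment): repeatable host-state snapshot.
# Assumes it runs on, or over ssh to, a host you are authorized to examine.
# Every command is run only if present, so the output format is the same
# whether or not a tool (lsof, netstat, ...) is installed.

# Snapshot list, one "label|command" per line. Labels are hypothetical names.
SNAPSHOT_COMMANDS='
hostname|uname -n
date_utc|date -u
kernel|uname -a
uptime|uptime
whoami|id
logged_in|who
processes|ps -ef
listeners|netstat -tuln
open_files|lsof -nP
'

# collect_state OUTFILE
# Appends one timestamped snapshot to OUTFILE (a flat text file, as item 5
# requires) and prints the number of sections that actually ran.
collect_state() {
    out="$1"
    count=0
    printf '%s\n' "=== snapshot $(date -u +%Y-%m-%dT%H:%M:%SZ) host=$(uname -n) ==="  >> "$out"
    # The here-document keeps the loop in the current shell, so $count survives.
    while IFS='|' read -r label cmd; do
        [ -n "$label" ] || continue
        tool=${cmd%% *}
        if command -v "$tool" >/dev/null 2>&1; then
            printf '%s\n' "--- $label: $cmd" >> "$out"
            # stderr is kept in the record too: a failing command is itself a finding
            $cmd >> "$out" 2>&1 || printf '%s\n' "[exit status $?]" >> "$out"
            count=$((count + 1))
        else
            printf '%s\n' "--- $label: $cmd [not installed]" >> "$out"
        fi
    done <<EOF
$SNAPSHOT_COMMANDS
EOF
    echo "$count"
}

# snapshot_digest FILE
# Prints a SHA-256 of the snapshot so the writeup can cite an unaltered record.
snapshot_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        echo "no-sha256-tool"
    fi
}

# compare_snapshots OLD NEW
# Prints how many lines changed between two snapshot files. The two timestamp
# lines always differ, so anything beyond 2 is worth reading by hand.
compare_snapshots() {
    diff "$1" "$2" | grep -c '^[<>]' || true
}

# Usage (hypothetical paths): sh snapshot.sh /path/to/results.txt
if [ -n "${1:-}" ]; then
    n=$(collect_state "$1")
    echo "wrote $n sections to $1 (sha256 $(snapshot_digest "$1"))"
fi
```

Run it at the start of the week and again at each recheck, appending to the same results.txt so the record grows in time order; keep the digest of each run in your narrative, and diff two runs to spot new listeners, new processes or new logins rather than rereading the whole file.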


(1) Email the "results.txt" file to me at "langley AT cs.fsu.edu".

(2) Print out the write-up of your experiences, and give that to me at the beginning of class on February 10th.