Sim Filesystem

From ForensicsWiki

''Under Construction''

The [[SIM Card]] is the basic memory device inside many of the mobile phones in use today. This small piece of hardware has been key to solving many cases in the world of [[SIM Card Forensics]]. However, without proper knowledge of the SIM card's filesystem, the user will miss much of the valuable information the [[SIM Card]] holds.

== Getting Started ==

[[File:What_you_need.jpg|250px|thumb|Items you need]]

This is a list of items to get you started on reading SIM Cards and their information:

# [[SIMCon]]
#* Program used to read SIM Cards
# [[SIM Cards]]
# SIM Card Reader

== Quick Guide for SIMCon ==

# Make sure the SIM Card Reader, with the SIM Card inserted, is connected
# Open [[SIMCon]]
# Click File > Read SIM, or click [[File:Simcon.png]] in the upper left corner of [[SIMCon]]
# Click OK when the next dialog box pops up
#* '''Note''': some SIM cards are locked. This is where the PIN needs to be entered, if known.
#* If the PIN is unknown, the SIM cannot be read.
# Click OK again when the next dialog box pops up

== Definitions ==

=== MF ===
* Only '''one''' MF
* The Master File (MF)
* Root of the SIM Card file system
* Equivalent to the root directory, "/", in the Linux filesystem

=== DF ===
* Dedicated Files (DF)
* Equivalent to a folder in a Windows/Linux filesystem
* Usually three DFs:
** DF_GSM / DF_DCS1800 / DF_TELECOM

==== DF_DCS1800 / DF_GSM ====
* Contain network-related information
* Specifying data in DF_GSM writes only to DF_GSM on the SIM
* The SIM is expected to mirror GSM and DCS1800

==== DF_TELECOM ====
* Contains the service-related information

=== EF ===
* Elementary Files (EF)
* Each holds one to many records
* Represent the leaf nodes of the filesystem
* EFs sit below the DFs in the filesystem hierarchy

== Information ==

=== EF_ICCID ===

This displays the ID, or Card Identity, of the SIM Card; it can also be found printed on the SIM card itself.

[[File:Ef_iccid.png|350px|thumb]]

=== DF_GSM ===

==== EF_IMSI ====

[[File:Ef_imsi.png|350px|thumb]]

* International Mobile Subscriber Identity (IMSI)[http://en.wikipedia.org/wiki/IMSI]
* 310 - 260 - 653235860
* MCC - MNC - MSIN
** MCC[http://en.wikipedia.org/wiki/List_of_mobile_country_codes] (3 Digits)
*** Mobile Country Code
** MNC[http://en.wikipedia.org/wiki/Mobile_Network_Code] (2 Digits EU / 3 Digits NA)
*** Mobile Network Code
** MSIN[http://en.wikipedia.org/wiki/MSIN] (Remaining Digits)
*** Mobile Subscription Identification Number
*** Within the network's customer base
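On the card itself, EF_ICCID and EF_IMSI are not stored as the readable digit strings SIMCon displays but as swapped-nibble BCD, with EF_IMSI carrying a length byte and a parity flag. As an added example that is not part of this page or of SIMCon, the following Python decodes both files and splits the page's IMSI 310-260-653235860 into MCC, MNC and MSIN; the sample byte strings are constructed, and the MNC length is a caller-supplied parameter because the card does not record it.

```python
# Decoders for raw SIM EF_ICCID and EF_IMSI records (coding per 3GPP TS 51.011).

def _swapped_bcd(data: bytes) -> str:
    """Return the decimal digits of swapped-nibble BCD, skipping 0xF filler."""
    digits = []
    for byte in data:
        for nibble in (byte & 0x0F, byte >> 4):  # low nibble is the earlier digit
            if nibble == 0xF:                     # filler that pads an odd digit count
                continue
            if nibble > 9:
                raise ValueError(f"non-decimal nibble {nibble:#x}")
            digits.append(str(nibble))
    return "".join(digits)

def decode_iccid(raw: bytes) -> str:
    """EF_ICCID is a fixed 10-byte record of swapped BCD digits."""
    if len(raw) != 10:
        raise ValueError("EF_ICCID must be exactly 10 bytes")
    return _swapped_bcd(raw)

def decode_imsi(raw: bytes) -> str:
    """EF_IMSI: byte 0 is the length; byte 1 holds the first digit (high nibble)
    and the parity/type bits (low nibble, 0x9 for an odd number of digits)."""
    length = raw[0]
    body = raw[1:1 + length]
    if len(body) != length or length > 8:
        raise ValueError("EF_IMSI length byte does not match the data")
    odd_flag = bool(body[0] & 0x08)               # b4 of byte 1: odd/even indicator
    digits = str(body[0] >> 4) + _swapped_bcd(body[1:])
    if odd_flag != (len(digits) % 2 == 1):
        raise ValueError("IMSI parity bit disagrees with the digit count")
    return digits

def split_imsi(imsi: str, mnc_digits: int) -> dict:
    """Split an IMSI into MCC (3 digits), MNC (2 digits EU / 3 digits NA) and
    MSIN (the rest). The SIM does not store the MNC length, so the caller
    supplies it from the MCC's numbering plan (assumed, hypothetical parameter)."""
    if mnc_digits not in (2, 3) or len(imsi) > 15:
        raise ValueError("invalid MNC length or IMSI")
    return {"mcc": imsi[:3], "mnc": imsi[3:3 + mnc_digits], "msin": imsi[3 + mnc_digits:]}

# Constructed EF_IMSI record encoding the page's example IMSI 310-260-653235860.
SAMPLE_EF_IMSI = bytes.fromhex("08 39 01 62 60 35 32 85 06")
# Constructed 19-digit EF_ICCID record with a trailing 0xF filler nibble.
SAMPLE_EF_ICCID = bytes.fromhex("98 10 12 34 56 78 90 12 34 F5")
```

Feeding the same record to SIMCon and to this decoder is a quick way to confirm a tool is reading the raw file rather than a cached or edited value.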
NSF DUE-0919593

Revision as of 16:07, 16 May 2011

This page includes links to digital forensics resources produced under NSF DUE-0919593, "Creating Realistic Forensic Corpora for Undergraduate Education and Research".

EDUCATIONAL DATA SETS

1. 2009-M57 "Patents" scenario

This scenario involves a small company called M57, which was engaged in prior-art searches for patents. The fictional company is contacted by the local police in November 2009 after a person purchases a computer from Craigslist and discovers "kitty porn" on it. The police trace the computer back to M57.

The scenario actually involves three separate criminal activities:

     1 - Exfiltration of proprietary information by an M57 employee.
     2 - Theft of M57's property and its sale on Craigslist.
     3 - Possession of "kitty porn" photos by an M57 employee.

This is an involved scenario, with the following information available to students trying to "solve" the case:

     1 - A disk image of the computer that was sold on Craigslist.
     2 - Disk images of the firm's five computers as they were when the police showed up.
     3 - Disk images of the four USB drives found on-site belonging to M57 employees.
     4 - A RAM image of each computer, taken just before its disk was imaged.

There are approximately 2-4 weeks of use on each computer.

2. Nitroba University Harassment Scenario

This scenario involves a harassment case at the fictional Nitroba University.

Nitroba's IT department has received an email from Lily Tuckrige, a teacher in the Chemistry Department. Tuckrige has been receiving harassing emails and suspects that they are being sent by a student in her class, Chemistry 109, which she is teaching this summer. The email was received at Tuckrige's personal email account, lilytuckrige@yahoo.com. She took a screenshot of the web browser and sent it in.

The system administrator who received the complaint wrote back to Tuckrige that Nitroba needed the full headers of the email message. Tuckrige responded by clicking the "Full message headers" button in Yahoo Mail and sent in another screenshot, this one showing the mail headers.

The mail header shows that the message originated from the IP address 140.247.62.34, which belongs to a Nitroba student dorm room. Three women share the room. Nitroba provides an Ethernet connection in every dorm room but no Wi-Fi access, so one of the women's friends installed a Wi-Fi router in the room. There is no password on the Wi-Fi.

Because several email messages appear to come from this IP address, Nitroba decides to place a network sniffer on the Ethernet port; all of the packets are logged. On Monday 7/21 Tuckrige received another harassing email. This time, instead of sending it directly, the perpetrator sent it through a web-based service called "willselfdestruct.com." The website briefly shows the message to Tuckrige, and then reports that the "Message Has Been Destroyed."

Students are provided with the screenshots, the packets collected from the Ethernet tap, and the Chem 109 roster. Their job is to determine whether one of the students in the class was responsible for the harassing email and to provide clear, conclusive evidence to support their conclusion.

3. M57 Jean

The M57-Jean scenario is a single-disk-image scenario involving the exfiltration of corporate documents from the laptop of a senior executive. The scenario involves a small start-up company, M57.Biz. A few weeks after the company's inception, a confidential spreadsheet containing the names and salaries of the company's key employees was found posted to the "comments" section of one of the firm's competitors. The spreadsheet only existed on the laptop of one of M57's officers, Jean. Jean says that she has no idea how the data left her laptop and that she must have been hacked.

Students are given a disk image of Jean's laptop. Their job is to figure out how the data was stolen, or whether Jean isn't as innocent as she claims.

RESEARCH DATA SETS

We are also making available an enlarged "research data set" which contains a wealth of information that can be used by students interested in RAM, network, or disk forensics.

The research data set was created at the same time as the 2009-M57 Patents dataset but contains substantially more information:

 * All of the IP packets in and out of the M57 test network.
 * Daily disk images and RAM captures of each computer on the network.

This data is not needed to "solve" the scenario, but it might be interesting for students who:

 * Are interested in learning about RAM analysis and need a source of RAM images.
 * Are interested in network forensics and want packets.
 * Are interested in writing software that does "disk differencing" or can detect the installation of malware.
 * Want examples of how a Windows registry is modified over time with use.

OBTAINING THE DATA

You can obtain our data at the following addresses:

The M57 Corpus:
 * http://torrent.ibiblio.org/doc/187/torrents (BitTorrent form)
 * http://domex.nps.edu/corp/scenarios/2009-m57/ (individual files)

Please download from the iBiblio BitTorrent server if possible. There are a number of torrents available for your convenience. If you examine the manifests, you will notice that the files overlap (some disk images appear in more than one torrent).

Each torrent will place files into:

         [YOUR_LOCAL_DIRECTORY]/torrent_name/corp/scenarios/2009_m57/

Please seed if possible! The "police materials" torrent references only those materials that would be captured in a raid (e.g. the final day of the scenario).


The 2008-Nitroba corpus:
 * http://domex.nps.edu/corp/scenarios/2008-nitroba/