From 358145792c92a848402c5567a5c9865f8863169b Mon Sep 17 00:00:00 2001
From: "Daniel A. Quist"
Date: Thu, 15 Oct 2009 11:54:29 -0600
Subject: [PATCH] Added Kevin Nauer's forensics puzzles
---
 puzzles/forensics/forensic100/index.html | 13 +++++++++++++
 puzzles/forensics/forensic100/key | 1 +
 puzzles/forensics/forensic150/index.html | 11 +++++++++++
 puzzles/forensics/forensic150/key | 1 +
 .../forensic200/eff21d462a07b09b0cb34f9255baa768 | Bin 0 -> 512 bytes
 puzzles/forensics/forensic200/index.html | 13 +++++++++++++
 puzzles/forensics/forensic200/key.txt | 1 +
 .../forensic300/eff21d462a07b09b0cb34f9255baa768 | Bin 0 -> 512 bytes
 puzzles/forensics/forensic300/index.html | 11 +++++++++++
 puzzles/forensics/forensic300/key | 1 +
 .../forensic350/eff21d462a07b09b0cb34f9255baa768 | Bin 0 -> 512 bytes
 puzzles/forensics/forensic350/index.html | 12 ++++++++++++
 puzzles/forensics/forensic350/key | 1 +
 13 files changed, 65 insertions(+)
 create mode 100644 puzzles/forensics/forensic100/index.html
 create mode 100644 puzzles/forensics/forensic100/key
 create mode 100644 puzzles/forensics/forensic150/index.html
 create mode 100644 puzzles/forensics/forensic150/key
 create mode 100644 puzzles/forensics/forensic200/eff21d462a07b09b0cb34f9255baa768
 create mode 100644 puzzles/forensics/forensic200/index.html
 create mode 100644 puzzles/forensics/forensic200/key.txt
 create mode 100644 puzzles/forensics/forensic300/eff21d462a07b09b0cb34f9255baa768
 create mode 100644 puzzles/forensics/forensic300/index.html
 create mode 100644 puzzles/forensics/forensic300/key
 create mode 100644 puzzles/forensics/forensic350/eff21d462a07b09b0cb34f9255baa768
 create mode 100644 puzzles/forensics/forensic350/index.html
 create mode 100644 puzzles/forensics/forensic350/key
diff --git a/puzzles/forensics/forensic100/index.html b/puzzles/forensics/forensic100/index.html
new file mode 100644
index 0000000..1c7433c
--- /dev/null
+++ b/puzzles/forensics/forensic100/index.html
@@ -0,0 +1,13 @@
+
+
+Forensic 100
+
+The FBI has asked for your team's assistance in conducting a forensic analysis of a seized hacker's drive.
+The FBI tells you that the suspect is a known terrorist and may be using encryption on his disk.
+They have put their best agent on the job, but he has been unsuccessful in mounting and analyzing the drive on
+their forensic tool. Where do you tell Special Agent Dumas to begin looking to determine what type of filesystem
+is being used and whether disk encryption may be employed?
+

+Enter the key in all lower case letters
+
+
diff --git a/puzzles/forensics/forensic100/key b/puzzles/forensics/forensic100/key
new file mode 100644
index 0000000..8481b71
--- /dev/null
+++ b/puzzles/forensics/forensic100/key
@@ -0,0 +1 @@
+master boot record
diff --git a/puzzles/forensics/forensic150/index.html b/puzzles/forensics/forensic150/index.html
new file mode 100644
index 0000000..9653228
--- /dev/null
+++ b/puzzles/forensics/forensic150/index.html
@@ -0,0 +1,11 @@
+
+
+Forensic 150
+
+Special Agent Dumas has looked for the structure you told him but can't find it. He thinks the
+subject has taken evasive measures to hide the data on his drive. What signature should he look for to
+identify the structure?
+
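Review bot: The answer-format hints on these pages allow more than one reasonable spelling of the expected key, and the check is presumably an exact string match (the checker is not part of this patch). Forensic 100 only says `Enter the key in all lower case letters`, so a player who types `mbr` would be rejected although the stored key is `master boot record`. Forensic 150 does not say whether the signature is wanted in on-disk byte order (`0x55 0xaa`) or as the little-endian word `0xaa55`. The Forensic 300 and 350 pages show no format line at all, so nothing tells the player that `2048` is expected in decimal rather than hex. I would add one line per page, for example `Spell the name out in full, in lower case` and `Enter the LBA as a decimal number`.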

+Enter the key as a set of hex characters. (E.g. 0xde 0xad 0xbe 0xef) + + diff --git a/puzzles/forensics/forensic150/key b/puzzles/forensics/forensic150/key new file mode 100644 index 0000000..3693c14 --- /dev/null +++ b/puzzles/forensics/forensic150/key @@ -0,0 +1 @@ +0x55 0xaa diff --git a/puzzles/forensics/forensic200/eff21d462a07b09b0cb34f9255baa768 b/puzzles/forensics/forensic200/eff21d462a07b09b0cb34f9255baa768 new file mode 100644 index 0000000000000000000000000000000000000000..626b02751f439b2e528a082d5f035ad69cb359c4 GIT binary patch literal 512 zcmaFuF(JS`z&+G4$c2G)z|8cYk6}#;SmUo(0W}N^h6nm?^j+A)pzwQvLygV<5~hwr zLHlxQU+6P_JJe9(vBh!ss?f8-Q9(tvjlV-zm74EktvTlMpYb@00K;(?CPs#|ZaJr# zw9Xg~Aj1vB;5qKX#!z5*pwoqAi_=-*BG%mu1+QzjaGVt`<^meY-}0Z~Wj_PN7=|>% z105e6(tv6WFLj(c_=u_FMaLJ1P8SZK_=N*6n9@2~(iQ^EH@uYg-J~Og3(P2C=?LNO zbm6gf;i$Fi3gJEQh^@)%0+i(NT9QC%h6KpXoG8{Xc*$ON=sr|0la29Cai3359b z82fG;elz_4=krqe#8(Ur3=I3qYhSoByyn|iQ~Sb};WgX7w%Qk_4Ewr){%3goFDXC2 zB)v4TC`Ez6JvBd + +Forensic 200 + +Special Agent Dumas is still stumped. He has looked where you told him but is unable to decipher +what filesystem is on the disk. He has extracted the portion of the disk you pointed him to and has +
+

+eff21d462a07b09b0cb34f9255baa768
+

+Provide the answer in all capital letters + + diff --git a/puzzles/forensics/forensic200/key.txt b/puzzles/forensics/forensic200/key.txt new file mode 100644 index 0000000..4412524 --- /dev/null +++ b/puzzles/forensics/forensic200/key.txt @@ -0,0 +1 @@ +NTFS \ No newline at end of file diff --git a/puzzles/forensics/forensic300/eff21d462a07b09b0cb34f9255baa768 b/puzzles/forensics/forensic300/eff21d462a07b09b0cb34f9255baa768 new file mode 100644 index 0000000000000000000000000000000000000000..626b02751f439b2e528a082d5f035ad69cb359c4 GIT binary patch literal 512 zcmaFuF(JS`z&+G4$c2G)z|8cYk6}#;SmUo(0W}N^h6nm?^j+A)pzwQvLygV<5~hwr zLHlxQU+6P_JJe9(vBh!ss?f8-Q9(tvjlV-zm74EktvTlMpYb@00K;(?CPs#|ZaJr# zw9Xg~Aj1vB;5qKX#!z5*pwoqAi_=-*BG%mu1+QzjaGVt`<^meY-}0Z~Wj_PN7=|>% z105e6(tv6WFLj(c_=u_FMaLJ1P8SZK_=N*6n9@2~(iQ^EH@uYg-J~Og3(P2C=?LNO zbm6gf;i$Fi3gJEQh^@)%0+i(NT9QC%h6KpXoG8{Xc*$ON=sr|0la29Cai3359b z82fG;elz_4=krqe#8(Ur3=I3qYhSoByyn|iQ~Sb};WgX7w%Qk_4Ewr){%3goFDXC2 zB)v4TC`Ez6JvBd + +Forensic 300 + + +Special Agent Dumas really appreciates your team's assistance. If you can just tell him the cylinder:head:sector +of the partition you identified for him, he thinks he can get started in analyzing this disk. +
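Review bot: forensic200 stores its answer in `key.txt` while the other four puzzles added here use `key`, and the packaging or checking code that reads these files is not in this patch. If that code looks for a file named `key`, forensic200 would have no accepted answer, and `key.txt` may be treated like the disk image next to it and published to players along with `index.html`, which would hand out `NTFS`. Renaming it to `puzzles/forensics/forensic200/key` removes both risks. Separately, `key.txt`, `forensic300/key` and `forensic350/key` end without a newline while `forensic100/key` and `forensic150/key` end with one; if answers are compared byte for byte, normalise the line ending in all five files.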

+eff21d462a07b09b0cb34f9255baa768 + + diff --git a/puzzles/forensics/forensic300/key b/puzzles/forensics/forensic300/key new file mode 100644 index 0000000..1737e34 --- /dev/null +++ b/puzzles/forensics/forensic300/key @@ -0,0 +1 @@ +0:32:33 \ No newline at end of file diff --git a/puzzles/forensics/forensic350/eff21d462a07b09b0cb34f9255baa768 b/puzzles/forensics/forensic350/eff21d462a07b09b0cb34f9255baa768 new file mode 100644 index 0000000000000000000000000000000000000000..626b02751f439b2e528a082d5f035ad69cb359c4 GIT binary patch literal 512 zcmaFuF(JS`z&+G4$c2G)z|8cYk6}#;SmUo(0W}N^h6nm?^j+A)pzwQvLygV<5~hwr zLHlxQU+6P_JJe9(vBh!ss?f8-Q9(tvjlV-zm74EktvTlMpYb@00K;(?CPs#|ZaJr# zw9Xg~Aj1vB;5qKX#!z5*pwoqAi_=-*BG%mu1+QzjaGVt`<^meY-}0Z~Wj_PN7=|>% z105e6(tv6WFLj(c_=u_FMaLJ1P8SZK_=N*6n9@2~(iQ^EH@uYg-J~Og3(P2C=?LNO zbm6gf;i$Fi3gJEQh^@)%0+i(NT9QC%h6KpXoG8{Xc*$ON=sr|0la29Cai3359b z82fG;elz_4=krqe#8(Ur3=I3qYhSoByyn|iQ~Sb};WgX7w%Qk_4Ewr){%3goFDXC2 zB)v4TC`Ez6JvBd + +Forensic 350 + + +Special Agent Dumas is really grateful you were able to provide him the Cylinder:Head:Sector of the partition +but he just realized that his forensic tool requires a LBA instead of C:H:S. Please give SA Dumas the +information he needs. +

+eff21d462a07b09b0cb34f9255baa768
+
+
diff --git a/puzzles/forensics/forensic350/key b/puzzles/forensics/forensic350/key
new file mode 100644
index 0000000..f3e53ee
--- /dev/null
+++ b/puzzles/forensics/forensic350/key
@@ -0,0 +1 @@
+2048
\ No newline at end of file