Discover LinuxSecurity Features
The Honeynet Forensic Challenge
Enter the Honeynet Project. One of the primary goals of the Honeynet Project is to find order in chaos by letting the attackers do their thing, and allowing the defenders to learn from the experience and improve. The latest challenge, inspired by the Honeynet Project's founder Lance Spitzner, is the Forensic Challenge. Only this time, we're opening it up to anyone who wants to join in.
On the law enforcement side, they are hampered by a flood of incidents and a lack of good data. A victim trying to keep a system running or doing a "quickie" job of cleanup usually means incidents are underreported and inadequate handling of the evidence leads to no evidence, or tainted evidence. There has to be a better way to meet the needs of incident handlers and system administrators, as well as law enforcement, if Internet crime is going to be managed and not run amok. One possible answer is effective forensic analysis skills -- widespread knowledge of tools and techniques -- to preserve data, analyze it, and produce meaningful reports and damage estimates to your organization's management, to other incident response teams and system administrators, and to law enforcement.
To get you started, here are the basic facts about the compromise.
The images were edited to anonymize the system. Only the hostname was modified. Everyone is using the same data, so any anomalies caused by this editing will be identical. You can find the "dd" format disc images at:
The image files can be mounted on Linux systems using the loopback interface like this:
# mkdir /t # mount -o ro,loop,nodev,noexec honeypot.hda8.dd /t # mount -o ro,loop,nodev,noexec honeypot.hda1.dd /t/boot [ etc... ]
To summarize (and standardize) the deliverables, please produce the following:
File Contents --------------------------------------------------------------------- index.txt Index of files/directories submitted (including any not listed below) timestamp.txt Timestamp of MD5 checksums of all files listed and submitted (dating when produced -- see deadline information below) costs.txt Incident cost-estimate evidence.txt Time line and detailed (technical) analysis. (Use an Appendix, and/or mark answers to questions above with "[Q1]", etc.) summary.txt Management and media (non-technical) summary advisory.txt Advisory for consumption by other system administrators and incident handlers within your organization files.tar Any other files produced during analysis and/or excerpts (e.g., strings output or dissassembly listings) from files on the compromised file system, which are referenced in the previous files
- You are free to use any tools or techniques that you choose, provided
that the judges are able to readily interpret your results and duplicate
or verify their accuracy using publicly available means (i.e., don't
expect us all to have a copy of your favorite "Law Enforcement Only" or
multi-hundred dollar commercial Windows-only tool). A good publicly
available free forensic toolkit is Dan Farmer and Wietse Venema's
Coroner's Toolkit (TCT). If you want examples of the use of TCT, or
other tools/techniques, see the Forensics section of the following web page:
No matter what tools/methods you choose, please make sure you explain them in your analysis and cite references to resources (e.g., RFCs, CERT or SANS "how to" documents) to help others learn by example. Don't forget: this is a Honeynet Project brainchild, so learning is what it's all about. And fun. It's all about learning and fun. Oh yeah, and security. Learning, fun, AND security. ;)
- You may work in as a team, but if your entry is selected as a Top 20, you'll have to fight over one copy of the book.
- Deliver the results of the analysis in such a way that the judges can
quickly and easily consume the information, and such that its authenticity,
time of production, and integrity can be verified independently. (e.g.,
ISO 9660 CD-ROM or .tar archive, with digital time stamps, and
PGP signatures and/or MD5 checksums.)
Please DO NOT SEND COPIES OF COMPLETE FILES FROM THE FILE SYSTEM. We already have a copy of the file system and its contents. Just note the path (e.g., "[See file /bin/foo]").
- All submissions MUST be time stamped prior to 00:00 GMT on
Monday, February 19, 2001, and delivery to the judges initiated later that
same day. (This is to accommodate submissions on IS0 9660 format CD-ROM,
which should be postmarked by this time. The digital time stamps and
postmarks will be used to determine the 20 "Hacking Exposed" book winners.)
One free digital time stamping service you can use is
- All submissions should be sent (or shipping address arranged, if CD-ROMs
are being produced) to
- The person who hacked the box is NOT eligible, nor are members of the
Honeynet Project. Members of the companies employing Honeynet Project
members are eligible (and encouraged!) to enter, but their entries (even
if Top 20) will not receive copies of "Hacking Exposed." The books go to
- Entries must be written in English (UK and Aussie English accepted, but
go light on the regional slang, please! I only have a copy of "Best of
Aussie Slang," and the other judges don't live in Seattle.)
- Only one entry per household, please. Must be sentient to enter. Sorry,
no Ginsu Knives come with this offer!
Submissions will be judged by a panel of experts and a winner selected and announced on Monday, March 19, 2001. All decisions of the judges are final (no recounts or legal challenges by teams of grossly overpaid lawyers will be tolerated!).
After the winners are announced, all entries will be posted for the security community to review. We hope that the community can better learn from and improve from all the different techniques that different people and organizations use.
Also, we wouldn't be the Honeynet Project if we didn't capture all of the blackhat's keystrokes as he exploited, accessed, and modified the honeypot! We will release the Honeypot Project's analysis of the hacked system, as well as the blackhat's keystrokes, along with the results of the Challenge on March 19.
Good luck, and have fun!
(Thanks to Lance Spitzner, members of the Honeynet Project, Dan Farmer, Wietse Venema, SecurityFocus.com, linuxsecurity.com, Foundstone, Ali Ritter, and anyone else who helped develop or support the Forensic Challenge whose name I may have left out.)