CY 2550 - Foundations of Cybersecurity
Description and DeliverablesIn this project, you will play the role of digital forensic analyst. You will be given a bootable disk image that was captured from a server that may-or-may-not have been hacked and infected with malware. Your job is to traces the attacker's footsteps from the origin of the breach, all the way to their ultimate payload.
To receive full credit for this project, you will turn in a single file:
- A file named project8/answers.txt that contains the answers to the six questions posed below. This file must be signed using your GPG public key when it is committed to Github (described below).
Brief Introduction to Digital ForensicsDigital forensics is the art of investigating computer systems to identify and isolate evidence. Forensics has applications to law enforcement as well as compromise triage more generally. In the former case, law enforcement officers must follow strict protocols governing electronic evidence to maintain the "chain of custody" of any evidence that is obtained so that it is admissable in court. This often involves the use of specialized digital forensics equipment that has been certified for use in law enforcement contexts. In the latter case, the goal of triage is typically to determine how an attacker broke into a system, what they did while they had access, determining whether the attacker still has access (e.g., did they plant a backdoor or rootkit?), and ultimately disinfecting the system so that the attacker no longer poses a threat. You will engage in this latter task, i.e., triaging a compromised system.
Getting StartedIn this project, you will play the role of a digital security expert who has been asked to forensically analyze a disk image that was captured from a compromised server. This server, owned and maintained by an employee of Happy Funtime Plastic Co., hosted a simple website that allowed people to upload and view images. However, the owner of the server began to notice strange behavior on the server, so they shut it down, cloned the hard drive to an image file, and sent the image to you for analysis. The disk image can be downloaded here:
- Server Image (warning: this file is 3 gigabytes, it may take a few minutes to download)
Note that while this assignment simulates a server that has been hacked and infected with malware, it is perfectly safe. Booting into this system is not a security risk to you or your host operating system.
- What was the name of the malicious script uploaded to the web server?
The HFPC employee who maintained this server believes that the attacker somehow broke into the server through this website, but is unsure how. Thus, you should begin your investigation here.
The web server uses the standard Apache web server software package. The configuration files for the Apache software are located in /etc/apache2/, and the files that compromise the website itself are located in /var/www/html/. Apache logs all incoming HTTP requests in the file /var/log/apache2/access.log; any requests that generate errors are logged in /var/log/apache2/error.log.
There is enough information left in these places to piece together how the attacker was able to initially breach the server. Once you've figured out how the initial breach occurred, move on to the next question.
- At what date/time was the malicious script uploaded to the web server?
- At what date/time did the attacker first log-in to the server?
- What critical system file was viewed/stolen by the attacker? Give the full path to this file.
- What is the name of malicious process running on this machine?
One way to schedule processes to run periodically on Linux systems is the Cron tool. Cron is like an alarm clock: it can be configured to run other programs on a schedule, i.e. once a day, once a week, or once a minute. Cron has various configuration files, all located in /etc/. /etc/crontab is the system-wide Cron configuration file, and there are additional, per-process configuration files in the folders /etc/cron.d/, /etc/cron.hourly/, /etc/cron.daily/, /etc/cron.weekly/, and /etc/cron.monthly/.
- What binary was back-doored? Give the full path.
One way to achieve these ends is by modifying the system utilities that everyone uses to manage to their systems (e.g. programs like ls and ps). In this case, did the attacker attempt to back door any system utilities? One way to see if system programs have been modified is by running the debsums tool: it checks the cryptographic hash of all system files and compares them to a list of known-good hashes. debsums prints "FAILED" for any file that appears to have been modified.
File Format for answers.txtTo receive full credit on this assignment, you must turn in a single (ASCII formatted with Unix-style line breaks) text file named answers.txt that contains the answers to the six questions given above. Each answer should be on its own line. For example, your answers.txt file might look like the following:
definitely_not_malware.exe 17/Nov/2020:05:49:52 -0500 Jan. 21 15:10:49 /usr/local/spark/sbin/start-all.sh gremlin-daemon /usr/bin/system-integrity-checkYour file should contain exactly six lines. Lines 1 and 5 should name particular files/processes. Lines 4 and 6 should state the full path of a file. Lines 2 and 3 should be a date/time in exactly the format given above.
Signing git Commits
Your GPG signing key is used by others to verify that a file originates from you. In this part, we will learn how to sign our commits to GitHub. In principle, others can have greater assurance about software you have placed on GitHub if it is signed.
The first step is to add your GPG public key to GitHub. Login to your account, goto "Settings", then "SSH and GPG keys", and then click "New GPG Key." Paste your GPG public key into this window.
The second step is to setup your git client to use your GPG key to sign commits. From the list of GPG keys, copy the GPG key ID you'd like to use. In this example, the GPG key ID is D95955E703474D7F0CC01FD0BDE2B89DD18E214A:
$ gpg --list-secret-keys --keyid-format LONG Wilson gpg: checking the trustdb gpg: marginals needed: 3 completes needed: 1 trust model: pgp gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u sec rsa4096/BDE2B89DD18E214A 2021-01-19 [SC] D95955E703474D7F0CC01FD0BDE2B89DD18E214A uid [ultimate] Christo Wilson (Professor at Northeastern) <firstname.lastname@example.org> ssb rsa4096/89C601C710FF744B 2021-01-19 [E]To set your GPG signing key in Git use the following command, substituting in the GPG key ID you’d like to use. In this example, the GPG key ID is D95955E703474D7F0CC01FD0BDE2B89DD18E214A:
$ git config --global user.signingkey 3AA5C34371567BD2Now sign your commits by adding the -S option to git commit:
$ git add project5/answers.txt $ git commit -S -m "your commit message" $ git push
Submitting Your ProjectTo submit your project, do the following:
- Create a directory ~/cy2550/project8 in the folder corresponding to your git repository.
- Copy your answers.txt file to the ~/cy2550/project8 folder.
- Add these files to your repository, commit and sign them, and push the committed files to Github.
- Submit your repository to Gradescope.
GradingThis project is worth 10% of your final grade, broken down as follows (out of 100):
- Questions 1 and 3 are worth 20 points
- Question 4 is worth 10 points
- Questions 2, 5, 6 are worth 15 points
- 5 points for signing your commit