COS 496: Information Security

Spring 1999

General information

Assignment 4: Forensic Security

[This assignment is based on a true story.]

A Princeton student wanted to allow his friend to download some files from his account via ftp, so he briefly changed his password to an easy-to-guess value.  After changing his password back the next morning, he discovered a new subdirectory, below his home directory, containing some strange files.  Further investigation revealed that an intruder had logged into the account overnight.

We have captured the state of the new subdirectory on the morning after the intrusion in this zip-file.   In case it matters, the intrusion occurred on a Sparc/Solaris machine.

Your task in this assignment is to analyze the files and then write a memo explaining what you can conclude from them.  What (if anything) can you determine about who the intruder might be?  What did the intruder try to do?  What did the intruder succeed in doing?  How skilled was the intruder?  Was it sufficient to simply change the student's password, or are further recovery steps or further investigation needed?
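A first step in the analysis above is usually to build a neutral inventory of the captured directory (size, permission bits, modification time, content hash, file type) and to mark entries that deserve a closer look, before drawing any conclusions. The script below is an added example written for this page; it is not part of the assignment, its zip-file or the original capture. It assumes a constructed sample tree (the file names and byte contents are invented stand-ins for the real captured files), and the flags it raises (hidden names, setuid/setgid or world-writable bits, ELF and gzip payloads) are a chosen starting set, not a complete forensic checklist.

```python
"""Triage inventory of a captured directory tree (added example, not from the assignment)."""
import hashlib
import os
import stat
import tempfile
import time

# Leading-byte signatures for a cheap file-type guess (constructed, deliberately short list).
MAGIC = {
    b"\x7fELF": "ELF binary",
    b"\x1f\x8b": "gzip archive",
    b"#!": "script",
}


def guess_type(head: bytes) -> str:
    """Classify a file from its first bytes; falls back to text/binary."""
    for signature, name in MAGIC.items():
        if head.startswith(signature):
            return name
    try:
        head.decode("ascii")
        return "text"
    except UnicodeDecodeError:
        return "binary (unknown)"


def inventory(root: str) -> list:
    """Return one record per file under root, ordered by modification time (a timeline)."""
    records = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks planted in the tree
            rec = {
                "path": os.path.relpath(path, root),
                "size": st.st_size,
                "mode": stat.filemode(st.st_mode),
                "mtime_epoch": st.st_mtime,
                "mtime": time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(st.st_mtime)),
                "type": "symlink",
                "sha256": None,
                "flags": [],
            }
            if not stat.S_ISLNK(st.st_mode):
                with open(path, "rb") as fh:
                    data = fh.read()
                rec["type"] = guess_type(data[:16])
                rec["sha256"] = hashlib.sha256(data).hexdigest()
            # Review flags: each one is a reason to look closer, not a verdict.
            if name.startswith("."):
                rec["flags"].append("hidden name")
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                rec["flags"].append("setuid/setgid")
            if st.st_mode & stat.S_IWOTH:
                rec["flags"].append("world-writable")
            if rec["type"] in ("ELF binary", "gzip archive"):
                rec["flags"].append("binary payload")
            records.append(rec)
    records.sort(key=lambda r: r["mtime_epoch"])
    return records


def build_sample_tree() -> str:
    """Create a constructed directory standing in for the captured subdirectory."""
    root = tempfile.mkdtemp(prefix="capture_")
    samples = {  # invented names and contents, not the real evidence
        "notes.txt": b"nothing to see here\n",
        ".hidden.sh": b"#!/bin/sh\necho hello\n",
        "tool": b"\x7fELF" + b"\x00" * 28,
        "bundle.tgz": b"\x1f\x8b\x08\x00" + b"\x00" * 12,
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    os.chmod(os.path.join(root, "tool"), 0o4755)  # setuid bit: a classic thing to flag
    return root


def report(records: list) -> str:
    """Render the inventory as a fixed-width table for the memo's appendix."""
    lines = ["%-19s %-10s %8s  %-16s %-12s %s" % ("mtime (UTC)", "mode", "size", "type", "sha256[:12]", "path  flags")]
    for r in records:
        digest = (r["sha256"] or "")[:12]
        lines.append("%-19s %-10s %8d  %-16s %-12s %s  %s" % (
            r["mtime"], r["mode"], r["size"], r["type"], digest, r["path"], ", ".join(r["flags"])))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(inventory(build_sample_tree())))
```

Hashing every file before anything else is what lets the memo separate "what I found" from "what I concluded": the digests can be compared against known tool distributions later, and the timeline ordering makes it possible to say which files appeared first without relying on memory of the directory listing.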

Of course, as in any forensic task, the evidence you have may not answer all the questions you want answered.  Do your best, and make sure your memo clearly states what you can and cannot determine from the evidence you have.

Copyright 1998, Edward W. Felten.