EH-Net Forum > Features > Skillz > Oct 2008 - Scooby Doo and the Crypto Caper
Topic: Skillz October 08 Winning Entry - Technical
don (Editor-In-Chief, Administrator)
« on: January 07, 2009, 10:54:15 AM »

Text version below. For PDF and original formatting, click HERE.

Quote from Dan Roberts:

26 October 2008

1. Can you figure out who killed Dr. Wilson, and why?

Starting with the partial disk image, I recovered a couple of files using foremost (see appendix 1). In addition to these two files, I recovered an e-mail (see appendix 2) by inspecting the strings within the disk image. The identity of the recipient is not clear from the e-mail text, but the Base64-encoded file attachment reveals a jpeg photograph of a messy office decorated with anime figurines. The e-mail states that the sender knows the recipient is behind the cheating, and that the photo is proof of this.

Based on these findings, I suspect that Dr. Miller is the murderer. He knew that Dr. Wilson could identify him, and so used his opportunity in the darkened computer room to shut Dr. Wilson up.. for good.

2. How were the passwords stolen to steal the exams?

I suspect the encryption key was stolen using a hardware keylogger. The photo shows packaging for a 256K in-line key logging device in the waste basket of Dr. Miller's office. Dr. Taylor said that she scanned the PC for various malware, but a hardware keystroke logger would not have been detected with such a scan.

3. Can you provide a copy of the cryptography final exam? Can you create an answer key?

The final exam was stored in Excel format. Although foremost was able to recover the file from the partial disk image, it was also perfectly readable using strings. Here is the content of the final exam:

Cryptography Final Exam

Question 1

Q BEDW JYCU QWE, YD Q WQBQNO VQH, VQH QMQO
YJ YI Q FUHYET EV SYLYB MQH. HURUB
IFQSUIXYFI, IJHYAYDW VHEC Q XYTTUD
RQIU, XQLU MED JXUYH VYHIJ LYSJEHO
QWQYDIJ JXU ULYB WQBQSJYS UCFYHU.
TKHYDW JXU RQJJBU, HURUB IFYUI CQDQWUT
JE IJUQB IUSHUJ FBQDI JE JXU UCFYHU'I
KBJYCQJU MUQFED, JXU TUQJX IJQH, QD
QHCEHUT IFQSU IJQJYED MYJX UDEKWX
FEMUH JE TUIJHEO QD UDJYHU FBQDUJ.
FKHIKUT RO JXU UCFYHU'I IYDYIJUH QWUDJI,
FHYDSUII BUYQ HQSUI XECU QREQHT XUH
IJQHIXYF, SKIJETYQD EV JXU IJEBUD FBQDI
JXQJ SQD IQLU XUH FUEFBU QDT HUIJEHU
VHUUTEC JE JXU WQBQNO

Question 2

NOTCAESAR

fvtnlmdorgvxaoyfoncokkslgnvecajeejhzzqatiwlirakbvhmfmvvhlvivkmpfwgvhijimrfhjslwsnrzeuwmlhfhfequwanvfgtnlqqlzsspklpwnusckjiqoeiroenoylowfwzpsmcnfjwfuovlajucvmehloyrokvhidoiqariohfonjwensenedrcakwmdlerfugseneuosvcuwwicvjxyixzsrgogqnioijuhhfaclhrgmhwlpslccftafsjtyesxyhsoicyatmemlhvesecti

Question 3

Wheel Order 123
Stecker Pairs IJ ST
Indicator Settings AYB
Reflector B
EEHVWXXDGZJKFDLAANJCBK

An answer key does not seem to be included in the partial disk image. But who needs a key when you've got Velma on hand? Here's what she came up with:

Cryptography Final Exam Answer Key

Answer 1

This is a Caesar cipher with an alphabet shift of -10. It works by substituting letters from the normal alphabet (A-Z) with an alphabet that has been shifted, like such:

ABCDEFGHIJKLMNOPQRSTUVWXYZ <- the original character
KLMNOPQRSTUVWXYZABCDEFGHIJ <- translates to the character beneath it

The plaintext reads:

A LONG TIME AGO, IN A GALAXY FAR, FAR AWAY
IT IS A PERIOD OF CIVIL WAR. REBEL
SPACESHIPS, STRIKING FROM A HIDDEN
BASE, HAVE WON THEIR FIRST VICTORY
AGAINST THE EVIL GALACTIC EMPIRE.
DURING THE BATTLE, REBEL SPIES MANAGED
TO STEAL SECRET PLANS TO THE EMPIRE'S
ULTIMATE WEAPON, THE DEATH STAR, AN
ARMORED SPACE STATION WITH ENOUGH
POWER TO DESTROY AN ENTIRE PLANET.
PURSUED BY THE EMPIRE'S SINISTER AGENTS,
PRINCESS LEIA RACES HOME ABOARD HER
STARSHIP, CUSTODIAN OF THE STOLEN PLANS
THAT CAN SAVE HER PEOPLE AND RESTORE
FREEDOM TO THE GALAXY

This is the prologue to the movie Star Wars.

Answer 2

This ciphertext was generated using a Vigenere table (a matrix like the one shown below) and a secret key to perform character substitution.

ABCDEFGHIJKLMNOPQRSTUVWXYZ
A ABCDEFGHIJKLMNOPQRSTUVWXYZ
B BCDEFGHIJKLMNOPQRSTUVWXYZA
C CDEFGHIJKLMNOPQRSTUVWXYZAB
D DEFGHIJKLMNOPQRSTUVWXYZABC

…and so on…

Each character of the cipher text is decoded by finding the letter in the matrix where a cipher character along the top and a secret key character down the side intersect. Each character of the secret key is used in succession, and repeated until the entire message is decoded.

The plaintext reads:

shalliloatheyounowparishonerohhearhimchristianwithinmeitstirsmysintheriverohsheswellswithourlousinessallmylifewillendforhimwerealloutofsignsiknowimsortashockedtohearthelordmygodnowwillsavemeohiwillnerbesavedbecauseilivewithsatanonewishtodaythatyoullallprayforthreewhowillmakeitherelate

With spaces, this reads: "Shall I loathe you now parishioner oh hear him Christian within me it stirs my sin the river oh she swells with our lousiness all my life will end for him were all out of signs I know im sorta shocked to hear the lord my god now will save me oh i will ner be saved because I live with satan one wish today that youll all pray for three who will make it here late." These are the words to Stairway to Heaven, heard when played backwards.

Answer 3

The parameters listed in the question refer to settings on a WWII German Enigma machine. When set properly, this mechanical device decodes the cipher text to read:

SOMEBODYSETUPUSTHEBOMB

"Somebody set us up the bomb".. the immortal words of CATS in A.D. 2101 from the game Zero Wing. All of your base are belong to us!

Several tools that helped with the decoding:

Enigma emulator: http://homepages.tesco.net/~andycarlson/enigma/enigma_j.html

ROT-13 decoder (and more): http://web.forret.com/tools/rot13.asp

Vigenere decoder: http://islab.oregonstate.edu/koc/ece575/02Project/Mun+Lee/VigenereCipher.html

4. Also, provide some analysis of Velma's incident handling process. What did she do right? What should she have done differently?

Velma did right in creating a disk image to work from rather than directly manipulating the original media, and she went for the right tools to extract the relevant data. What she could have done differently:

Firstly, she should not have disturbed the evidence. Immediately upon discovering the crime, the proper thing to do would be to clear out and secure the data center and allow qualified law enforcement personnel to properly survey the scene. It also wouldn't hurt to keep the suspects together.

Supposing she was qualified to conduct a forensic investigation, the pocket knife should have been photographed as found, then tagged and bagged for safe-keeping. Two copies of the storage device would have been better: one for archival purposes and another to work from.

Velma should have used a hashing algorithm like MD5 or SHA1 to take fingerprints of the media. This could help later in establishing the integrity of the data if used as evidence in court.

The pocket knife should probably first undergo a more comprehensive physical examination, such as fingerprinting and DNA testing, before anyone diddles with it. By picking it up, Velma has contaminated potential evidence.

The device should have been operated in a controlled environment to avoid possible damage. Optimal conditions would have ensured no blood or other debris would interfere with operation of the USB drive. It's hard to know now whether the data was already corrupt, or if blood caused a short, or if the data was corrupted just by clumsy handling.

A digital forensic analysis should follow carefully planned procedures, and all steps performed should be documented. Digital evidence is often suspect due to the ease of its fabrication and modification, so a methodical approach is crucial in establishing the reliability of the data as evidence.

This case is interesting because the murder weapon and digital media are one and the same. Velma's missteps and lack of documentation could put the success of a future trial in jeopardy.. not only from the perspective of the data, but also the murder weapon.

5. Hey, was I just rick rolled?

Okay, so that wasn't a question in the challenge.. but we know these challenges well enough by now that Rick Astley's music video didn't end up in that partial disk image by accident! :-)

Rickrolling is an Internet meme involving the music video for the 1987 Rick Astley song "Never Gonna Give You Up". The meme is a bait and switch: a person provides a Web link they claim is relevant to the topic at hand, but the link actually takes the user to the Astley video. – Wikipedia

Appendix 1:

Output from foremost when processing partialdriveimage.bin
Foremost version 1.5.4 by Jesse Kornblum, Kris Kendall, and Nick Mikus
Audit File
Foremost started at Thu Oct 23 14:02:30 2008
Invocation: ./foremost partialdriveimage.bin
Output directory: /home/roberts/foremost-1.5.4/output
Configuration file: /home/roberts/foremost-1.5.4/foremost.conf
------------------------------------------------------------------
File: partialdriveimage.bin
Start: Thu Oct 23 14:02:30 2008
Length: 5 MB (5242880 bytes)
Num  Name (bs=512)   Size   File Offset  Comment
0:   00005372.xls    82 KB  2750464
1:   00005536.mpg    2 MB   2834432
Finish: Thu Oct 23 14:02:30 2008
2 FILES EXTRACTED
ole:= 1
mpg:= 1
------------------------------------------------------------------
Foremost finished at Thu Oct 23 14:02:30 2008

Appendix 2:

Contents of the e-mail from Dr. Wilson to Dr. Miller
Subject: Exam Questions
I know how you've been obtaining our passwords to steal the exams and provide them to the students. You'll see I have the proof in the attachment. I expect you to resign your position and leave the University at the end of the semester or I will be forced to disclose this information and fire you.
Dr. Wilson

Attachment (file/jpg):

Note: To obtain this image, I copied the Base64 encoded content from the strings output and pasted it into a decoder (http://www.motobit.com/util/base64-decoder-encoder.asp). Several incomplete lines had to be padded in order to get a usable image.. it didn't come out perfect, but good enough to solve the puzzle!


Don
CISSP, MCSE, CSTA, Security+ SME
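As an added example (not part of the winning entry above), a small Python script that automates Answer 1: it tries all 26 shifts against the Question 1 ciphertext quoted in the exam and keeps the one whose letter distribution is closest to English, then prints the same two-row table the answer key uses. The English frequency table is the example's own assumption.

```python
"""Recover a Caesar shift by letter-frequency scoring (added example, not from the writeup)."""
import string

# Assumed approximate English letter frequencies in percent, A..Z
ENGLISH_FREQ = [8.17, 1.49, 2.78, 4.25, 12.70, 2.23, 2.02, 6.09, 6.97, 0.15, 0.77, 4.03, 2.41,
                6.75, 7.51, 1.93, 0.10, 5.99, 6.33, 9.06, 2.76, 0.98, 2.36, 0.15, 1.97, 0.07]

# Input taken from Question 1 of the exam quoted in the writeup (first four lines)
CIPHERTEXT = (
    "Q BEDW JYCU QWE, YD Q WQBQNO VQH, VQH QMQO\n"
    "YJ YI Q FUHYET EV SYLYB MQH. HURUB\n"
    "IFQSUIXYFI, IJHYAYDW VHEC Q XYTTUD\n"
    "RQIU, XQLU MED JXUYH VYHIJ LYSJEHO"
)

def shift_text(text: str, shift: int) -> str:
    """Move every A-Z letter forward by `shift` places (mod 26); other characters pass through."""
    out = []
    for ch in text:
        if "A" <= ch <= "Z":
            out.append(chr((ord(ch) - 65 + shift) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)

def chi_squared(text: str) -> float:
    """Chi-squared distance between the letter counts of `text` and the English expectation."""
    letters = [ch for ch in text if "A" <= ch <= "Z"]
    n = len(letters)
    counts = [0] * 26
    for ch in letters:
        counts[ord(ch) - 65] += 1
    score = 0.0
    for i in range(26):
        expected = ENGLISH_FREQ[i] / 100.0 * n
        score += (counts[i] - expected) ** 2 / expected
    return score

def crack_caesar(ciphertext: str):
    """Try all 26 shifts and return (shift, plaintext) for the most English-looking result."""
    best = min(range(26), key=lambda s: chi_squared(shift_text(ciphertext, s)))
    return best, shift_text(ciphertext, best)

def decode_table(shift: int) -> str:
    """Render the two-row substitution table (cipher letter above, plain letter beneath)."""
    upper = string.ascii_uppercase
    return upper + "\n" + shift_text(upper, shift)

if __name__ == "__main__":
    shift, plain = crack_caesar(CIPHERTEXT)
    print(f"shift +{shift} decodes the text:\n{plain}\n\n{decode_table(shift)}")
```

The recovered shift is +10, which is the same mapping as the writeup's "-10" table read in the other direction (Q beneath A, i.e. ciphertext Q decodes to A).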
jason (Hero Member)
« Reply #1 on: January 07, 2009, 11:10:22 PM »

Nice writeup. Congrats.
stimmerman (Newbie)
« Reply #2 on: January 13, 2009, 03:57:52 AM »

Nice work!
I'm just starting to like this kind of puzzles :-)

How did you recover the email?