Designed as an introduction to cyber forensic investigations for middle and high school students interested in STEM. The activity follows the PBED process:
- Plan
- Brief
- Execute
- De-brief
Teams of 4-5 students are formed and receive the in-brief (CFC-InBriefing.pptx). The in-brief explains the importance of evidence collection, cataloging, and integrity, then outlines the challenge scenario. Teams have 15 minutes to properly handle, log, and analyze the evidence package.
Materials:
- Small laptop or Chromebook (Chromebook requires Developer Mode) as the seized evidence system
- Small laptop or Chromebook as the investigator system (Advanced Challenge)
- USB write blocker (Advanced Challenge)
- Media card reader (Advanced Challenge)
- Camera (Advanced Challenge)
- Clothing to include:
  - polo
  - pants w/ belt
  - vest
  - headgear
  - t-shirt
- USB drives x2
- SD card
- Pen that can hold a piece of paper
- LED penlight with batteries
- Strips of paper with passwords
Seized-system setup (Chromebook):
- Power on the Chromebook while holding Esc + Refresh (F3), then press the Power button to reach the recovery screen
- At the recovery screen press Ctrl + D, then Enter to turn OS verification off (this wipes local data and the transition takes several minutes)
- When the "OS verification is OFF" screen appears, press Ctrl + D to boot into Developer Mode
- Log in to the Chromebook
- Press Ctrl + Alt + T to open crosh
- Type "shell"
- Type "cd ~/Downloads"
- Type "wget https://raw.githubusercontent.com/jknyght9/CyberForensicsChallenge/master/cfc-chromebook-setup1.sh" (use the raw URL; the github.com/.../blob/master/... link returns an HTML page, not the script)
- Review the downloaded script, then type "sudo sh cfc-chromebook-setup1.sh"
- Once the installation is finished, enter "pete" as the user
- Enter the login password from "CFC-Forms_answers"
- Log in to the Ubuntu Linux system
- Open a terminal
- Type "sudo sh ~/Downloads/cfc-guest-setup2.sh"
- Go through the VeraCrypt installation process
- Type "history -c" to clear the shell history, then "history -w" so the emptied list overwrites ~/.bash_history (otherwise the setup commands survive on disk for students to find)
- Press Ctrl + Alt + L to lock the screen
Evidence preparation:
- Copy all items in the "SD card" folder onto the blank SD card
- Copy all items in the "USB Drive 1" folder onto the first blank USB drive
- Copy all items in the "USB Drive 2" folder onto the second blank USB drive
- Copy the VeraCrypt volume file from the "TC Volume" folder onto the laptop
- Write the laptop login password on a piece of paper
- Write half of the VeraCrypt volume password on one piece of paper and write "1" on the other side
- Write the other half of the VeraCrypt volume password on another piece of paper and write "2" on the other side
- Choose other items that may be found on a person
- Place the items in various places in the clothing
- Give teams a blank copy of the challenge form
- Give judges a blank copy of the judge form
- Fill out a chain of custody form with a simulated case number, date/time seized, location, case officer, and the first line of the chain of custody
- Place all simulated evidence and the chain of custody form in a bag or box
- Begin the challenge
Basic challenge: Multiple systems and write blockers can be expensive, so the basic challenge lets students analyze the evidence on the seized system itself. Evidence photographs are not required. Students are required to wear latex gloves while handling the evidence. Booting and using the seized system does alter it, which is exactly what the write blocker in the advanced challenge prevents; that trade-off is worth raising in the de-brief.
Advanced challenge: This version requires two laptops, one as the seized evidence and the other as the investigator system. It also requires a USB write blocker (https://www.amazon.com/CRU-Inc-31300-0192-0000-WiebeTech-WriteBlocker/dp/B002DH1P0W), an SD media card reader, and a digital camera. Students are required to log and photograph all evidence. Analysis of the USB drives and SD card must be done on the investigator system through the write blocker. Students are required to wear latex gloves while handling the evidence.
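The logging and integrity steps that the chain of custody form and the advanced challenge ask for, as an added shell example for the investigator system (this is not code from the CyberForensicsChallenge repository): it catalogs a write-blocked medium into a SHA-256 manifest, appends a chain-of-custody entry that records the manifest's own hash, and later re-verifies the manifest to show whether anything changed. The case number, item ID and examiner name are hypothetical, and the sample evidence files are constructed in a temporary directory that stands in for the SD card.

```shell
#!/bin/sh
# Added example (not part of the CyberForensicsChallenge repository).
# Catalogs the files on a seized medium that is mounted read-only behind the
# write blocker, records SHA-256 hashes in a manifest, appends a chain-of-custody
# entry, and re-verifies the manifest to prove the evidence was not altered.
# The case number, item ID and examiner name below are hypothetical.

# cfc_catalog <evidence_dir> <manifest> : hash every regular file under the
# evidence directory into <manifest> (absolute path) and print the file count.
cfc_catalog() {
    dir="$1"; manifest="$2"
    : > "$manifest"
    # find + sort gives a stable order, so two manifests of one medium compare equal
    (cd "$dir" && find . -type f | sort | while IFS= read -r f; do
        sha256sum "$f"
    done) >> "$manifest"
    wc -l < "$manifest" | tr -d ' '
}

# cfc_verify <evidence_dir> <manifest> : exit 0 if every hash still matches,
# non-zero (listing the changed or missing files) otherwise.
cfc_verify() {
    (cd "$1" && sha256sum -c --quiet "$2")
}

# cfc_custody_log <log> <case_no> <item_id> <examiner> <action> : append one
# tab-separated chain-of-custody entry with a UTC timestamp.
cfc_custody_log() {
    printf '%s\t%s\t%s\t%s\t%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$2" "$3" "$4" "$5" >> "$1"
}

# --- demonstration on constructed sample evidence: a temp directory stands in
# --- for the write-blocked SD card (real media would be mounted with -o ro)
work=$(mktemp -d)
mkdir -p "$work/sdcard/photos"
printf 'meet at the usual place, 9pm\n' > "$work/sdcard/note.txt"
printf 'not really a jpeg\n' > "$work/sdcard/photos/img001.jpg"

manifest="$work/ITEM-03.sha256"
count=$(cfc_catalog "$work/sdcard" "$manifest")
manifest_hash=$(sha256sum "$manifest" | cut -d' ' -f1)
# Recording the manifest hash in the custody entry ties the log to the catalog.
cfc_custody_log "$work/custody.tsv" "CFC-2024-0001" "ITEM-03" "J. Examiner" \
    "cataloged $count files; manifest sha256=$manifest_hash"

if cfc_verify "$work/sdcard" "$manifest"; then
    echo "ITEM-03: integrity verified ($count files)"
fi

# Simulate what the write blocker prevents: one byte appended to one file.
printf 'x' >> "$work/sdcard/note.txt"
if ! cfc_verify "$work/sdcard" "$manifest"; then
    echo "ITEM-03: integrity FAILED - evidence altered after cataloging"
fi
cat "$work/custody.tsv"
rm -rf "$work"
```

Run it with sh on the investigator system once the medium is mounted read-only through the write blocker; the manifest plus the custody entry are what a team hands to the judges, and re-running cfc_verify at the de-brief shows whether the evidence survived the exercise unchanged.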
The password for the CFC-Forms_answers.xlsx file is available by emailing me at [email protected].