Forensic Challenge 5 - Log Mysteries

01 Sep 2010

Challenge 5 - Log Mysteries - (provided by Raffael Marty from the Bay Area Chapter, Anton Chuvakin from the Hawaiian Chapter, Sebastien Tricaud from the French Chapter) takes you into the world of virtual systems and confusing log data. In this challenge, figure out what happened to a virtual server using all the logs from a possibly compromised server.

The questions are a more open ended than past challenges. To score highly, we recommend to answer the following way:

  • Accuracy is highly encouraged to get the highest note
  • You must explain tools you used and how
  • If you use visualization tools such as afterglow, picviz, graphviz, gnuplot etc. explain why this was better (than other tools, than other visualization): such as good timeline representation etc.
  • Outline HOW you found things

Skill Level: Intermediate

Enjoy the challenge!

The Challenge:
Analyze the attached and answer the following questions:

  1. Was the system compromised and when? How do you know that for sure? (5pts)
  2. If the was compromised, what was the method used? (5pts)
  3. Can you locate how many attackers failed? If some succeeded, how many were they? How many stopped attacking after the first success? (5pts)
  4. What happened after the brute force attack? (5pts)
  5. Locate the authentication logs, was a bruteforce attack performed? if yes how many? (5pts)
  6. What is the timeline of significant events? How certain are you of the timing? (5pts)
  7. Anything else that looks suspicious in the logs? Any misconfigurations? Other issues? (5pts)
  8. Was an automatic tool used to perform the attack? if yes which one? (5pts)
  9. What can you say about the attacker’s goals and methods? (5pts)

Bonus. What would you have done to avoid this attack? (5pts)

This work by Raffael Marty, Anton Chuvakin and Sebastien Tricaud is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License.

The Winners:

  1. William Soderberg (Sweden) - William’s submission - Sha1: 14ec42dcd24162d2e536f5c84820240cb521cad4
  2. Nikunj Shah(USA) - Nikunj’s submission - Sha1: 950aa99eec3b7663ee9f415826e0dfcfe43ab4ac
  3. David Bernal Michelena (Mexico)- David’s submission - Sha1: 58fc0cfeac54cf9fdc490b22b4b5e0e8ed7e92db

Additional information:
Carl Pulley, a loyal follower of our Forensic Challenges, has written up an analysis on how could one determine the apache version that generated the logs. His analysis can be found at and

Attachment Size
[your email]_Forensic Challenge 2010 - Challenge 5 - Submission Template.doc 71 KB
[your email]_Forensic Challenge 2010 - Challenge 5 - Submission Template.odt 21.23 KB 1.08 MB
david_bernal_michelena_Forensic_Challenge_2010_-_Challenge_5_-_Submission.pdf 336.32 KB
nikunj_shah_Forensic_Challenge_2010_-_Challenge_5_-_Submission.pdf 265.24 KB
william_soderberg_Forensic_Challenge_2010_-_Challenge_5_-_Submission.pdf 99.97 KB