The Rhino Hunt data set requires examination of a small image file and three network traces. This image was contributed by Dr. Golden G. Richard III, and was originally used in the DFRWS 2005 RODEO CHALLENGE.
The city of New Orleans passed a law in 2004 making possession of nine or more unique rhinoceros images a serious crime. The network administrator at the University of New Orleans recently police when his instance of RHINOVORE flagged illegal rhino traffic. Evidence in the case includes a computer and USB key seized from one of the University’s labs. Unfortunately, the computer had no hard drive. The USB key was imaged and a copy of the dd image is on the CD-ROM you’ve been given.

In addition to the USB key drive image, three network traces are also available—these were provided by the network administrator and involve the machine with the missing hard drive. The suspect is the primary user of this machine, who has been his Ph.D. at the University since 1972.
hashes for evidence:
The image and trace files are in a
Recover at least nine rhino pictures from the available evidence and include them in a brief report.
In your report, provide answers to as many of the following
The answer (pdf).
- Who gave the accused a telnet/ftp
- What’s the username/password for the
- What relevant file transfers appear in the network traces?
- What happened to the hard drive in the computer? Where is it now?
- What happened to the USB key?
- What is recoverable from the dd image of the USB key?
- Is there any evidence that connects the USB key and the network traces? If so,