Nitroba University Harassment Scenario

August 20th, 2016

(Note: Because packet capture files contain timestamps for each packet, this scenario needs to have a date and time when it takes place. This scenario takes place in Summer 2008. The date and time stamps are not relevant in solving the problem set.)

You are a security administrator at the prestigious (and fictional) Nitroba State University.

Nitroba’s IT department received an email from Lily Tuckrige, a teacher in the Chemistry Department. Tuckrige has been receiving harassing emails and she suspects that they are being sent by a student in her class Chemistry 109, which she is teaching this summer. The email was received at Tuckridge’s personal email account, lilytuckrige@yahoo.com. She took a screenshot of the web browser and sent it in.

The system administrator who received the complaint wrote back to Tuckridge that Nitroba needed the full headers of the email message. Tuckridge responded by clicking the “Full message headers” button in Yahoo Mail and sent in another screen shot, this one with mail headers.

The mail header shows that the mail message originated from the IP address 140.247.62.34, which is a Nitroba student dorm room. Three women share the dorm room. Nitroba provides an Ethernet connection in every dorm room but not Wi-Fi access, so one of the women’s friends installed a Wi-Fi router in the room. There is no password on the Wi-Fi.

Because several email messages appear to come from the IP address, Nitroba decides to place a network sniffer on the Ethernet port. All of the packets are logged. On Monday 7/21 Tuckridge received another harassing email. But this time, instead of sending it directly, the perpetrator sent it through a web-based service called “willselfdestruct.com.” The website briefly shows the message to Tuckridge, and then the website reports that the “Message Has Been Destroyed.”

You have been given the screen shots, the packets that were collected from the Ethernet tap, and the Chem 109 roster. Your job is to determine if one of the students in the class was responsible for the harassing email and to provide clear, conclusive evidence to support your conclusion.


The teaching materials for this scenario include:

Hash values for nitroba.pcap:

Algorithm Value
MD5 9981827f11968773ff815e39f5458ec8
SHA1 65656392412add15f93f8585197a8998aaeb50a1
SHA256 2b77a9eaefc1d6af163d1ba793c96dbccacb04e6befdf1a0b01f8c67553ec2fb
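
An added example (not part of the original page or its teaching materials): a Python check that a downloaded copy of nitroba.pcap matches all three published values before any analysis starts, reading the file once for all digests. The function names and the default file path are assumptions of this example.

```python
import hashlib
import hmac
import sys

# Values copied from the table above.
PUBLISHED = {
    "md5": "9981827f11968773ff815e39f5458ec8",
    "sha1": "65656392412add15f93f8585197a8998aaeb50a1",
    "sha256": "2b77a9eaefc1d6af163d1ba793c96dbccacb04e6befdf1a0b01f8c67553ec2fb",
}


def digest_file(path, algorithms=PUBLISHED, chunk_size=1 << 20):
    """Read the file once, in chunks, and return {algorithm: hex digest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify(path, expected=PUBLISHED):
    """Return {algorithm: (matches, computed_hex)} for every expected value."""
    computed = digest_file(path, expected)
    return {
        # Normalise case and stray whitespace in the expected value.
        name: (hmac.compare_digest(computed[name], want.strip().lower()),
               computed[name])
        for name, want in expected.items()
    }


def main(argv):
    path = argv[1] if len(argv) > 1 else "nitroba.pcap"  # assumed local path
    results = verify(path)
    for name, (ok, got) in results.items():
        print(f"{name:<7}{'OK' if ok else 'MISMATCH':<10}{got}")
    # A single mismatch means this copy is not the published capture.
    return 0 if all(ok for ok, _ in results.values()) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Record the computed values in the case notes along with the tool output, so a later mismatch can be traced to the copy that was examined.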


Please note: Do not leave comments asking for the password; please follow the instructions above.

  1. Paul
    May 17th, 2014 at 23:17 | #1

    Would it be possible to have SHA-256 + MD5 checksums of the PCAP file published? That’s something usually expected in a forensics scenario.

  2. May 18th, 2014 at 07:42 | #2

    @Paul
    Done. Is the format acceptable?

  3. Paul
    May 18th, 2014 at 15:29 | #3

    @admin
    That format works fine for me. Thanks very much!

  4. Paul
    May 18th, 2014 at 16:49 | #4

    BTW, in several places above the name of the complainant is spelled “Tuckridge”, whereas she is initially introduced as “Tuckrige”, and that is the spelling used in both the slide deck and the packet capture.

  5. Jesse
    July 12th, 2014 at 20:47 | #5

    It might be just me, but the MD5 sum I’m getting for the NITROBA.PCAP is different than the one posted here.

    I’m getting: 9981827f11968773ff815e39f5458ec8 nitroba.pcap

    Could someone explain?

  6. Simson Garfinkel
    December 13th, 2014 at 14:59 | #6

    @Jesse
    We edited the file and removed some information. Your MD5 is correct.

  7. Nick
    May 10th, 2015 at 06:33 | #7

    Is it possible to get access to the solution file outside of an institution? I’m trying to learn information forensics outside of my Computer Science degree.

  8. August 17th, 2016 at 11:20 | #8

    I think there’s some real-world information in here that might be removed – I found a Facebook login cookie that references a real person, possibly the person who created the exercise – Beth?


"This material is based upon work supported by the National Science Foundation under Grant No. 0919593. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation."