COMP 4027 Forensic and Analytical Computing
This file contains the description of assignment 1.
| assignment 1 || honeypot research and decision |
| description || to research existing honeypot software and facilities and make a recommendation on which to use |
| marks || 15% (5% for seminar and 10% for report) |
| assessable component || seminar, 10 minutes to class in week 5 (30 March, big 2-hour lecture); short report |
| deadlines || seminar: week 5 lecture on 30 March; report: 03 April 11pm via AssignIT |
| personnel || in small groups of 2 or 3 |
You have been assigned a task to gather evidence of illicit activity on your host machine. Your supervisor
is concerned that your server has been infiltrated in the past and wants to firstly ensure that intrusions
are detected (as much as possible), and secondly that you can gather enough evidence to prosecute the
perpetrators. A honeypot seems the ideal solution, as it allows you to collect evidence on a criminal's
activities without too much risk to your real data and systems. On the other hand, there is concern
that too attractive a honeypot will entice criminals to return to a site that would otherwise not be
of much interest. Also, it is necessary to determine whether setting up criminals to perform activities
they would not otherwise have done is going to be admissible as evidence in court.
In groups of two or three, you should research tools and methods for setting up a honeypot. Look for tools and
methods that may have been successfully used to prosecute in the past. Consider the risk to your real
data and how that risk can best be mitigated (e.g. a particular server architecture).
Note this assignment leads into assignment 3 and you will likely be allocated into groups for
assignment 3 according to your recommendations in assignment 1.
You will need to achieve 50% or above in this component to pass the course.
Assignment 1 is worth 15% of the total for this course. You will be given 10% for the report, and 5%
for the short seminar to the rest of the class. Your participation in class discussion can contribute
to your seminar mark.
All people in a group will be given the same mark for both report and seminar unless a case is made otherwise (for example,
non-participation in the assignment will mean a result of 0 for the assignment).
The two deliverables are the report, written jointly, and the seminar, also written jointly and
presented by either one or both members of the group.
The report should answer questions such as:
- how can honeypot tools and methods help us gather evidence on criminal intrusion and activities on our servers?
- how risky are these honeypot tools and methods to our data and systems? Will they compromise the
confidentiality, integrity or availability (or any other facet) of our systems and data?
- will we be able to collect any useful evidence that will lead to prosecution?
- what other benefits/disadvantages of these honeypot tools and methods are known?
- what recommendation do you make? Should a honeypot be implemented at all, and if so, what type? Justify your decision.
The seminar will be for a total of 10 minutes, with not more than 5 PowerPoint slides (excluding the title slide),
and should address briefly the same questions as the report, in a concise format. The seminar is for
you to explain to your supervisor what your honeypot recommendation is and why it is your choice, and to field
The seminar is scheduled for the lecture on 30 March. You should submit your talk to Helen Ashman
for uploading to the course website no later than Thursday 26 March. Do not email the talk but email a URL.
The report is due Friday 03 April at 11pm, and should be submitted by one of the group members
You will be assigned to groups of two or three for this exercise. The groupings
will be released on 09 March.
- Your most useful research tools are search engines with the terms "honeypot", "intrusion detection systems" and "IDS".
Also search on "forensic tools" and many of the security-related topics such as
hacking, evidence gathering.
- See also reports on honeypot work done locally by a past CIS student
Last update hla 2009-03-03