The Rhino Hunt data set requires examination of a small image file and three network traces. The image was contributed by Dr. Golden G. Richard III and was originally used in the DFRWS 2005 RODEO CHALLENGE.
Scenario:
The city of New Orleans passed a law in 2004 making possession of nine or more unique rhinoceros images a serious crime. The network administrator at the University of New Orleans recently alerted police when his instance of RHINOVORE flagged illegal rhino traffic. Evidence in the case includes a computer and USB key seized from one of the University's labs. Unfortunately, the computer had no hard drive. The USB key was imaged and a copy of the dd image is on the CD-ROM you've been given.
In addition to the USB key drive image, three network traces are also available; these were provided by the network administrator and involve the machine with the missing hard drive. The suspect is the primary user of this machine, who has been pursuing his Ph.D. at the University since 1972.
MD5 hashes for evidence (md5sum format):
c0d0093eb1664cd7b73f3a5225ae3f30 *rhino.log
cd21eaf4acfb50f71ffff857d7968341 *rhino2.log
7e29f9d67346df25faaf18efcd95fc30 *rhino3.log
80348c58eec4c328ef1f7709adc56a54 *RHINOUSB.dd
The image and trace files are in a zip archive.
The task:
Recover at least nine rhino pictures from the available evidence and include them in a brief report. In your report, provide answers to as many of the following questions as possible:
- Who gave the accused a telnet/ftp account?
- What's the username/password for the account?
- What relevant file transfers appear in the network traces?
- What happened to the hard drive in the computer? Where is it now?
- What happened to the USB key?
- What is recoverable from the dd image of the USB key?
- Is there any evidence that connects the USB key and the network traces? If so, what?
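The two steps an examiner takes first with this kind of evidence are verifying the working copies against the published MD5 digests and signature-carving image files out of the raw dd image. The following is an added example written for this page; it is not part of the challenge materials or of the answer PDF. The sample "disk image" is constructed inline from minimal JPEG, GIF and PNG byte strings, so it says nothing about the real contents of RHINOUSB.dd, and the file names and function names are this example's own.

```python
"""Evidence hash verification and header/footer carving for a raw (dd) image.
Added example for the Rhino Hunt page; the sample image below is constructed,
not taken from the real evidence."""
import hashlib
import os

# Published MD5 digests, copied from the challenge page.
EXPECTED_MD5 = {
    "rhino.log": "c0d0093eb1664cd7b73f3a5225ae3f30",
    "rhino2.log": "cd21eaf4acfb50f71ffff857d7968341",
    "rhino3.log": "7e29f9d67346df25faaf18efcd95fc30",
    "RHINOUSB.dd": "80348c58eec4c328ef1f7709adc56a54",
}


def verify_evidence(files, expected=EXPECTED_MD5):
    """files: mapping of evidence name -> raw bytes.
    Returns name -> (matches_published_hash, actual_md5).  A False result means
    the copy is not the evidence that was imaged and must not be analysed."""
    results = {}
    for name, data in files.items():
        actual = hashlib.md5(data).hexdigest()
        results[name] = (actual == expected.get(name), actual)
    return results


# (header, footer) signatures for the picture formats worth carving here.
# GIF: "GIF87a"/"GIF89a" magic, trailer 0x3B preceded by a block terminator.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "gif": (b"GIF8", b"\x00\x3b"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def carve(image, max_size=10 * 1024 * 1024):
    """Simple header/footer carving over a raw byte string (the whole dd image
    read into memory).  Returns a list of (offset, ext, data) sorted by offset.
    A header with no footer within max_size bytes is skipped.  Caveat: a JPEG
    with an EXIF thumbnail contains a nested FFD8..FFD9, so this naive method
    stops at the thumbnail's end marker; segment-aware carvers avoid that."""
    found = []
    for ext, (head, tail) in SIGNATURES.items():
        pos = 0
        while True:
            start = image.find(head, pos)
            if start < 0:
                break
            limit = min(len(image), start + max_size)
            end = image.find(tail, start + len(head), limit)
            if end < 0:
                pos = start + 1          # no footer: move on, do not loop forever
                continue
            end += len(tail)
            found.append((start, ext, image[start:end]))
            pos = end                    # resume after this file's footer
    found.sort(key=lambda item: item[0])
    return found


def write_carved(found, outdir):
    """Write each carved object as <offset>.<ext>; returns the paths written."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for offset, ext, data in found:
        path = os.path.join(outdir, "%08x.%s" % (offset, ext))
        with open(path, "wb") as fh:
            fh.write(data)
        paths.append(path)
    return paths


# Constructed sample image: filler bytes around three minimal, fake picture files.
FAKE_JPEG = b"\xff\xd8\xff\xe0JFIF\x00" + b"\x01" * 40 + b"\xff\xd9"
FAKE_GIF = b"GIF89a\x10\x00\x10\x00" + b"\x02" * 30 + b"\x00\x3b"
FAKE_PNG = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + b"\x03" * 20 + b"IEND\xaeB`\x82"
SAMPLE_IMAGE = (b"\x00" * 512 + FAKE_JPEG + b"junk" * 64 + FAKE_GIF
                + b"\x00" * 100 + FAKE_PNG + b"\xff" * 64)

if __name__ == "__main__":
    for offset, ext, data in carve(SAMPLE_IMAGE):
        print("%08x  %-3s  %d bytes" % (offset, ext, len(data)))
    # With the real evidence: verify_evidence({"RHINOUSB.dd": open("RHINOUSB.dd", "rb").read()})
```

Run the hash check before anything else and record the actual digests in the report; if a copy of RHINOUSB.dd does not match the published value, carving it proves nothing. Carving by signature recovers pictures even when the file system metadata is gone, which is the usual situation with a deleted or reformatted USB key, but it yields duplicates and fragments, so deduplicate by hash before counting toward the "nine unique images" threshold.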
The answer (pdf).