Cyber Forensics Challenge

Open to: high school teams located in the continental U.S.
Registration deadline: TBA
Challenge materials/hints posted: TBA
Report deadline: TBA
Finalists announced: TBA
Challenge captains: Efstratios Gavas and Moshe Caplan

Questions: Read the Frequently Asked Questions

Apply your hacking skills to a real murder mystery situation. Join up with the ISIS Police force: you’ll be privy to confidential evidence as you discover clues and use digital forensics to solve the scandal. Delve into log and file analysis, rootkit detection and analysis, botnet detection and analysis, live system forensics, steganography, and file carving. Your team will battle against other elite teams — and the clock — as you solve this fast-paced current day crime.

Prizes and Travel Grants

  • 8 finalist teams will be flown to NYC for the final competition
  • The winning team’s science department will receive: 
    • 1st place: $1,500
    • 2nd place: $1,000
    • 3rd place: $750

Challenge Materials and Hints for 2009

The NYU-Poly Police (NPP) needs your help to solve a murder. After responding to reports of screaming in the area, the NPP discovered Johnny Muzic dead in his office. Johnny Muzic was the executive at the newly-founded NYU-Poly ISIS Records, and has been seen hanging out with known criminals.

Our investigation revealed that the company was about to release a new album by rock star Taylor Shift. During questioning Taylor told the NPP that Johnny had the latest cut of her new album, but we did not find the album anywhere in the office. Additionally, she told the NPP she believes Johnny and his business partner, Vikram Rekorder, have been arguing over her new role in the company.

Vikram can not be found, and is wanted for questioning.

Vikram's aide, Efstratios Gavas, was questioned, but only produced some network data. He knew nothing else. The network data was taken from two separate machines. Therefore, the two times are not synchronized and the relative time between the two is off. However, both datasets are from October 14.

What the NPP needs from your team is a report, not to exceed 5 pages, about who killed Johnny Muzic and why, what happened to Vikram and the album, and any supporting data.

Below you will find links to the data recovered from Johnny Muzic's office computer, and the network. This is all the data you will need to solve this mystery.

Computer

http://isis.poly.edu/~egavas/csaw2009-forensics/jmuzic.tar.gz.torrent

If you have problems with the torrent, you may use the direct link here:
http://isis.poly.edu/~egavas/csaw2009-forensics/jmuzic.tar.gz

Network Data

http://isis.poly.edu/~egavas/csaw2009-forensics/pcap.evening
http://isis.poly.edu/~egavas/csaw2009-forensics/pcap.morning

Additional Evidence

The NPP has discovered a Twitter account which is associated with Mr. Muzic (http://twitter.com/jmuzic09). The NPP believes this is important new evidence and should be considered in your final report.

*VERY* Important Notes

All of the data you will need is either provided above, or available on ISIS controlled machines. You will NOT need to, NOR should you attempt to log into any non-ISIS machines or accounts used in this challenge. Seriously. We cannot be responsible for what might happen, and you will only be wasting time. If you have any questions about whether a machine is within gameplay, or what access is allowed, you may request a "Warrant" from "Judge C. Saw" by e-mailing csaw_forensics@isis.poly.edu.

Thank You

Thanks to Colin Ames from Attack Research and MC from Metasploit for their crucial help developing the exploits. And, of course, Boris Kochergin for being sysadmin to the world. Also, special thanks to Nasir Memon, Beverly Johnson, Erin Newton, Shashikant Tangade, and Joy Colelli for doing all the work to bring this challenge together.

Frequently Asked Questions

Q: What should be in the final report?

A: The final report should be a PDF document that includes: 1) the evidence you found, 2) the tools you used to find the evidence, 3) a timeline of events, and 4) your conclusions.

Q: Is there a standard, or sample, report format for the report?

A: There is no correct format for the report, only that the main report should be a 5 page (max) PDF document with evidence included as a separate appendix or files. You may look at last year's winners as examples.

Q. What can I use to analyze the network data?

A. The network captures are stored in PCAP format, and can be opened with programs such as Wireshark (www.wireshark.org), or other network analysis tools.
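The two captures come from machines whose clocks are not synchronized, and they are classic PCAP files. As an added example (not part of the challenge materials), the following Python reads libpcap records directly, reports each capture's time span so the October 14 date can be confirmed, and computes the clock offset between the two machines from one event that both a trusted clock and the other capture recorded. The sample captures, the 30-minute clock error and the reference event time are all constructed here.

```python
# Added example: minimal classic-libpcap reader (not pcapng); samples are constructed.
import struct
from datetime import datetime, timezone

GLOBAL_HDR, RECORD_HDR = 24, 16   # pcap file header / per-record header sizes

def _byte_order(magic_bytes):
    """Return the struct prefix and timestamp divisor implied by the pcap magic."""
    for prefix in ("<", ">"):
        magic = struct.unpack(prefix + "I", magic_bytes)[0]
        if magic == 0xA1B2C3D4:
            return prefix, 1_000_000       # microsecond timestamps
        if magic == 0xA1B23C4D:
            return prefix, 1_000_000_000   # nanosecond timestamps
    raise ValueError("not a classic pcap file")

def packet_times(data):
    """Epoch timestamps (float seconds) of every record in a pcap byte string."""
    prefix, divisor = _byte_order(data[:4])
    times, pos = [], GLOBAL_HDR
    while pos + RECORD_HDR <= len(data):
        sec, frac, incl_len, _orig = struct.unpack(prefix + "IIII", data[pos:pos + RECORD_HDR])
        times.append(sec + frac / divisor)
        pos += RECORD_HDR + incl_len       # skip the packet bytes themselves
    return times

def capture_span(data):
    """(first, last) packet time as UTC datetimes, to confirm the capture date."""
    t = packet_times(data)
    return tuple(datetime.fromtimestamp(x, tz=timezone.utc) for x in (min(t), max(t)))

def clock_offset(t_ref, t_other):
    """Seconds to add to the other machine's timestamps to put them on the reference clock."""
    return t_ref - t_other

def make_pcap(times, little_endian=True):
    """Build a constructed capture: one 4-byte dummy record per timestamp."""
    prefix = "<" if little_endian else ">"
    out = struct.pack(prefix + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for t in times:
        sec, usec = int(t), int(round((t - int(t)) * 1_000_000))
        out += struct.pack(prefix + "IIII", sec, usec, 4, 4) + b"\xde\xad\xbe\xef"
    return out

# Constructed stand-ins for a morning and an evening capture on 2009-10-14 (UTC);
# the evening machine's clock is assumed to run 30 minutes fast.
OCT14_UTC = datetime(2009, 10, 14, tzinfo=timezone.utc).timestamp()
MORNING_SAMPLE = make_pcap([OCT14_UTC + 9 * 3600, OCT14_UTC + 9 * 3600 + 0.5])
EVENING_SAMPLE = make_pcap([OCT14_UTC + 19 * 3600 + 1800, OCT14_UTC + 19 * 3600 + 1800.25], little_endian=False)
```

If a trusted clock places the first evening event at 19:00:00, `clock_offset(OCT14_UTC + 19 * 3600, packet_times(EVENING_SAMPLE)[0])` gives the correction to apply to every evening timestamp before merging the two captures into one timeline.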

Q. What can I use to extract the tar.gz archive?

A. You can decompress the archive with WinZip (www.winzip.com), or 7Zip (www.7-zip.org) on Windows Systems, or tar using the "-zxvf" options on Linux/Unix Systems.

Q. How do I access the computer once it is decompressed?

A. The file is a VMware (www.vmware.com) image of the machine, a virtual machine. You can access the virtual machine by opening the "jmusic.vmx" file using one of the free software products from VMware (either Player or Server), or the licensed Workstation product (any version greater than 5). You can also use the free 30-day trial version of VMware Workstation (6.5).

Q. Do I have to worry about chain-of-custody, or evidence tampering?

A. No. You may also take advantage of the snapshot feature with the virtual machine.

Q. Can I turn on and log into the virtual machine?

A. Yes, the virtual machine is functionally a seized computer. You may turn it on and even log in for your investigation, but you should take care in doing so.

Q: Is there other information online?

A: Yes, you will find other information online, but you will not need to log in to any non-ISIS computers to access that information. If you have any questions about whether a machine is within gameplay, or what access is allowed, you may request a "Warrant" from "Judge C. Saw" by e-mailing csaw_forensics@isis.poly.edu.

Q. Who should participate?

A. Students who have an interest in math, science, computer science, and technology are ideal candidates for this competition. Each team must have a mentor who is a teacher at their high school.

Q. What types of information should team members be comfortable with?

A. Team members should be comfortable with a variety of forensics topics, including traditional log and file analysis, rootkit detection and analysis, botnet detection and analysis, live system forensics, steganography, and file carving. The challenge is designed to escalate in difficulty as students move through it.

Q. What does each team have to do?

A. At the beginning of the challenge, teams will be given a disk image as well as other evidence collected by the fictitious ISIS Police investigating a fake murder case. As teams make progress in unraveling the forensic evidence, they will discover clues about what happened. The clues will reveal evidence both within the disk image and online. Finalists will use their evidence to compete in the final stage of the forensics challenge on NYU-Poly’s campus before the awards ceremony. Teams will not be responsible for chain-of-custody, and other legal aspects of the investigations.

Q. How will the finalist teams obtain information regarding travel and lodging accommodations for the final competition?

A. Each team's teacher/mentor will be contacted by the YES Center and provided with all necessary information.

Q. Where can a teacher/mentor direct any additional questions specific to the competition?

A. All additional questions and concerns pertaining to the competition should be sent to csaw_forensics@isis.poly.edu.

Q. Where can a teacher/mentor go to look for more information to help his/her student team?

A. Various tools and resources exist online. Here are a few:

2009 Judges

Yalkin Demirkaya, President, Cyber Diligence, Inc.
Oren Hamami, Chief Information Security Officer, Division of Instructional and Information Technology, New York City Department of Education
Amit Rao, Director Product Engineering, NIKSUN