DFRWS EU 2021 Forensic Rodeo

Welcome to the DFRWS EU 2021 Forensic Rodeo

The DFRWS Forensic Rodeo is a friendly, but fierce, capture-the-flag style forensics competition held during and after the conference dinner at the DFRWS EU conference. Attendees can participate in teams. This page explains the context, the challenges and the results of the 2021 rodeo.

The rodeo was held on the evening (19:00 British time) of March 30, 2021 at the DFRWS EU 2021. It lasted about 90 minutes. Since the conference was run online, the rodeo was also be run as a full online event.

Rodeo Organizers: Felix Freiling, Janine Schneider and Linus Düsel (all from Friedrich-Alexander-Universität, Germany) with support from Freddie Barr-Smith (Oxford University, UK) and Lena Voigt (FAU).

Keywords

Disk forensics, evidence tampering, browser and application forensics, browser artifact analysis

Results

(Update April 7, 2021) Congratulations to the team Kiki from University of Lausanne (Xavier Burri, Francesco Servida, Hannes Spichiger, Adrien Vincart and Tim Bollé) for winning the rodeo with a fantastic score of 76 points and all challenges solved within about 1 hour! Well done also to team8 (Aurélien Thierry) for also solving all challenges correctly and scoring 72 points playing solo. With last minute effort jumping to third place during the final minutes also congratulations to the team JimmyThreePockets (Jan-Niklas Hilgert and Martin Lambertz) with a score of 34 points.

We have provided the decryption keys for the challenges below if you want to have a look at them after the rodeo.

We will also prepare an analysis of the data collected during the rodeo and share the insights with the community soon.

Instructors wishing to use the challenges in digital forensics trainings can get access to the correct results (forgery/original) by contacting one of the organizers.

The Fictitious Scenario

On the afternoon of November 5, 2019, the German police seized the personal laptop computer of Markus Maier during a search of his flat. Based on credible statements by several witnesses, the police have a strong suspicion that Markus Maier had accessed websites containing illegal material and downloaded illegal files to his laptop computer. During the search, the forensic computing unit of the police shut down the running computer in a controlled manner and transported it to their forensics lab where a bitwise 1:1 copy was produced.

The illegal website in the context of this case is the entry on rhinoceros of the German Wikipedia (https://de.wikipedia.org/wiki/Nashörner). The machine is running Ubuntu Linux 18.04.03 using an ext4 file system and a standard Mozilla Firefox browser installation.

Unfortunately, the police officer in charge of handling the evidence turns out to be a personal friend of Markus Maier who has had full access to the hard disk and the motivation to help the perpetrator by removing incriminating data from the disk image without raising suspicion.

The Fictitious Task

You are given the disk image of Markus Maier’s laptop. The police requests answers to the following two questions:

Has the website https://de.wikipedia.org/wiki/Nashörner been accessed between October 20 and November 5, 2019?
Were pictures downloaded from https://de.wikipedia.org/wiki/Nashörner onto the computer between October 20 and November 5, 2019?

Because of the situation, there might be the possibility of evidence tampering (i.e., a post-mortem manipulation of the main disk image).

The Rodeo

During the rodeo, you will receive a sequence of “alternative” disk images of Markus Maier’s machine that correspond to different things that could have happened in the past. Some of the disk images are from a machine that neither accessed the „illegal“ Wikipedia page nor downloaded images of rhinos from there. These images are called “originals”. However, some of the disk images are from a machine that accessed the website and had downloaded rhino images, but these disk images were subsequently tampered with after they were created with the intent to appear that no illegal activity had occurred, i.e., to appear the Wikipedia page on rhinos had never been accessed. These disk images are called “forgeries”. With every disk image you receive, there is equal chance of receiving an original or a forgery.

For every disk image you analyze, your team needs to give one of two answers:

An answer of YES means that the image is a forgery, i.e., there were traces of illegal activities on the disk but they have been removed post-hoc.
An answer of NO means that the image is an original, i.e., there were never traces of illegal activities on the disk and the images have not been modified post-hoc.
Together with your result you need to give a level of confidence.

Scoring

Every correct answer scores positive points, every wrong answer negative points. The amount of points depends on the level of confidence. Highly confident answers score considerably more points than ones with low confidence. Let r be the result (correct = 1, incorrect = -1) and c be the level of confidence (very unsure = 0, unsure = 1, sure = 2, very sure = 3) for a particular disk image. Then the number or points awarded is calculated as r * 2^c. For example, a very unsure correct result scores 1 point while a sure incorrect result scores -4 points.

The team score is the sum of all points for every solved disk image. The team with the most points wins.

Note that during the rodeo for every team only the number of solved challenges is shown in order to prevent inference about the the correctness of submitted results.

How to Prepare

Download the set of disk images beforehand from this location. The file contains 10 images (average compressed size 3.7 GB each, total size 37 GB) that are zipped and encrypted with random keys. During the rodeo you will receive the keys. You can also download individual images separately from this location, but don’t expect to be able to do that on-the-fly during the rodeo. (Zip archives also contain a sha256 hash and the results of running the foremost file carver on the image.)
Bring the tools you need to the rodeo. Suggestions for typical analysis environments are Kali Linux (you may want to look at pre-configured virtual machines where many analysis tools are pre-installed), typical open source analysis tools for hard disk images are The Sleuthkit and Autopsy, an SQLite file browser (like DB Browser for SQLite) and a browser cache analysis tool (like MZCacheView by Nirsoft).
Form teams before the rodeo and register your team at the rodeo CTF server (which is offline now). To register, you need to name a team captain (and give an valid email address) and enter your team name, the size of your team (number of persons) and an estimation of the expertise of the team.

FAQ

How do I decrypt an image archive, e.g. file 1454.zip?
The image archives are encrypted using the standard pkzip algorithm which is supported by most compression programs like Winzip or 7zip on Windows and zip or 7zip on Linux. To decrypt the archive, simply invoke the unzip operation and enter the key interactively. Decryption should take between 3 and 7 minutes.
How long does decryption of an image archive take?
Be prepared that decrypting and unzipping an archive file takes between 3 and 7 minutes, depending on the machine you are working on.
Is there a limit on the size of the teams?
No. Teams can be any size. When registering a team, you have to name a team captain, give a valid contact email address and state the number of team members. The team captain is responsible for entering the answers on the rodeo web site.
How large are the individual disk images?
Disk images are encrypted and zipped. Zipped images have a size of around 3.7 GB each. Unzipped disk images have a size of round 10 GB.
Where can I download the files?
Make sure to download the images as a single file (37 GB) or two files (file1 and file2) of 18 GB each. Individual images are accessible here from this location.
Do all team members need to download the disk images?
No. As long as one team member has access to the data and can work on behalf of the other team members, that’s fine. During the rodeo, teams will have the possibility to join a separate breakout room on the conference site to coordinate their activities. Alternative collaboration models are also allowed.
What does an individual zip file contain?
Each image zip file contains (1) a raw disk image that can by analyzed using tools, (2) a sha256 hash of the image for you to be able to check integrity, and (3) the output of running the file carver foremost with standard options (subdirectory xxxx_foremost_output/) to spare you from performing file carving during the rodeo.
Are there any restrictions on the tools used?
No, you can use any tool you like for the analysis. A typical analysis environment is Kali Linux (where many analysis tools are pre-installed), typical open source analysis tools for data on hard disk images are The Sleuthkit and Autopsy, an SQLite file browser (like DB Browser for SQLite) and a browser cache analysis tool (like MZCacheView by Nirsoft). You can also use and run a file carver like foremost but since this takes a long time, the results of running foremost have been precomputed are are provided along wth the disk images.
I need to do file carving during the rodeo, but this takes a long time and isn’t possible – that’s unfair!
For each individual disk image, we also provide the output of running the file carver foremost with standard options (= no options) in the subdirectory xxxx_foremost_output/ within every zip file.
Are teams allowed to analyze multiple disk images in parallel?
No. One goal of the rodeo is to measure the effort/time it takes to identify a forgery. If teams analyze multiple images in parallel, we have no means to compute this effort. The game server of the rodeo will hand out new keys only if you have entered the solution of the previous image.
How long does the rodeo last?
We are expecting around 90 minutes „playing time“ of the rodeo. The rodeo will be followed with a short debriefing and a prize ceremony.
I can’t see the scores during the rodeo. Where are they?
During the rodeo we will only show the number of challenges that each team has solved. The final scores will be shown only after the rodeo has ended. This prevents any information about the correctness of submitted answers leaking during the competition.
I want to check the integrity of the downloaded files. Where can I find them?
Here’s a list of the sha256 hashes of the files:
- all_images.zip: <computer crashed while computing, so trust us …>
- half1.zip: 822d1732b299f94985603a8ca0154d8ee2dee6fc419f6c6b3df859ffacc922f6
- hal2.zip: 1c4ce7fdc2f520efea55d189a5172a7eb4d49e17950c9827304ba56146b8465a
Can you provide links to individual images?
Yes of course, here you are (sha256 sums of decrypted and unzipped images are also given):
- 1454.zip (492a443b72cc27c3134337a7c3cda950fa8de10330696bc684452f818ff1842b)
- 1676.zip (773fa583992c64415a060d1a7ddb7a0ff88315e7f474dc4e9b020ebb84245cab)
- 2641.zip (034f044fec5b6012c1afe94750086345115a05ec460c342200adf3ef991b0416)
- 3492.zip (2ea73ac362d5776b615110130c461eb90ef920454d96f1799c6680f28bad9878)
- 5164.zip (e1c74c259bbc7d944f63aae363b844f49a43097ba2f9c06513c191e8db96fd23)
- 5770.zip (1f0045f6ea50897f61dd1665d5e3b33fbee5afd5b902bd5a424751b9a9562cca)
- 6298.zip (851da0fd9884ca6a8b11bbbd77561e7fe16008f540b56d6d93cc1ffdc01236b3)
- 6960.zip (d4db47f9605886c73052fdfc0cc8bcfda49522034392688a8c98aa2a1248301b)
- 8028.zip (d45b1ecfe5a5b0465efdca1719c0fe523e326b473ec4b8e7d1bad6f64fea1fb9)
- 8127.zip (c456fee41de4b2c4314c3188a1b7621dcd8295c943b2bf9cce0accd8494d637f)
Can you provide the keys to decrypt the individual zip archives after the rodeo ends?
Yes of course:
- 1454.zip → EZw(j?WL
- 1676.zip → VhB},C.R
- 2641.zip → zNT_Gru$
- 8028.zip → <ZS=wVnw
- 5164.zip → r&!FKC6k
- 5770.zip → NG2?<uAv
- 6298.zip → tGb4Mec(
- 6960.zip → zpqn(aAJ
- 3492.zip → BG{G8Kdk
- 8127.zip → !URrRSX!

Thanks

Thanks go to the students of the course on Advanced Forensic Computing at FAU during the winter term 2019/20 and 2020/21 for preparing the forgeries.