DC3 2010
DC3 2k10 is here again, and team NSSAL will be participating again this year. I was a little disappointed in our overall ranked performance last year, but the challenge numbers are a little misleading. The 2008 challenge was composed of discrete components, whereas 2009 was an investigation – we solved the investigation, but there is only so much time you can spend beating a dead horse for more points once a case is solved.
I’m pleased to say this year our team will have fewer distractions and we’ll even all be in the same city this go around. I’m due to pick up the challenge data this weekend, but first appearances seem to indicate 2010 will be closer in format to 2008. Obviously, with the DC3 I cannot comment about the challenge itself until the end, but I hope to have another good write-up on our entry when everything is over in December.
DC3 2009
The results for the 2009 challenge are due in 6 days. This year there were 1153 entries with 44 submissions, a slightly lower rate of return than last year. The challenge format was different this year. Last year’s format was a set of discrete problems at various levels of difficulty with some of the higher difficulty problems being more complex forms of the lower problems. This year the challenge was a simulation. We received a case file with information from the investigators and a type of work order for what we were to investigate. The challenge data was a single hard drive image from a system used by the suspect.
Evidence was located in a variety of places from simple chat logs to the Windows registry. There were some red herrings along the way including files from previous years, but all in all it was a decent challenge. Some of the documents felt rushed, such as the case file still having track changes enabled, but given the difficulty in constructing believable simulations I cannot call the DoD to task overly much.
Below the fold is our primary report for the challenge we submitted earlier in the month. The full report including the registry report, the evidence files, and so forth will likely be released when the results are announced as they were last year. If DC3 does not release them, I will post a copy for download if anyone is interested.
DC3 Countdown – 4 days to go
Just a short update. I’ve been busy working away at the final touches on the DC3 2009 submission. 4 days to go until the deadline, then I’ll be posting a summary of our findings!
DC3 – Digital Forensics Challenge 2009
Team NSSAL met Tuesday to digest the DC3 challenge packet for 2009. The 2008 challenge was a more structured series of well-defined tasks split up into categories and difficulty levels; the 2009 challenge is set up to mimic a real investigation. We were provided with some documentation regarding seized evidence, and an affidavit submitted to obtain the warrant. The scenario centers around an individual purporting to be highly skilled at hiding his data, so we are preparing to encounter all the techniques from last year’s challenge in the current one, but in a realistic application scenario. Thankfully we have a tool belt of tools we used (and some we built) from last year to meet the challenge head on.
I will not be blogging about any specifics of our findings while the challenge is going on, but do expect a full write-up at the end. I did want to mention I will be using the early alpha builds of Black Friar in the course of the challenge. I have indexed the drive image we were provided with using Black Friar, and from some initial triage it looks to be working quite well. Expect specific details on how it performed in the challenge when the time comes.
DC3 2008 again
The university slipped a page about team NSSAL and the 2008 DC3 challenge into the spring edition of the university magazine. We’re on page 19 (21 in the PDF). I should probably do a debrief of the challenge from last year. It was a grab bag of interesting and trivial problems, but overall it was pretty solid. We just got the data packet for the 2009 challenge, and we’ll actually be meeting Tuesday about it – from the description this is looking to be a stego challenge. I really hope there is some brute-force work to be done; I just got some credits on the supercomputer and I’m dying to burn them for password cracking.