2016 Annual Challenge

The inaugural challenge ran from January 1, 2016 to April 1, 2016. Registration was available on January 1, 2016. Participants were able to register any time during that period; however, contest entries were to be submitted by 11:59PM (ET) April 1, 2016.


Scenario Description

Security engineers running the data loss prevention program for The HiTeK Company believe they have encountered potential data exfiltration of sensitive information from its corporate network. They had incident responders make forensic images of two related computers and capture network traffic around the time of the alleged incident. You are to analyze the evidence and confirm the validity of the security engineers’ statement. The point structure for the challenge will be released to participants upon registration.

Solution

The following PDF contains the solution to the 2016 challenge:

https://s3-us-west-2.amazonaws.com/blacktshirtcyberforensicschallenge/2016-Annual-Challenge-Solution.pdf

Participation

1,012 individuals registered for the 2016 annual challenge. These registrants formed the following number of teams:

Academic category: 184 teams
Corporate category: 59 teams
Individual category: 449 individuals

Registrants came from 42 different countries and 45 states (and the District of Columbia) within the United States.

Registration

The Black T-Shirt Cyber Forensics Challenge is open to any individual or groups containing three or fewer members. Registrants will self-assign themselves into one of three categories at the time of sign-up:

  1. Academic/collegiate (each team may contain one, two, or three persons, who are students at the school. If faculty members wish to form teams, they should register under the Corporate category as they are employees of their institutions.)
  2. Corporate (each team may contain one, two, or three persons)
  3. Individual (solo; if two individuals wish to work together, they should register under the Corporate category.)

Participants may only register once, e.g., a person may not register as both an individual and as part of a group. Participants may not be part of two separate groups.

Schools and companies may have multiple groups compete in the challenge. Each group must register separately.

Participants must register on the contest’s website during the contest dates. After registering, the participants will be able to sign in to the Challenge website, go to the Information page, and download the data to be used in the contest. Participants will also receive the scoring criteria at the time of registration.

Cost

Registration is free. Participants must provide their own tools for analysis.

Rules

  • Participants are free to use any tools or techniques they wish in the course of their forensic analysis; however, the judges must be able to interpret and reproduce the results using publicly available means.
  • Contest entries are to be submitted via email to submissions [at] cyberforensicschallenge [dot] com by the last day of the challenge.
  • Contest entries are to be written in English.
  • Groups of up to three participants may work on the challenge; however, groups should work independently, i.e., multiple groups should not collaborate. There should be no "super teams." Schools and companies may have multiple groups compete in the challenge. Each group must register separately.
  • Individuals who assisted in creating the challenge are not eligible to compete in the challenge.
  • Judges may not evaluate/score the results of submissions from their institution, e.g., the submissions from university X must be evaluated by judges from different institutions.
  • In the event of a tie, the participant/team that made the earliest submission with the highest score will be declared the winner.
  • All decisions by the panel of judges are final.

Winners

Academic Category

First Place
School: George Washington University
Team Name: Cache Only
Team Members: Tarik Hansen, Marysol Torres, and Brandon Austad

Second Place
School: Northern Virginia Community College
Team Name: CMYK
Team Members: Amy Thomas and Immanuel Silva

Third Place
School: University of New Haven
Team Name: UNHcFREG
Team Members: Christopher Meffert, Joseph Ricci, and Ibrahim (Abe) Baggili

Corporate Category

First Place
Team Name: Team MediOGRE
Company: withheld at team members’ request
Team Members: Mihai Criveti, John Sonnenschein, and Marisa Emerson

Second Place
Team Name: Scope-4n6
Company: withheld at the team members' request
Team Members: Lee Chin Sheng, Ahmad Zaidi Said, and Lee Hui Jing

Third Place
Team Name: K35537-Run
Company: withheld at team members’ request
Team Members: Glen Kurtz, Brian Chilton, and Matthew Stucky

Individual Category

First Place
Team Name: THS1
Name: Herman Slatman

Second Place
Team Name: Weltec4n6
Name: Paul Bryant

Third Place
Team Name: WhiteHack
Name: Piotr Stepien

Prizes for the 2016 Challenge

The following prizes will be available to the winners of the contest:

Academic/collegiate

  1. First place
    - Disruptive Solutions will be awarding one paid summer internship (2016) to the individual winner in the academic category.*
    - Demisto will interview the first, second, and third place finishers and select one for a paid summer (2016) internship.*****
    - EC Council iClass Training in cyber security for each team member. The prize will include one year of access to instructor-led training modules, one year of access to e-courseware, and six months of access to iLabs.***
    - Registration for each team member to one of the following MISTI events: Cloud Security World (June 2016), Threat Intelligence Summit (December 2016), or InfoSec World (April 2017)
    - Tickets to Guidance Software's Enfuse Conference 2016 for each team member ****
    - a just-announced USB 3.0 Wiebe Tech write blocker from CRU for each team member
    - one Identity Vector with $100 of service from Kyrus Technology
    - $250 per team
    - $50 of AWS credits for each team member
    - a copy of Practical Malware Analysis, The IDA Pro Book, and Black Hat Python published by the smart people at No Starch Press**
    - a black T-shirt for each team member
  2. Second place
    - $100 per team
    - a copy of Practical Malware Analysis, Hacking: The Art of Exploitation, and The Tangled Web published by the smart people at No Starch Press**
    - a black T-shirt for each team member
  3. Third place
    - $50 per team
    - a black T-shirt for each team member

Industry/business

  1. First place
    - a one-year license of CyFIR with 5 agents from CyTech Services
    - EC Council iClass Training in cyber security for each team member. The prize will include one year of access to instructor-led training modules, one year of access to e-courseware, and six months of access to iLabs.***
    - One LunarLine training course and voucher for a LunarLine certification for each member of the winning team.
    - Registration for each team member to one of the following MISTI events: Cloud Security World (June 2016), Threat Intelligence Summit (December 2016), or InfoSec World (April 2017)
    - Tickets to Guidance Software's Enfuse Conference 2016 for each team member ****
    - a just-announced USB 3.0 Wiebe Tech write blocker from CRU for each team member
    - $250 per team
    - $50 of AWS credits for each team member
    - a copy of Practical Malware Analysis, Black Hat Python, and A Bug Hunter's Diary published by the smart people at No Starch Press**
    - a black T-shirt for each team member
  2. Second place
    - $100 per team
    - a copy of Penetration Testing, Metasploit: The Penetration Tester's Guide and Silence on the Wire published by the smart people at No Starch Press**
    - a black T-shirt for each team member
  3. Third place
    - $50 per team
    - a black T-shirt for each team member

Individual

  1. First place
    - TeelTech RIFF Kit and TeelTech Essentials Workbench Kit for JTAG
    - EC Council iClass Training in cyber security. The prize will include one year of access to instructor-led training modules, one year of access to e-courseware, and six months of access to iLabs.***
    - Registration to one of the following MISTI events: Cloud Security World (June 2016), Threat Intelligence Summit (December 2016), or InfoSec World (April 2017)
    - Tickets to Guidance Software's Enfuse Conference 2016 ****
    - a just-announced USB 3.0 Wiebe Tech write blocker from CRU
    - $500 American Express card courtesy of LunarLine
    - $250
    - $50 of AWS credits
    - a copy of Practical Malware Analysis published by the smart people at No Starch Press
    - a black T-shirt
  2. Second place
    - $100
    - a copy of Steal This Computer Book 4.0 published by the smart people at No Starch Press**
    - a black T-shirt
  3. Third place
    - $50
    - a black T-shirt


Scoring Criteria

The following document contains the criteria that will be used for scoring submissions.

Scoring Criteria
File: https://s3-us-west-2.amazonaws.com/blacktshirtcyberforensicschallenge/Scoring_Criteria.pdf
Size: 120KB
MD5: 7375ce78f77ae8bcbcb5af846393e30c
SHA1: 0888ecf636f5fb8720a9023699e525f4ff609fd9

Data Files

Network Traffic

File: network.zip
Link: https://s3-us-west-2.amazonaws.com/blacktshirtcyberforensicschallenge/network.zip
Size: 114MB
MD5: 7b195292103d94f88341f7178b245a08
SHA1: 58f817bac5c5f3673642cbf136bd41eaa49b565f

Computer #1 - Forensic Image

File: Computer1.E01
Link: https://s3-us-west-2.amazonaws.com/blacktshirtcyberforensicschallenge/Computer1.E01
Size: 1.46GB
MD5: 53ff8a7c786e36824118ccdf5d13cb01
SHA1: 62badc2b2b27095db51408f46931c51ad289dbb3

File: Computer1.E02
Link: https://s3-us-west-2.amazonaws.com/blacktshirtcyberforensicschallenge/Computer1.E02
Size: 1.46GB
MD5: 25597e820a19693aded202f3b0300f93
SHA1: 4eb10332a7876e39d8153624d7d365b67ccf6630

File: Computer1.E03
Link: https://s3-us-west-2.amazonaws.com/blacktshirtcyberforensicschallenge/Computer1.E03
Size: 1.46GB
MD5: 0b38a0e41c5b65aa320f1d02647800e6
SHA1: b7d9f4d5fab03e30c21a2bb845bb6052c38b480a

File: Computer1.E04
Link: https://s3-us-west-2.amazonaws.com/blacktshirtcyberforensicschallenge/Computer1.E04
Size: 1.46GB
MD5: f5297dc535f91666a6dbc34aaca330b0
SHA1: 32d20dfd9218cc03dd6ac2a936aa1d8192613a91

File: Computer1.E05
Link: https://s3-us-west-2.amazonaws.com/blacktshirtcyberforensicschallenge/Computer1.E05
Size: 1.46GB
MD5: 73c2a071afec76079f7eb9fa64409332
SHA1: fff112b45673b759d950ff0fa8e240adfbf5cd77

File: Computer1.E06
Link: https://s3-us-west-2.amazonaws.com/blacktshirtcyberforensicschallenge/Computer1.E06
Size: 1.46GB
MD5: f729bf6a150e881222cb93178db12d0f
SHA1: 5d1b4c35a28edd43d48ae2c2a290f89a055632c8

File: Computer1.E07
Link: https://s3-us-west-2.amazonaws.com/blacktshirtcyberforensicschallenge/Computer1.E07
Size: 1.46GB
MD5: 82359df946afb8a48e3cf0d5f0b1dde6
SHA1: 7493f7b667f2f305452bb3fd874688c6923eda9e

File: Computer1.E08
Link: https://s3-us-west-2.amazonaws.com/blacktshirtcyberforensicschallenge/Computer1.E08
Size: 153MB
MD5: 1c6b0be65195109c77d18436e2846eeb
SHA1: 85e88b711c089fe8635a68e68438e32bf3790ac3

Acquisition Notes
File: Acquisition_Notes_Computer1.E01.txt
Link: https://s3-us-west-2.amazonaws.com/blacktshirtcyberforensicschallenge/Acquisition_Notes_Computer1.E01.txt
Size: 1.55KB
MD5: 687b5045409f1a6c877e3eceb4f202f8
SHA1: d1a27dbf2765ff4d5cbc0e2794ea7843be719479

Computer #2 - Forensic Image

File: Computer2.E01
Link: https://s3-us-west-2.amazonaws.com/blacktshirtcyberforensicschallenge/Computer2.E01
Size: 1.26GB
MD5: 762f3742c81aa0d3017674c2083f1e97
SHA1: 0664c64558b5e2c129509d446123aecde2fa07af

Acquisition Notes
File: Acquisition_Notes_Computer2.E01.txt
Link: https://s3-us-west-2.amazonaws.com/blacktshirtcyberforensicschallenge/Acquisition_Notes_Computer2.E01.txt
MD5: 385d398c50dc97f262abdbb664714f43
SHA1: 3cf42ec3a5f100ec1d93a20cbae8d2682fa06a81

* The candidate must meet the standard hiring qualifications of Disruptive Solutions, be a U.S. Citizen, and successfully complete the interview process. The internship will be on-site in Northern Virginia, U.S.A.
** Teams will be awarded one book per team member, e.g., if your team has one member, then you will receive one book; if your team has two members, you will receive two books; if your team has three members, you will receive three books.
*** EC Council training would be limited to the following courses: Certified Ethical Hacker, Computer Forensics Investigator, Certified Security Analyst, Certified Incident Handler, and Certified Secure Programmer.
**** Winners will be responsible for transportation and will agree to stay in the room block associated with the conference.
***** The candidate must meet the standard hiring qualification of Demisto. The internship will be compensated $6,000 per month. The paid summer internship will be on-site in Cupertino, California, U.S.A.