What/Why a CTF?

Cellebrite’s Capture the Flag event is a great way for the Digital Forensics and Incident Response (DFIR) community to come together and challenge themselves.

Whether you are new to DFIR or a seasoned veteran, this CTF has something for everyone. The challenges were written so that some are easier, and some are extremely challenging, but not impossible.  

We want you to have fun and enjoy the effort we put into creating solid data sets for you to use even after the challenge ends for testing and validation. It is OK to not be able to answer them all, just do the best that you can.

Timeframe

Registration is now open.

From the moment you register, you will gain access to the datasets that must be downloaded and processed prior to answering the CTF challenges.

For this event, we will be utilizing the same old dataset from 2021 which is also available through NIST CFReDS – the password for the datasets is: 02DB2ECE91DB67E8FA939FC3DC15D16B 
and is the same password for all zip containers.

The CTF officially kicks off at 12:01 EDT on Monday, May 23rd and runs through 23:59 EDT on Thursday, May 26th – which is when we will call the winner
(we will keep the platform open until the following Monday, May 30th at 23:59 EDT for those who would still like to play outside the competition)

The datasets

Upon registration, you will be able to download the 4 datasets required to start the CTF.

These are the same datasets we set in 2021 – so making it a bit easier. The datasets are also available on our new CTF Community Group. Due to sizing, some images are split into multiple zip files for easy download. Make sure you put the zip (001, 002, 003…) files into the same directory for unzipping.

If you experience issues, please reach out to ctf@cellebrite.com.

Ready Player One – The CTF has all the information you need after you register, as stated above.

Once the CTF starts and you are logged in, you will see the challenges categorized by the 4 datasets.

Preparing for the CTF:

You will need to download the forensic extractions of the 4 devices. Use the above password to extract the images from the zip files, per the instructions above. There is only one password for all zip files.

If you already have Cellebrite Physical Analyzer and Inspector, you can start processing the data. Two of the datasets are large and may take additional time.

If you do not have an active license or need a personal license, please log in to the Cellebrite Community and go to the Products & Licenses page and click on Start a trial.

After you download and install Physical Analyzer, you can follow the instructions to generate your license.

Questions and Answers

Most questions are readily available; however, you will find you need to answer some to unlock others.  Read each question carefully as you will not get unlimited attempts to answer. Make sure you note the format provided.

Unless otherwise specified in the answer, the text will be case insensitive. Timestamps should be provided in UTC unless otherwise specified in the question. Dates should be entered in YYYY-MM-DD HH:MM:SS format.

Scoring

There are three levels of questions and the points are listed accordingly.

  • Level 1 – 10 points each
  • Level 2 – 20 points each
  • Level 3 – 50 or 100 points each

HINTS may be provided for Level 1 and Level 2. Keep in mind, that you will lose points for using hints. Level 3 has NO hints!

Winners

Winners will be announced on Friday, May 27th from the Cellebrite Twitter and LinkedIn accounts. We will be selecting 5 individuals as winners. Winners will be awarded a Cellebrite CTF challenge coin.

Need Hints?

We realize some of you may be new to Cellebrite and DFIR.

The CTF team will be providing hints daily starting May 23rd on Twitter and LinkedIn and if you know some of the team members – they might be tweeting some secrets as well so make sure to follow us.

For those who need instructions or help on leveraging Cellebrite Physical Analyzer in an examination, please check out the following resources:

For issues, you can reach out to ctf@cellebrite.com

Share this post