
Why a CTF?

The annual Cellebrite Capture the Flag event is a great way for the DFIR community to come together and challenge themselves. Whether you are new to DFIR or a seasoned veteran, this CTF has something for everyone, with questions ranging from easy to highly challenging—but not impossible.  

We want you to have fun and enjoy the solid data sets that we have created, ones you can use after the challenge for testing and validation.

It is OK to not be able to answer them all; just do the best that you can.

Registration and Timeframe:

  • Once registered, you will gain access to the datasets that must be downloaded before answering the CTF challenges.

Important Note: Your email must be verified to play. If you are emailing from a non-work email, please introduce yourself with an X (Formerly Twitter) account, LinkedIn account, or other mode of verification to show that you are not a bot.

The CTF Timeframe:

  • Competition starts: 12:01 AM EDT on September 20
  • Competition ends: 11:59 PM EDT on September 27

Ready Player One:

  • The CTF site has all the information you need after you register, as stated above.
  • After confirming your email, you will be taken to the CTF site and will have the option to either Create a Team or Join a Team.
  • Teams are limited to 3 people, and you will need to know the Team Name and Team Password to join an existing one.

Once the CTF starts and you are logged in, you will see the challenges categorized by 4 datasets.

The 4 Datasets:

  • Upon registration, you will be able to download the 4 datasets required to start the CTF.
  • The password to the datasets is M0@r_c0WB3L1!!
  • This year we are providing two Android extractions and two iOS extractions. If you experience issues, please reach out to ctf@cellebrite.com.

Now that the administrative details are out of the way, allow me to introduce you to our suspects. Simply click their names to access the datasets.

Abe

Felix

Russell

Sharon

For verification purposes, here are the MD5 values for each of the downloads:

  • CellebriteCTF23_Abe_.zip: E6AACE42D05F400889BC9B9BE31CEB46
  • CellebriteCTF23_Felix.zip: 996A913B1301AB011CA7DD8CA93A9400
  • CellebriteCTF23_Russell.zip: DC5C077DBD2C2DF6C644473447DE092B
  • CellebriteCTF23_Sharon.zip: C94AB827D5AF5ED22A394FD45D676DE3

Support and Chat:

Questions and Answers:

  • Most questions are readily available; however, you will find you need to answer some to unlock others.
  • Read each question carefully as you will not get unlimited attempts to answer.
  • Make sure you note the format provided. Unless specified in the answer, the text will be case insensitive.
  • Timestamps should be provided in UTC unless otherwise specified in the question. Dates should be entered in YYYY-MM-DD HH:MM:SS format.

Scoring:

There are three levels of questions, and the points are listed accordingly.

  • Level 1 – 10 points each
  • Level 2 – 30 points each
  • Level 3 – 50 or 100 points each

HINTS may be provided for Level 1 and Level 2. Keep in mind that you will lose points for using hints. Level 3 has NO hints! Points may be awarded to players who are active on social media during the CTF. We want to see your posts!

Winners:

  • Winners will be announced on September 28.

Prizes:

  • Winners will be awarded a Cellebrite CTF challenge coin.
  • The top scorer will win a Cellebrite training class.

Preparing for CTF 2023:

  • Download the provided datasets and ensure you have enough space on your machine to process and work with the datasets*.
  • When processing the extractions, we recommend you leverage the additional enrichments available in PA Ultra.

HINT: Watch Tip Tuesday and Heather on YouTube Live to learn how to load cases into PA Ultra.

  • For those without a Physical Analyzer Ultra license, we are giving a fully functional (time-limited) license and access to the software, once we validate that you are not a bot.*

*Important note: The PA Ultra version provided for the CTF has usage statistics enabled. General information about extractions and features used will be reported back to Cellebrite. Case-specific information like keywords searched or PII from devices will remain confidential. If this version is used after CTF, it will continue to report usage statistics.

Usage statistics help us improve our products to better align with your needs. Enabling this feature in your production environments is encouraged.

Need Hints?

We realize some of you may be new to Cellebrite and DFIR. The CTF team will be providing hints daily starting September 20 on X (Formerly Twitter) and LinkedIn, so make sure to follow us.

For those who need instructions or help on leveraging Cellebrite Physical Analyzer Ultra in an examination, check out the following resources:

Ask The Expert: Learn how to leverage and maximize Cellebrite solutions.

Cellebrite Blog: Dive into key topics of interest.

Tip Tuesday: Discover weekly tips provided by Heather Mahalik.

For issues, you can reach out to ctf@cellebrite.com.
