Digital Forensics 101: The Value of ‘Capture the Flag’ Events
co-authored by Paul Lorentz, Senior Solutions Engineer, Cellebrite

Law enforcement officers and forensic examiners are constantly brushing up on old skills or learning new ones. Training can be enjoyable, but it’s also work. “Capture the Flag” competitions offer a good opportunity to have a lot of fun and learn new cybersecurity and digital forensics skills, in a way that may not seem much like work at all.

At Cellebrite, we recently wrapped up our third annual Capture the Flag (CTF) event, welcoming about 1,600 people to solve both simple and complex problems relating to digital forensics. We say both “simple and complex” because we create a range of problems for people at every level of digital forensics.

If you’re just learning about the field, Capture the Flag is a great place to start and offers a supportive and collegial community. Here’s what you need to know about the CTF world.

What is a Capture the Flag event – and what does that name mean?

CTF events take their name from the outdoor game in which teams compete to capture a physical flag from each other’s territory. In cybersecurity CTFs, the “flag” is a secret string hidden in a deliberately vulnerable program, file, or service. In jeopardy-style events, players solve a set of independent challenges and submit the flags they find; in attack-defense events, each team also has to keep its own computers or network services running and protected against the other players while attacking theirs.

The competitions are intended to be a learning exercise, with competitors as well as winners sharing their approaches to meeting the objective. Participants can work on their own or create teams – a great way to boost learning with a group of law enforcement officers.

In our digital forensics world, we approach Capture the Flag a bit differently. Competitors download datasets in which a piece of information – such as a photo or a text message – is hidden, and the flag is the answer to a question about that data. In Cellebrite’s most recent CTF event, which ran in May 2022, there were four datasets with about 40 associated questions that participants had to answer. The scenarios included data from Android and iOS devices, as well as a computer.

How difficult are Capture the Flag competitions, especially for newcomers to digital forensics?

Most CTF event planners, like our team at Cellebrite, offer challenges at every level. It’s important that beginners have some challenges to tackle since this is first and foremost a learning event. The questions get tougher as the competition goes on.

For example, the first question might address a hard disk you’ve taken from a suspect’s desktop computer: What is the serial number of the disk acquired? In this case, the “flag” is serial number 170615BA93CC – and you’d have to know that the serial number is recorded in the acquisition log the imaging tool wrote alongside the image, not in the image itself.
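The following is an added example, not part of the original column or any Cellebrite tool: it pulls the serial-number flag out of an acquisition log and, because an examiner should never answer questions about an image whose hashes no longer match its log, recomputes the recorded hashes first. The log text and the three-byte stand-in image are constructed for this example (the field names are only loosely modelled on the text log that disk imagers write beside an image); the serial number is the sample flag from the column.

```python
"""Answer a 'disk serial number' CTF question from an acquisition log and
verify the image hashes recorded in that log before trusting the image."""
import hashlib
import re
from typing import Dict, Optional

# Constructed acquisition log. It is not a real tool's output; the field
# names are loosely modelled on the text log disk imagers write next to an
# image. The serial number is the sample flag from the column; the hashes
# are those of the three-byte stand-in image below.
ACQUISITION_LOG = """\
[Physical Drive Information]
 Drive Model: Example Model 1TB
 Drive Serial Number: 170615BA93CC
 Drive Interface Type: SATA

[Computed Hashes]
 MD5 checksum:  900150983cd24fb0d6963f7d28e17f72
 SHA1 checksum: a9993e364706816aba3e25717850c26c9cd0d89d

Image Verification Results:
 Verification passed.
"""

# Stand-in for the acquired image. It is the well-known test string "abc",
# so the hashes in the log above are the standard MD5/SHA-1 test vectors.
# A real image would be read from the .E01/.dd file on disk instead.
IMAGE_BYTES = b"abc"

# One 'Key: value' pair per line; section headers like '[Computed Hashes]'
# and lines without a colon do not match.
_FIELD = re.compile(r"^[ \t]*(?P<key>[A-Za-z0-9 ]+?):[ \t]*(?P<value>.+?)[ \t]*$", re.M)


def parse_acquisition_log(text: str) -> Dict[str, str]:
    """Return {key: value} for every 'Key: value' line. Keys are lower-cased
    so lookups do not depend on the imaging tool's capitalisation."""
    return {m["key"].strip().lower(): m["value"] for m in _FIELD.finditer(text)}


def disk_serial(fields: Dict[str, str]) -> Optional[str]:
    """The CTF flag: the serial number the imager recorded for the source drive,
    or None if the log has no such field."""
    for key in ("drive serial number", "serial number"):
        if key in fields:
            return fields[key]
    return None


def verify_image(fields: Dict[str, str], image: bytes) -> Dict[str, bool]:
    """Recompute the hashes the log records and report which ones match.
    An image whose hash differs from the log is not the evidence that was
    acquired, so no answer read from it can be trusted."""
    results: Dict[str, bool] = {}
    for algo, key in (("md5", "md5 checksum"), ("sha1", "sha1 checksum")):
        if key in fields:
            computed = hashlib.new(algo, image).hexdigest()
            results[algo] = computed == fields[key].lower()
    return results


if __name__ == "__main__":
    fields = parse_acquisition_log(ACQUISITION_LOG)
    print("hash verification:", verify_image(fields, IMAGE_BYTES))
    print("flag (disk serial):", disk_serial(fields))
```

The verification step is the one newcomers tend to skip: the flag here lives in the log, but every later question is answered from the image, and the log's recorded hashes are the only thing tying that image back to the drive that was acquired.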

If you knew how to solve this challenge, don’t get too confident just yet: The questions become tougher, and the datasets more complex! Consider this one, which accompanies a dataset taken from an iPhone: The suspects used an app that hides data (photos/video/contacts) behind an ordinary calculator. Provide the iCloud address used to purchase this app. (The route to the answer: locate the iCloud account that has been configured on the device.)

Is special software needed to take part in a CTF event?

For most events, participants are pointed toward free downloads of software, or are given a time-limited license to use commercial software for the duration of the competition. We use the demo-license approach at Cellebrite, providing access to our products to help participants solve the challenges.

The National White Collar Crime Center (NW3C)’s weekly Digital Forensics and Incident Response (DFIR) Capture the Flag competition directs competitors toward open-source tools that can be used on Windows, macOS, and Linux.

How much time is needed to participate in a CTF event?

The competition timeline will vary by event. In some CTF events, there’s only a single question to answer every week. We like to keep the Cellebrite CTF limited to a few days, going at a very fast pace – it’s a sprint to the finish line. To us, that’s more of a real-world scenario, such as in a child kidnapping case where you’d have to work as fast as possible to find a key piece of evidence.

Can participants get help if they need it?

CTF events are competitions, but friendly ones. In most events, you’ll find a healthy dose of information-sharing, because in the end, capturing that virtual flag is all about learning the many ways to find the data you need – and, back at work, resolving investigations faster.

For Cellebrite’s Capture the Flag event, we offer starter guides for first-time participants, including questions and answers from previous CTF competitions. In the past, we’ve also dropped some helpful hints on Cellebrite’s LinkedIn and Twitter accounts. We also give participants access to online groups where competitors are sharing strategies for solving problems quickly.

What do participants get out of their CTF experience?

The top winners in our CTF events get challenge coins. But everyone taking part should walk away feeling like they had a good time and also leveled up their digital forensics skills. They’ll get some experience using different digital tools. They’ll also learn how other people and teams solved the challenges. The sharing is what makes the event so valuable.

If you’d like to learn more about our Capture the Flag events, go to www.Cellebrite.com and search for “CTF.”

Forensic’s monthly column, Digital Intelligence in the 21st Century, is authored by Heather Mahalik, Senior Director of Digital Intelligence at Cellebrite. With over 18 years of experience in digital forensics, Mahalik has been an expert of choice for many law enforcement and intelligence agencies. She has worked high-profile cases from child exploitation to Osama Bin Laden’s digital media.