Gamifying Digital Forensics: Surprises, Takeaways and Knowledge Gained in Annual CTF


A romantic getaway on the high seas turned tragic and you have just one week to parse through a lot of digital evidence to crack the case.

It’s both fun and a challenge, and it’s what made up Cellebrite’s 2024 Capture the Flag (CTF), an annual competition designed by digital forensic experts who spend months setting up a real-world scenario. Players analyze files, logs and disk images and solve challenges to collect “flags,” pieces of information hidden within the datasets provided during the game.

When we write the questions, it really taps into your mindset as an examiner in a different way than working forensic cases because you are trying to build the whole view for someone else.

The Scenario

Three of the characters in this year’s storyline, Sharon, Felix and Russell, were back for more action. Last year, Abe took the fall for crimes committed with Russell, Sharon and Felix. Since then, Sharon and Russell have been working to rebuild their reputations and stay out of trouble, thriving at Howie Dewitt, LLC, a top-tier marketing firm.

When Russell introduces Otto to Sharon at the Techno Security conference, the two hit it off and later embark on a Disney cruise. Tragically, Otto goes missing on the trip. What went wrong? Did he go overboard? But then, his device mysteriously reactivates 10 days later. In August, Sharon, “Otto” and Russell travel to Salt Lake City, where events take a turn for the worse. Meanwhile, Felix is arrested in France for possession and distribution of U.S. government documents. What a whirlwind of a summer!

Lessons Learned from the Data

The 2024 dataset was ideal for capturing a true, holistic view of what the forensic data looks like when one person is trying to be two people at the exact same time. It turns out it’s impossible. When one person has these two devices in the same place, there must be slight differences. If I am texting on the iPhone, I can't be texting at the exact same time on the Android. You can only be doing one thing at a time. A good example is taking a picture with one device, then taking a picture with the other, yet the other device is still tracking the location in the background. What you have is foreground activity that puts the user behind the keyboard, and then you correlate it with the background activity.

AI’s Role in CTF

AI played a role in that attempted dual role, as I used ChatGPT to help me appear to be a 40-year-old man on Otto’s device. The biggest surprise was how easily Cellebrite’s AI-powered Physical Analyzer, our decoding solution, parsed ChatGPT as conversations. We anticipated it would be a challenge and that you would have to go into a database and dig it out manually. Yet it was all put right there, just as a conversation between a chat bot and a human. It was disappointing for the contest because it presented a lack of a challenge for our contestants, since every single thing I asked and every single response it gave me was parsed as messages.

An Education on Images, Time Zones and Power

Images were a huge part of our questions. Something we found on Android 14 is that the location artifacts are not immediately available in the videos. You have to look at the metadata of the video to see the truth. It's not in the forefront like it used to be.

Time zone offsets really confused people and opened our eyes to the lack of understanding. We have an I Beg to DFIR webinar all about time zones, and a cheat sheet in our user community, The 101, that’s a handy reference. We intentionally traveled the world with these devices, and it’s clear people need to educate themselves and learn more about time zones.
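The two lessons above (one user cannot be hands-on with two devices at the same instant, and timestamps must be normalized across time zone offsets before you compare them) can be turned into a small, self-contained check. The following Python script is an added example written for this post; it is not Cellebrite code and does not use the CTF data. The device names, event kinds, timeline and the 30-second "hands-on" window are all constructed assumptions. It normalizes each record to UTC, then flags foreground events on different devices that fall within the window of each other, and shows that the same comparison made on raw wall-clock times (offsets ignored) misses the overlap entirely.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed categories: foreground activity needs the user's hands on the
# device; background activity is something the OS does on its own.
FOREGROUND = {"sms_sent", "chat_sent", "photo_taken"}
BACKGROUND = {"location_fix", "battery_sample"}


@dataclass(frozen=True)
class Event:
    device: str
    kind: str
    ts: datetime


# Constructed sample timeline (not real CTF data). The iPhone logs local time
# with a -06:00 offset; the Android logs UTC (+00:00). Device names are hypothetical.
RAW_RECORDS = [
    ("iphone",  "sms_sent",     "2024-08-12T14:05:00-06:00"),
    ("android", "chat_sent",    "2024-08-12T20:05:10+00:00"),
    ("iphone",  "photo_taken",  "2024-08-12T14:20:00-06:00"),
    ("android", "location_fix", "2024-08-12T20:20:05+00:00"),
    ("android", "photo_taken",  "2024-08-12T20:40:00+00:00"),
    ("iphone",  "location_fix", "2024-08-12T14:40:03-06:00"),
]


def load(records, keep_offsets=True):
    """Parse ISO-8601 stamps that carry their own UTC offset.

    keep_offsets=True  normalizes every stamp to UTC (the correct approach).
    keep_offsets=False reproduces the analyst error the post warns about: the
    wall-clock value is kept and the offset thrown away, so 14:05 on one device
    and 20:05 on the other look six hours apart when they are ten seconds apart.
    Stamps without an offset are rejected rather than guessed at.
    """
    out = []
    for device, kind, stamp in records:
        ts = datetime.fromisoformat(stamp)
        if ts.tzinfo is None:
            raise ValueError(f"{device}/{kind}: {stamp!r} carries no UTC offset")
        ts = ts.astimezone(timezone.utc) if keep_offsets else ts.replace(tzinfo=None)
        out.append(Event(device, kind, ts))
    return out


def find_conflicts(events, window=timedelta(seconds=30)):
    """Return pairs of foreground events on *different* devices that fall within
    `window` of each other. One person cannot be typing or taking a photo on two
    devices at once, so every pair is a lead the examiner has to explain.
    Background events (location fixes, battery samples) never conflict."""
    fg = sorted((e for e in events if e.kind in FOREGROUND), key=lambda e: e.ts)
    conflicts = []
    for i, a in enumerate(fg):
        for b in fg[i + 1:]:
            if b.ts - a.ts > window:
                break  # list is sorted, so nothing later can be inside the window
            if a.device != b.device:
                conflicts.append((a, b))
    return conflicts


if __name__ == "__main__":
    for a, b in find_conflicts(load(RAW_RECORDS)):
        gap = (b.ts - a.ts).total_seconds()
        print(f"{a.device} {a.kind} @ {a.ts:%H:%M:%S}Z vs "
              f"{b.device} {b.kind} @ {b.ts:%H:%M:%S}Z ({gap:.0f}s apart)")
    print("conflicts when offsets are ignored:",
          len(find_conflicts(load(RAW_RECORDS, keep_offsets=False))))
```

With offsets honored the script reports one conflict (the iPhone SMS and the Android chat message, ten seconds apart); with offsets dropped it reports none, which is exactly how a time zone mistake hides the evidence that one person was running both devices. The photo-then-location-fix pair is deliberately left alone, since a background location fix is consistent with the device sitting in a pocket.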

There are a handful of files on the Android operating system that track your battery power. We are advising and assisting investigators nonstop on a phone’s power activity. Did the phone get powered down because it died, or did someone intentionally power it off? Knowing what the battery level is at different times, including whether it’s plugged into a vehicle and charging, helps place suspects and victims in locations, which can be key to a case.

It’s important to reiterate that devices do not come with manuals. There’s no official record of how data is stored on operating systems. I've been doing CTFs for the past decade and leading Cellebrite’s for the last five years, and I learn from every single scenario we create: from how our tools parse the data, to how the device stores the data, to the gaps that still exist and drive our innovation to make our solutions better and better.

The Learning Continues

This data was created throughout the year and serves as an excellent learning tool. The National Institute of Science and Technology hosts the data for Cellebrite, which is available throughout the year. People can go to Cellebrite’s User Community, The 101, and check out the Notebook section, where you’ll find all the questions and blogs that walk through each correct answer.

We strongly encourage universities and educators to use it. If you're hiring new people or perhaps you want to review where your examiners are technically, you can utilize the CTF data for continuous learning.

This year’s CTF would not be possible without the team of incredible professionals I work with daily, including Josh Hickman, JP Noat, Ronen Engler, Ian Whiffin, Scott Koenig, Jared Barnhart and Paul Lorentz.  

About the Author

Heather Barnhart is the Senior Director of Community Engagement at Cellebrite, a global leader in premier Digital Investigative solutions for the public and private sectors. She educates and advises digital forensic professionals on cases around the globe. For more than 20 years, Heather’s worked on high-profile cases, investigating everything from child exploitation to Osama bin Laden's digital media.
