While planning the 2016 Palmetto Cyber Defense Competition (PCDC), a new twist was included in order to challenge participants in a different area of cyber technical skills. During the inaugural pilot competition, 32 forensic challenges ranging in difficulty allowed competitors to solve various exercises distributed in a capture-the-flag environment.
Participants came from various high schools and colleges across South Carolina and competed over a period of six hours to solve a wide range of forensic scenarios. These challenges focused on gathering forensic artifacts, reverse engineering malware, browser forensics, critical thinking, file analysis, and data recovery, just to name a few specific areas.
During the first “official” launch of the forensic competition, over 45 competitors attended the full-day event. Competitors brought their own laptops outfitted with their respective forensic tools in order to tackle whatever challenges surfaced during the competition. At the end of the day, an awards ceremony was held at which great prizes provided by local sponsors were handed out. In addition, an overwhelming amount of feedback from competitors described how exciting and competitive the competition was.
The competition grew significantly over the following two years, admitting more competitors and adding new, unique challenges. In 2018, a new element added to the competition was a focus on gap solution development. The two challenges deployed in the competition required participants to solve the specified challenge by constructing a method, a process, and a custom tool to meet the requirements. To receive points, either completely or in part, participants had to submit ample documentation, including design drawings, workflow diagrams, source code and other software development documents. These challenges gave participants the ability to bump up their score dramatically, by upwards of 500 additional points for each challenge.
This year’s Palmetto Digital Forensics Competition supports two separate divisions of competition, High School and College/University, as has been the norm in previous years. The competition will, however, expand beyond South Carolina to include Virginia and Maryland high schools and colleges/universities. Those wishing to compete in the aforementioned states will participate at their respective state’s hosting location. Locations for this year’s competition are Trident Technical College in North Charleston, SC, Capitol Technology University in Laurel, MD, and Norfolk State University in Norfolk, VA.
Both divisions will tackle scenario-based exercises grouped into five progressive levels of difficulty: 100, 200, 300, 400 and 500. Most of the 100-level exercises can be easily solved by conducting limited research and using free digital forensic tools. Exercises in the 200-300 range will require more in-depth knowledge, research, concepts, methods, and tools, as well as applying critical thinking skills. The 400-level exercises are the most difficult and will require extensive knowledge and expertise in order to identify the correct flag based on the provided exercise artifacts. This may involve development of new digital forensic methodologies, techniques, scripts, and processes leading to the discovery of a unique flag. Flags vary with the challenge scenario and may be a specific hash value, a timestamp, an encoded answer, or a word/phrase.
New in this year’s competition is the 500-level challenge group. Although there are only a few challenges in this category, competitors will need to develop a tool that solves a unique gap area. Those tackling these challenges must submit their solution along with a detailed user guide. These challenges are different from the 100- through 400-level challenges hosted in the CTF platform, since teams can work on these solutions by developing a tool over the course of several weeks.
Competitors will have up to seven hours to complete as many forensic scenarios as possible. At the end of the competition, the winner in each division will be determined by the total number of points accumulated from each correctly solved challenge. A grand champion across all states will be awarded for each division, as well as winners from each state.
The purpose of the Palmetto Digital Forensics Competition is to challenge individuals in the field of digital forensics in a condensed, competitive event. One of the primary focal points of the competition is to generate interest in digital forensics through critical thinking, research, and exploration in the use of new tools.
The following is a brief, but not all-inclusive, list of possible CTF objectives:
- Password Cracking
- Maintain Forensic Integrity
- Web-browser Analysis
- Determine Methods of Unauthorized Intrusion
- Execute Operating System Analysis
- Network Forensics
- Data Obfuscation
- Network Traffic Analysis
- Basic and Advanced Malware Analysis
- Metadata Analysis
How To Play
High school students must be actively enrolled in classes from ninth grade through twelfth grade within the state of South Carolina, Maryland, or Virginia. Students may be enrolled in a state/county public school, private school, or part of a homeschool program. Students who attend a virtual school hosted outside of the state of South Carolina, Maryland, or Virginia are also eligible as long as the student resides within the respective states.
To be eligible for the College/University division, students must be actively enrolled in an associate’s or bachelor’s program at a higher education institution within the state of South Carolina, Maryland, or Virginia.
Pre-registration is available via the competition website hosted at palmettodfc.com. Since there are only a limited number of seats, pre-registration will ensure your team seats are reserved for the event. Pre-registered participants who have not checked in to the competition prior to the start of the event will forfeit their reserved seats, thus allowing any walk-up participants the ability to register and participate.
The Palmetto Digital Forensics Competition is limited to a maximum of 60 seats at each hosting site. Acceptance is on a first-come, first-served basis and is determined by the pre-registration submission date-time stamp, followed by walk-up registrations. Each high school, college/university and professional organization will initially be limited to the first three registrants. If seats are available at the start of the event, they will be filled based on the walk-up registration submission time.
The official event check-in will begin at 0700 and will remain open throughout the day until 1400, with the competition ending at 1600. If seats are available between 0800 and 1400, walk-up registrations will be accepted on a first-come, first-served basis. At the competition hosting site, a CTF website will be available for participants to log in to their pre-established accounts, which will be provided the morning of the competition. This information is generated from the pre-registration form or the onsite walk-up registration form. Once registered, participants will be provided access to all of the scenario-based exercises.
Capture The Flag (CTF) Server Access
On the morning of the event, competitors will receive the CTF platform URL. Competitors will need to log in to the pre-generated accounts provided by the PDFC team administrator. As stated in the next section under “Competition Rules”, access to this server must be through the login credentials provided to each participant. Participants may not share account access, log in to an account that is not theirs, or conduct any form of attack or method to interact with, inject data into or extract data from the system that would cause it to perform any action deemed unauthorized by the PDFC organizers.
By completing the pre-registration form or the on-site registration form, participants agree to the following rules in addition to everything expressed in this document:
- This is a team competition of only 1 to 3 personnel! No swapping of team members is permitted. If teams wish to reorganize personnel, the Team Lead must withdraw their registration and resubmit a new registration. This, however, may put your team at the back of the registration line.
- Teams may not assist other teams in any fashion.
- Participants can only be part of one team.
- A person cannot participate if they have not completed the registration process.
- Participants under the age of seventeen must submit a signed parental or guardian consent form allowing the student to participate in the competition and agree to the contents stated in this document, 2019 PDFC Instruction Guide. The PDFC consent form must be completed and submitted before the student can participate in the competition. All other participants must agree to all of the contents within the 2019 PDFC Instruction Guide when signing the check-in and consent form on the day of the competition.
- Non-competitors may not assist any team members or the team as a whole without authorization from the PDFC judges.
- Discovered “flags” must be submitted via the provided Digital Forensics Competition CTF website in order to receive points.
- Participants are not authorized to conduct any form of offensive, reconnaissance, scanning, probing, or enumerating of the PDFC environment including servers, competitor workstations, and networking devices on both the wired and wireless networks of the hosted sites.
- Participants may not alter the competition environment by establishing fake resources, redirecting participants to incorrect destinations, establishing network-available services, interfering with pre-established networking operations, causing denial of service, or taking any other action deemed deceptive or offensive by the PDFC judges.
- Participants must be present during the announcement of the winners in order to receive the designated prize.
- The Digital Forensic CTF Competition Judges have the final say in any dispute and have the authority to remove competitors (or the team) if it is deemed that a participant or team is acting in an unprofessional manner, including cheating, violating any of the CTF rules, conducting malicious actions, false registration, or conducting any other act that violates the nature of the competition.
- Participation in the challenge gives full permission to SPAWAR Atlantic, the Department of Defense and the hosting locations to use your name and photograph in any media, internal and external including printed publications, video and web content (e.g. Facebook).
- DoD employees assisting at PDFC and their immediate family members are ineligible to win any prizes or receive recognition in the contest results.
- Competitors understand that this is a “Bring Your Own Device” (BYOD) event and PDFC is not furnishing forensic systems for competitor use.
- At the closing of the competition, if two or more teams have the same exact score, the team who achieved the highest score first will take precedence.
- Scenarios and exercise artifacts will not be released until the start of the competition.
- All competitors agree not to disseminate any of the PDFC CTF artifacts to any individual, group, organization, business or educational entity without express written consent from the PDFC director.
- Participants who submit code, documentation, information/data, design drawings/figures, methods/processes, applications/programs/scripts, ideas/conceptions or by-products of any of the challenges, give full permission to the US government to use the aforementioned submissions, in whole or in-part, for use in any developmental and/or operational use including but not limited to integration with existing or new technology, use in training, part of testing & evaluation or use as-is for as long as the government deems beneficial.
Hints and Tips
- If you’re programming, minimizing time spent coding is your goal. You’re writing code that will be used once. Maintainability, readability, and robustness are not concerns (except for the 500 level challenges).
- Make good use of search engines such as Google and Bing.
- Have a diverse team of knowledge, skills, and abilities.
- Split the exercises up according to team member’s knowledge strength areas.
- If you get stuck on a challenge, take a break or move onto another one and come back to it later.
- Linux shell utilities are your friend. Many easy challenges can be solved with one-liners.
- Be aware of your time. Don’t spend too much time on just one exercise.
- Look at all of the challenges and determine which ones you are the strongest in and identify a strategy. 100-level exercises are easy but only give you minimal points, while 400-level exercises give you more bang for your buck (but may take longer).
- Create a spreadsheet to index all of the challenges, make notes, record flags, and track each one’s status. This will help when you hit roadblocks, need to skip an exercise, and come back to it later.
- Bring adapters as required (secondary network interface, USB-A to USB-C adapter, etc.).
- Most importantly… Have fun!!!
The Digital Forensics Competition
Forensic Analysis Environment
The competition is centered on participants bringing their own forensic system (BYOD) to connect to the private network hosting the challenges. This option lets participants customize their own workstation(s), including the operating system, and install tools as needed. These systems will need to connect to the competition network in order to register and submit completed exercises, but can then disconnect in order to access the Internet. Participants will, however, need to reconnect to the CTF network each time they wish to provide a new submission or series of submissions.
The competition is broken down into five (5) exercise groups based on difficulty. Exercises will range from 100-level exercises valued at 100 points each, 200-level exercises valued at 200 points each, 300-level exercises valued at 300 points each, 400-level exercises valued at 400 points each, to 500-level exercises valued at 500 points each.
Submissions will be electronically marked with a date-time stamp at the time of entry. This time will be the official time used in any dispute within the competition. In the event of a tie, the individual that has the earliest date-time stamp on the last/final submittal will receive precedence.
Prizes will be awarded to the winning teams based on the final point tally and timestamps respectively. It should be noted that the Palmetto Digital Forensics CTF Competition reserves the right to replace, alter, add or remove prizes without posting notice or supplying justification. Prizes cannot be redeemed for cash value or traded for a different prize.
Registered individuals will be disqualified for any of the following reasons:
- Failure to provide accurate personal identification information and/or falsifying registration information.
- Obtaining help and/or assistance from unauthorized individuals.
- Interfering with, removing, altering or accessing any PDFC information system, infrastructure, hardware or software, or any other competitor’s property.
- Fraudulent acts, statements, or misrepresentations involving the Palmetto Digital Forensics CTF Competition or other federal government documentation or systems used for the competition. This includes using pirated software and/or violating end-user software licensing agreements.
- Violation of any federal, state, or local law or regulation determined to be inconsistent with the Palmetto Digital Forensic Competition.
- Unprofessional behavior including cheating, violating any part of the aforementioned rules, disrupting the competition, arguing with competitors/PDFC staff/hosting facility staff, or any action deemed unacceptable by the PDFC staff.
The Palmetto Digital Forensics Competition reserves the right to cancel this competition at any time leading up to or during the competition. If the competition is canceled, the Palmetto Digital Forensics Competition is not required to disclose the reasoning for the cancellation.
Limitation of Liability
The material provided to participants for use in the Palmetto Digital Forensics CTF Competition has been checked for malware using commercial anti-virus software configured with up-to-date signatures. By participating in this competition, participants acknowledge that the Palmetto Digital Forensics Competition and/or the hosting facility is not responsible for any damage caused to any computer system, network or data due to the installation or operation of any material provided by the Palmetto Digital Forensics CTF Competition, other competitors, or personnel in attendance at the PDFC event. PDFC and/or the hosting facility is also not liable for any disclosure of participants’ personal data on the CTF platform, on the personal system used in the competition, on any attached storage media/devices, or in data transmitted across the network(s).
Winner Information Release
If a team is designated as a winner, the Palmetto Digital Forensics Competition reserves the right to release each winner’s name and affiliation for publication in public media, including newspapers, websites, magazines and other types of informational releases.