This week, DFIR and infosec professionals converge on Las Vegas for the Black Hat and DEFCON conferences, each of which has its own Capture the Flag (CTF) competition. We thought we’d take a fond look back at the success of our own first-ever CTF, held in May in conjunction with our User Summit, by interviewing winner Jaco Swanepoel and third-place winner Phill Moore. (Second-place winner Sam Smoker was unavailable for comment.)
MF: How many CTFs had you participated in before this one?
JS: This was actually my first live CTF.
PM: I did SANS NetWars in December last year and outside of a bit of prep work with some public CTF stuff I haven’t participated in any CTFs before that.
MF: In general, what kinds of themes interest you or make you want to participate in CTFs? What drew you to participate in this one?
JS: Working as a DFIR analyst, I’m interested in challenges that are in line with our skill set, i.e. based around digital forensics and incident response.
The MUS CTF interested me as it was exactly that, a CTF built around DFIR. After seeing that Dave and Matt from the ‘Forensic Lunch’ were responsible for building the CTF, I was also interested to see what they would come up with, and knew it would be a challenge!
PM: CTFs are a great test of your understanding of forensic artifacts and investigative thinking. And they have a correct answer!
Often in investigations you have to infer and test your theories about what happened. But with a CTF, the person creating it has the right answer, because they did it!
Participation in this one came from the fact that it was on. I like participating in them, and Dave and Matt have a great track record.
MF: What did you appreciate most about this CTF experience? Were there any surprises?
JS: As part of the CTF, we were provided with a laptop containing a forensic image processed with AXIOM. However, the CTF wasn’t a ‘click through AXIOM’ exercise, as you had to make use of additional tools to be able to get to all the answers. This reaffirmed the toolbox approach when doing forensics.
I was surprised at how much effort went into building the image we analyzed. The image contained loads of data and noise purposely introduced, making it a challenge to get to the answers as you had to know what you were looking for.
PM: The CTF system they used was fantastic. It focuses on passing people that had the correct answer, not necessarily whether they could format the answer the exact way they wanted.
The only surprise was that the system was opened before its official start time, so it was right into it and then a break for the keynote.
MF: What was / were the CTF’s most important takeaways for you?
JS: The prizes! (Just kidding, but an AXIOM license, access to DFIR Netwars continuous and Magnet swag did sweeten the deal)
Comparing your skills to analysts from across the globe. The top 3 for the CTF were from three different continents: Africa (myself), North America (Sam) and Australia (Phill). I met a bunch of new people with whom I’ve already engaged in the last couple of weeks.
- Knowing what you can do with your tools
- Knowing the limitations of your tools
- Validate your findings when you can (CTFs are a bit harder due to the rush)
- Think about the artifact, know what tool to go to to find the answer.
MF: What’s your advice to future Magnet User Summit CTF participants?
- Make sure you are up to date with what’s going on in the DFIR industry. Dave and Matt from the Forensic Lunch did a great job at putting together a very real-world CTF investigation for which the content was current.
- Have your ‘toolbox’ ready. This will help you to not spend unnecessary time doing on the fly research while trying to answer questions.
- I was a slow starter with the CTF and only pulled it back to win in the last seconds (literally!).
- Don’t lose heart if it seems like you’re falling behind, just keep on going!
PM: Dive in and have a go. You might do better than you expected. And even if you don’t, CTFs work well at highlighting where your weak points are.
Thanks, Jaco and Phill! We appreciate your enthusiasm and participation in the community and look forward to seeing you at future User Summits—watch this space for forthcoming details about MUS 2019!