DFRWS 2009 Rodeo

After the Banquet at the annual conference, a "forensics rodeo" is held. The rodeo is a challenge where conference attendees form teams to solve a digital forensics problem.

The DFRWS is making the materials from the DFRWS 2009 Forensic Rodeo available for educational purposes and to support further research in memory analysis and file carving. We are not publishing answers to the Forensic Rodeo until DFRWS 2010 because disseminating such details could expose students to some findings before they have a chance to work on the problem themselves.

To maintain the educational value of this scenario, we request that everyone who uses these materials keep the answers to themselves until DFRWS 2010. We will post the answers here at that time.

The scenario and files are listed below.

License

The scenario, images, and any other supporting materials are distributed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 Unported License.

Scenario

On July 25, 2009, police arrested Constantine Petersburg in Baltimore as part of a joint operation between law enforcement in Maryland, New Jersey and New York. He had just picked up a group of tired and hungry individuals who had arrived at Fort McHenry on a boat earlier that morning under the cover of darkness. Mr. Petersburg claims that he just happened to be driving around Fort McHenry in his van that morning and offered the sorry-looking group a ride. He refuses to answer any further questions, and nobody in the group he picked up speaks English, giving investigators very little to work with.

Fortunately, during the arrest, investigators found an HTC S620 “Dash” Windows Mobile device and a laptop in Mr. Petersburg’s van that may contain relevant information. However, the investigators do not have the resources to perform a complete forensic examination of these items. They have requested your assistance in performing a forensic examination of the mobile device and of e-mail acquired from the laptop. Specifically, you are being provided with an Outlook PST file copied from the laptop and an image of the data partition on the Windows Mobile device (acquired using XACT).

You have agreed to perform a forensic examination and are expected to answer the following questions, to include a full explanation with supporting evidence for each answer. Remember, an answer alone is not sufficient.

Questions

  • What file(s) on the Windows Mobile device contain the most information about communications (e.g., e-mails, text messages, calls)?
  • Is there any indication that steps were taken to delete or conceal e-mails or text messages? If so, what were they?
  • Please provide any information that might help investigators identify potential accomplices.
  • Do you find any specific references to other potential sources of digital evidence that investigators might be interested in knowing about (e.g., servers, mobile devices)?
  • Please provide a summary of Web browsing activities on the mobile device.
  • Based on your previous findings, please determine what Constantine Petersburg and his cohorts were trying to do.
  • While the above information is necessary, it is of no value if it cannot be tied to a specific individual. Investigators suspect that Constantine Petersburg was involved in illegal activities. However, they need proof of this. Please provide detailed information based on your findings that would tie Constantine Petersburg (or others) to the contents of this Windows Mobile device as well as Outlook e-mail file.

The scenario and its contents are completely fictitious and are not based on any actual events. Any resemblance to real persons or events is purely coincidental.

Image Files

Author

The DFRWS2009 Rodeo was created by Eoghan Casey.

©2001-2014 DFRWS   |   dfrws [at] dfrws [dot] org  

DFRWS is a US 501(c)(3) non-profit organization.