Submission deadline: February 1, 2022
The 2021 DFRWS Forensic Challenge seeks to advance the state of the art in multisource analysis and correlation by focusing the community’s attention on this growing need. The format of this challenge is multipart; Parts 1 through 4 address specific devices in the scenario. Part 5 is much more open than in previous years, to encourage exploration around multisource analysis and correlation and to fast-track research in this broad problem space.
The datasets for these challenges are available for download from Digital Corpora.
DFRWS Forensic Challenges are open to all participants and encourage participation at multiple skill levels. This competition is for open source tools (new or existing), and prizes will be awarded for the most innovative submissions.
Use of existing datasets is permitted, including those of previous DFRWS Forensic Challenges, but you may need to create your own to demonstrate the validity and significance of your approach.
As more investigations involve increasing amounts of data from a multitude of sources (e.g., computer, smartphone, IoT device, backups, networks) there is a growing need for unified approaches to analysing and correlating all available information. Multisource analysis and correlation is necessary to perform top-down analysis, to detect linkages, to discern activity patterns, to discover concealed data, and to prioritize further forensic processing.
This year we seek to put a dent in this ongoing unresolved problem.
While this is a large and complex problem, and we obviously do not expect a full solution to this issue, we are encouraging a broad range of submissions that offer partial solutions in this area from researchers across the world.
Submissions can include:
- innovative software prototypes
- advanced multisource timelining
- advanced multisource visualisations
- correlated activities/identities/content across multiple sources using distinctive artifacts or more general similarities
- generated multisource datasets to assist future researchers
- automated normalization and correlation using interoperability standards
Any other relevant work is welcomed, and you are encouraged to think expansively and creatively.
- Contestants may enter individually, or as a team, with no restrictions.
- Source code must be openly available under a free software license, such as those listed at http://www.gnu.org/licenses/license-list.html. The author(s) retain rights to the source code.
- Tools may incorporate third-party free software, as long as it is compatible with your license and is included with your submission. However, submissions will be judged on the contribution your own work brings to the challenge.
- Submissions must include clear instructions for building tool(s) from source code along with all relevant dependencies.
- DFRWS will publish the results of the Challenge, both in detailed and summary form, along with the methodology used and the source of the specific version of each tool.
Submissions will be assessed by a panel of academics, practitioners and software developers, who will conduct a blind review and score the work. The panel members are asked to consider the submission against the following criteria, with approximately equal weighting, or to assess the contribution as an overall piece:
- Difficulty and effort (level of challenge and effort undertaken)
- Scope (variety of data sources, types of analysis, forms of correlation)
- Contribution (how much of a difference would this make to the problem)
- Novelty and innovation (has anything like this been done before or is it really novel)
- Understandability and traceability (transparency of factors/algorithms that produced results, consideration of uncertainty in results)
- Practical applicability and generality (readiness for deployment, adaptability to other contexts)
All participants must send an email to firstname.lastname@example.org with the subject line “Multisource solution submission”. The email should contain official contact information for the participant/team members; it should also indicate to whom a check should be made out, in case the solution is selected for the grand prize.
Submissions should include a summary report clearly detailing the nature of the contribution, a link to a software repository (if appropriate), and a link to test data (if appropriate). The actual solution (code and relevant documentation) can be submitted in one of three ways:
- Email attachment. If the entire submission can be packed in an archive of less than 5MB, then the submission can be sent as an attachment to email@example.com.
- http/ftp download. The submission email can contain a download link from where the submission can be downloaded as a single file.
- svn/git checkout. The submission email should contain appropriate instructions and credentials (if applicable) for organizers to obtain the submission.
Ideally, submissions should be self-contained; however, if bundling of third-party code is not possible (e.g., due to licensing restrictions) appropriate instructions on building the tool should be included.
As stated above, this competition is for open source tools and, in the interest of open competition, DFRWS may publish the actual submissions along with test results. You are also strongly encouraged to write up your work as a full paper for submission to a DFRWS conference.
- First Prize: DFRWS will provide free conference registration to one of our 2022 conferences for up to two members of the winning team.
- Grand prize: DFRWS will award an additional $1,000 cash prize to the winners, if their solution exhibits all the attributes of a field-ready tool with the necessary robustness and performance.
Send all questions to firstname.lastname@example.org. (Your email will be used only for this purpose and will be forgotten after DFRWS 2021 conferences.)
The DFRWS would like to thank Francesco Servida from University of Lausanne for performing the technical aspects of the scenarios and acquiring data from the devices, and Thomas Souvignet for coordinating efforts to execute the scenarios. Eoghan Casey and Chris Hargreaves developed the challenge framework.
Part 1: Skimming device
Item 1 – 1_Skimmer_mSD
On April 9th, 2021, at 16:25, a “Skimming” device was discovered on the ATM of the Swiss Post location in Avenue Piccard, 1015 Lausanne, Switzerland.
The device was discovered when it malfunctioned and detached as a customer withdrew his credit card (CC) from the machine. According to security cameras, it was possible to establish that the device was placed shortly before at 16:20.
The digital forensic unit of the police collected the device and created a physical image of a micro-SD card found inside. The image is provided for download here:
- Filename: 1_Skimmer_mSD.zip
- SHA2-256: 1c5ad394daa49573f4088a31fb7f6a3f537dbcd092fdfd5abc8b572ebedbc262
We suspect that data from the CC are recorded in the files present on the memory card.
For reference, the CC number of the client is also provided:
- CC Number: 4334 2250 2436 4939
Part 2: Raspberry PI
Evidence Item 2 – 2_Raspberry_Pi_mSD
Based on forensic analysis of the SDCard from the seized skimming device, it was possible to identify a location of interest in Aosta.
Italian authorities searched the residence on April 18th, 2021. The investigators discovered a laboratory, but most of the devices and manufacturing equipment were destroyed. However, a specialist from the Reparto Investigazioni Scientifiche (RIS) of the Carabinieri identified a Raspberry Pi, connected to a 3D printer, seemingly forgotten in the destruction process. A forensic copy of the microSD card of the Raspberry Pi was acquired and is available for download here.
- Filename: 2_Raspberry_Pi_mSD.zip
- SHA2-256: aabec0c1305e785d1ba5b4ba01c5dacd27cc128fdd32078758be826e75449953
No traces of 3D printed objects were found on site. Given the presence of the 3D printer connected to the Raspberry Pi, particular attention should be given to:
- Establishing whether the Raspberry Pi has been used to control the 3D printer.
- Establishing whether objects of possible illicit use have been printed, when and which ones.
Part 3: Samsung smartphone
Evidence Item 3 – 3_Smartphone_Samsung_S10
Based on information obtained from the forensic analysis of the previous evidence, it was possible to identify an individual of interest who was arrested in Geneva on April 20th, 2021 at 18:30 while trying to board a plane using a ticket bought with a stolen CC.
Geneva Airport Police seized his phone and extracted a Full Filesystem copy on April 21st, 2021, which is available here.
Preliminary analysis of the smartphone highlighted encoded SMS exchanges which might be of particular interest.
- Filename: 3_Samsung GSM_SM-G973F_DS Galaxy S10.zip
- SHA2-256: 54877505f1b4eb26c4cb6b43fd6338424660c207e678b773044a4a79d6e374b7
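Before any analysis, the downloaded archives for Parts 1 to 3 can be checked against the SHA2-256 values published above. The following is an added example, not part of the challenge materials; the directory holding the downloads is an assumption passed on the command line, and the Part 4 archive is left out because the page gives no filename for it.

```python
import hashlib
import re
import sys
from pathlib import Path

# Filenames and SHA2-256 values exactly as published in Parts 1 to 3 of this page.
PUBLISHED = {
    "1_Skimmer_mSD.zip": "1c5ad394daa49573f4088a31fb7f6a3f537dbcd092fdfd5abc8b572ebedbc262",
    "2_Raspberry_Pi_mSD.zip": "aabec0c1305e785d1ba5b4ba01c5dacd27cc128fdd32078758be826e75449953",
    "3_Samsung GSM_SM-G973F_DS Galaxy S10.zip": "54877505f1b4eb26c4cb6b43fd6338424660c207e678b773044a4a79d6e374b7",
}

def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in fixed-size chunks so a multi-gigabyte image never sits in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def normalise(hex_digest):
    """Accept digests pasted with spaces, colons or upper case; reject anything else."""
    cleaned = re.sub(r"[\s:]", "", hex_digest).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", cleaned):
        raise ValueError(f"not a SHA-256 hex digest: {hex_digest!r}")
    return cleaned

def verify_evidence(directory, manifest=PUBLISHED):
    """Return {filename: (status, computed)}; status is MATCH, MISMATCH or MISSING."""
    results = {}
    for name, expected in manifest.items():
        path = Path(directory) / name
        if not path.is_file():
            results[name] = ("MISSING", None)
            continue
        computed = sha256_file(path)  # keep the computed value for the case notes
        status = "MATCH" if computed == normalise(expected) else "MISMATCH"
        results[name] = (status, computed)
    return results

if __name__ == "__main__":
    # Assumed usage: python verify_evidence.py <download directory>
    report = verify_evidence(sys.argv[1] if len(sys.argv) > 1 else ".")
    for name, (status, computed) in report.items():
        print(f"{status:8} {name} {computed or '-'}")
    sys.exit(0 if all(s == "MATCH" for s, _ in report.values()) else 1)
```

A non-zero exit status means at least one archive is missing or does not match, so the script can gate an automated processing pipeline.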
Part 4: QNAP NAS
Evidence Item 4 – 4_QNAP_Disks
Based on forensic analysis of previously seized evidence, a location of interest was identified in Geneva at the ICC complex.
On April 29th, 2021, the Geneva state police searched the location and arrested M. Johann Schmidt who was on site, and they seized a QNAP NAS with 3 drives.
They think that the NAS might also have been used to host a communication system.
After shutting down the NAS, they acquired physical forensic copies for all 3 drives, which are available for download individually from Sharepoint:
|Filename||MD5 Hash (file)|
A Zip file of all 3 E01 files is also available (SHA2-256: 1b30b9e1f2f6b28e2043323ea1892b088a6ebcb9f2b22f5195fce4d605730525).
Reconstruction of the RAID array might have to be performed in order to analyze the system.
Part 5: Multisource analysis and correlation
The preceding datasets can be used to demonstrate novel multisource analysis and correlation solutions. You can also create your own datasets to demonstrate the validity and significance of your approach, or use other publicly available datasets.