DFRWS IoT Forensic Challenge (2018 - 2019)

Submission deadline: Mar. 20, 2019

 

DFRWS Forensic Challenges are open to all participants and are designed to be accessible at multiple skill levels. Some answers will be accessible to participants with basic digital forensic skills, and more advanced elements are included. Examples of previous challenge submissions, including the grand prize winners, are available here.

Scenario:

On 17 May 2018 at 10:40, the police were alerted that an illegal drug lab was invaded and unsuccessfully set on fire. The police respond promptly, and a forensic team is on scene at 10:45, including a digital forensic specialist.

The owner of the illegal drug lab, Jessie Pinkman, is nowhere to be found. Police interrogate two of Jessie Pinkman’s known associates: D. Pandana and S. Varga. Pandana and Varga admit having access to the drug lab’s WiFi network but deny any involvement in the raid. They also say that Jessie Pinkman had the IoT security systems installed because he feared attacks from a rival gang and that Jessie kept the alarm engaged in “Home” mode whenever he was inside the drug lab.

Within the drug lab the digital forensic specialist observes some IoT devices, including an alarm system (iSmartAlarm), three cameras (QBee Camera, Nest Camera and Arlo Pro) as well as a smoke detector (Nest Protect). An Amazon Echo and a WinkHub are also present.

 

Challenge details and data can be obtained from https://github.com/dfrws/dfrws2018-challenge/

 

Challenge Questions:

The Attorney General needs answers to the following questions:

  • At what time was the illegal drug lab raided?
  • Could any of the two friends of Jessie Pinkman have been involved in the raid?
    • If yes: 
      • Which friend?
      • What is the confidence in such a hypothesis?
  • How was the QBee camera disabled?

 

This DFRWS IoT Forensic Challenge aspires to motivate new approaches to forensic analysis and has four levels of participation.

  1. Device Level Analysis: Developing methods and tools to forensically process digital traces generated by IoT devices, including on mobile devices.
  2. Network Level Analysis: Developing methods and tools to forensically process digital traces generated by IoT devices on networks and cloud systems.
  3. Correlation and Analysis: Developing methods and supporting tools that combine information from various data sources and automatically compute, visualize, or otherwise expose patterns of potential interest.
  4. Evaluating and Expressing Conclusions: Assigning the probability of the results given two competing propositions (e.g. The prime suspect committed the offense, versus some unknown person did).

 

Rules:

  • Contestants may enter individually, or as a team, with no restrictions.
  • Source code must be openly available under a free software license, such as those listed at http://www.gnu.org/licenses/license-list.html. The author(s) retain rights to the source code.
  • Tools may incorporate third-party free software, as long as it is compatible with your license and is included with your submission. However, submissions will be judged on the contribution your own work brings to the challenge.
  • Submissions must include clear instructions for building tool(s) from source code along with all relevant dependencies.
  • DFRWS will publish the results of the Challenge, both in detailed and summary form, along with the methodology used and the source of the specific version of each tool.

 

Submission:

All participants must send an email to challenge@dfrws.org with the subject line "Solution submission". The email should contain official contact information for the participant/team members; it should also indicate to whom a check should be made out, in case the solution is selected for the grand prize.

The actual solution (code and relevant documentation) can be submitted in one of three ways:

  • Email attachment. If the entire submission can be packed in an archive of less than 5MB, then the submission can be sent as an attachment to challenge@dfrws.org.
  • http/ftp download. The submission email can contain a download link from where the submission can be downloaded as a single file.
  • svn/git checkout. The submission email should contain appropriate instructions and credentials (if applicable) for organizers to obtain the submission.


Ideally, submissions should be self-contained; however, if bundling of third-party code is not possible (e.g., due to licensing restrictions) appropriate instructions on building the tool should be included.

As stated above, this competition is for open source tools and, in the interest of open competition, DFRWS may publish the actual submissions along with test results. Beyond that, DFRWS will make no further attempts to distribute the solutions.
 

Prizes:

  • First Prize: DFRWS will provide free conference registration to one of our 2019 conferences for up to two members of the winning team.
  • Grand prize: DFRWS will award an additional $1,000 cash prize to the winners, if their solution exhibits all the attributes of a field-ready tool with the necessary robustness and performance.

 

Contact:

Send all questions to challenge@dfrws.org. (Your email will be used only for this purpose and will be forgotten after the DFRWS 2019 conferences.)

 

Acknowledgements:

The DFRWS would like to thank Francesco Servida and Eoghan Casey at the School of Criminal Sciences at the University of Lausanne for creating this Forensic Challenge in coordination with DFRWS.

The DFRWS would also like to thank SecuLabs (https://www.seculabs.ch/), especially Thibault Soubiran, for collaborating on the physical analysis and vulnerability assessment of the devices used in this forensic challenge.