Forensics: First Impression

In the Fall 2020 season, the National Cyber League (NCL) saw its first new category in years: Forensics. But what is forensics in the context of NCL? Don’t all the challenges technically fall under the broad category of “forensics?”

Why, yes, they do! That solves that. Shortest blog post ever. See you next week for our blog post on—

Jokes aside, it’s true that Forensics is not as well-defined as the other categories, in part because it hasn’t been around for long. However, based on the nature of the challenges we’ve seen so far, we can draw some general conclusions:

  • Forensics emphasizes an inquisitive mindset and favors competitors with a strong sense of curiosity. Players are expected to think outside the box and perform some proper detective work.
  • Observation is key. See something unusual? Does one particular piece of information stand out? It might be important, even if you’re not yet sure of its significance.
  • Technical skills are useful, but there’s no well-defined set of technical skills that will give players an advantage. General knowledge and the ability to research obscure information are important. This contrasts with categories such as Exploitation and Enumeration, which tend to require very specific and well-developed technical skills.
  • Similar to Web Application Exploitation, there’s rarely a straightforward set of procedures to follow while solving any given problem. Problem-solving skills are important.

This presents a dilemma for players and instructors alike: there doesn’t seem to be a well-defined set of technical skills that are necessary to solve Forensics challenges, nor is there a clear set of tools that would be useful. In many ways, this is comparable to the more difficult Web Application Exploitation challenges in that it is difficult to learn and teach; it relies a great deal on intuition.

Skills for easy-to-medium challenges

At easier tiers, basic digital forensic skills are key. For example:

  • Familiarity with different file formats and what they represent (e.g., ZIP and RAR are archive formats, PDF and DOCX are document formats)
  • Understanding of metadata and how to examine it for various file formats (e.g., EXIF in JPEG)
  • Ability to identify different file formats even when file extensions are missing by examining magic bytes and using tools such as file
  • Dissecting binary files using tools such as 7-zip, binwalk, and hex editors
  • Basic file structure analysis: Is something unusual about a file? What should a DOCX look like? How can I examine the contents of a DOCX file?
  • Ability to recover data that a user attempted to hide or delete
  • How common productivity tools operate and their caveats—do some tend to preserve edit history?
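
The magic-byte and file-structure checks from the list above, as an added Python example (not from the original post): it identifies a file from its leading bytes regardless of extension, recognises a DOCX as a ZIP with a fixed layout, and lists archive members that a normal DOCX would not contain. The file names and the sample archive are constructed for illustration, and the expected-entry list is an assumption based on what Word typically produces.

```python
import io
import zipfile

# Well-known leading signatures for the formats named in the list above.
MAGIC = [(b"PK\x03\x04", "zip"), (b"Rar!\x1a\x07", "rar"),
         (b"%PDF-", "pdf"), (b"\xff\xd8\xff", "jpeg")]
# Top-level entries a Word-produced DOCX normally contains (assumed baseline).
DOCX_EXPECTED = ("[Content_Types].xml", "_rels/", "word/", "docProps/", "customXml/")

def sniff(data):
    """Identify the format from magic bytes alone, ignoring any extension."""
    return next((name for sig, name in MAGIC if data.startswith(sig)), "unknown")

def triage(filename, data):
    """Return (claimed extension, actual type, list of unusual archive members)."""
    claimed = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual, unusual = sniff(data), []
    if actual == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return claimed, "zip (damaged)", unusual
        if "[Content_Types].xml" in names and "word/document.xml" in names:
            actual = "docx"  # a DOCX is a ZIP with a fixed internal layout
            unusual = [n for n in names if not n.startswith(DOCX_EXPECTED)]
    return claimed, actual, unusual

def make_sample():
    """Constructed input: a skeletal DOCX with one member that does not belong."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("_rels/.rels", "<Relationships/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("extra/notes.txt", "constructed placeholder text")
    return buf.getvalue()

if __name__ == "__main__":
    # The sample is named as an image; the content says otherwise.
    print(triage("holiday.jpg", make_sample()))
    print(triage("report", b"%PDF-1.7\n"))
```

A mismatch between the claimed extension and the detected type, or a non-empty list of unusual members, is the kind of "something stands out" observation worth following up with a hex editor or 7-zip.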

Skills for medium-to-hard challenges

Harder challenges always tend to be more open-ended, but this appears to be especially true in the Forensics category. Challenges are likely to require some combination of:

  • Technical research and OSINT, including examination of technical documentation
  • Ability to perform in-depth analysis of obscure or low-level binary formats
  • Thinking outside the box: not all challenges are purely digital; some may require knowledge of the real world or rely largely on observation and intuition
  • Detective work

Bridging the gap between technical knowledge and problem solving

The essence of the Forensics category is encouraging players to apply their technical knowledge to open-ended puzzles reminiscent of what they might encounter in the real world. Threats are constantly evolving; professionals regularly encounter scenarios for which no extant tutorial or analytical process will apply, requiring them to draw upon their general knowledge and intuition to devise a solution.

On one hand, this can make it difficult to prepare for the Forensics category: learning about the set of technologies relevant in one season may not help in subsequent seasons. Fortunately, in-depth technical knowledge isn’t required for most challenges; mindset is more important. An overly technical approach to any given challenge may even distract from the real solution. This mirrors the real world: attackers aren’t always going to take the most technical approach if something more casual is likely to be sufficient. Similarly, the ability to combine digital and physical evidence may be the key to success. For example, a photo may contain metadata indicating when it was taken, but it might also contain visual clues in the form of shadows and the position of the sun.

Teaching or learning a mindset can be difficult, but it’s not impossible. Forensics embraces the classic hacker mindset: think outside the box, solve problems in new and creative ways, and be inquisitive. Fortunately, there is a wealth of talks and written works exemplifying this mindset, ranging from the digital exploits of Kevin Mitnick to the social engineering shenanigans of Deviant Ollam. While these resources tend to be more entertaining than instructional, they do tend to inspire the sort of problem-solving ability necessary for the Forensics category.

But I came here for a tutorial!

Consider the Forensics category your push to graduate from the world of tutorials and deterministic, step-by-step solutions. It’s fine if this doesn’t come naturally at first; all the technical knowledge in the world isn’t enough to do well in Forensics. By definition, there is no well-defined process for thinking outside the box.

This may be frustrating at first in the same way that a difficult test is frustrating—but NCL isn’t a test; it’s a competition. Instead of questions, it has challenges. There is no shame in failing to solve a challenge; there is only shame in failing to try.

And if you absolutely need a tutorial, check out the blog that Hush1e just wrote about Autopsy, an open source digital forensics tool.

Can I at least have some tools?

  • Basic Linux command-line tools typically used for analysis, such as grep, xxd, file, binwalk, identify, and exiftool
  • 7-zip, since it opens just about anything
  • A decent hex editor
  • A good search engine; Google and DuckDuckGo are popular choices
  • ~~Caffeine~~ Plenty of sleep
