Welcome to the 2019 DFCB Forensic Challenge!


For our first year we are featuring a fairly open-ended scenario.  This challenge is open now through Sunday, November 3rd, 2019.


There will be two winners chosen. One winner from within the DFCB certified members, and one from outside of the DFCB. Each winner will be able to select one DFIR related book from a list of options; substitutions will be considered. The winner from within the DFCB will also have their 2020 dues paid for!


This challenge takes place over a virtual disk file. You can retrieve this file in a 7zip format from https://drive.google.com/drive/folders/190iHNKQp-y25C-srLTO2SYprtnIQCkLs?usp=sharing The hash for the 7zip container should match `08DAE7D8488018F368DBFBF9006AEB1C`.


The following four questions are your challenge.


  • What was the point of entry into the environment?
  • What account(s) were compromised?
  • Was there any data ex filtration?
    • If so, exactly what data was exfiltrated?
  • Did the attacker successfully access any other machines?
    • If so, how many machines did the attacker access?


Answer submissions should be in a simple question – response format. All answers must contain sufficient information to support the stated conclusion and explain how that conclusion was made. The board of the DFCB will choose the winner based on earliest received entries meeting the outlined requirements.


Please send all submissions to  dfcb@iafci.org in a Microsoft Word or PDF format.