SANS Digital Forensics and Incident Response Blog

SANS Digital Forensics Summit Challenge 2010 - FINAL CONTEST WEEK!!


The focus of this year's 2010 Digital Forensics and Incident Response Summit is examining and advancing the digital forensic professional to deal with advanced threats such as the APT and organized crime. Understanding how many of these crimes take place is crucial to creating lethal forensicators armed with the knowledge and skills to analyze complex cases. I asked Jonathan Ham and Sherri Davidoff (who co-authored the sell-out Forensics 558: Network Forensics course and created many successful contests at - to create a contest based partially on how the APT might try to trigger a compromise and steal intellectual property through a targeted spear-phishing attack.

Webcast Archive

Listen to the creators of the contest discuss how they judge the submissions and what they feel a winning submission would contain! The webcast also discusses the 2010 Digital Forensics Summit and announces the prizes associated with the Summit.


Deadline is 6/27/10 (11:59:59PM UTC-11) (In other words, if it's still 6/27/10 anywhere in the world, you can submit your entry.)

Case Background

Ann Dercover is after SaucyCorp's Secret Sauce recipe. She's been trailing the lead developer, Vick Timmes, to figure out how she can remotely access SaucyCorp's servers. One night, while conducting reconnaissance, she sees him log into his laptop ( and VPN into SaucyCorp's headquarters.

Leveraging her connections with international hacking organizations, Ann obtains a 0-day exploit for Internet Explorer and launches a client-side spear phishing attack against Vick Timmes. Ann carefully crafts an email to Vick containing tips on how to improve secret sauce recipes and sends it. Seeing an opportunity that could get him that Vice President of Product Development title (and corner office) that he's been coveting, Vick clicks on the link. Ann is ready to strike...

Evidence File Location

Here is your evidence file:

  • MD5 (evidence06.pcap) = efac05c50c0ae92bf0818e98763920bd
  • SHA256 (evidence06.pcap) = fa5fc1ffad525688626c301372b37e101efcbbbd124f9781f5701648e6a02be3


This year we are offering multiple overall prizes. Some of these prizes have been offered by sponsoring vendors that support future digital forensics research, analysis, and the spirit of the competition. The winning team or individual will have first choice from the prize list. Win first place? You are first to choose your prize.

  • Lenovo Ideapad Netbooks (2 Netbooks - 1 netbook per winner)
  • Apple iPad - Sponsored by NetWitness Corporation
  • Flip Video Recorder - Sponsored by MANDIANT Inc.
  • F-Response TACTICAL (1 licensed copy) - Sponsored by F-Response
  • Forensic Toolkit 3 (1 licensed copy) - Sponsored by AccessData Corp.
  • Digital Forensics Magazine Subscriptions: Free print subscription for 12 months for the winner, and 2 digital online subscriptions for runner up prizes. The winner will also receive the backlist issues (i.e. 1-3). - Sponsored by Digital Forensics Magazine
  • 2011 Digital Forensics/IR Summit Passes (3 passes - 1 pass per top three winners)