High School Cyber Forensics Challenge

Congratulations to the 2011 Winners!

  • Team Zettabyte, Red Bank Regional High School, N.J. – Emily Wicki, Michael Terpak and Alec Jasanovsky
  • Team Echo, Poolesville High School, Maryland – Brendan Rowan, Daniel Luu and Jamie Palmer
  • 11 Man Team, Middlesex County Academy for Science, Mathematics and Engineering Technologies, N.J. – Shreyas Chand, Eric Jeney and Brianna Mussman

Congratulations to the 2011 Finalists!

  • for(;ever;);, Amador Valley High School, CA, USA
  • failwhales+, High Technology High School, NJ, USA
  • Pretzels, High Technology High School, NJ, USA
  • Epiary, Illinois Math and Science Academy, IL, USA
  • An Enigma, John P. Stevens High School, NJ, USA
  • 11 Man Team, Middlesex County Academy for SMET, NJ, USA
  • SB6120, Pompano Beach High, FL, USA
  • Echo, Poolesville High School, MD, USA
  • Administrators, Red Bank Regional High School, NJ, USA
  • Zettabyte, Red Bank Regional High School, NJ, USA
  • GonePhishing, Roanoke Valley Governor's School, VA, USA
  • Wh0 Need5 Sleep, The Brooklyn Latin School, NY, USA
  • 010101000101001101010011, The Salisbury School, MD, USA

Important Dates and Information

Open to: High school teams located in the U.S.
Webinar: Monday, September 19th - 3PM EST (SECOND DATE)
Challenge begins: Wednesday, September 21st
Registration deadline: Monday, October 3rd at 5:00 p.m.
Challenge submission deadline: Monday, October 24th at 5:00 p.m.
Finalists announced: Friday, October 28th
Finals in NYC: Thursday, November 10th thru Friday, November 11th
Challenge captain: Joel Fernandez
Questions: Read the Frequently Asked Questions

The challenge is now open; download the instructions here.


We invite you to recruit a teacher/mentor and a team of one to three motivated students to participate in our 2011 High School Cyber Forensics Challenge during CSAW. Students will discover the fascinating world of cybersecurity through topics such as log and file analysis, rootkit detection and analysis, botnet detection and analysis, live system forensics, steganography and file carving. Your school's team will battle against other elite teams – and the clock – as they solve this fast-paced mystery.
The challenge takes place remotely over the Internet. Twelve teams of finalists will be brought to NYC with their faculty mentors to compete in the finals competition and awards ceremony on November 10th-11th. The cost of the trip is covered by the competition. The challenge begins on September 21st and submissions will be due on October 24th. In order to participate, students must register online — starting on September 15th. Note that the teacher/mentor contact information is required to complete the application.

Prizes and Travel Grants

  • 12 finalist teams will be flown to NYC for the final competition
  • The winning team’s science department will receive:
    • 1st place: $2,500
    • 2nd place: $2,000
    • 3rd place: $1,000

$7,000 undergraduate scholarships are available for all finalists who attend the School of Engineering. Winning undergraduate teams will receive the following scholarship prizes:

  • 1st place: $14,000
  • 2nd place: $12,000
  • 3rd place: $9,000

For new undergraduate and graduate students: scholarships can only be used at the School of Engineering and for tuition purposes only, and when combined with other Poly grants and/or scholarships cannot exceed cost of tuition.

For current Poly undergraduates: The CSAW scholarship for continuing Poly undergraduates when combined with other Poly grants and/or scholarships cannot exceed $20,000 tuition costs per year.

Frequently Asked Questions

Q: What should be in the final challenge submission?

A: The final challenge submission should be a PDF document that includes: 1) the evidence you found, 2) the tools you used to find the evidence, 3) a timeline of events and 4) your conclusions.

Q: Is there a standard, or sample, format for the challenge submission?

A: There is no correct format for the challenge submission, only that the main report should be a 5-page (max) PDF document with evidence included as a separate appendix or files. You may look at last year's winners as examples.

Q. What can I use to analyze the network data?

A. The network captures are stored in PCAP format, and can be opened with programs such as Wireshark (www.wireshark.org), or other network analysis tools.

Q. What can I use to extract the tar.gz archive?

A. You can decompress the archive with WinZip (www.winzip.com) or 7-Zip (www.7-zip.org) on Windows systems, or with tar using the "-zxvf" options on Linux/Unix systems.

Q. How do I access the computer once it is decompressed?

A. The file is a VMware (www.vmware.com) image of the machine, a virtual machine. You can access the virtual machine by opening the "jmusic.vmx" file using one of the free software products from VMware (either Player or Server), or the licensed Workstation product (any version greater than 5). You can also use the free 30-day trial version of VMware Workstation (6.5).

Q. Do I have to worry about chain-of-custody, or evidence tampering?

A. No. You may also take advantage of the snapshot feature with the virtual machine.

Q. Can I turn on and log into the virtual machine?

A. Yes, the virtual machine is functionally a seized computer. You may turn it on and even log in for your investigation, but you should take care in doing so.

Q: Is there other information online?

A: Yes, you will find other information online, but you will not need to log in to any non-ISIS computers to access that information. If you have any questions about whether a machine is within gameplay, or what access is allowed, you may request a "Warrant" from "Judge C. Saw" by e-mailing csaw_forensics@isis.poly.edu.

Q: Can I use any scanners, password crackers or other automated tools?

A: You may use anything you want locally, but you may *NOT* use any automated tools (brutus, nessus, nikto, etc) on *ANY* online resource. The challenges are designed such that you can gain access by careful investigation and use of information gathered from your investigation.

Q. Who should participate?

A. Students who have an interest in math, science, computer science and technology are ideal candidates for this competition. Each team must have a mentor who is a teacher at their high school.

Q. What types of information should team members be comfortable with?

A. Team members should be comfortable with a variety of forensics topics, including traditional log and file analysis, rootkit detection and analysis, botnet detection and analysis, live system forensics, steganography and file carving. The challenge is designed to escalate in difficulty as students move through it.

Q. What does each team have to do?

A. At the beginning of the challenge, teams will be given a disk image as well as other evidence collected by the fictitious ISIS Police investigating a fake murder case. As teams make progress in unraveling the forensic evidence, they will discover clues about what happened. The clues will reveal evidence both within the disk image and online. Finalists will use their evidence to compete in the final stage of the forensics challenge on the School of Engineering's campus before the awards ceremony. Teams will not be responsible for chain-of-custody and other legal aspects of the investigations.

Q. How will the finalist teams obtain information regarding travel and lodging accommodations for the final competition?

A. Each team's teacher/mentor will be contacted by the YES Center and provided with all necessary information.

Q. Where can a teacher/mentor direct any additional questions specific to the competition?

A. All additional questions and concerns pertaining to the competition should be sent here.

Q. Where can a teacher/mentor go to look for more information to help his/her student team?

A. Various tools and resources exist online. Here are a few: