Welcome!

If you are interested in participating in the OpenSOC DFIR Challenge at DC30, here’s what you need to know. The challenge will consist of 100% offline analysis of systems impacted by an intrusion. We used Velociraptor to collect key forensic files from each impacted endpoint, and zipped them up for you to download and process/analyze. The tools you use to analyze the data are completely up to you, but if you do not currently have tools for this we may recommend a few of our favorites.

START TIME: The challenges will unlock at 10AM PDT on Friday, Aug 12.

END TIME: The CTF ends at 10AM PDT on Saturday, Aug 13.

Want to participate? Here’s what you need to do.

  1. Register as a team or an individual on our scoreboard
      1. We ask that you keep teams to 5 people or fewer.
  2. Download the evidence files IN ADVANCE - the password is r3c0n_df1r_ch4113nge
      1. Challenge 1 files
      2. Challenge 2 files
      3. Note - if you use macOS, the default archive tool will not work for unpacking these. Please use Keka or Unarchiver to unzip.
  3. Join our Discord for:
      1. Finding team members
      2. Asking for help from the community
      3. Reporting broken challenges or other issues to the Recon team in #ctf-ask-for-help by tagging @opensoc-team
  4. Follow us on Twitter for more announcements
  5. Check out our website to learn more about Recon!