Puzzle #9: Ann’s Deception (DEFCON 2011)

This year’s DEFCON contest was a huge success, with over 200 teams entering! The contest was split up into six rounds of increasing difficulty. The first team to complete all six rounds won the contest. Now that the contest is over, we’re placing the materials here for folks who would like to play around on their own.

WARNING: This contest contains off-color humor which may not be appropriate for the classroom, children, rodents, etc.

The lead chemist of a high-profile pharmaceutical company was involved in a serious accident, leaving him in a coma days before the release of the company’s highly publicized “133t pill.” The chemist was the only person in possession of the list of ingredients required to produce the wonder drug, and it is not known if he will ever recover. All chemical evidence of the drug has been destroyed, but the company believes that the missing ingredients may have been stored electronically. You have been hired as a forensic investigator to recover the final ingredient of their 133t pill. Can you find the missing ingredient?

Here’s a link to the encrypted contest volume:
Defcon2011-Contest.tc

SHA256 CHECKSUM:
6906e4a08bd498c6ff78928b1c8d292a9f89f2ecfac60094528f4497e2254474

Defcon2011-Contest.tc is an encrypted, password-protected TrueCrypt volume. Inside are six individual TrueCrypt archives, each containing a single round of the contest. You will need to mount each encrypted volume using TrueCrypt before you can access its contents. Here is a page which shows you how to mount a TrueCrypt volume.

At the start time, DEFCON attendees visited the contest booth to obtain the first decryption passwords, provided below:

The password to unlock Defcon2011-Contest.tc is: !#$h1d3&&s33k$#!
The password to unlock round1 is: r0und1g0!!

When a team found the answer to a round, they texted it to Headquarters (HQ). If their answer was correct, staff texted back the key to unlock the next round.

SPOILER ALERT: You can find the keys to each of the encrypted volumes here.

SUPER SPOILER ALERT: For your convenience, we’ve also unlocked all the rounds for those of you who just want to play around with individual round puzzles without having to solve the whole thing in order. You can find the individual round puzzles here:

Round1
Round2
Round3
Round4
Round5
Round6

A few notes:

1. You will not get the correct answer simply by running “strings” on the packet captures. It is more complicated than that.

2. Please do not attempt to brute-force the answer by guessing. We reserve the right to cut you off from submitting answers if you abuse the privilege.

3. There are six contest rounds containing six evidence files. You must analyze the evidence files in order to answer the question(s) which go along with each capture.

Have fun! 🙂


This puzzle was created by Scott Fretheim, Randi Price, Eric Fulton, Sherri Davidoff, and Jonathan Ham (Lake Missoula Group, LLC).

Copyright 2011, Lake Missoula Group, LLC. All rights reserved.

2 Comments

  1. Could you post the answers you were looking for as well? So I can tell if I’m getting what you want? Thanks!

  2. sherri

    August 19, 2011 at 8:14 am

    Hi gobbles,

    Yes, the answers are posted here:

    http://forensicscontest.com/2011/08/16/puzzle-9-answers
