If you grabbed a contest disc to play after DEFCON, here are the passwords you’ll need to mount the TrueCrypt volume for each round.

Round 1: WhcFDjEQm9

Round 2: 4TWSDjtAeb

Round 3: jHfk4ykZBC

Round 4: 86BNnSn7Jp

Round 5: djawp7Tw6W

Round 6: hcdLwUKPTC

Round 7: zxEjEhCsVP

If you’re stuck, click on the jump to see a hint for each round.

Congratulations to all the teams that participated in the Network Forensics Puzzle Contest this year, and especially to our top three finishers! This year marked our sixth year running the contest, so we were happy to see a number of familiar faces at our booth as well as lots of first-time players.

The winners are…

1st place – Threat Level Pancakes

2nd place – Tom Pohl

3rd place – Blue Squirrel

The contest consisted of six rounds plus a bonus round. The leading teams breezed through the first few rounds before hitting challenging rounds 5 and 6. Three teams persevered for over 36 hours and successfully completed the puzzle. The bonus round remains unsolved. We hope you picked up a disc so you can give it a try at home!

The full top 10 leaderboard is below.

An impressive 71 teams completed round 1. That number quickly dwindled down to 11 round 5 finishers, and just three round 6 finishers.


We would love to hear your feedback about the Network Forensics Puzzle Contest in the comments here or @LMGSecurity on Twitter using the hashtag #NFPC. Thanks for playing!

Finally, it’s what you’ve all been waiting for: the walkthrough and solutions to this year’s puzzle! When you’re ready to see how it’s done, click on the jump to view the walkthrough.

Congratulations to the top 10 teams in this year’s contest! All 10 completed the first five rounds of this challenging puzzle. A special congratulations goes to the top three teams, who completed all seven rounds.

The first place team, Dofir, walked away with an iPod touch. Tom Pohl and Team Blue, who tied for second, earned an ION Mini Block Rocker and a portable touchpad, respectively. An Amazon Fire TV, the prize for the first person or team to complete the bonus round, is still waiting for someone to claim it!

The puzzle was meant to get more difficult as it progressed, but several other factors affected the average duration of each round of the puzzle. We calculated the time to complete round one based on the time the contest started: Thursday, August 7 at noon, but clearly not everyone got started that early. The other averages are based on the time since that team completed the previous round.


The times were also affected by the decreasing number of competitors that completed each successive round. By round 5, for example, only a modest 12 teams were still playing, and they had the experience to complete the round relatively quickly. 264 teams registered to play, and 63 completed the first round while at DEFCON.


Stuck on a round of the puzzle? We can help you out. Here is the list of hints we released at DEFCON.

Round 1: All your base 64 are belong to us.

Round 2: Encode-ception.

Round 3: Snowden’s-eloquent-quotes.jpg

Round 4: @ is a common symbol used with device names.

Round 5: Satellite connect-the-dots.

Round 6: The image from round 3 is more than meets the Eye. (There is a hint in round 1.)

Good luck!


We are pleased to be giving an Amazon Fire TV to the first team to complete the bonus round of this year’s Network Forensics Puzzle Contest. You don’t need to complete all the other rounds to be in the running, just the eighth bonus round.

Our contest phone will be deactivated soon, so please submit your answers to me at asawyer[at]lmgsecurity[dot]com or my colleague Bryan at bschmidt[at]lmgsecurity[dot]com. Good luck, and we look forward to seeing your solutions!

Congratulations to all the teams who entered and competed in this year’s Network Forensics Puzzle Contest at DEFCON 22. This was our fifth year running the contest, and we saw an incredible turnout of 264 registered teams for one of our most challenging puzzles ever. It was ultimately a test of endurance: teams were required to beat seven progressively more difficult rounds, with the winning team finishing in just over two days.

The eighth bonus round of the contest was attempted by the top three teams but went unsolved at DEFCON. We will ship the prize (an Amazon Fire TV) to whoever can successfully solve the bonus round first! We have a small confession: no one has solved this round yet (including the creators of the puzzle), so we will be impressed to see a solution.

The top 3 finishers:

1st place: Dofir (49 hours, 3 minutes)

2nd place (tie): Tom Pohl and Team Blue (52 hours, 7 minutes)

We hope you grabbed a disc even if you didn’t have time to play along at DEFCON so now you can check out the puzzle on your own. As promised, here are the passwords to unlock the TrueCrypt volumes for each round. Please note that zeroes are often used instead of the letter ‘o.’

Round 1: izDEFCONf33ling22?#tSwift

Round 2: #pshth@twaSteh3@$y1#

Round 3: Ib3tuth0ughtQat@r&&

Round 4: h0wd1dug3tth@t1?%

Round 5: ur0nar0lln0w!@

Round 6: gud$luk^^0nth1s1

Round 7: !LA$$t0n3!!

Bonus round: Way-2_1337-4_u!

A walkthrough with solutions and the steps to get there will be posted this week. Statistics regarding the progress of participating teams and the time it took to complete each round will also be posted soon.

We would love to hear your feedback about the Network Forensics Puzzle Contest in the comments here or @LMGSecurity on Twitter using the hashtag #NFPC. Thanks for playing!

DEFCON 22 is coming up in just a few short weeks, and we’ll be hosting our fifth annual Network Forensics Puzzle Contest featuring Edward Snowden, obscure sporting events, and various North Korean officials. We look forward to seeing you there!

As you prepare for this highly competitive contest, make sure you check out this excellent walkthrough of last year’s puzzle by second-place finisher Tom Pohl.

See you at DEFCON 22!

Our latest puzzle was created by Eric Fulton, Sherri Davidoff, Jonathan Ham and Scott Fretheim.

“Oh god” is the first thought running through your mind as you crack open the door. An odious wafting of day old vomit, sweat, and stale cigar washes across you as the door moves from cracked to ajar. The room is pitch black, a dirty and exposed hallway light bulb does nothing to cut into the dark abyss of the room. Peering inside you see only shapes, but deep down you know it isn’t going to be pretty.

It’s been three weeks since the PaulDotCom crew went missing. Through extensive research and cyberstalking, millions of PDC fans gathered information relating to their disappearance and hired you to find them. This is John Strand’s safe house, and a quick Google image search was all you needed to know about his seedy life. Who knows what’s in this room? Donning rubber gloves you feel for a light switch with your left hand, both intensely afraid and curious for what you are about to see. Wincing in anticipation you flick the switch with a “click”.

Nothing happens. “Why do I always get the messed up jobs” you whisper to yourself, digging around in your black bag. Corporate espionage isn’t a clean game, but usually the tech jobs involve threatening geeks in suburban houses, not sneaking around what looks to be North Dakotan project housing. Pulling a sleek Pelican flashlight from the bag, you click it on and begin to survey the damage. Starting from the left you identify the location of the puke smell; there’s day old vomit trailing its way down peeling wallpaper toward a box of empty tequila bottles. Smell one located.

Further to the right you spot a human shape on a couch. You freeze with the flashlight beam aimed at the shape. It’s Larry, wrapped in a dirty pink blanket almost too small to cover him, rocking back and forth and muttering something unintelligible. What’s he saying? You suspect it’s key. His fingers are pale as he grips a WRT54G router which appears to have twenty-four overlapping bites taken out of it. Seconds tick by. Nothing happens; he pays no attention to your entry. Smells two and three probably located. Your light continues its sweep as you spot a table hosting two 24” monitors surrounded by miscellaneous cables. Jackpot.

Ignoring the rest of the room you step over martini glasses and other unidentified objects, making a beeline to the desk. The little voice in your head shouts “Damn! Damn! Damn!” There is evidence that someone left only recently. The scene is almost out of a second rate Hollywood movie, being so incredibly obvious: a puddle of spilled cosmopolitan makes apparent the distinct outlines where a laptop and external hard drive once sat.

Disheartened, you rummage through the desk, hopeful of finding a forgotten USB drive or other storage device. No dice. You slide a few sticky quarters off of the desk (it’s not like you’re getting a per-diem) and continue the search– wait. One of the quarters… splits a little. You pick it up and play with it. Voilà! A small micro SDHC card lies inside the quarter. Your heart starts beating faster. You have a clue.

As a matter of habit you go through the rest of the room, quietly, as the eerie sound of Larry chanting in the background never stops. Old coffee mugs, a dirty microwave, hundreds of empty frozen food wrappers, and magnetic buckyballs cover the floor like a sort of 21st century urban underbrush…and then you see something peculiar. A stack of hard drives sits in the corner. The top drive looks like someone shot it 7 or 8 times, a strange method for data destruction, but certainly an effective one. Rummaging through the stack of drives you find one at the bottom looking as if it survived the data massacre. Grabbing it, you give one last look around as you walk to the door. The sounds of Larry go from muffled to silent as you shut the door and make your exit.

The Evidence

You are the forensic investigator. The items found in the safe house have been uploaded to this server for your analysis. These include:

  • quarter-SDHC-snippet.dd – A DD image of the SDHC card found inside the quarter.
  • pcap-from-surviving-hard-drive.pcap – A packet capture that you copied off the surviving hard drive.

Download the 7-zipped evidence file here.

SHA256 sum:

The Adoring Fans’ Questions

Can you solve the puzzle and find out what happened to PaulDotCom? Their adoring legions of fans have asked you to find the answers to the following questions along the way:

1. In his conversation with juniorkeyy, how old does Larry initially say he is?

2. What was the filename of the file that had the following SHA256 sum:


3. What is the SHA256sum of the photo from the “dd” image that shows Larry taking a bite out of a wireless router?

4. What is the SHA256sum of the image that shows zombie Larry taking a bite out of a cat?

5. What is Larry saying as he rocks back and forth? (No spaces or capital letters.)

6. Where are Paul and John? Report their GPS coordinates:
a) Latitude
b) Longitude

BONUS. What is the name of the nearest bar?

Submission Form

Please submit your answers using the Official Submission Form.
Deadline is 7/23/12 (11:59:59PM UTC-11) (In other words, if it’s still 7/23/12 anywhere in the world, you can submit your entry.)


The Grand Prize will be a Black Hat “Black Card”! Thanks, Black Hat, for sponsoring such an awesome prize.

There will also be prizes for the first correct submission, as well as the 2nd and 3rd place runners-up. Stay tuned for more info!

How to Win

The MOST ELEGANT solution wins. In the event of a tie, the entry submitted first will receive the prize. Coding is always encouraged. We love to see well-written, easy-to-use tools which automate even small sections of the evidence recovery. Graphical and command-line tools are all eligible. You are welcome to build upon the work of others, as long as their work has been released under an approved Open Source License. All responses should be submitted as plain text. Microsoft Word documents, PDFs, etc. will NOT be reviewed.

More Details

Feel free to collaborate with other people and discuss ideas back and forth. You can even submit as a team (there will be only one prize). However, please do not publish the answers before the deadline, or you (and your team) will be automatically disqualified. Also, please understand that the contest materials are copyrighted and that we’re offering them publicly for the community to enjoy. You are welcome to publish full solutions after the deadline, but please use proper attributions and link back. If you are interested in using the contest materials for other purposes, just ask first.

Authors agree that their code submissions will be freely published under the GPL license, in order to further the state of network forensics knowledge. Exceptional submissions may be used as examples and tools in the Network Forensics course or book. All authors will receive full credit for their work.

To Recap

Evidence File
Sha256sum: 44450915addb8bdbe1766a3fad1c03059393a0f1f01839b19f98f235dc3b97bd

Deadline is 7/23/12 (11:59:59PM UTC-11). Here’s the Official Submission form. Good luck!!

Copyright 2012, Lake Missoula Group, LLC. All rights reserved.

Tune into the PaulDotCom Security Podcast TOMORROW, May 31 where we’ll release Puzzle 10: PaulDotCom Goes Off the Air! Eric Fulton will do a live reading of the puzzle scenario (which he wrote) in his best film noir voice.

Sherri Davidoff and Jonathan Ham will follow up with a Tech Segment called “AntiForensics and Bugs– When Forensics Tools Lie to You.”

Check out the show notes here for more details.
