DFRWS 2008 Forensics Challenge

This year I took part in an international forensics challenge. The goal was to gather information out of a network capture, a memory dump and some files collected from a home directory in order to answer these questions:

  1. What relevant user activity can be reconstructed from the data and what does it show?
  2. Is there evidence of inappropriate or suspicious activity on the system related to the user?
  3. Is there evidence of collaboration with an outside party? If so, what can be determined about the identity of the outside party? How was any collaboration conducted?
  4. Is there evidence that sensitive data was copied? If so, what can be determined about that data and the manner of transfer?

Further details can be found here http://www.dfrws.org/2008/challenge/submission.shtml

Meanwhile, the jury has decided; I am proud that I achieved fourth place right away:

My competitors mostly worked in teams and had many more resources to solve this challenge.

Philipp Hellmich used PyFlag for file and network analysis and to aggregate and report on findings. Used strings to extract information from memory. Searched browser history file, memory strings and web traffic in pcap to determine user activity. Created a PHP script to recover the ZIP file from pcap file, broke the ZIP password file, and recovered evidence preservation from mc history.
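The jury summary above mentions recovering a ZIP file from the pcap. The following is an added example that is not the author's PHP script and not part of the challenge material: it shows the same evidence-recovery step in Python, reading a classic libpcap file, reassembling one TCP stream from its segments (ordering by sequence number and dropping retransmitted bytes) and carving the ZIP from the stream by its local-file-header and end-of-central-directory signatures. All input is constructed inline (a small in-memory ZIP wrapped in Ethernet/IPv4/TCP frames, emitted out of order), so it runs offline; the function and flow names are my own, and IPv4 options, TCP sequence wrap-around and non-Ethernet link types are deliberately not handled.

```python
import io
import struct
import zipfile

ZIP_LOCAL_HDR = b"PK\x03\x04"   # local file header, first bytes of a ZIP
ZIP_EOCD = b"PK\x05\x06"        # end of central directory record (22 bytes + comment)


def build_sample_pcap(payload: bytes, chunk: int = 7, reverse_order: bool = False) -> bytes:
    """Constructed sample: split payload into TCP segments and write a pcap (linktype 1)."""
    frames, seq = [], 1000
    for i in range(0, len(payload), chunk):
        data = payload[i:i + chunk]
        eth = b"\x00" * 12 + b"\x08\x00"
        tcp = struct.pack("!HHIIBBHHH", 40000, 80, seq, 0, 5 << 4, 0x18, 8192, 0, 0) + data
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
        frames.append(eth + ip + tcp)
        seq += len(data)
    if reverse_order:
        frames.reverse()  # simulate out-of-order capture to exercise reassembly
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for n, frame in enumerate(frames):
        out += struct.pack("<IIII", n, 0, len(frame), len(frame)) + frame
    return out


def tcp_payloads(pcap: bytes):
    """Yield (flow, seq, payload) for every Ethernet/IPv4/TCP frame carrying data."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    off = 24  # skip global header
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap, off)
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 over Ethernet, or not TCP
        total_len = struct.unpack_from("!H", frame, 16)[0]
        ip = frame[14:14 + total_len]
        tcp = ip[(ip[0] & 0x0F) * 4:]
        sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            yield (ip[12:16], sport, ip[16:20], dport), seq, payload


def reassemble(segments) -> bytes:
    """Order segments by sequence number and trim retransmitted/overlapping bytes."""
    stream, nxt = bytearray(), None
    for seq, data in sorted(segments):
        end = seq + len(data)
        if nxt is not None and end <= nxt:
            continue  # fully retransmitted, nothing new
        if nxt is not None and seq < nxt:
            data = data[nxt - seq:]  # partial overlap: keep only the new tail
        stream += data
        nxt = end
    return bytes(stream)


def carve_zip(stream: bytes):
    """Cut the ZIP out of a byte stream using its header and EOCD signatures."""
    start = stream.find(ZIP_LOCAL_HDR)
    eocd = stream.rfind(ZIP_EOCD)
    if start < 0 or eocd < start or eocd + 22 > len(stream):
        return None  # no ZIP, or truncated before the EOCD record
    comment_len = struct.unpack_from("<H", stream, eocd + 20)[0]
    return stream[start:eocd + 22 + comment_len]


def recover_zips_from_pcap(pcap: bytes):
    """Return [(flow, zip_bytes)] for every TCP flow that carries a complete ZIP."""
    flows = {}
    for flow, seq, payload in tcp_payloads(pcap):
        flows.setdefault(flow, []).append((seq, payload))
    found = []
    for flow, segs in flows.items():
        carved = carve_zip(reassemble(segs))
        if carved is not None:
            found.append((flow, carved))
    return found


def demo():
    """Build the constructed capture, carve the ZIP back out and verify it opens."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("secret.txt", "constructed sample content")
    zip_bytes = buf.getvalue()
    pcap = build_sample_pcap(b"HTTP/1.1 200 OK\r\n\r\n" + zip_bytes, reverse_order=True)
    found = recover_zips_from_pcap(pcap)
    names = [zipfile.ZipFile(io.BytesIO(data)).namelist() for _, data in found]
    return {"expected": zip_bytes, "found": found, "names": names}


if __name__ == "__main__":
    result = demo()
    print(len(result["found"]), "ZIP(s) carved:", result["names"])
```

Because the carve is driven by the EOCD record rather than by a fixed size, a ZIP that is cut off before its central directory is reported as missing instead of being returned as a corrupt fragment; in a real case that distinction tells you whether the capture was complete enough to preserve the evidence.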

The full results can be found here http://www.dfrws.org/2008/challenge/results.shtml
