Maintaining Our Edge: How “Capture the Flag” Digital Trainings Help Local Law Enforcement Stay a Step Ahead

Historically, law enforcement has relied on scenario-based training—including active shooter drills, traffic enforcement and mental health simulations; so why not apply this same diligence to digital forensics?

Such training can be done with Capture the Flag (CTF) exercises, which are already a regular practice in the cybersecurity and military communities. In CTF events, the host hides “flags” in programs or websites in the form of text, images or other clues, and the team that finds the most “flags” at the end of the competition is named the winner. While they are not a direct replacement for training, these events are a great tool to reinforce the skills learned and challenge the user’s knowledge base and resourcefulness. CTF events can also push law enforcement to use their skills or develop new methods by mimicking real-world artifacts that can be gained from digital evidence.

Capture the Flag Events at Work

In 2020, Cellebrite expanded its CTF events to be accessible to communities beyond current customers. Most recently, Cellebrite’s CTF event featured four data sets from two Android mobile devices and two Apple iPhones, with teams from around the globe challenged to leverage their digital forensics skills to find the flags.

In this exercise, examiners had to find complicated artifacts and faced questions based on real-world events for evidence gathering. For example, several of the flags in the event asked the contestant to locate text messages from applications that were not the default messaging application, which engaged the examiner to dig deeper into various communication methods.

Other flags sent examiners hunting for internet connection logs, which in a real-world case could provide the examiner with those necessary shreds of evidence to build a prosecutable case. Some of the most challenging questions pushed examiners to decode database tools to find clues, search through OSINT (Open-Source Intelligence) collection from social media platforms used by Cellebrite staff and decipher different encoding methods.

This CTF event gave practitioners the opportunity to form teams with others from varying backgrounds, centric around local law enforcement on a smaller scale. For example, I was able to form my team, Team Revo-lutionaries, through the CTF’s Discord channel, which included fellow examiners from the Lake Jackson Police Department and the West Jordan Police Department in Utah.

Once the CTF began, teams leveraged private Discord servers to communicate. Our team took a “divide and conquer” approach, with each member taking a device and grabbing individual flags. At the end of the event, points were awarded, and the winner was named, with every team walking away with a more robust understanding of the latest tools and practices for digital investigations.

The Benefits of CTF Events for Practitioners

These kinds of events allow practitioners in digital forensics to test and evaluate not only themselves but the tools at their disposal. Practitioners are often given hands-on experience with the latest solutions during CTF events, which they can take back to their agencies and apply in their investigations. With Cellebrite’s CTF, participants utilized the decoding solution within the Cellebrite Inseyets Suite known as Physical Analyzer. This solution had a huge impact on participants’ ability to successfully complete the experience.

CTF events offer a great resource for local examiners to challenge themselves and learn new digital forensic methods. Most organizers post the questions and answers following the event, making this resource readily accessible year-round for law enforcement. In addition to being a part of teams with diverse backgrounds, CTF events also allow practitioners to compete against professionals from across the world, including everyone from single examiners to nation-state laboratories.

Beyond CTF events and other game-like scenarios, digital forensic training resources are vast. While CTFs can be expensive, there are several free or low-cost resources available for law enforcement practitioners, including those from the National White Collar Crime Center (NW3C), United States Secret Service’s National Computer Forensic Institute (NCFI), Bureau of Justice Assistance (BJA) and the Federal Law Enforcement Training Center (FLETC).

Beyond training alone, there are many other no-to-low-cost resources available including personal digital forensics blogs, podcasts, and vendor-specific newsletters and lessons that will keep you up to date on recent changes and developments at the forefront of digital forensics news.

With the constant evolution of technology, the need for up-to-date training is non-negotiable; practitioners in this field must be on top of their training and certifications. As digital evidence becomes increasingly embedded in more crimes, CTF events can be a critical differentiator in staying ahead of criminals, accelerating investigations and keeping communities safe.

Note: Cellebrite’s 2024 Capture the Flag (CTF) ran from October 15 – 22, but the datasets will still be available after that timeframe for training.