April 29th, 2017 Leave a comment Go to comments

The M57-Jean scenario is a single disk image scenario involving the exfiltration of corporate documents from the laptop of a senior executive. The scenario involves a small start-up company, M57.Biz. A few weeks into inception a confidential spreadsheet that contains the names and salaries of the company’s key employees was found posted to the “comments” section of one of the firm’s competitors. The spreadsheet only existed on one of M57’s officers—Jean.

Jean says that she has no idea how the data left her laptop and that she must have been hacked.

You have been given a disk image of Jean’s laptop. Your job is to figure out how the data was stolen—or if Jean isn’t as innocent as she claims.



The solution is distributed as an encrypted PDF file:

Please see our note onobtaining solutions.


  1. Greg
    July 9th, 2012 at 23:15 | #1

    I had the same problem and I converted the image to dd (raw) format to open it using p2 commander.

    For conversion I used ftk imager

    Best regards

  2. ol
    October 23rd, 2012 at 05:30 | #2

    For me, I put the 2 files .E01 and .E02 in the same directory and the sleuthkit command work like a charm. I realize that .E01 and .E02 is only one file. If you rename .E02 in .E02.back you must write the second file in the same line like this :
    mmls nps-2008-jean.E01 nps-2008-jean.E02.back

  3. May 7th, 2013 at 07:05 | #3

    @Anders Carlsson you can use libewf to read the disk images.

  4. may
    May 31st, 2018 at 01:49 | #4

    Is there a way students can get the password to the solution because i wanted to use this case for a class presentation?

  1. No trackbacks yet.


"This material is based upon work supported by the National Science Foundation under Grant No. 0919593. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation."