M57-Patents Scenario


The 2009-M57-Patents scenario tracks the first four weeks of corporate history of the M57 Patents company. The company started operation on Friday, November 13th, 2009, and ceased operation on Saturday, December 12, 2009. As might be imagined in the business of outsourced patent searching, lots of other activities were going on at M57-Patents.

Two ways of working the scenario are as a disk forensics exercise (students are provided with disk images of all the systems as they were on the last day) and as a network forensics exercise (students are provided with all of the packets in and out of the corporate network). The scenario data can also be used to support computer forensics research, as the hard drive of each computer and each computer’s memory were imaged every day.

All of the materials below can be found at http://downloads.digitalcorpora.org/corpora/scenarios/2009-m57-patents/

Instructor Materials and Answer Keys (encrypted):

Exercise slides:

Detective reports, warrant and affidavit:

Individual items from the corpus organized by calendar date as they were produced during the scenario can also be found here:


  1. Friday, 13 November has no images, because the scenario did not officially start until the following Monday (16 November). Your data may contain drive images from Thursday, 12 November. These are for reference (e.g. prior to any employee activity).
  2. Friday, 20 December has images for two separate drives for Jo and Terry. See the scenario information for that date. The “Police Evidence” torrents contain only the second drive image.

Finally, we have made available some files resulting from processing the corpus with our other research tools:

We have prepared a variety of supporting materials for this scenario, including sample exercises, instructor slides, simulated detective reports and associated warrant, and encrypted scenario guides, hash tables, and answer keys for instructors (email Simson Garfinkel or Kam Woods for the passphrase).

The solution is distributed as an encrypted PDF file.

Please see our note onobtaining solutions.

  1. Blue.D
    March 2nd, 2011 at 18:11 | #1

    Hi, could you tell me the physical link speed of the network pcap files you shared? especially in day11-14.dmp.zip? Thank you!

  2. January 28th, 2012 at 13:25 | #2

    I believe it was 1gbit/sec. Why?

  3. March 24th, 2012 at 21:56 | #3

    I’m trying to follow the links to download the torrents and they’re redirecting to an auth page. I have no credentials for this site–how do I get access?

  4. kamwoods
    April 3rd, 2012 at 07:43 | #4

    @S. Widup
    The torrent links to Terasaur (formerly torrents.ibiblio) have been updated, and should now work without a problem. Note that the first link goes to the main listing of *all* the torrents (which are spread across two pages at Terasaur). Let us know if you have any further issues.

  5. Gian
    July 31st, 2012 at 02:25 | #5

    The link “Network Traffic” (ie: https://domex.nps.edu/corp/nps/scenarios/2009-m57-patents/net) is “Not Found”.
    Where I can find these pcap dump?

  6. mfshick
    July 31st, 2012 at 06:54 | #6

    The links have been fixed.

  7. December 3rd, 2012 at 03:48 | #7

    Dear Prof. Garfinkel,

    I am a PhD student at the Information Security Institute currently writing my dissertation. My research explores the use of metadata based correlations for digital forensics. Recently I managed to download your “M57 patents” scenario for validating some of my research. I would be much obliged if I could be provided with the answer keys for this scenario to verify my findings.

    Many thanks and regards

  8. Howard
    December 5th, 2012 at 21:28 | #8

    Hi can you please provide me the password for the below

  9. December 5th, 2012 at 21:35 | #9

    It’s only available to faculty at accredited institutions. Are you a faculty member?

  10. December 5th, 2012 at 21:35 | #10

    It’s only available to faculty at accredited institutions. Please have your adviser contact me.

  11. January 19th, 2013 at 19:58 | #11

    Also looking for the passwords for:

  12. May 28th, 2017 at 10:00 | #12

    I am trying to use this link for class with the lab manual for guide to computer forensics and investigations by Andrew Blitz and it is not working

  1. January 27th, 2012 at 19:03 | #1


"This material is based upon work supported by the National Science Foundation under Grant No. 0919593. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation."