M57-Patents Scenario

April 29th, 2017 Leave a comment Go to comments


The 2009-M57-Patents scenario tracks the first four weeks of corporate history of the M57 Patents company. The company started operation on Friday, November 13th, 2009, and ceased operation on Saturday, December 12, 2009. As might be imagined in the business of outsourced patent searching, lots of other activities were going on at M57-Patents.

Two ways of working the scenario are as a disk forensics exercise (students are provided with disk images of all the systems as they were on the last day) and as a network forensics exercise (students are provided with all of the packets in and out of the corporate network). The scenario data can also be used to support computer forensics research, as the hard drive of each computer and each computer’s memory were imaged every day.

All of the materials below can be found at http://downloads.digitalcorpora.org/corpora/scenarios/2009-m57-patents/

Instructor Materials and Answer Keys (encrypted):

Exercise slides:

Detective reports, warrant and affidavit:

Individual items from the corpus organized by calendar date as they were produced during the scenario can also be found here:


  1. Friday, 13 November has no images, because the scenario did not officially start until the following Monday (16 November). Your data may contain drive images from Thursday, 12 November. These are for reference (e.g. prior to any employee activity).
  2. Friday, 20 December has images for two separate drives for Jo and Terry. See the scenario information for that date. The “Police Evidence” torrents contain only the second drive image.

Finally, we have made available some files resulting from processing the corpus with our other research tools:

Accessing the corpus by BitTorrent

NOTE: Torrent links are working again!
The full corpus is large (close to 460GB). To facilitate download and sharing of the data we provide BitTorrent files containing different portions of the corpus. If you have limited storage but want the entire corpus, pull down the “All Materials” torrent. You can recreate all other views into the data from the resulting files using the manifests for the other torrents. There are two versions of torrents which contain disk images. The torrents which end in “-E01” have EnCase formatted disk images. The others use the Advanced Forensic Format (from which RAW images can be extracted using tools available at http://www.afflib.org/).

In a hurry? If you just want to work with the main exercises, the “Police Evidence” torrents contain only data that would be captured by an incident response team (and correspond to the final day of the scenario). These, along with the detective reports, warrant and affidavit, exercises (outlined in the slides blow), and instructor packet contain everything you will need.

The torrents can be found here:

We have prepared a variety of supporting materials for this scenario, including sample exercises, instructor slides, simulated detective reports and associated warrant, and encrypted scenario guides, hash tables, and answer keys for instructors (email Simson Garfinkel or Kam Woods for the passphrase).


The solution is distributed as an encrypted PDF file.

Please see our note onobtaining solutions.


  1. Blue.D
    March 2nd, 2011 at 18:11 | #1

    Hi, could you tell me the physical link speed of the network pcap files you shared? especially in day11-14.dmp.zip? Thank you!

  2. January 28th, 2012 at 13:25 | #2

    I believe it was 1gbit/sec. Why?

  3. March 24th, 2012 at 21:56 | #3

    I’m trying to follow the links to download the torrents and they’re redirecting to an auth page. I have no credentials for this site–how do I get access?

  4. kamwoods
    April 3rd, 2012 at 07:43 | #4

    @S. Widup
    The torrent links to Terasaur (formerly torrents.ibiblio) have been updated, and should now work without a problem. Note that the first link goes to the main listing of *all* the torrents (which are spread across two pages at Terasaur). Let us know if you have any further issues.

  5. Gian
    July 31st, 2012 at 02:25 | #5

    The link “Network Traffic” (ie: https://domex.nps.edu/corp/nps/scenarios/2009-m57-patents/net) is “Not Found”.
    Where I can find these pcap dump?

  6. mfshick
    July 31st, 2012 at 06:54 | #6

    The links have been fixed.

  7. December 3rd, 2012 at 03:48 | #7

    Dear Prof. Garfinkel,

    I am a PhD student at the Information Security Institute currently writing my dissertation. My research explores the use of metadata based correlations for digital forensics. Recently I managed to download your “M57 patents” scenario for validating some of my research. I would be much obliged if I could be provided with the answer keys for this scenario to verify my findings.

    Many thanks and regards

  8. Howard
    December 5th, 2012 at 21:28 | #8

    Hi can you please provide me the password for the below

  9. December 5th, 2012 at 21:35 | #9

    It’s only available to faculty at accredited institutions. Are you a faculty member?

  10. December 5th, 2012 at 21:35 | #10

    It’s only available to faculty at accredited institutions. Please have your adviser contact me.

  11. January 19th, 2013 at 19:58 | #11

    Also looking for the passwords for:

  1. January 27th, 2012 at 19:03 | #1


"This material is based upon work supported by the National Science Foundation under Grant No. 0919593. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation."