Digital Corpora

2009-M57-Patents

The 2009-M57-Patents scenario tracks the first four weeks of corporate history of the M57 Patents company. The company started operation on Friday, November 13th, 2009, and ceased operation on Saturday, December 12, 2009. As might be imagined in the business of outsourced patent searching, lots of other activities were going on at M57-Patents.

Two ways of working the scenario are as a disk forensics exercise (students are provided with disk images of all the systems as they were on the last day) and as a network forensics exercise (students are provided with all of the packets in and out of the corporate network). The scenario data can also be used to support computer forensics research, as the hard drive of each computer and each computer’s memory were imaged every day.

The full corpus is large (close to 460GB). To facilitate download and sharing of the data we provide BitTorrent files containing different portions of the corpus. If you have limited storage but want the entire corpus, pull down the “All Materials” torrent. You can recreate all other views into the data from the resulting files using the manifests for the other torrents. There are two versions of torrents which contain disk images. The torrents which end in “-E01″ have EnCase formatted disk images. The others use the Advanced Forensic Format (from which RAW images can be extracted using tools available at http://www.afflib.org/).

In a hurry? If you just want to work with the main exercises, the “Police Evidence” torrents contain only data that would be captured by an incident response team (and correspond to the final day of the scenario). These, along with the detective reports, warrant and affidavit, exercises (outlined in the slides blow), and instructor packet contain everything you will need.

The torrents can be found here:

• M57 Patents torrent files
• Direct link to “Police Evidence” torrent (disk images in AFF format)
• Direct link to “Police Evidence” torrent (disk images in E01 format)

We have prepared a variety of supporting materials for this scenario, including sample exercises, instructor slides, simulated detective reports and associated warrant, and encrypted scenario guides, hash tables, and answer keys for instructors (email Simson Garfinkel or Kam Woods for the passphrase).

Instructor Materials and Answer Keys (encrypted):

• m57-instructor-packet.pdf
• hash-sets.zip
• scenario-emails.zip

Exercise slides:

• M57-Patents-Illegal.key
• M57-Patents-Illegal.ppt
• M57-Patents-Illegal.pdf

• M57-Patents-Exfiltration.key
• M57-Patents-Exfiltration.ppt
• M57-Patents-Exfiltration.pdf

• M57-Patents-Eavesdropping.key
• M57-Patents-Eavesdropping.ppt
• M57-Patents-Eavesdropping.pdf

Detective reports, warrant and affidavit:

• detectivereport1.doc
• detectivereport1.pdf
• detectivereport2.doc
• detectivereport2.pdf
• detectivereport3.doc
• detectivereport3.pdf
• detectivereport4.doc
• detectivereport4.pdf
• m57-affidavit-warrant-final.doc
• m57-affidavit-warrant-final.pdf

Individual items from the corpus organized by calendar date as they were produced during the scenario can also be found here:

• Drive Images
• RAM Images
• Network Traffic

Notes:

1. Friday, 13 November has no images, because the scenario did not officially start until the following Monday (16 November). Your data may contain drive images from Thursday, 12 November. These are for reference (e.g. prior to any employee activity).
2. Friday, 20 December has images for two separate drives for Jo and Terry. See the scenario information for that date. The “Police Evidence” torrents contain only the second drive image.