M57-Patents Scenario

August 31st, 2016 Leave a comment Go to comments

2009-M57-Patents

The 2009-M57-Patents scenario tracks the first four weeks of corporate history of the M57 Patents company. The company started operation on Friday, November 13th, 2009, and ceased operation on Saturday, December 12, 2009. As might be imagined in the business of outsourced patent searching, lots of other activities were going on at M57-Patents.

Two ways of working the scenario are as a disk forensics exercise (students are provided with disk images of all the systems as they were on the last day) and as a network forensics exercise (students are provided with all of the packets in and out of the corporate network). The scenario data can also be used to support computer forensics research, as the hard drive of each computer and each computer’s memory were imaged every day.

Please do not post solutions to our scenarios! They are being used in academic courses.

Instructor Materials and Answer Keys (encrypted):

Exercise slides:

Detective reports, warrant and affidavit:

Individual items from the corpus organized by calendar date as they were produced during the scenario can also be found here:

Notes:

  1. Friday, 13 November has no images, because the scenario did not officially start until the following Monday (16 November). Your data may contain drive images from Thursday, 12 November. These are for reference (e.g. prior to any employee activity).
  2. Friday, 20 December has images for two separate drives for Jo and Terry. See the scenario information for that date.

Finally, we have made available some files resulting from processing the corpus with our other research tools:

We have prepared a variety of supporting materials for this scenario, including sample exercises, instructor slides, simulated detective reports and associated warrant, and encrypted scenario guides, hash tables, and answer keys for instructors (email Simson Garfinkel or Kam Woods for the passphrase).

 

The solution is distributed as an encrypted PDF file.

Please see our note onobtaining solutions.

 

  1. Blue.D
    March 2nd, 2011 at 18:11 | #1

    Hi, could you tell me the physical link speed of the network pcap files you shared? especially in day11-14.dmp.zip? Thank you!

  2. January 28th, 2012 at 13:25 | #2

    I believe it was 1gbit/sec. Why?

  3. March 24th, 2012 at 21:56 | #3

    I’m trying to follow the links to download the torrents and they’re redirecting to an auth page. I have no credentials for this site–how do I get access?

  4. kamwoods
    April 3rd, 2012 at 07:43 | #4

    @S. Widup
    The torrent links to Terasaur (formerly torrents.ibiblio) have been updated, and should now work without a problem. Note that the first link goes to the main listing of *all* the torrents (which are spread across two pages at Terasaur). Let us know if you have any further issues.

  5. Gian
    July 31st, 2012 at 02:25 | #5

    The link “Network Traffic” (ie: https://domex.nps.edu/corp/nps/scenarios/2009-m57-patents/net) is “Not Found”.
    Where I can find these pcap dump?
    Thanks.

  6. mfshick
    July 31st, 2012 at 06:54 | #6

    The links have been fixed.

  7. December 3rd, 2012 at 03:48 | #7

    Dear Prof. Garfinkel,

    I am a PhD student at the Information Security Institute currently writing my dissertation. My research explores the use of metadata based correlations for digital forensics. Recently I managed to download your “M57 patents” scenario for validating some of my research. I would be much obliged if I could be provided with the answer keys for this scenario to verify my findings.

    Many thanks and regards
    Sriram

  8. Howard
    December 5th, 2012 at 21:28 | #8

    Hi can you please provide me the password for the below
    m57-instructor-packet.pdf
    hash-sets.zip
    scenario-emails.zip

  9. December 5th, 2012 at 21:35 | #9

    It’s only available to faculty at accredited institutions. Are you a faculty member?

  10. December 5th, 2012 at 21:35 | #10

    It’s only available to faculty at accredited institutions. Please have your adviser contact me.

  11. January 19th, 2013 at 19:58 | #11

    Also looking for the passwords for:
    m57-instructor-packet.pdf
    hash-sets.zip
    scenario-emails.zip
    Thanks

  12. December 1st, 2015 at 05:56 | #12

    Hi,

    What is the average time it takes for a group of, say, 3-4 students to complete the M57 patents investigation? I am thinking about just the analysis of the Illegal Digital Images, Theft of Company Property and Corporate Espionage within the images and USB’s?

    I am considering using it in my teaching and would like to know the average time it takes to complete?

    Thanks!

  13. August 31st, 2016 at 15:51 | #13

    Hi,
    Has the links for the images been moved. I can’t access the torrent site to download the torrent bits. Any assistance would be greatly appreciated. The server keeps resetting the connection. I have tried connecting from two different networks to ensure that it was not on my end, but no luck.

  1. January 27th, 2012 at 19:03 | #1

 

"This material is based upon work supported by the National Science Foundation under Grant No. 0919593. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation."