The 2018 Lone Wolf scenario is a set of materials from the a fictional seizure of a laptop of a fictional individual who was planning a mass shooting. In the scenario, the individual’s brother alerted the police regarding the increasingly concerning behavior of his brother. As a result of the alert, the police seized the brother’s laptop. The laptop was then imaged with the FTK Imager program.
This scenario was created by Thomas Moore, a student at George Mason University, as his final project for CRFS 780: Cloud Forensics, taught in Spring 2018 by Simson Garfinkel. The purpose of the scenario is to give students the chance to work with a dataset that contains cloud artifacts left on clients, and to provide a scenario with a realistic size.
The seizure consists of the following materials:
- FTK Imager Log.txt
- LoneWolf.E01 (1.5GB)
- LoneWolf.E02 (1.5GB)
- LoneWolf.E03 (1.5GB)
- LoneWolf.E04 (1.5GB)
- LoneWolf.E05 (1.5GB)
- LoneWolf.E06 (1.5GB)
- LoneWolf.E07 (1.5GB)
- LoneWolf.E08 (1.5GB)
- LoneWolf.E09 (0.9GB)
- memdump.mem (17GB)
- pagefile.sys (2.9GB)
- single 15GB ZIP file containing the disk images.
- single 32GB ZIP file containing the disk and memory images.
Alternatively, you can download these materials in two different large ZIP files:
Because some students do not have access to commercial forensic tools, this scenario comes complete with the reports from several such tools. You can find the list of all tool reports here.
The password-protected 2018 Lone Wolf scenario can be downloaded from here:
If you are having trouble downloading and decompressing this file with a Macintosh using Safari, you should try to download and decompress it from the command line.
The teacher’s guide uses the same password as the other solutions available on this website. Please remember that the password to the teacher’s guide is only available to faculty at accredited universities. Further information can be found at the web page obtaining solutions.