The M57-Jean scenario is a single disk image scenario involving the exfiltration of corporate documents from the laptop of a senior executive. The scenario involves a small start-up company, M57.Biz. A few weeks into inception a confidential spreadsheet that contains the names and salaries of the company’s key employees was found posted to the “comments” section of one of the firm’s competitors. The spreadsheet only existed on one of M57’s officers, Jean.
Jean says that she has no idea how the data left her laptop and that she must have been hacked.
You have been given a disk image of Jean’s laptop. Your job is to figure out how the data was stolen, or if Jean isn’t as innocent as she claims.
Note: Solutions to this problem have been widely distributed on the Internet, so this assignment should only be used for self-study, and not for academic credit.
- Jean’s disk in EnCase E01 format:
- Exercise Slides:
- M57-Jean.ppt (Microsoft PowerPoint format)
- M57-Jean.key (Apple keynote format)
- M57-Jean.pdf (Adobe Acrobat format)
Many students have had problems accessing these files with Autopsy. There is nothing wrong with these files or with Autopsy. Students: If you are having problems, you need to speak with your professor.
The solution is distributed as an encrypted PDF file:
Please see our note on obtaining solutions.
(Note: nps-2008-jean is a multi-volume Expert Witness file. You need to download both of the files and put them in the same directory, or else you will not be able to process the disk image.)