DSET Forensics Benchmark

Operation Nightshade

Operation Nightshade: a seized workstation image of a threat actor. The actor dumped credentials, moved laterally, exfiltrated data and then wiped or forged its traces. The single 64 MiB image mounts with real tools; but the real evidence hides in slack, unallocated, nested images, encrypted containers and the memory dump. Answer the 180 questions.

Download Image Answer Template

180Questions

21Evidence Types

64MiB Image

AF4Difficulty

What Is in the Image

Deleted and carvable documents

Memory dump (hiberfil) and swap

Nested image and encrypted containers

Steganographic imagery and EXIF

Network capture (pcap)

Windows event log and Linux logs

Registry, mobile database, email

Archive and polyglot files

Scattered file fragments (multi source)

Classical, RSA, JWT and hash cryptanalysis

Evidence Categories

Submit Your Answers

Answer the 180 questions below, or download the JSON template, fill it and paste it. The same scoring runs via the API. Soundness, the resistance to planted false evidence, is measured alongside recall.

0 / 180

Your name / teamTrack

Paste answer-template JSON (optional)

Q001Flag carved from the deleted CONTRACT.DOC?Q002Owner of the deleted document?Q003Hidden flag in the last cluster of INVOICE.TXT?Q004Which anti forensics technique hid the payload in INVOICE.TXT?Q005Staging flag carved from unallocated space?Q006Recoverable content of the SHADOW.DB file?Q088Workstation name?Q089Invoice number in INVOICE.TXT?Q090Invoice amount in INVOICE.TXT?Q091Surname of the RESUME.DOC owner?Q092Which technique overwrote the wiped region?Q160First word of README.TXT?Q161Job title of the RESUME.DOC owner?

About This Case

Operation Nightshade is the DFB master case: a single, fully synthetic forensic disk image that consolidates twenty one evidence disciplines into one investigation. It is built to defeat automated triage and require genuine human or agent analysis. The file system mounts cleanly, so surface tools see innocuous files, while the incriminating evidence lives in deleted clusters, file slack, an embedded memory dump, encrypted containers whose keys leak across artifacts, a polyglot file, and scattered fragments that must be reassembled from several sources.

Operation Nightshade

What Is in the Image

Evidence Categories

Submit Your Answers

About This Case

Disk and File System 13

Memory Forensics 13

Nested Image and Container 10

Encrypted Container and C2 12

Steganography and Imagery 10

Classical Cryptanalysis 9

RSA Cryptanalysis 5

JWT and Protocol 6

Password and Hash 10

Network Traffic 11

Linux Auth Logs 9

Windows Event Log 13

Windows Registry 7

Mobile and SQLite 5

Email Forensics 8

Document Forensics 4

Archive and Polyglot 4

Scattered Recovery 7

Timeline 6

Anti Forensics Detection 5

MITRE ATT&CK and Attribution 13