Operation Nightshade: A 180-Question Single-Image Forensics Case
A threat actor's seized machine in a single 64 MiB image. Twenty-one evidence disciplines, 180 investigation questions, cross-artifact correlation and planted false trails. It mounts with real tools but hides the truth. Test your tool on the hardest forensic case.
Quick answer: Operation Nightshade is the flagship case of the DSET Forensics Benchmark: a fully synthetic 64 MiB disk image representing a threat actor's seized workstation. It consolidates twenty-one evidence disciplines and 180 investigation questions into one file. The image mounts cleanly with real tools, but the incriminating evidence hides in deleted clusters, file slack, an embedded memory image, encrypted containers whose keys leak across artifacts, and scattered fragments. Download it from this page and test your tool.
The story
The subject is a threat actor who dumped credentials, moved laterally, exfiltrated data, then wiped or forged traces. Your job is to act as an expert witness: who, when, with which tools, what was accessed, what was exfiltrated, where, and which trails are fake. You must do two things at once: recover genuine evidence and resist planted deception.
What is in the image?
The image covers disk and file system, memory forensics, nested structures, cryptanalysis, network capture, operating system logs, registry, mobile databases, email, documents, archives, a polyglot file and scattered fragments. The rationale and antiforensics stratification are in the DFB methodology paper.
Why it defeats automation
Cross-artifact correlation is mandatory, some evidence is fragmented across sources, and deliberately planted decoys are never announced, so pattern matching on the most visible string is penalised by the soundness axis. See also how antiforensics challenges tools.
How to participate
Download the image from the Operation Nightshade page, fill in the answer template or use the in-browser form, and submit your 180 answers for an instant score. Results appear on the leaderboard.
Honesty is scored
A subset of items is beyond recovery within the laws of the system. You are not told which; claiming to recover the impossible is hallucination and is penalised, while an honest declaration is rewarded like a correct finding. See why this matters for AI agents.
FAQ
Does it open with real tools? Yes, it carries a valid file system and surfaces innocuous files; the real evidence is hidden.
How many questions? 180, across twenty-one disciplines.