curriculum
10 offline, self-checking labs for investigators learning fatcousin against known synthetic scenarios. each lab replays the committed engines for a case type, then verifies your output against published golden SHA-256 hashes. every exercise runs 100% in your browser — no accounts, no uploads.
how the labs work
1. get the fixture pack. download the synthetic evidence zip from the lab card (or the evidence library). synthetic data only — safe for classroom use.
2. run the listed tools. open each engine, load the evidence file named in the walkthrough, and review the findings. processing stays on your machine. the lab's replay binder chains the same engines if you prefer one click.
3. self-check offline. hash your engine output and compare it to the committed golden SHA-256 in the lab. a match confirms you reproduced the fleet-locked reference output for that engine_version.
full step-by-step walkthroughs, evidence-file tables, and golden hashes ship in the open-source repo at docs/curriculum/ — clone or download to run a lab end-to-end or build a workshop. this page is the index; the proof pages are the replay surface.
labs (10)
ordered as a learning path — email and ransomware fundamentals first, then cloud, crypto, mobile, identity, documents, media, network, and agent-abuse scenarios.
- lab 01 bec-sterling
trace a vendor-impersonation wire fraud through email headers, spoofing checks, thread forgery, and a malicious mailbox forward rule.
case type: business email compromise (BEC) · 8 engines
- lab 02 ransomware-acme-corp
pin encryption onset, map pre-encryption staging and lateral movement, and parse a ransom note across an ALPHV-style healthcare MSP attack.
case type: ransomware response · 8 engines
- lab 03 novak-api-key-leak
recover a leaked cloud credential from git history and follow it into CloudTrail IAM abuse, secret reads, and S3 egress.
case type: API key leak / repo compromise · 8 engines
- lab 04 voss-wallet-drain
decode an unlimited-approval drainer, build the on-chain drain graph, and detect mixer-shaped obfuscation on the BTC peel chain.
case type: crypto theft / wallet drain · 8 engines
- lab 05 miranda-pig-butchering
reconstruct a grooming timeline from iOS chat artifacts and trace victim deposits on-chain to a mixer sink.
case type: pig butchering / long-con investment scam · 8 engines
- lab 06 harbor-ato
correlate Okta MFA fatigue, a help-desk MFA reset, a hidden forward rule, and a SIM swap into one account-takeover timeline.
case type: account takeover (ATO) · 8 engines
- lab 07 nash-invoice-fraud
compare fraudulent and legitimate invoice email + PDF pairs to expose a homoglyph domain and an incremental remittance edit.
case type: invoice fraud / vendor account change · 8 engines
- lab 08
run image, audio, and video detectors across a fabricated executive-impersonation media bundle.
case type: deepfake investigation (video / audio / image) · 8 engines
- lab 09
analyze PCAP, NetFlow, and nginx logs to characterize a volumetric DDoS and its botnet source cluster.
case type: DDoS investigation · 8 engines
- lab 10
investigate a tampered MCP server: tool-name divergence, permission escalation, and prompt-injected tool results.
case type: MCP server compromise · 6 engines
scope & honesty
- synthetic only — no real victims, companies, wallets, or credentials.
- local-first — no accounts, no uploads, no server-side processing of your files.
- analysis phase — fatcousin supports investigation and documentation; it is not a mobile-acquisition or imaging product. see scope.
- admissibility — outputs can support admissibility prep; the court decides. a tool label is never a guarantee.