Where can I get the images to learn DFIR?

Image data provided by NIST for forensics

The CFReDS Project
  • Hacking Case
    You analyze a laptop’s disk image and gather evidence to answer 31 questions. The answer file is ready.
    Download 2 files “EnCase image” and “second part” and open “.E01” with a forensic tool such as FTK Imager.
  • Data Leakage Case
    You analyze 1 PC and 3 removable media and gather evidence to answer 60 questions. The answer file is ready.
  • Registry Forensics
    Image files for Registry Analysis exercise.
  • Drone Images
    Images from 60 drones including the DJI Phantom 4, and associated controllers, connected mobile devices and computers.
  • Russian Tea Room
    Disk image for Russian environment analysis. Your goal is to find eight sections.
  • Basic Mac image
    Disk image for Mac environment analysis. There are no specific scenarios.
  • Mobile Device Images
    Images from 10 mobile devices including the Samsung S4. There are no specific scenarios.
  • Container Files
    An image of the container environment. There are no specific scenarios.
  • Deleted File Recovery
    Metadata based deleted file recovery images.
  • File Carving
    Basic file carving images.

Technical — ENISA

Technical — ENISA
  • Forensic analysis: Local Incident Response
    Incident response to an incident in which a customer’s sensitive data has been published online. It leads the trainees through a typical case, where a malicious action is reported and the aim is to find its source and handle the incident as a local one, limited to the workstation only.
    The disk image to be analyzed is “Virtual Image II”. “Virtual Image I” is a Linux image containing analysis tools.
  • Forensic analysis: Network Incident Response
    The main goal of this training is to teach trainees network forensic techniques and extend trainees operating system forensic capabilities beyond Microsoft Windows systems to include Linux.
  • Forensic analysis: Webserver Analysis
    There is a suspicion that a web server had been compromised. This training requires the students to perform a forensic analysis of three (web) servers, identified during the first two exercises as taking part in a malicious campaign.

Digital Corpora for use in Computer Forensics Education Research

Digital Corpora

Computer Forensics CCIC Training

2019 Digital Forensics Downloads — CCI — Cal Poly, San Luis Obispo
Practical Exercise: Tucker

Digital Forensic — Training Materials

CIRCL » Digital Forensic — Training Materials

Defcon DFIR CTF 2018

Hacking Exposed Computer Forensics Blog: Daily Blog #451: Defcon DFIR CTF 2018 Open to the Public

DFRWS Challenges

DFRWS Forensic Challenge | dfrws
  • 2003 : A challenge to analyze recovered floppy disks and answer questions.
  • 2005 : Challenge to analyze Windows memory and answer questions.
  • 2006 : The challenge of extracting as many complete JPEG, ZIP, HTML, text and Office files as possible from a 50 MB raw file.
  • 2007 : The challenge of extracting as many complete JPEG, ZIP, HTML, text, and Office files as possible from a 330 MB raw file.
  • 2008 : Challenge to analyze and answer questions about files, memory dumps, and packet captures contained in the user’s home directory.
  • 2009 : Challenge to analyze and answer questions about file system images, memory dumps, and packet captures of Linux systems on PS3.
  • 2010 : A challenge to analyze files related to Sony Ericsson K 800 i Cyber shot and generate a report containing some specified elements.
  • 2011 : A challenge to analyze files on Android smartphones and create a report with a few specific elements.
  • 2015 : Challenge is on development of GPU memory analysis tools, targeting GPU-based malware.
  • 2016 : Challenge seeks to advance the state-of-the-art in SDN forensics by focusing the community’s attention on this emerging domain.
  • 2017 : Challenge is about Internet of Things (IoT).
  • 2018 : Challenge is about Internet of Things (IoT).

Other Data Sets

Disk Image

Memory Image

Network Packet

Email Data Sets

Various Data Sets

Update History

  • 2019/06/13 New.
  • 2019/06/14 Added text about ENISA. (Thanks to @S0xbad1dea for the information.)
  • 2019/06/14 Added a link to Digital Forensics Incident Response Training.
  • 2019/06/15 Added a link to DFRWS Forensic Challenge.
  • 2019/06/16 Added text about Computer Forensics CCIC Training.
  • 2019/08/15 Modify Article Title.
  • 2019/08/16 Details of the downloaded file were added to the items of CFReDS and ENISA. It was corrected that the wrong image data name was described in the CCIC item. DFRWS from 2011 to 2003 added.
  • 2020/03/03 Revised.




Loves cats and CTFs. …ᓚᘏᗢ… [twitter:@soji256]

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Emotet Memory dump analysis: Part 1 (Detecting malicious processes)

{UPDATE} kill'em all Hack Free Resources Generator

Stockholm’s war on interoperability

Christian Landgren’s design for a ‘Skrota Skolplattformen’ cap. Image: Christian Landgren https://twitter.com/Landgren/status/1319712457196261376

The Evolution of Security Operations Automation

{UPDATE} 二年级数学练习奥数题练习 Hack Free Resources Generator

Cloud Security Hygiene & Azure Security Center

How to Steal User’s Signature in NFT Phishing Attacks

PowerLoaderV2 Malware Analysis

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


Loves cats and CTFs. …ᓚᘏᗢ… [twitter:@soji256]

More from Medium

Cyber security for beginners: Part 11

Log4Shell Honeypot Analysis

How Clubhouse user scraping and social graphs

With Great Power…