Where can I get the images to learn DFIR?

6 min readJun 12, 2019


Here’s a list of images that might be appropriate for a “I want to learn forensics, but I don’t have an image for analysis.”. I’m preferentially collecting images with scenarios and answers.

The list includes many PC disk images, but also memory images, network packets, mobile phone and drone image data, and email data.

Image data provided by NIST for forensics

The CFReDS Project

This is a forensic dataset provided by NIST called “Computer Forensic Reference Data Sets (CFReDS)”. It’s probably one of the most famous data sets for forensic training.

  • Hacking Case
    You analyze a laptop’s disk image and gather evidence to answer 31 questions. The answer file is ready.
    Download 2 files “EnCase image” and “second part” and open “.E01” with a forensic tool such as FTK Imager.
  • Data Leakage Case
    You analyze 1 PC and 3 removable media and gather evidence to answer 60 questions. The answer file is ready.
  • Registry Forensics
    Image files for Registry Analysis exercise.
  • Drone Images
    Images from 60 drones including the DJI Phantom 4, and associated controllers, connected mobile devices and computers.
  • Russian Tea Room
    Disk image for Russian environment analysis. Your goal is to find eight sections.
  • Basic Mac image
    Disk image for Mac environment analysis. There are no specific scenarios.
  • Mobile Device Images
    Images from 10 mobile devices including the Samsung S4. There are no specific scenarios.
  • Container Files
    An image of the container environment. There are no specific scenarios.
  • Deleted File Recovery
    Metadata based deleted file recovery images.
  • File Carving
    Basic file carving images.

Technical — ENISA

Technical — ENISA

ENISA offers many great teaching stuffs at no charge, including images for forensic training.

  • Forensic analysis: Local Incident Response
    Incident response to an incident in which a customer’s sensitive data has been published online. It leads the trainees through a typical case, where a malicious action is reported and the aim is to find its source and handle the incident as a local one, limited to the workstation only.
    The disk image to be analyzed is “Virtual Image II”. “Virtual Image I” is a Linux image containing analysis tools.
  • Forensic analysis: Network Incident Response
    The main goal of this training is to teach trainees network forensic techniques and extend trainees operating system forensic capabilities beyond Microsoft Windows systems to include Linux.
  • Forensic analysis: Webserver Analysis
    There is a suspicion that a web server had been compromised. This training requires the students to perform a forensic analysis of three (web) servers, identified during the first two exercises as taking part in a malicious campaign.

In addition, various teaching materials are provided. For more information, visit the ENISA website.

Digital Corpora for use in Computer Forensics Education Research

Digital Corpora

A website that provides a digital corpus for computer forensics education and research. Disk images, memory dumps, and network packet captures are freely available. Use of that dataset is possible under special arrangement.

Note: Solutions are only available to faculty at accredited institutions and to trainers within the US Government.

Computer Forensics CCIC Training

2019 Digital Forensics Downloads — CCI — Cal Poly, San Luis Obispo

The site provides images and instructional text for Windows and Android. There’s also an image of Windows called “ Laptop Image” that you can parse to answer a few questions. The questions were created in Google Docs so you could easily check your answers.

Practical Exercise: Tucker

Digital Forensic — Training Materials

CIRCL » Digital Forensic — Training Materials

A Windows disk image. There is also a guidebook for forensic analysis and a command line cheat sheet for obtaining disk images.

Defcon DFIR CTF 2018

Hacking Exposed Computer Forensics Blog: Daily Blog #451: Defcon DFIR CTF 2018 Open to the Public

You collect evidence by analyzing disk images to answer CTF questions.

DFRWS Challenges

DFRWS Forensic Challenge | dfrws
  • 2003 : A challenge to analyze recovered floppy disks and answer questions.
  • 2005 : Challenge to analyze Windows memory and answer questions.
  • 2006 : The challenge of extracting as many complete JPEG, ZIP, HTML, text and Office files as possible from a 50 MB raw file.
  • 2007 : The challenge of extracting as many complete JPEG, ZIP, HTML, text, and Office files as possible from a 330 MB raw file.
  • 2008 : Challenge to analyze and answer questions about files, memory dumps, and packet captures contained in the user’s home directory.
  • 2009 : Challenge to analyze and answer questions about file system images, memory dumps, and packet captures of Linux systems on PS3.
  • 2010 : A challenge to analyze files related to Sony Ericsson K 800 i Cyber shot and generate a report containing some specified elements.
  • 2011 : A challenge to analyze files on Android smartphones and create a report with a few specific elements.
  • 2015 : Challenge is on development of GPU memory analysis tools, targeting GPU-based malware.
  • 2016 : Challenge seeks to advance the state-of-the-art in SDN forensics by focusing the community’s attention on this emerging domain.
  • 2017 : Challenge is about Internet of Things (IoT).
  • 2018 : Challenge is about Internet of Things (IoT).

Other Data Sets

Disk Image

Memory Image

Network Packet

Email Data Sets

Various Data Sets

Update History

  • 2019/06/13 New.
  • 2019/06/14 Added text about ENISA. (Thanks to @S0xbad1dea for the information.)
  • 2019/06/14 Added a link to Digital Forensics Incident Response Training.
  • 2019/06/15 Added a link to DFRWS Forensic Challenge.
  • 2019/06/16 Added text about Computer Forensics CCIC Training.
  • 2019/08/15 Modify Article Title.
  • 2019/08/16 Details of the downloaded file were added to the items of CFReDS and ENISA. It was corrected that the wrong image data name was described in the CCIC item. DFRWS from 2011 to 2003 added.
  • 2020/03/03 Revised.




Loves cats and CTFs. …ᓚᘏᗢ… [twitter:@soji256] ,CISSP