Here’s a list of images that might be appropriate for a “I want to learn forensics, but I don’t have an image for analysis.”. I’m preferentially collecting images with scenarios and answers.
The list includes many PC disk images, but also memory images, network packets, mobile phone and drone image data, and email data.
Image data provided by NIST for forensics
- The CFReDS Project
https://www.cfreds.nist.gov/
This is a forensic dataset provided by NIST called “Computer Forensic Reference Data Sets (CFReDS)”. It’s probably one of the most famous data sets for forensic training.
- Hacking Case
You analyze a laptop’s disk image and gather evidence to answer 31 questions. The answer file is ready.
Download 2 files “EnCase image” and “second part” and open “.E01” with a forensic tool such as FTK Imager. - Data Leakage Case
You analyze 1 PC and 3 removable media and gather evidence to answer 60 questions. The answer file is ready. - Registry Forensics
Image files for Registry Analysis exercise. - Drone Images
Images from 60 drones including the DJI Phantom 4, and associated controllers, connected mobile devices and computers. - Russian Tea Room
Disk image for Russian environment analysis. Your goal is to find eight sections. - Basic Mac image
Disk image for Mac environment analysis. There are no specific scenarios. - Mobile Device Images
Images from 10 mobile devices including the Samsung S4. There are no specific scenarios. - Container Files
An image of the container environment. There are no specific scenarios. - Deleted File Recovery
Metadata based deleted file recovery images. - File Carving
Basic file carving images.
Technical — ENISA
- Technical — ENISA
https://www.enisa.europa.eu/topics/trainings-for-cybersecurity-specialists/online-training-material/technical-operational
ENISA offers many great teaching stuffs at no charge, including images for forensic training.
- Forensic analysis: Local Incident Response
Incident response to an incident in which a customer’s sensitive data has been published online. It leads the trainees through a typical case, where a malicious action is reported and the aim is to find its source and handle the incident as a local one, limited to the workstation only.
The disk image to be analyzed is “Virtual Image II”. “Virtual Image I” is a Linux image containing analysis tools. - Forensic analysis: Network Incident Response
The main goal of this training is to teach trainees network forensic techniques and extend trainees operating system forensic capabilities beyond Microsoft Windows systems to include Linux. - Forensic analysis: Webserver Analysis
There is a suspicion that a web server had been compromised. This training requires the students to perform a forensic analysis of three (web) servers, identified during the first two exercises as taking part in a malicious campaign.
In addition, various teaching materials are provided. For more information, visit the ENISA website.
Digital Corpora for use in Computer Forensics Education Research
- Digital Corpora
https://digitalcorpora.org/
A website that provides a digital corpus for computer forensics education and research. Disk images, memory dumps, and network packet captures are freely available. Use of that dataset is possible under special arrangement.
- Cell Phone Dumps : Nokia_6230, SE_P800, Nokia_T68i and SE_T630.
- 2008 M57-Jean : A single disk scenario involving the exfiltration of corporate documents from an executive’s laptop.
- 2008 Nitroba University Harassment Scenario : A fun-to-solve network forensics scenario.
- 2009 M57-Patents : A complex scenario involving multiple drives and actors set at a small company over the course of several weeks.
- 2012 National gallery DC : a fictional attack on the National Gallery DC, foiled in 2012.
- 2018 Lone Wolf Scenario : A scenario involving the seizure of the laptop of a fictional person planning a mass shooting.
Note: Solutions are only available to faculty at accredited institutions and to trainers within the US Government.
Computer Forensics CCIC Training
- 2019 Digital Forensics Downloads — CCI — Cal Poly, San Luis Obispo
https://cci.calpoly.edu/2019-digital-forensics-downloads
The site provides images and instructional text for Windows and Android. There’s also an image of Windows called “ Laptop Image” that you can parse to answer a few questions. The questions were created in Google Docs so you could easily check your answers.
Digital Forensic — Training Materials
- CIRCL » Digital Forensic — Training Materials
https://www.circl.lu/services/forensic-training-materials/
A Windows disk image. There is also a guidebook for forensic analysis and a command line cheat sheet for obtaining disk images.
Defcon DFIR CTF 2018
- Hacking Exposed Computer Forensics Blog: Daily Blog #451: Defcon DFIR CTF 2018 Open to the Public
https://www.hecfblog.com/2018/08/daily-blog-451-defcon-dfir-ctf-2018.html
You collect evidence by analyzing disk images to answer CTF questions.
DFRWS Challenges
- DFRWS Forensic Challenge | dfrws
https://dfrws.org/dfrws-forensic-challenge
- 2003 : A challenge to analyze recovered floppy disks and answer questions.
- 2005 : Challenge to analyze Windows memory and answer questions.
- 2006 : The challenge of extracting as many complete JPEG, ZIP, HTML, text and Office files as possible from a 50 MB raw file.
- 2007 : The challenge of extracting as many complete JPEG, ZIP, HTML, text, and Office files as possible from a 330 MB raw file.
- 2008 : Challenge to analyze and answer questions about files, memory dumps, and packet captures contained in the user’s home directory.
- 2009 : Challenge to analyze and answer questions about file system images, memory dumps, and packet captures of Linux systems on PS3.
- 2010 : A challenge to analyze files related to Sony Ericsson K 800 i Cyber shot and generate a report containing some specified elements.
- 2011 : A challenge to analyze files on Android smartphones and create a report with a few specific elements.
- 2015 : Challenge is on development of GPU memory analysis tools, targeting GPU-based malware.
- 2016 : Challenge seeks to advance the state-of-the-art in SDN forensics by focusing the community’s attention on this emerging domain.
- 2017 : Challenge is about Internet of Things (IoT).
- 2018 : Challenge is about Internet of Things (IoT).
Other Data Sets
Disk Image
- Between Two DFIRns: Forensic CTF: Baud.. James Baud..
https://betweentwodfirns.blogspot.com/2016/11/forensic-ctf-baud-james-baud.html - Digital Forensics Challenge — Digital Forensics Challenge
http://dfchallenge.org/ - Linux LEO
https://linuxleo.com/ - Computer Forensics, Malware Analysis & Digital Investigations: Forensic Practical
http://www.forensickb.com/2008/01/forensic-practical.html - Ali Hadi, Ph.D.
https://www.ashemery.com/dfir.html
Memory Image
- Memory Samples · volatilityfoundation/volatility Wiki
https://github.com/volatilityfoundation/volatility/wiki/Memory-Samples
Network Packet
- SampleCaptures — The Wireshark Wiki
https://wiki.wireshark.org/SampleCaptures - Puzzles! — Network Forensics Puzzle Contest
http://forensicscontest.com/puzzles
Email Data Sets
- Enron Email Dataset
https://www.cs.cmu.edu/~enron/
Various Data Sets
- Datasets — Datasets for Cyber Forensics
https://datasets.fbreitinger.de/datasets/ - Digital Forensics Incident Response Training - More Images!
https://www.dfir.training/resources/downloads/ctf-forensic-test-images/more-images
Update History
- 2019/06/13 New.
- 2019/06/14 Added text about ENISA. (Thanks to @S0xbad1dea for the information.)
- 2019/06/14 Added a link to Digital Forensics Incident Response Training.
- 2019/06/15 Added a link to DFRWS Forensic Challenge.
- 2019/06/16 Added text about Computer Forensics CCIC Training.
- 2019/08/15 Modify Article Title.
- 2019/08/16 Details of the downloaded file were added to the items of CFReDS and ENISA. It was corrected that the wrong image data name was described in the CCIC item. DFRWS from 2011 to 2003 added.
- 2020/03/03 Revised.
