Forensic Test Images

Testing software, researching forensic analysis, teaching forensics, and learning how to use forensic tools all require one common thing: test images .

There are so many forensic test images scattered across the Internet, that finding something that you need takes time. So…I have curated into categories all that I have found and add new sources as I find them or informed of them.

You can find them all here: https://www.dfir.training/resources/downloads/ctf-forensic-test-images

 

Links by category:

CTF/Challenges

https://www.dfir.training/resources/downloads/ctf-forensic-test-images/ctf

Malware

https://www.dfir.training/resources/downloads/ctf-forensic-test-images/malware

More images

https://www.dfir.training/resources/downloads/ctf-forensic-test-images/more-images

Registry Samples

https://www.dfir.training/resources/downloads/ctf-forensic-test-images/registry-samples

Windows Event Samples

https://www.dfir.training/resources/downloads/ctf-forensic-test-images/windows-event-samples

As to the details of each category, there really isn’t much to elaborate beyond the category title. However, an important point to remember is that any one of the links to a dataset usually includes gigabytes, if not terabytes of forensic images sub-categorized by the respective providers.

Summary of each category

CTF/Challenges

Plenty of challenges involving all aspects of forensics, steganography, cryptography, encoding, puzzles, and tutorials.

One of the more popular examples in the DFIR Training listings is Ali Hadi’s Digital Forensics Challenge Images (Datasets).  There are several great cases that are put together that cover quite a bit of forensic analysis groundwork.  

https://www.dfir.training/resources/downloads/ctf-forensic-test-images/ctf/716-b-n-ry-digital-forensic-challenge-1-2-3

 

Malware

The malware category is interesting, mostly because there is a TON of malware samples that you can access. The most popular listing on DFIR Training for malware samples is DAS MALWERK.

https://www.dfir.training/mt/tools/malware-analysis/misc-malware-tools/881-das-malwerk

More images

This category name is a bit misleading, because “more images” sounds like the leftovers. In reality, this category has the most number of datasets and most diverse type of datasets. Things like Android images by Josh Hickman, the Enron email dataset , and complete computer hard disk drive images.  The amount of data available is incredible, with sources like Rapid7 providing 18 TERABTYES of datasets!

Spend time browsing through this category and you will certainly be overwhelmed with the number of choices and amount of data, especially with sources like CalPoly’s images and tutorials.

https://www.dfir.training/resources/downloads/ctf-forensic-test-images/more-images/1683-calpoly-laptop-image

Registry Samples

The number of registry samples is small, but still, you have access to Windows registry datasets, including datasets from Eric Zimmerman .

https://www.dfir.training/resources/downloads/ctf-forensic-test-images/registry-samples/1211-ericzimmerman-registry

Windows Event Samples

This is the smallest of all categories, with only one source listed on DFIR Training. HOWEVER, these include machine learning, blockchain, and event logs samples!

 

https://www.dfir.training/resources/downloads/ctf-forensic-test-images/windows-event-samples/1681-evtx-attack-samples

A second source of forensics is building your own, on which, I wrote some thoughts on building your own forensic images here: https://www.dfir.training/dfir-training-blog/the-best-forensic-test-image-ever

You now know where to find the images. All you have to do next is get to work on them!

Written by :Brett Shavers