I’m here! Now what?

by Ken Pryor

Working for a small police department in a rural area, my opportunities to do digital forensic work on real cases are much fewer and farther between than those who work in large departments or in the private sector. Once I had completed computer forensics training and acquired the necessary software, I was ready to go. Now what? There was no existing forensics unit in my department, so there was no caseload to jump into and no one there to work with. How to stay current and confident with my knowledge and skills, as well as my chosen tools?Staying sharp can be tough. There are many high quality blogs and forums that are fantastic resources for learning and exchanging information, but I’m the type of person who learns by doing, not just reading. However, you can only image your own hard drive and examine it for practice so many times before you’re bored to death with it. Fortunately, in addition to the free and low cost tools out on the net, there are also a number of freely available disk images available for download. There are images available in several different file system formats, so you won’t find yourself limited to just one type. The images have documented content which can be used to compare against the data your tools produce.

The site I’ve most taken advantage of when downloading images is The CFReDS Project. CFReDS, which stands for “Computer Forensic Reference Data Sets” is hosted by the NIST and exists to “…provide to an investigator documented sets of simulated digital evidence for examination”. The downloads include disk images, mobile device images and memory images. Some of the images have scenarios that accompany them and present a challenge with questions about the image you must answer. The answers are also available for you to check your work.

Much like the CFReDS page, the Digital Forensics Tool Testing Images page has a list of images you can use for testing. The images provided here are test images designed specifically for the testing of your software and provide you with the opportunity to do file carving, keyword searching and even memory analysis. Other images are there as well, accompanied by great supporting info on what you’ll find in the images.

A newer site I’ve found that has plenty of forensic image goodness is the Digital Corpora site. There is an excellent selection of images here, but it’s not limited to disk images. In addition to disk and file system images, you’ll also find cell phone images and packet dumps to work with.


Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.


Unsubscribe any time. We respect your privacy - read our privacy policy.

The annual DC3 Challenge is a fun and challenging way to improve your forensic skills. The Department of Defense Cyber Crime Center (DC3) provides this contest every year with excellent prizes provided this year for winning participants. The great thing about the DC3 Challenge is that everyone can participate, from the forensics noob to the seasoned veteran forensicator with five different levels of challenges are available. Unfortunately, it doesn’t appear that past years challenges are still available for download for those wanting to do them just for the learning experience. If I’m wrong and they are available, I’d appreciate someone letting me know, but I didn’t find them.

The Digital Forensics Research Workshop (DFRWS) posts new challenges each year related to the focus of its annual conference. Downloads are available for this years challenge, which focuses on cellular phone forensics. Unlike the DC3 Challenge, the DFRWS has archives of previous years challenges and still makes the challenge materials available for download in the Archive section of their website.

Finally, a great thing started just last year is the Network Forensics Puzzle Contest featuring the exploits of “Ann Dercover”. Most recently, Ann was featured in “Ann’s Aurora”, a contest held in concert with the SANS Forensic Summit last month. The puzzles and the underlying story for each are well thought out, entertaining and definitely challenging. I haven’t learned enough in the area of network forensics yet to feel like I can do these well, they provide those with the desire to learn an awesome opportunity to work them (and maybe win an excellent prize as well).

I hope you will take the time to look these sites over and see all they’ve got to offer, as I really only touched just a little on each. Also, if you know of other places where practice images and related materials are available, I’d love to hear from you.

Ken Pryor is a police officer and GCFA with the Robinson, Illinois Police Department. He became a police officer in 1987 and has been working in the area of digital forensics since 2008. He can be contacted at [email protected].

This article was originally published as a blog post on the SANS Computer Forensics website and is reprinted with kind permission.

1 thought on “I’m here! Now what?”

Leave a Comment

Latest Videos

In this episode of the Forensic Focus podcast, Si and Desi explore how artificial intelligence is being leveraged to uncover crucial evidence in investigations involving child sexual abuse material (CSAM) and examine the importance of exercising caution when implementing these tools. 

They also discuss a recent murder case in which cyber experts played a vital role in securing a conviction, and explore the unique challenges associated with using digital evidence as an alibi.

Show Notes:

A Practitioner Survey Exploring the Value of Forensic Tools, AI, Filtering, & Safer Presentation for Investigating Child Sexual Abuse Material (CSAM) - https://dfrws.org/wp-content/uploads/2019/06/2019_USA_paper-a_practitioner_survey_exploring_the_value_of_forensic_tools_ai_filtering_safer_presentation_for_investigating_child_sexual_abuse_material_csam.pdf

Man charged with NI murder ‘faked live stream to provide alibi’ (The Guardian) - https://www.theguardian.com/uk-news/2023/feb/02/man-charged-with-ni-faked-live-stream-to-provide-alibi

A YouTuber accused of murder faked a 6-hour livestream to produce an alibi (Sportskeeda) - https://www.sportskeeda.com/esports/news-a-youtuber-accused-murder-faked-6-hour-livestream-produce-alibi

European Interdisciplinary Cybersecurity Conference (EICC) 2023 - https://www.forensicfocus.com/event/european-interdisciplinary-cybersecurity-conference-eicc-2023/#more-493234

YouTuber reportedly faked GTA livestream to have an alibi while he committed murder (Dexerto) - https://www.dexerto.com/entertainment/youtuber-reportedly-faked-gta-livestream-to-have-an-alibi-while-he-committed-murder-2052974/

Forensic Europe Expo - https://www.forensicfocus.com/event/forensic-europe-expo/#more-493225

In this episode of the Forensic Focus podcast, Si and Desi explore how artificial intelligence is being leveraged to uncover crucial evidence in investigations involving child sexual abuse material (CSAM) and examine the importance of exercising caution when implementing these tools.

They also discuss a recent murder case in which cyber experts played a vital role in securing a conviction, and explore the unique challenges associated with using digital evidence as an alibi.

Show Notes:

A Practitioner Survey Exploring the Value of Forensic Tools, AI, Filtering, & Safer Presentation for Investigating Child Sexual Abuse Material (CSAM) - https://dfrws.org/wp-content/uploads/2019/06/2019_USA_paper-a_practitioner_survey_exploring_the_value_of_forensic_tools_ai_filtering_safer_presentation_for_investigating_child_sexual_abuse_material_csam.pdf

Man charged with NI murder ‘faked live stream to provide alibi’ (The Guardian) - https://www.theguardian.com/uk-news/2023/feb/02/man-charged-with-ni-faked-live-stream-to-provide-alibi

A YouTuber accused of murder faked a 6-hour livestream to produce an alibi (Sportskeeda) - https://www.sportskeeda.com/esports/news-a-youtuber-accused-murder-faked-6-hour-livestream-produce-alibi

European Interdisciplinary Cybersecurity Conference (EICC) 2023 - https://www.forensicfocus.com/event/european-interdisciplinary-cybersecurity-conference-eicc-2023/#more-493234

YouTuber reportedly faked GTA livestream to have an alibi while he committed murder (Dexerto) - https://www.dexerto.com/entertainment/youtuber-reportedly-faked-gta-livestream-to-have-an-alibi-while-he-committed-murder-2052974/

Forensic Europe Expo - https://www.forensicfocus.com/event/forensic-europe-expo/#more-493225

YouTube Video UCQajlJPesqmyWJDN52AZI4Q_7QiFTiuY7Vw

AI In CSAM Investigations And The Role Of Digital Evidence In Criminal Cases

Forensic Focus 22nd March 2023 12:44 pm

Throughout the past few years, the way employees communicate with each other has changed forever.

69% of employees note that the number of business applications they use at work has increased during the pandemic.

Desk phones, LAN lines and even VOIP have become technologies of the past workplace environment as employees turn to cloud applications on their computers and phones to collaborate with each other in today’s workplace environment.

Whether it’s conversations in Teams, file uploads in Slack chats, or confidential documents stored in Office 365, the amount of data stored and where it is stored, is growing quicker than IT and systems administrators can keep up with.

Corporate investigators and eDiscovery professionals need to seamlessly collect relevant data from cloud sources and accelerate the time to investigative and discovery review.

With the latest in Cellebrite’s remote collection suite of capabilities, investigators and legal professionals can benefit from secure collection with targeted capabilities for the most used workplace applications.

Join Monica Harris, Product Business Manager, as she showcases how investigators can:

- Manage multiple cloud collections through a web interface
- Cull data prior to collection to save time and money by gaining these valuable insights of the data available
- Collect data from the fastest growing cloud collaboration applications like Office365, Google Workspace, Slack and Box
- Login to a single source for workplace app collection without logging into every app and pulling data from multiple sources for every employee
- Utilize a single unified collection workflow for computer, mobile and workplace cloud applications without the need to purchase multiple tools for different types of collections – a solution unique to Cellebrite’s enterprise solution capabilities

Throughout the past few years, the way employees communicate with each other has changed forever.

69% of employees note that the number of business applications they use at work has increased during the pandemic.

Desk phones, LAN lines and even VOIP have become technologies of the past workplace environment as employees turn to cloud applications on their computers and phones to collaborate with each other in today’s workplace environment.

Whether it’s conversations in Teams, file uploads in Slack chats, or confidential documents stored in Office 365, the amount of data stored and where it is stored, is growing quicker than IT and systems administrators can keep up with.

Corporate investigators and eDiscovery professionals need to seamlessly collect relevant data from cloud sources and accelerate the time to investigative and discovery review.

With the latest in Cellebrite’s remote collection suite of capabilities, investigators and legal professionals can benefit from secure collection with targeted capabilities for the most used workplace applications.

Join Monica Harris, Product Business Manager, as she showcases how investigators can:

- Manage multiple cloud collections through a web interface
- Cull data prior to collection to save time and money by gaining these valuable insights of the data available
- Collect data from the fastest growing cloud collaboration applications like Office365, Google Workspace, Slack and Box
- Login to a single source for workplace app collection without logging into every app and pulling data from multiple sources for every employee
- Utilize a single unified collection workflow for computer, mobile and workplace cloud applications without the need to purchase multiple tools for different types of collections – a solution unique to Cellebrite’s enterprise solution capabilities

YouTube Video UCQajlJPesqmyWJDN52AZI4Q_g6nTjfEMnsA

Tips And Tricks Data Collection For Cloud Workplace Applications

Forensic Focus 20th March 2023 12:00 pm

This error message is only visible to WordPress admins

Important: No API Key Entered.

Many features are not available without adding an API Key. Please go to the YouTube Feed settings page to add an API key after following these instructions.

Latest Articles

Share to...