I’m here! Now what?

by Ken Pryor

Working for a small police department in a rural area, my opportunities to do digital forensic work on real cases are much fewer and farther between than those who work in large departments or in the private sector. Once I had completed computer forensics training and acquired the necessary software, I was ready to go. Now what? There was no existing forensics unit in my department, so there was no caseload to jump into and no one there to work with. How to stay current and confident with my knowledge and skills, as well as my chosen tools?

Staying sharp can be tough. There are many high quality blogs and forums that are fantastic resources for learning and exchanging information, but I’m the type of person who learns by doing, not just reading. However, you can only image your own hard drive and examine it for practice so many times before you’re bored to death with it. Fortunately, in addition to the free and low cost tools out on the net, there are also a number of freely available disk images available for download. There are images available in several different file system formats, so you won’t find yourself limited to just one type. The images have documented content which can be used to compare against the data your tools produce.

The site I’ve most taken advantage of when downloading images is The CFReDS Project. CFReDS, which stands for “Computer Forensic Reference Data Sets” is hosted by the NIST and exists to “…provide to an investigator documented sets of simulated digital evidence for examination”. The downloads include disk images, mobile device images and memory images. Some of the images have scenarios that accompany them and present a challenge with questions about the image you must answer. The answers are also available for you to check your work.

Much like the CFReDS page, the Digital Forensics Tool Testing Images page has a list of images you can use for testing. The images provided here are test images designed specifically for the testing of your software and provide you with the opportunity to do file carving, keyword searching and even memory analysis. Other images are there as well, accompanied by great supporting info on what you’ll find in the images.

A newer site I’ve found that has plenty of forensic image goodness is the Digital Corpora site. There is an excellent selection of images here, but it’s not limited to disk images. In addition to disk and file system images, you’ll also find cell phone images and packet dumps to work with.



The annual DC3 Challenge is a fun and challenging way to improve your forensic skills. The Department of Defense Cyber Crime Center (DC3) provides this contest every year, with excellent prizes provided this year for winning participants. The great thing about the DC3 Challenge is that everyone can participate, from the forensics noob to the seasoned veteran forensicator, with five different levels of challenges available. Unfortunately, it doesn’t appear that past years’ challenges are still available for download for those wanting to do them just for the learning experience. If I’m wrong and they are available, I’d appreciate someone letting me know, but I didn’t find them.

The Digital Forensics Research Workshop (DFRWS) posts new challenges each year related to the focus of its annual conference. Downloads are available for this year’s challenge, which focuses on cellular phone forensics. Unlike the DC3 Challenge, the DFRWS has archives of previous years’ challenges and still makes the challenge materials available for download in the Archive section of their website.

Finally, a great thing started just last year is the Network Forensics Puzzle Contest featuring the exploits of “Ann Dercover”. Most recently, Ann was featured in “Ann’s Aurora”, a contest held in concert with the SANS Forensic Summit last month. The puzzles and the underlying story for each are well thought out, entertaining and definitely challenging. I haven’t learned enough in the area of network forensics yet to feel like I can do these well, but they provide those with the desire to learn an awesome opportunity to work them (and maybe win an excellent prize as well).

I hope you will take the time to look these sites over and see all they’ve got to offer, as I really only touched just a little on each. Also, if you know of other places where practice images and related materials are available, I’d love to hear from you.

Ken Pryor is a police officer and GCFA with the Robinson, Illinois Police Department. He became a police officer in 1987 and has been working in the area of digital forensics since 2008. He can be contacted at rpdforensics@gmail.com.

This article was originally published as a blog post on the SANS Computer Forensics website and is reprinted with kind permission.
