Hi there all,
I am doing research in forensics and focus on "mining" for evidence within case files.
In order to progress we need example cases (case files containing "real" evidence) that we can use to develop and test our algorithms.
Does anybody know where I will be able to perhaps obtain such data?
Regards
Cybo
For reasons that I imagine are pretty obvious, you are not going to get cases with 'real evidence'.
However for some practice, try here -
http://cfreds.nist.gov/
Andy
Digital Forensics Tool Testing Images
http://dftt.sourceforge.net/
Thanks for the info. I have looked at these sites previously. The images are great for testing tools, especially acquisition tools. They are not comprehensive enough to test data/evidence mining ideas.
Anybody willing to help put together an example case (we think up a crime and then create evidence that would normally be associated with it, and then place it onto a drive together with a lot of other "normal" stuff)?
Any help and any suggestions would be much appreciated.
Cheers
Cybo
To test that out, why not just image any pc? You will most likely find emails, deleted files, info2, index.dat, jpg's, etc. Why would you have to make up a crime and then put on a drive evidence associated with it?
Keith Jones et al. made up their own test cases and this didn't preclude them from calling it "Real Digital Forensics".
Do you mean by "Real" "Big"? As in a big hard disk that contains tons of data useful for data mining.
Cybo,
I have in the past just gone to the local computer store and asked for a couple of small used HDD (4GB) that have preferably been formatted and then tried to build a “profile” of what the user may have done.
Good practice for someone not doing actual forensic work and wanting to put into practice what they are learning.
As I wouldn’t have a case scenario I essentially do as armresl mentioned as well as go through things like the pagefile, spooler files and look for thumbs.db files etc…
Andrew-
I have in the past just gone to the local computer store and asked for a couple of small used HDD (4GB) that have preferably been formatted and then tried to build a “profile” of what the user may have done.
I used to do that as well… but now many of the stores are doing disk wipes… the last couple of drives I've bought have all had their jumpers configured as "slave" and everything was overwritten with 00s…
bj
Not much use to you guys, but in the UK a great source of used hard drives are the numerous car boot sales and local computer markets. You sometimes get ex corporate hard drives that occasionally still have interesting information on them.
Hi Cybo and welcome to the forum.
We've all been in your position, looking for test data to 'play' with. I used to ask friends if I could image their drives but it was amazing how few were keen to let me do it. I guess everyone has their secrets!
The issue with 'creating' evidence is that it's like playing Find the Easter Egg when you hid the egg! The way we solved the problem was to work in pairs with your buddy using his machine normally for 1 month. You then image the machine and look for answers posed by him. For example:
What email addresses do I use
What hobbies do I have
Where do I bank
What passwords can you find
Where did I go on holiday
Find deleted pictures of my weekend at the beach
Things like this are not 'real' evidence of course but quite accurately simulate the methods you use and patterns of behaviour that you look for in a real case.
Hope it helps.
Nick