
Example casefiles  

Cybo
(@cybo)
New Member

Hi there all,

I am doing research in forensics and focus on "mining" for evidence within case files.

In order to progress we need example cases (case files containing "real" evidence) that we can use to develop and test our algorithms.

Does anybody know where I will be able to perhaps obtain such data?

Regards
Cybo

Posted : 17/01/2006 2:07 pm
Andy
(@andy)
Active Member

For reasons that I imagine are pretty obvious, you are not going to get cases with 'real evidence'.

However for some practice, try here -

http://cfreds.nist.gov/

Andy

Posted : 17/01/2006 2:52 pm
Igor_Michailov
(@igor_michailov)
Senior Member

Digital Forensics Tool Testing Images
http://dftt.sourceforge.net/

Posted : 17/01/2006 4:03 pm
Cybo
(@cybo)
New Member

Thanks for the info. I have looked at these sites previously. The images are great for testing tools, especially acquisition tools. They are not comprehensive enough to test data/evidence mining ideas.

Anybody willing to help put together an example case (we think up a crime and then create evidence that would normally be associated with it, and then place it onto a drive together with a lot of other "normal" stuff)?

Any help and any suggestions would be much appreciated.

Cheers
Cybo

Posted : 17/01/2006 6:22 pm
armresl
(@armresl)
Community Legend

To test that out, why not just image any pc? You will most likely find emails, deleted files, info2, index.dat, jpg's, etc. Why would you have to make up a crime and then put on a drive evidence associated with it?

Posted : 17/01/2006 8:05 pm
debaser_
(@debaser_)
Active Member

Let's do a fake CP case. What's your email?

Tasteless joke I know, but hey he wanted a more realistic case. Tasteless or not, this place could use some humor. As it's one of the most common cases, it's also not the one you would like to use as a fake scenario, as the props would get you in tons of trouble.

Hope I don't get banned for this one…

Posted : 17/01/2006 8:09 pm
youcefb9
(@youcefb9)
Junior Member

Keith Jones et al. made up their own test cases and this didn't preclude them from calling it "Real digital forensics".

Do you mean by "Real" "Big"? As in a big hard disk that contains tons of data useful for data mining.

Posted : 17/01/2006 11:46 pm
andy1500mac
(@andy1500mac)
Member

Cybo,

I have in the past just gone to the local computer store and asked for a couple of small used HDD (4GB) that have preferably been formatted and then tried to build a “profile” of what the user may have done.

Good practice for someone not doing actual forensic work and wanting to put into practice what they are learning.

As I wouldn’t have a case scenario I essentially do as armresl mentioned as well as go through things like the pagefile, spooler files and look for thumbs.db files etc…

Andrew-

Posted : 18/01/2006 6:00 am
bjgleas
(@bjgleas)
Active Member

I have in the past just gone to the local computer store and asked for a couple of small used HDD (4GB) that have preferably been formatted and then tried to build a “profile” of what the user may have done.

I used to do that as well… but now many of the stores are doing disk wipes… the last couple of drives I've bought have all had their jumpers configured as "slave" and everything was overwritten with 00s…

bj

Posted : 18/01/2006 7:02 am
fatrabbit
(@fatrabbit)
Active Member

Not much use to you guys, but in the UK a great source of used hard drives is the numerous car boot sales and local computer markets. You sometimes get ex-corporate hard drives that occasionally still have interesting information on them.

Posted : 18/01/2006 1:32 pm
nickfx
(@nickfx)
Active Member

Hi Cybo and welcome to the forum.

We've all been in your position, looking for test data to 'play' with. I used to ask friends if I could image their drives but it was amazing how few were keen to let me do it. I guess everyone has their secrets!

The issue with 'creating' evidence is that it's like playing Find the Easter Egg when you hid the egg! The way we solved the problem was to work in pairs with your buddy using his machine normally for 1 month. You then image the machine and look for answers posed by him. For example:

What email addresses do I use
What hobbies do I have
Where do I bank
What passwords can you find
Where did I go on holiday
Find deleted pictures of my weekend at the beach

Things like this are not 'real' evidence of course but quite accurately simulate the methods you use and patterns of behaviour that you look for in a real case.

Hope it helps.

Nick

Posted : 18/01/2006 7:02 pm
Cybo
(@cybo)
New Member

Hi there,

Some interesting feedback.
Why I want a virtual crime case is because we want to work on automatically finding the links between pieces of information (like those mentioned by Nick) that relate to a specific case. This could be the case the investigator is actually looking at but may also include other "crimes" found on the same forensic data set. We therefore need examples of real crimes in order to have the links.

Cybo

Posted : 18/01/2006 7:22 pm
neddy
(@neddy)
Active Member

I have on more than one occasion imaged drives from computers left on the street near where I live. I have built profiles of the users and found it quite enjoyable. Needless to say I was always concerned that I may find material that I may have to disclose but thankfully that was never the case and I destroyed all the case and image files afterwards.

Posted : 18/01/2006 7:48 pm
bjgleas
(@bjgleas)
Active Member

One place where you can get some cases is from the HoneyNet Project.

The archive contains a number of network and disk based cases. They provide you with some background information and the evidence… there are over 30 cases here for you to practice on.

http://www.honeynet.org/misc/chall.html

There are multiple solutions for each case (but don't peek!)

There are different levels of difficulty, and most of the major operating systems seem to be covered.

bj

Posted : 18/01/2006 8:28 pm
Cybo
(@cybo)
New Member

Thanks bjgleas,

The scan 24 and scan 26 stuff is close to what I am looking for. It is just very small and I would like to have a much bigger dataset to work with.

Cybo

Posted : 19/01/2006 1:27 pm