Tuesday, April 23, 2019



The National Institute of Standards and Technology (NIST) developed the Computer Forensic Reference Data Sets (CFReDS) for testing tools and training.


The site is made up of data sets and forensic images for simulation and for testing forensic tools.
Included are questions and cases based on themed scenarios.
Be forewarned: some of the data sets are a little dated; i.e., timestamps from 2004.

There is one case in particular that I like, the data leakage case, found at: https://www.cfreds.nist.gov/data_leakage_case/data-leakage-case.html

This case has a reasonably creative narrative of a scenario related to the leaking of sensitive information.  The images were taken from a Windows 7 machine, so more recent than 2004.  And there are three different removable media types with different file systems to practice with.

This particular NIST project also lays out some nice practice points for forensics, which hit some of the main themes of the field.
Included are:
Practice Point / Description

Types of Data Leakage
- Storage devices
      > HDD (Hard Disk Drive), SSD (Solid State Drive)
      > USB flash drive, Flash memory cards
      > CD/DVD (with Optical Disk Drive)
- Network Transmission
      > File sharing, Remote Desktop Connection
      > E-mail, SNS (Social Network Service)
      > Cloud services, Messenger

Windows Forensics
- Windows event logs
- Opened files and directories
- Application (executable) usage history
- CD/DVD burning records
- External devices attached to PC
- Network drive connection traces
- System Caches
- Windows Search databases
- Volume Shadow Copy

File System Forensics
- FAT, NTFS, UDF
- Metadata (NTFS MFT, FAT Directory entry)
- Timestamps
- Transaction logs (NTFS)

Web Browser Forensics
- History, Cache, Cookie
- Internet usage history (URLs, Search Keywords…)

E-mail Forensics
- MS Outlook file examination
- E-mails and attachments

Database Forensics
- MS Extensible Storage Engine (ESE) Database
- SQLite Database

Deleted Data Recovery
- Metadata based recovery
- Signature & Content based recovery (aka Carving)
- Recycle Bin of Windows
- Unused area examination

User Behavior Analysis
- Constructing a forensic timeline of events
- Visualizing the timeline

There have been recent developments and new trending themes in the field, but for those starting off and wanting to test out forensic examination tools, this could prove to be a valuable resource.

Other options include imaging your own media or your friends', which can be fun to test.
Another option would be to go to a garage sale or eBay to buy old storage drives and see what you can find: resumes, tax returns, movies, etc. Piece together your own scenario.

But for a free option, the CFReDS project is not a bad place to start.
I plan to cover an open source option, Autopsy, to test out the exercise from this site and show it here in the future.

NIST. “The CFReDS Project.” The CFReDS Project, www.cfreds.nist.gov/

NIST. “Data Leakage Case.” https://www.cfreds.nist.gov/data_leakage_case/data-leakage-case.html

