Tuesday, February 07, 2006

Images to play with

From other forums, I've found example images that can be used to sharpen your skills in forensic analysis. For example, there are some images at the CRFeDS Project at NIST...I've downloaded the "Hacking Case" images. There are also Digital Forensics Tool Testing images that are available.

There are also some things to play with over at the HoneyNet Project SotM site. Not only are there binaries you can look at and log files you can examine, but SotMs 24 and 26 involve examining the image of a floppy.

On a slightly tangential note, VMWare has made their Server product a free download...from there, you can find a list of community-built virtual machines. These are primarily various flavors of Linux/*nix, but would offer some practice if you ran the VMs and performed live imaging (I do this with my Windows VMs, using ProDiscover).

Are there any other example images of Windows systems out there, available for download?

On a side note, has anyone used some of the popular tools (such as the FSP, or WFT, or any of the various batch files) for retrieving volatile data from live Windows systems, and posted the data for analysis?

8 comments:

Anonymous said...

Which ProDiscover product do you use for live imaging? ProDiscover Incident Resposne?

Keydet89 said...

Yep, that's the one.

Anonymous said...

Would it be legal for me to put out a Windows VM? Wouldn't I be violating a license agreement with Mcirosoft with it? What if a person downlaoded the image not for forensics practice but to use for everyday use? Maybe if you crippled the system in some way it would be ok?

Keydet89 said...

Good question...I'm really not the one to answer it. I suspect you may be right, though.

Monkey Chief said...

Actually there is a forensics challenge organized by the UNAM-CERT (Mexico). It published an Win2k3 image (dd image) and it has an interesting scenario: (translated)

"An admin of a small company, has figured out that there is an additional user account in his ERP system, so he belives that someone hacked the system and he doesn't know the severity of such event.

The system was running the ERP system in a Windows 2003, which main task was to offer access to the ERP system through Web.

The admin said that he used to have an updated system so he doesn't know how could anybody get access to it. Also the admin said that there were more users with priviledged account and sometimes they used it not only for admin tasks, but also for applications that not required such priviledge.

Now we have to find out if there was an unauthorized access, how it happened and we need to determine the damage of such activity."

URL:
http://www.seguridad.unam.mx/eventos/reto/

Anonymous said...

You can find some more testing images on http://dftt.sourceforge.net/
There are some small test cases for testing digital forensic analysis and acquisition tools.

varf said...

How can I mount disk images created with dd on windows ???, say, I've created a ntfs disk dump with dd, how can I access the files in it ??

Keydet89 said...

varf,

The next version of ProDiscover will reportedly have the ability to create an ISO from an image (either dd or ProDiscover-specific format). You can then use VMPlayer or VMWare to run the image.

If you're simply interested in accessing the image you've created, ProDiscover has a freeware version, and TSK can be installed on Windows (I've done it).