Thursday, November 13, 2025

Images

In writing Investigating Windows Systems, published in 2018, I made use of publicly available images found on the Internet. Some were images posted as examples of techniques, others were posted by professors running courses, and some were from CTFs. If you have read the book, you'll know that for each of the images, I either used or made a more "real world" scenario, something that aligned much more closely to my experiences over two and a half decades of DF/IR work, a good bit of which was consulting. During that time, and at several different companies, we'd have an "IR hotline" folks could call and request computer incident response; this is something many firms continue to do. Those firms also very often had "intake forms", documents an analyst would fill out with pertinent information from a caller or customer, which very often included investigative goals.

Over the years, the sites from which I downloaded some of the images I used have disappeared, which is unfortunate, but not a deal killer. The intent and value of the book isn't about the images, but rather, about the process. The processes used, even those where an image of a Windows XP system was used, can be replicated, developed, and extended for any Windows OS. 

Brett Shavers recently posted on LinkedIn, pointing to the repository of available images he's compiled at DFIR.Training.

Over at Stark4N6, we see another repository of images, this one called The Evidence Locker. Here's Kevin's LinkedIn post with a description of the site.

If you're not interested in downloading full or partial images, I recently took a look at an infostealer sample, from the perspective of file formats. Fortunately, the OP provided a hash for the sample they looked at, which allowed me to find a site from which I could download a copy of the sample. I'm not a malware RE guy, but what I do try to do is follow Jesse Kornblum's example of using all the parts of the buffalo, and exploit file format metadata for threat intel purposes.
