Resources
Resources provided for use by the DFIR community
Raw disk image - Khyrenz-FileCarvingImage
Logical image of a 2GB volume taken from a USB, designed to be used to validate file carving tools.
ZIP archive contains:
- Raw volume image: Khyrenz-FileCarvingImage-USB-logical-2GB-formatted.dd
- Acquisition text file (generated by FTK Imager): Khyrenz-FileCarvingImage-USB-logical-2GB-formatted.001.txt
- List of files present in Unallocated Space: Khyrenz-FileCarvingImage-USB-logical-2GB-test_file_list.pdf
A selection of test files of varying file formats was collected or generated, and then copied onto a USB device, which had been formatted to contain a 2GB FAT16 volume. This volume was subsequently re-formatted using the built-in Windows ‘quick format’ process, in order to remove filesystem metadata.
A raw logical image of the USB device volume was generated using FTK Imager 4.
ZIP hashes:
MD5: 7de6d9aa72948184487b558df4aa9a9a
SHA-1: 24cf57902a1b218cc22b43c38a761cd7fd49449e
SHA-256: b60f0ef79a21e3bead194c61d72e420acf3d8f4830ed1139b9c6b1c1ab4ffc5f
Raw disk images - Khyrenz-FileCarving-ClusterBoundaries
Raw logical image of a 2GB NTFS volume with clusters containing filesystem metadata removed, designed to be used to validate file carving and keyword searching tools.
ZIP archive contains:
- Modified raw volume image: Khyrenz-FileCarving-ClusterBoundaries.001
- List of files present in image, including file content and metadata: Khyrenz-FileCarving-ClusterBoundaries-CatFiles_File_list.pdf
A selection of test files of varying file formats was collected or generated. These files were copied onto a USB device, which had been formatted to contain a 2GB NTFS volume. A raw logical image of the USB device volume was generated using FTK Imager 4.2.0.13. This image was then manually edited to remove all clusters containing NTFS metadata.
ZIP hashes:
MD5: a6c62588fd9619eec6ba8e97cdb25d9f
SHA-1: 4c7f1c7bfa15fb5032367e574b34361e188ceb21
SHA-256: 711663b072502e088f23a18ffbf9ad3801aa0afa44667ef35a70135d43827b55
Raw disk images - Khyrenz-FileCarving-CatFiles
'Image' consisting of files concatenated together, ignoring cluster boundaries, designed to be used to validate file carving or keyword searching tools.
ZIP archive contains:
- Concatenated files: Khyrenz-FileCarving-CatFiles.001
- List of files present in image, including file content and metadata: Khyrenz-FileCarving-ClusterBoundaries-CatFiles_File_list.pdf
A selection of test files of varying file formats was collected or generated. The files were then concatenated together using the command:
cat Files/* > Khyrenz-FileCarving-CatFiles.001
ZIP hashes:
MD5: eb79d242125b5ad55518bff6a500176d
SHA-1: e9e16c87e49a9e7940e628f0dcc9f2194d3f07ab
SHA-256: ec378cdf3c175b838f2bb30a273e7cf71cb75806d3c75ec6869f69c76c102ea1
Tool Validation Reports
- File Carving
All file carving tool validation reports can be found at:
https://github.com/khyrenz/tool_validation/tree/main/file_carving_reports
Raw disk image - Khyrenz-USBconnKeywordImage-Win11-logical-25GB
Logical image of a Windows 11 volume taken from a virtual machine, designed to be used to validate USB connection artefacts, Registry tools, keyword searching capability, recent file artefacts, or other Windows artefacts.
ZIP archive contains:
- Raw volume image: Khyrenz-USBconnKeywordImage-Win11-logical-25GB.E01
- Acquisition text file (generated by FTK Imager): Khyrenz-USBconnKeywordImage-Win11-logical-25GB.txt
- Test plan followed: Khyrenz-USBconnKeywordImage-Win11-logical-25GB-Test_Plan.pdf
- USB connection artefact summary: Khyrenz-USBconnKeywordImage-Win11-logical-25GB-USB_Device_Connections_Summary.pdf
- List of files on volume: Khyrenz-USBconnKeywordImage-Win11-logical-25GB-Files_on_system.pdf
- Keyword list: Khyrenz-USBconnKeywordImage-Win11-logical-25GB-Keywords.txt
An E01 image of the virtual machine volume was generated using FTK Imager 4.2.0.13.
ZIP hashes:
MD5: 905e938da7145f7831a8e831674cf844
SHA-1: ef23378b034eb5c8a813bb296ff1732982b1ce25
SHA-256: b737463497108fb368d375552c7fe0f58ccea97369e7643f0d25cc09e61480d3
Tool Validation Reports
- USB connection artefacts
All USB connection artefact tool validation reports can be found at:
https://github.com/khyrenz/tool_validation/tree/main/usb_connection_reports
Tool Validation Report
- Template
An example report template can be found at: