Resources
​Resources provided for use by the DFIR community
Raw disk image - Khyrenz-FileCarvingImage
Logical image of a 2GB volume taken from a USB, designed to be used to validate file carving tools.
ZIP archive contains:
- Raw volume image: Khyrenz-FileCarvingImage-USB-logical-2GB-formatted.dd
- Acquisition text file (generated by FTK Imager): Khyrenz-FileCarvingImage-USB-logical-2GB-formatted.001.txt
- List of files present in Unallocated Space: Khyrenz-FileCarvingImage-USB-logical-2GB-test_file_list.pdf
A selection of test files of varying file formats was collected or generated, and then copied onto a USB device, which had been formatted to contain a 2GB FAT16 volume. This volume was subsequently re-formatted using the built-in Windows ‘quick format’ process, in order to remove filesystem metadata.
A raw logical image of the USB device volume was generated using FTK Imager 4.
ZIP hashes:
MD5: 7de6d9aa72948184487b558df4aa9a9a
SHA-1: 24cf57902a1b218cc22b43c38a761cd7fd49449e
SHA-256: b60f0ef79a21e3bead194c61d72e420acf3d8f4830ed1139b9c6b1c1ab4ffc5f
Tool Validation Reports
- File Carving
All file carving tool validation reports can be found at:
https://github.com/khyrenz/tool_validation/tree/main/file_carving_reports
Raw disk image - Khyrenz-USBconnKeywordImage-Win11-logical-25GB
Logical image of a Windows 11 volume taken from a virtual machine, designed to be used to validate USB connection artefacts, Registry tools, keyword searching capability, recent file artefacts, or other Windows artefacts.
ZIP archive contains:
- Raw volume image: Khyrenz-USBconnKeywordImage-Win11-logical-25GB.E01
- Acquisition text file (generated by FTK Imager): Khyrenz-USBconnKeywordImage-Win11-logical-25GB.txt
- Test plan followed: Khyrenz-USBconnKeywordImage-Win11-logical-25GB-Test_Plan.pdf
- USB connection artefact summary: Khyrenz-USBconnKeywordImage-Win11-logical-25GB-USB_Device_Connections_Summary.pdf
- List of files on volume: Khyrenz-USBconnKeywordImage-Win11-logical-25GB-Files_on_system.pdf
- Keyword list: Khyrenz-USBconnKeywordImage-Win11-logical-25GB-Keywords.txt
An E01 image of the virtual machine volume was generated using FTK Imager 4.2.0.13
ZIP hashes:
MD5: 905e938da7145f7831a8e831674cf844
SHA-1: ef23378b034eb5c8a813bb296ff1732982b1ce25
SHA-256: b737463497108fb368d375552c7fe0f58ccea97369e7643f0d25cc09e61480d3
Tool Validation Reports
- USB connection artefacts
All file carving tool validation reports can be found at:
https://github.com/khyrenz/tool_validation/tree/main/usb_connection_reports
Tool Validation Report
- Template
An example report template can be found at:
