CIRCL Forensics Exercises

CIRCL Forensics Exercises are little challenges developed for and during the CIRCL Forensics Trainings, and for workshops or presentations. Usually you will find a PDF with the slides and the solution inline, next to a disk image with the challenge itself.

  • Wiped Disk Image:
    https://downloads.digitalcorpora.org/corpora/drives/circl-2023-wiped/
    Recovering data from a wiped disk sounds impossible. But wiping a ‘big’ disk would take time. If the adversary is not patient and interrupts the wiping process after some limited time, there is a good chance to recover some plain data, or even complete file system structures and/or partitions. Goal of this exercise is, to recover data from a partially wiped disk image.
    This is a manual approach, to learn how to analyze data on byte level.
  • To be continued

New Scenario: the 2012 National Gallery DC Scenario Digital Evidence and Instruction Materials

I am happy to announce that a new digital corpora has been posted to the scenarios collection of digitalcorpora.org.

SIX YEARS IN THE MAKING!

The scenario is the 2012 National Gallery DC scenario. Working in collaboration with Joseph Greenfield at USC, we have now completed the collection, annotation, and preparation of teacher guides. This has been a massive project and all of the data are now available for public consumption.

The 2012 National Gallery DC scenario spans approximately 10 days and encompasses two distinct yet intertwined story arcs. The scenario is centered around an employee at the National Gallery DC Art Gallery. Criminal plans for both theft and defacement are discussed amongst actors during the scenario, and evidence may remain across the digital devices they used. The scenario is terminated upon suspicious activity being reported to law enforcement at which point certain devices are seized and network traffic logs are requested. (A wiretap had been previously ordered, so there are some full content traces available.)

The scenario includes several believable characters:

Tracy —
Tracy is a recently divorced mother in the middle of a child custody battle. Unfortunately, Tracy’s daughter is in an expensive private school, which Tracy can no longer afford on her salary. Her ex-husband will only pay for the school if Tracy will give over custody of their daughter to him. Worse, Tracy’s daughter, Terry, age 15, has stated that she would rather live with her dad if it comes to staying in school. “After all, you ran Dad off in the first place.”

Pat —
Pat is Tracy’s brother. He is a police officer of the D.C. Enforcers Bureau. He holds the status of detective. He is very devoted to his sister and niece Terry, to this point he isn’t an outright criminal, but walks the line very closely. He busted King with some items that were against his parole, but hasn’t arrested him on the promise of a future “favor.”

Joe —
Joe is the father of Terry and is currently going through the divorce with Tracy. Joe is financially well-off, and still bitter about the relationship problems. He previously installed a key logger on the MacBook Air in an attempt to keep track of Terry’s online behavior. Now that Joe and Tracy are going through a divorce, he has motivation to utilize the key logger to spy on both Tracy and Terry. Joe used to have an account on the family MacBook Air however it was deleted. The home folder may have been preserved.

Alex —
Alex is a Krasnovian supporter who wishes to embarrass the United States. He is a foreigner and lives outside the country presumably in a region called Krasnovia. He knows Carry through extended family connections and contacts her as both having similar family ties and a fellow Krasnovian. He plans to deface foreign works that are on exhibit in the National Gallery DC. Defacing said artwork will embarrass the United States and possibly degrade the reputation between the United States and the foreign country providing the foreign exhibit to America. (In some documentation this is referred to as ‘Majavia’, a second pseudo-nation)

Carry —
Carry is a somewhat criminally involved individual that shares family ties with Alex. She is a Krasnovian supporter. Carry is both technologically savvy and an occasional social media user. She is contacted by Alex in the beginning of the scenario and asked to orchestrate the defacing of the artwork because she is both aligned with Krasnovia and because she has ‘Connections’. She has a slight familiarity as friends/acquaintances with Tracy.

Terry —
Terry is the daughter of Tracy and Joe. Terry attends an expensive private school. (Prufrock Preparatory School). She wants to stay in school to avoid having to start over and so that she can keep her current friends, despite the fact that her mother can no longer afford to pay the tuition.

The root download directory is here: http://downloads.digitalcorpora.org/corpora/scenarios/2012-ngdc/

The evidence in the scenario includes the following:

In addition to these final images, we also have day-by-day images of the two phones, the tablet, and the external hard drive. These day-by-day images are for *digital forensics research* and are not needed for scenario analysis.

Images of the phones and tablets were performed using a variety of techniques, including logging in to the devices and doing a ‘tar’ as well as using commercial digital forensics tools.

It’s true that this dataset is six years old! Please accept our apologies: it took a long time to clear all of this information. The advantage is that there should be good support for all of the file formats on these media, in both commercial and open source tools.

You can download the scenario and the teachers guides from:

2012 National Gallery DC Attack

The teacher guides are encrypted with the same passphrase that is used to encrypt all of the digitalcorpora.org teacher’s guides. If you do not have it, you can request it using the website’s contact form.

Finally, as a reminder: these are all fictional people and institutions. There is no National Gallery DC, there is no country of Krasnovia, and there is no D.C. Enforcers Bureau. Any similarity to actual people or organizations is entirely coincidental.

New Scenario: 2018 Lone Wolf

We are pleased to announce a new scenario in the digitalcorpora family!

Released today is the 2018 Lone Wolf Scenario, created by GMU student Thomas Moore. The scenario consists of more than 32GB (compressed) of data that was seized from a fictional individual who was planning a mass shooting.

The 2018 Lone Wolf Scenario is based on a (fictional) unstable individual who is planning a mass shooting. The individual is interrupted when a family member calls the police and his apartment is raided. The task for the investigators is to determine if anyone else was involved.

This scenario contains a disk image and memory dump from a laptop. It’s an image of a real, physical machine that was actually used, so it’s quite big. Also included in the scenario are the results of modern commercial digital forensics tools applied to the dataset, so that students who don’t have access to these tools can still see their results. There is a teacher’s guide that includes a report on all of the planted evidence.

The 2018 Lone Wolf Scenario was created by Thomas J. Moore, a student at George Mason University.

Please remember: this is a fictional scenario about fictional people!

Unlike the other scenarios on our website, this scenario also includes output of commercial forensic tools for student use. The idea is that there is nothing especially creative about running evidence through a tool, and a lot of students do not have access to state-of-the-art commercial tools, so we have run the tools for your students!

A teacher’s guide is available for this scenario.

You can find more information about the 2018 Lone Wolf scenario here: https://digitalcorpora.org/corpora/scenarios/2018-lone-wolf-scenario

test disk image of emails available

I have created a new disk image called 2010-nps-emails that can be used for testing programs that find email addresses or perform string search.

The disk image consists of 30 different email addresses, each one stored in a different document with a different coding scheme.

Below are a list of the email addresses and their codings:

email address                             Application (Encoding)

plain_text@textedit.com                   Apple TextEdit  (UTF-8)
plain_text_pdf@textedit.com               Apple TextEdit print-to-PDF (/FlateDecode)
rtf_text@textedit.com                     Apple TextEdit (RTF)
rtf_text_pdf@textedit.com                 Apple TextEdit print-to-PDF (/FlateDecode)
plain_utf16@textedit.com                  Apple TextEdit (UTF-16)
plain_utf16_pdf@textedit.com              Apple TextEdit print-to-PDF (/FlateDecode)

pages@iwork09.com                         Apple Pages '09
pages_comment@iwork09.com                 Apple Pages (comment) '09
keynote@iwork09.com                       Apple Keynote '09
keynote_comment@iwork09.com               Apple Keynote '09 (comment)
numbers@iwork09.com                       Apple Numbers '09
numbers_comment@iwork09.com               Apple Numbers '09 (comment)

user_doc@microsoftword.com                Microsoft Word 2008 (Mac) (.doc file)
user_doc_pdf@microsoftword.com            Microsoft Word 2008 (Mac) print-to-PDF
user_docx@microsoftword.com
user_docx_pdf@microsoftword.com           Microsoft Word 2008 (Mac) print-to-PDF (.docx file)
xls_cell@microsoft_excel.com
xls_comment@microsoft_excel.com           Microsoft Word 2008 (Mac)
xlsx_cell@microsoft_excel.com             Microsoft Word 2008 (Mac)
xlsx_comment@microsoft_excel.com          Microsoft Word 2008 (Mac) (Comment)

doc_within_doc@document.com               Microsoft Word 2007 (OLE .doc file within .doc)
docx_within_docx@document.com             Microsoft Word 2007 (OLE .doc file within .doc)
ppt_within_doc@document.com               Microsoft PowerPoint and Word 2007 (OLE .ppt file within .doc)
pptx_within_docx@document.com             Microsoft PowerPoint and Word 2007 (OLE .pptx file within .docx)
xls_within_doc@document.com               Microsoft Excel and Word 2007 (OLE .xls file within .doc)
xlsx_within_docx@document.com             Microsoft Excel and Word 2007 (OLE .xlsx file within .docx)

email_in_zip@zipfile1.com                 text file within ZIP
email_in_zip_zip@zipfile2.com             ZIP'ed text file, ZIP'ed
email_in_gzip@gzipfile.com                text file within GZIP
email_in_gzip_gzip@gzipfile.com           GZIP'ed text file, GZIP'ed

The image can be downloaded from nps-2010-emails

Edit, 2011-11-26 19:32 PST: One email was incorrectly recorded above. xlsx_comment@microsoft_excel.com is within the disk image, but xlsx_cell_comment@microsoft_excel.com was recorded here. That is now corrected above.

M57-Patents Scenario is Available

The M57-Patents scenario is now available. This scenario includes nearly a terabyte of information with 50 disk images, memory dumps, and network packets. There are three specific crimes in the scenario that can be solved, but there are also collections of data that can be used to enable a variety of computer forensics research projects and tool development.

The scenario is split up into many pieces so you can download just what you need.

You can download it from