Appendix J — Practice Images and Lab Setup

Purpose. A build-it-this-weekend guide to a hands-on practice environment: where to download legitimate practice disk, memory, and network images (NIST CFReDS, Digital Corpora's M57-Patents and Lone Wolf, DFRWS, the Honeynet Project, Magnet and Belkasoft CTFs, and more), how to stand up Linux and Windows analysis VMs with the free tool stack this book uses, how to handle the data safely and legally, and exactly which images map onto each chapter's exercises and onto the progressive Forensic Case File project.

You cannot learn this craft by reading. Every technique in this book — imaging, hashing, carving, MFT analysis, timelining, Volatility, plaso, registry parsing — becomes real only when you run it against bytes you are allowed to touch. This appendix exists so you never have an excuse not to. Everything here is free and legal to practice on. Chapter 37 — Building a Forensic Lab covers the professional lab (write-blockers, evidence vaults, ISO 17025); this appendix covers the learning lab on hardware you already own.


J.1 How to use this appendix

Find your goal, jump to the section, download the image, build the VM, and start. The fastest path to your first finding is J.21 Quick start: your first hour — skip there if you just want momentum, then come back to set things up properly.

I want to… Go to
See every practice-data source at a glance J.2
Download a full Windows case to examine J.3 (Hacking Case), J.4 (M57, Lone Wolf)
Get memory images for Volatility J.8
Get network captures (PCAP) J.9
Get mobile (Android/iOS) images J.10
Build my own tiny practice image J.11
Stand up a Linux analysis VM J.14
Stand up a Windows analysis VM J.15
Handle images safely and legally J.16, J.17
Organize my casework on disk J.18
Know which image goes with which chapter J.19
Pick the image for my progressive project J.20

Why this matters. A keyboard, a free hypervisor, and the public images below reproduce the evidence side of nearly everything a six-figure lab does. What you cannot reproduce at home is the chain of custody for real evidence, the write-blocked acquisition of physical originals, and the courtroom — which is exactly why this book pairs every practice image with the discipline (hashing, working copies, contemporaneous notes) that makes the difference between "I found it" and "I can prove I found it and it is unaltered."

URLs drift; project names don't. Sites reorganize. Every resource below is named so you can find it with a search even if a link rots. Always download over HTTPS and verify the published hash (J.17) before you trust a single byte.


J.2 The practice-data landscape

The whole field at a glance. "Size" is approximate; "Answers?" notes whether a published solution/answer key exists (a huge help when you are learning solo).

Source What you get Best for (paths) Size Answers? License/cost
NIST CFReDS Curated disk, memory, mobile + file-system test sets; the Hacking Case; the Data Leakage Case Whole-system exam, recovery test sets 💾🔍 MB–GB each Hacking Case: community; Data Leakage: yes Free, public
Digital Corpora M57-Patents (4 PCs + RAM + PCAP), M57-Jean, Lone Wolf (Win10 + RAM), govdocs1 (~1M files), NPS test images Multi-source correlation, capstone, carving 🔍🛡️📜 MB → 100s of GB Scenario docs/keys vary Free, redistributable
DFRWS Forensic Challenges Annual datasets: memory (2005), carving (2006/07), Linux+anti-forensics (2008), Android (2011), IoT (2018)… Deep single-topic drills 🔍🛡️ varies Yes (winning write-ups) Free
The Honeynet Project Network captures, compromised-host images, malware, log puzzles ("Challenges," "Scan of the Month") Network & malware forensics 🛡️ varies Yes (community write-ups) Free
Magnet Forensics CTF Periodic CTF images (Windows/mobile/cloud); free utilities (MAGNET RAM Capture, EDD) Modern artifacts, mobile, CTF skills 🔍🛡️ GB Community write-ups Free images; AXIOM trial
Belkasoft Free test images (iOS/Android/Windows) + regular CTFs Mobile & quick artifact practice 🔍 MB–GB CTF write-ups Free images; BEC X trial
Volatility Foundation samples Classic memory images (Cridex, Zeus, Stuxnet, R2D2…) Memory forensics fundamentals 🛡️🔍 10s–100s MB Yes (wiki + write-ups) Free
MemLabs 6 progressive memory-forensics CTF labs Guided memory practice 🛡️ 100s MB Yes (write-ups) Free
malware-traffic-analysis.net Daily PCAPs + "traffic analysis exercises" with answers Network & malware traffic 🛡️ MB Yes Free (zips: pw infected)
Wireshark SampleCaptures Protocol-by-protocol PCAP samples Protocol learning 🛡️ KB–MB N/A Free
NETRESEC PcapFiles Master index of other people's public PCAP repos Finding more PCAPs 🛡️ index varies Free
Josh Hickman test images Documented Android & iOS public images (thebinaryhick) Mobile forensics 🔍 GB Documented contents Free
AboutDFIR "Ultimate Test Image" page A maintained index of nearly all the above Discovery / staying current index links to keys Free

Tool Tip — bookmark two aggregators. When this appendix ages, the AboutDFIR "Ultimate Test Image Page" (disk/memory/mobile) and NETRESEC's "Publicly available PCAP files" page (network) are the two living indexes the community keeps current. Start there to find anything not listed above.


J.3 NIST CFReDS

The Computer Forensic Reference Data Sets project, run by NIST, publishes documented "evidence" built specifically so an examiner can practice and so tools can be validated against a known ground truth. Two sets earn their keep first.

The Hacking Case (the classic first exam)

The single most-used teaching image in the field. The scenario: in 2004 a Dell CPi laptop is recovered and suspected to belong to a hacker ("Mr. Evil," Greg Schardt). You receive a raw dd image (SCHARDT.001, on the order of a few GB) of a Windows XP system and a list of roughly 30 investigative questions (network configuration and the wardriving angle, installed tools, email, recovered deleted files, web activity). NIST does not publish an official answer key, but well-known community walkthroughs exist.

Property Value
Image format Raw dd (SCHARDT.001)
OS / FS Windows XP / NTFS
Size A few GB (verify published size/hash)
Comes with ~30 guided questions
Maps to Ch.5, Ch.6, Ch.16, Ch.18, Ch.21

Limitation. The Hacking Case is Windows XP with a FAT/NTFS layout from 2004 — perfect for learning fundamentals, dated for modern artifacts (no SRUM, no modern AmCache, no BitLocker, partition often starts at sector 63, not 2048). Use it to learn the process; use Lone Wolf or a Magnet/Belkasoft image to see modern Windows.

The Data Leakage Case

A richly documented insider-threat scenario: a suspect exfiltrates confidential data through multiple channels (USB, cloud upload, email, printing). It ships as an E01 with an extensive answer guide, which makes it the best CFReDS set for self-grading your artifact analysis — and a near-perfect rehearsal for this book's anchor #2 (the employee who covered their tracks). Maps to Ch.16, Ch.18, Ch.19, Ch.30.

CFReDS also hosts mobile (Android) images, memory images, and small file-system test sets (deleted-file recovery, string-search, carving) that pair cleanly with Ch.4, Ch.6, and Ch.7.


J.4 Digital Corpora

Simson Garfinkel's digitalcorpora.org is the deepest well of realistic, freely redistributable scenarios. Three things to grab.

M57-Patents (the multi-source masterpiece)

A small startup, M57.biz, run by a handful of employees, simulated across roughly three weeks of operation in 2009. Each business day produced a disk image of every employee's PC, a RAM capture, and a network packet capture. Woven through the data: a confidential-document exfiltration, a planted-contraband subplot, and ordinary office noise to hide it in. Because it spans multiple machines + memory + network over time, M57-Patents is the only public set that lets you practice the skill that actually wins real cases: correlating evidence across sources and across days.

Property Value
Format E01 disk images, RAM images, PCAP
Hosts Four employee workstations
Span ~3 weeks (daily snapshots)
Size Tens of GB (full set; grab selected days to start)
Maps to The whole of Part III + the capstone (Ch.38); anchor #2

There is also M57-Jean — a single-machine subset (the CFO accidentally leaks an employee spreadsheet). It is small, fast, and the ideal first end-to-end case before you commit to the full M57-Patents set.

Lone Wolf (the modern single-machine case)

A 2018 scenario: one Windows 10 laptop belonging to a (fictional) individual planning a mass-casualty attack. You get a disk E01 and a memory image, built to be worked like a live case. It is the best public stand-in for a modern Windows exam — current registry, browsers, cloud-sync artifacts, and a real timeline to reconstruct.

Ethics Note. The Lone Wolf and M57 scenarios contain simulated sensitive themes (planned violence; planted contraband as a benign stand-in). They contain no real illegal material — these corpora are built precisely so you can train without it. Treat them with full professional discipline anyway: it is exactly the reflex you want automatic before you ever touch a real case. See Chapter 28 — Ethics.

govdocs1 and NPS images

govdocs1 is a corpus of roughly one million real, freely-redistributable files (PDF, DOC, XLS, JPG, HTML, PPT…) harvested from .gov domains, organized into 1,000 folders (000999) of ~1,000 files each. It is the standard test set for file carving, file-type identification, EXIF/metadata, and bulk_extractor. You do not need all of it — pull a few folders (a few GB) to start. The NPS test images (e.g., camera/SD-card and USB images) are small, purpose-built sets for partition recovery and carving. Maps to Ch.7, Ch.20.


J.5 DFRWS Forensic Challenges

Since 2005 the Digital Forensic Research Workshop has posted an annual challenge with a dataset and (afterward) the winning write-ups — effectively a free, graduate-level problem set. The standouts:

Year Topic Pairs with
2005 Windows memory analysis (the challenge that launched memory forensics) Ch.22
2006 / 2007 File carving (fragmented files, missing headers) Ch.7
2008 Compromised Linux server + anti-forensics Ch.17, Ch.30
2011 Android mobile Ch.24
2018 IoT / smart-device forensics Ch.34

Try This. The DFRWS 2006/2007 carving challenges are deliberately hard — fragmented and out-of-order files designed to defeat naive header-to-footer carvers. Run foremost and scalpel against them, see what breaks, then read the winning write-up to learn why. That gap between "I ran the tool" and "I understand the data" is the whole point of Chapter 7.


J.6 The Honeynet Project

honeynet.org publishes "Forensic Challenges" (and the archived "Scan of the Month" series): real captured attacks — network traces of intrusions, images of compromised honeypots, captured malware, and log puzzles — each with community solutions. It is the best free source for network forensics (Ch.23) and malware forensics (Ch.32) practice on adversarial data rather than sanitized lab data.

Recovery vs. Forensics. Most sources in this appendix are framed for the 🔍 forensic examiner. The Honeynet sets are framed for the 🛡️ incident responder: the question shifts from "what can I prove about the past" to "what is the attacker doing, and how do I stop it." Same artifacts, different clock — and a reminder that this book teaches both lenses on the same evidence.


J.7 Magnet and Belkasoft

Two commercial vendors give the community generous free practice data — and free or trial tools to work it with.

  • Magnet Forensics runs recurring CTFs (the Magnet Weekly CTF, Virtual Summit CTFs) and releases the images publicly afterward, frequently covering modern Windows, mobile, and cloud artifacts. Magnet also ships genuinely useful free utilities: MAGNET RAM Capture (memory acquisition), Encrypted Disk Detector, and Web Page Saver. AXIOM itself is available as a time-limited trial. Community write-ups for each CTF are easy to find.
  • Belkasoft publishes free test images (iOS, Android, and Windows) on a dedicated page, plus regular CTFs. Belkasoft Evidence Center X (BEC X) has a free trial. The Belkasoft images are small and well-suited to a fast artifact drill when you do not want to download tens of GB.

Both pair best with Ch.15, Ch.16, Ch.24, and Ch.36 — The Forensic Toolkit.


J.8 Memory images

Memory forensics (Chapter 22) needs RAM captures, and there are excellent free ones.

Source Contents Notes
Volatility Foundation "Memory Samples" wiki cridex.vmem, zeus.vmem, stuxnet.vmem, R2D2, many more The canonical teaching set; mostly Windows XP/7 → Volatility 2 profiles
MemLabs (GitHub: stuxnet999/MemLabs) 6 progressive CTF labs with write-ups Beginner-friendly, guided
M57 / Lone Wolf RAM (Digital Corpora) RAM matched to disk images Practice disk↔memory correlation
DFRWS 2005 Windows memory challenge Historic; deep
Your own capture Whatever you run in your VM Guaranteed-modern; see below

The fastest way to get a modern memory image is to capture one from your own analysis VM — then you know exactly what is in it:

# Windows guest: capture RAM with a free acquisition tool (run as Administrator)
# MAGNET RAM Capture (GUI) — or winpmem on the CLI:
winpmem_mini_x64_rc2.exe physmem.raw
Get-FileHash -Algorithm SHA256 .\physmem.raw   # hash the capture immediately
# Linux guest: capture RAM with Microsoft AVML (static binary, no kernel module needed)
sudo ./avml memory.lime
sha256sum memory.lime

Tool Tip — Volatility 2 vs 3 on samples. The classic samples (Cridex, Zeus, Stuxnet — Windows XP/7) are most reliable under Volatility 2 with an explicit --profile= (e.g., --profile=WinXPSP2x86). Volatility 3 needs no profile (it uses symbol tables) and is the right choice for modern Windows 10/11 captures. Install both (J.14); reach for the one that matches the sample's era.


J.9 Network captures (PCAP)

Source What it is Best for
malware-traffic-analysis.net Brad Duncan's daily blog: real malware PCAPs + "traffic analysis exercises" with answers Malware C2, exploit kits, infection chains 🛡️
Wireshark SampleCaptures (wiki) One capture per protocol Learning protocols cleanly 🛡️
NETRESEC "PcapFiles" Curated index of public PCAP repositories Finding more of everything 🛡️
The Honeynet Project Intrusion traces, scans Adversarial network forensics 🛡️
DFRWS / CTFs Challenge PCAPs Topic drills 🛡️

Safe Handling. Malware PCAP archives are commonly zipped with the password infected specifically so they cannot auto-extract or be scanned/blocked in transit. The PCAP itself is inert capture data, but it often references live malicious URLs/IPs — analyze it on an isolated VM (J.16) and never click through to the hosts it names.

Work these with tcpdump, tshark/Wireshark, NetworkMiner (free; superb for file/credential extraction), and Zeek — all covered in Chapter 23.


J.10 Mobile images

Mobile is the hardest data to obtain legally because real extractions require physical devices and licensed tools. Use purpose-built public images:

Source Platforms Notes
Josh Hickman's images (thebinaryhick.blog) Android & iOS, multiple OS versions Documented "what was done on the device," so you can self-grade
NIST CFReDS mobile Android Reference-quality
Belkasoft test images iOS, Android Small, fast
Magnet CTF iOS, Android Modern artifacts
DFRWS 2011 Android Classic challenge

Parse them with the free ALEAPP (Android) and iLEAPP (iOS) tools and the methods in Chapter 24 — Mobile Device Forensics. For the recovery angle (deleted SQLite rows, carving), see Chapter 11 — Mobile Device Recovery.


J.11 Roll-your-own practice images

Sometimes the best image is one where you planted the evidence yourself, because you know the ground truth exactly. This is the cheapest, fastest way to drill Chapter 4, Chapter 6, and Chapter 7.

A deleted-file recovery image, start to finish (Linux)

# 1) Create a 256 MB raw image with one FAT32 partition starting at 1 MiB (sector 2048)
dd if=/dev/zero of=practice.dd bs=1M count=256
LOOP=$(sudo losetup -Pf --show practice.dd)        # -P creates partition nodes (loopNp1)
sudo parted -s "$LOOP" mklabel msdos mkpart primary fat32 1MiB 100%
sudo mkfs.vfat "${LOOP}p1"

# 2) Mount, write a "secret," then DELETE it (deletion removes the pointer, not the data)
sudo mount "${LOOP}p1" /mnt/practice
echo "TOP SECRET: the meeting is at noon" | sudo tee /mnt/practice/secret.txt
sudo sync && sudo rm /mnt/practice/secret.txt
sudo umount /mnt/practice
sudo losetup -d "$LOOP"

# 3) Now recover it from the raw image, working ONLY on the file (the original is sacred)
mmls practice.dd                                   # confirm the partition start sector (2048)
fls -r -d -o 2048 practice.dd                      # -d = show DELETED entries; note the inode
icat -o 2048 practice.dd <inode> > recovered.txt   # carve it back by inode
tsk_recover -o 2048 practice.dd ./recovered/       # or bulk-recover everything deleted

The byte offset of any partition is start-sector × 512: here 2048 × 512 = 1048576 (1 MiB), which is why every Sleuth Kit command takes -o 2048. That single equation — sector × sector-size = byte offset — is the spine of Chapter 2.

Other images you can build in minutes

  • RAID practice (Ch.10): create three small image files, assemble them with mdadm --create --level=5 --raid-devices=3 … over loop devices, write data, "fail" a member, and rebuild. You will understand stripe order and parity by doing it.
  • Encrypted-container practice (Ch.29): make a small VeraCrypt container with a known password, then practice detecting it (entropy, headers), mounting it with the key, and reasoning about what is and is not recoverable without the password.
  • Carving practice (Ch.7): cat a handful of JPGs/PDFs into a blank image with gaps of zeros between them, wipe the file system, and carve them back with foremost/photorec. Compare recovered files to the originals by hash.

J.12 The lab: host requirements

You can practice everything in this book on one reasonably modern computer. Bigger just means less waiting.

Component Minimum Comfortable Why it matters
CPU 4 cores, virtualization (VT-x/AMD-V) on 8+ cores VMs, carving, plaso, hashing are CPU-bound
RAM 16 GB 32–64 GB Host + 1–2 VMs; Volatility on a large memory image is RAM-hungry
System disk 256 GB SSD free 1–2 TB NVMe Tools, VMs, snapshots
Evidence disk a 1 TB external a dedicated multi-TB drive Images are huge (M57 = tens of GB; govdocs1 = 100s of GB) — keep them off the system disk
GPU none any modern GPU Optional: password attacks (Ch.29), AI/deepfake work (Ch.35)

Limitation — Apple Silicon. On an M-series Mac you can run ARM Linux guests well (UTM/VMware Fusion), but x86 Windows guests run only under slow emulation. If your target is Windows forensics and you are on Apple Silicon, plan on a separate x86 box, a cloud VM, or running the EZ Tools and Autopsy on a borrowed Windows host.


J.13 Hypervisor choice

Hypervisor Host OS Cost Notes
VirtualBox Win/macOS(Intel)/Linux Free Easiest start; great snapshots; fine for this book
VMware Workstation Pro / Fusion Win/Linux / macOS Free for personal use Robust; many DFIR VMs ship as VMware appliances
Hyper-V Windows Pro/Enterprise Included Native; can conflict with VirtualBox/VMware — pick one
KVM/QEMU Linux Free Powerful, scriptable; steeper curve
UTM macOS (Apple Silicon) Free Best path to ARM Linux guests on M-series

Whichever you choose, the two non-negotiable habits are snapshots (clean baseline before every exercise) and isolated networking (J.16).


J.14 The Linux analysis VM

Linux is the recovery/forensic workhorse — the Sleuth Kit, carvers, plaso, and Volatility all feel most at home here. You have two routes.

Route 1: a prebuilt DFIR distribution (fastest)

Distro Base Strength
SIFT Workstation (SANS) Ubuntu The reference DFIR build; install script or ready VM
CAINE Ubuntu Live ISO; write-blocking by default; great for imaging
Tsurugi Linux Ubuntu Broad DFIR + OSINT + malware tooling
Kali Linux Debian Pentest-first, includes a Forensics boot mode
Paladin (Sumuri) Ubuntu Live triage and imaging
REMnux Ubuntu Malware analysis specialist — pair with Ch.32

Download the VM/ISO, verify its hash, import it, snapshot, and you are ready.

Route 2: build your own on Ubuntu (you learn more)

Start from a clean Ubuntu 22.04/24.04 VM, then install the stack this book uses:

sudo apt update && sudo apt -y upgrade

# --- The Sleuth Kit: fls, icat, mmls, fsstat, blkls, istat, tsk_recover, img_stat ---
sudo apt -y install sleuthkit

# --- Imaging + evidence-container handling ---
sudo apt -y install dc3dd dcfldd gddrescue ewf-tools afflib-tools
#   gddrescue -> 'ddrescue';  ewf-tools -> ewfacquire/ewfmount/ewfverify (E01)

# --- Recovery & carving ---
sudo apt -y install foremost scalpel testdisk
#   'testdisk' also installs 'photorec'

# --- Metadata, strings, hashing ---
sudo apt -y install libimage-exiftool-perl binutils hashdeep
#   libimage-exiftool-perl -> 'exiftool';  binutils -> 'strings';  hashdeep -> md5deep/hashdeep

# --- Network forensics ---
sudo apt -y install wireshark tshark tcpdump

# --- Carving/triage extras + YARA + bulk_extractor (if packaged) ---
sudo apt -y install yara bulk-extractor

# --- Python tooling base ---
sudo apt -y install python3-pip git

Verify the core tools came through:

fls -V            # The Sleuth Kit X.Y.Z
ewfverify -V      # libewf version
exiftool -ver     # exiftool version

Sleuth Kit and Autopsy on Linux — read this carefully

apt install sleuthkit gives you the command-line TSK (fls, icat, mmls, fsstat, tsk_recover, …) — everything Chapter 6 and Appendix H need. The GUI is the catch:

  • sudo apt install autopsy installs the legacy Autopsy 2.x — an old Perl/HTML front-end to TSK. It works, but it is not the modern product.
  • The modern Autopsy 4.x (the Java desktop application) is officially built for Windows. On Linux you install it by downloading the ZIP from the Sleuth Kit/Autopsy site, installing a matching TSK build and OpenJDK 17, then running the bundled unix_setup.sh and ./autopsy. It is community-supported on Linux, not the primary platform.

Recommendation. Do CLI work (TSK, carving, Volatility, plaso) on Linux; run Autopsy 4 on your Windows VM (J.15), where it is best supported. This is also how most working examiners split the two.

Volatility (install both versions)

# Volatility 3 (Python 3, no profiles, modern Windows/Linux/macOS) — recommended
python3 -m pip install --user volatility3
vol -f memory.raw windows.info               # 'vol' entry point after pip install
vol -f memory.raw windows.pslist
#   or from source:
git clone https://github.com/volatilityfoundation/volatility3
python3 volatility3/vol.py -f memory.raw windows.pslist

# Volatility 2 (Python 2.7, profile-based) — for the CLASSIC samples (Cridex, Zeus…)
git clone https://github.com/volatilityfoundation/volatility
python2 volatility/vol.py -f cridex.vmem --profile=WinXPSP2x86 pslist

Tool Tip. Python 2 is end-of-life and missing from current distros. If Volatility 2 will not run, drop it in a Python-2 container or pin a venv — or just analyze the classic samples by accepting that some plugins differ. For anything you capture yourself from a modern OS, Volatility 3 is the answer.

plaso (super-timelines)

python3 -m pip install --user plaso          # provides log2timeline.py + psort.py
log2timeline.py timeline.plaso image.dd      # build the storage file
psort.py -o l2tcsv -w timeline.csv timeline.plaso   # render to CSV for Timeline Explorer

Pair this with Chapter 21 — Timeline Analysis. RegRipper is not reliably in apt; clone it (keydet89/RegRipper3.0) when you reach Chapter 16.


J.15 The Windows analysis VM

Many forensic crown jewels are Windows-only. Build a clean Windows 10/11 VM (use a legitimate evaluation/Insider image), snapshot it, and install — only from official sources, hashes verified:

Tool Source Use Chapter
FTK Imager Exterro (free) Image drives, mount E01, preview, export Ch.14
Autopsy 4 sleuthkit.org/autopsy (free) Full GUI examination Ch.36
Eric Zimmerman's Tools (EZ Tools) ericzimmerman.github.io (free) MFTECmd, Registry Explorer, PECmd, AmcacheParser, JLECmd/LECmd, EvtxECmd, SrumECmd, Timeline Explorer Ch.16, Ch.21
KAPE Kroll (free, non-commercial) Triage collection + parsing modules Ch.15
Volatility 3 GitHub / pip Memory analysis Ch.22
Arsenal Image Mounter / OSFMount Arsenal / PassMark (free tiers) Mount images (read-only / cached-write) Ch.14
RegRipper GitHub (free) Registry plugin parsing Ch.16
Wireshark + NetworkMiner wireshark.org / NETRESEC (free) PCAP analysis, file/credential extraction Ch.23
HxD, 7-Zip official (free) Hex editing, archives general

Tool Tip — WSL2 gives you both worlds. Enable WSL2 on the Windows VM and apt install the Linux stack from J.14 right alongside the Windows tools. You can fls/icat in WSL and open the same image in Autopsy and EZ Tools without leaving the box. For many learners, one well-built Windows + WSL2 VM is the entire lab.

Verify a tool downloaded intact before you run it:

Get-FileHash -Algorithm SHA256 .\AccessData_FTK_Imager.exe
# compare the output against the vendor's published SHA-256

J.16 Networking and isolation

Default to disconnected. Connect only deliberately, and never put an analysis VM on your real LAN.

VM network mode Internet? VM↔VM? VM↔host? Use it for
Not attached / disabled No No No Default while analyzing any untrusted image
NAT Yes No Limited Downloading tools and OS updates, then turn it off
Host-only No Yes (same net) Yes A private analysis network; moving files between your VMs
Internal only No Yes No An isolated detonation network (REMnux + a fake-internet service)
Bridged Yes (real LAN) Avoid for analysis — it exposes the VM and your network

War Story. Examiners have re-infected their own corporate networks by analyzing a malware sample on a bridged VM "just to download one tool." The beacon found the LAN in seconds. Snapshot a clean state, set the network to not attached, do your analysis, and revert the snapshot afterward. For live malware traffic, build a separate internal-only network with REMnux running a simulated internet (e.g., INetSim) so the sample talks to you, not the world. See Chapter 32 and Chapter 37.


J.17 Safe handling and the law

These rules apply to practice data too — partly to protect your host, mostly because rehearsing the discipline is the point.

The safe-handling checklist

  • ☐ Download over HTTPS; verify the published hash before trusting the file.
  • ☐ Keep the master copy read-only (chmod 444, or a read-only volume); work on a copy.
  • Hash the working copy and confirm it equals the master before and after analysis.
  • Snapshot the VM clean before each exercise; revert after anything untrusted.
  • ☐ Analyze on a disconnected VM; isolate anything that might be live malware (J.16).
  • ☐ Keep practice data on a separate volume from real work — never mix practice and real evidence.
  • ☐ Record what you did in a contemporaneous note (J.18).

Verify a download's hash

# If the site ships a checksum file:
sha256sum -c SCHARDT.001.sha256
# Otherwise compute and eyeball it against the published value:
sha256sum SCHARDT.001
Get-FileHash -Algorithm SHA256 .\SCHARDT.001    # compare to the published SHA-256
# Cross-platform, memory-safe hashing of a large image (chunked)
import hashlib, sys

def sha256(path, block=1 << 20):              # 1 MiB chunks
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block), b""):
            h.update(chunk)
    return h.hexdigest()

if __name__ == "__main__":
    print(sha256(sys.argv[1]), sys.argv[1])

Mount images read-only (Linux)

# Raw image, partition starting at sector 2048:
sudo mount -o ro,loop,offset=$((2048*512)),noexec,nosuid,nodev image.dd /mnt/evidence

# E01: expose it as a raw device first, then loop-mount read-only:
sudo ewfmount image.E01 /mnt/ewf
sudo mount -o ro,loop,offset=$((2048*512)) /mnt/ewf/ewf1 /mnt/evidence

On Windows, mount with FTK Imager or Arsenal Image Mounter in read-only mode. Either way, the image you analyze must remain provably identical to the one you downloaded — the same principle (the original is sacred) that makes real evidence admissible.

Ethics & Legal Note. The public corpora here are built to contain no real illegal material — they use benign stand-ins precisely so you can train safely. But train the reflex anyway: if, on any real device, you ever encounter material that even might be child sexual abuse material (CSAM), stop, do not copy or further view it, document, and report under your jurisdiction's mandatory-reporting law (in the U.S., 18 U.S.C. § 2258A). This is non-negotiable and is covered in Chapter 25 — The Legal Framework, Chapter 28 — Ethics, and Appendix E. Practice data is also licensed for education — read each source's terms; do not re-host or use it for anything but learning.


J.18 Organizing your evidence

A consistent layout turns a pile of downloads into a defensible case file. Keep master images read-only and separate; keep per-case working folders for your analysis.

~/forensics/
├── images/                       # MASTER practice images — read-only (chmod 444)
│   ├── nist-hacking-case/
│   │   ├── SCHARDT.001
│   │   └── SCHARDT.001.sha256    # published hash, kept beside the image
│   ├── m57-patents/
│   ├── lone-wolf/
│   └── samples/                  # memory (.vmem/.raw/.lime) + network (.pcap)
├── cases/                        # YOUR analysis — one folder per case/exercise
│   └── 2026-001_hacking-case/
│       ├── 00_intake/            # assignment, authority, hash-on-receipt
│       ├── 01_acquisition/       # working copy + verification log
│       ├── 02_analysis/          # tool output, extracted artifacts
│       ├── 03_timeline/          # plaso storage + rendered CSV
│       ├── 04_exhibits/          # what will go in the report
│       ├── notes.md              # contemporaneous lab notebook
│       └── report.md             # your findings (see Appendix F)
└── tools/                        # cloned repos, EZ Tools, KAPE, etc.

A minimal lab-notebook / intake header to drop at the top of notes.md (the real chain-of-custody and report forms live in Appendix F):

CASE:        2026-001  Hacking Case (NIST CFReDS — practice)
EXAMINER:    <you>                       DATE OPENED: 2026-06-28
SOURCE:      SCHARDT.001  (raw/dd)        FROM: cfreds.nist.gov (dl 2026-06-27)
HASH (RECV): <sha256>  — matches published? [ ] yes
WORKING COPY: cases/2026-001/01_acquisition/SCHARDT-working.dd
HASH (COPY): <sha256>  — equals source?     [ ] yes
TOOLS+VER:   TSK 4.12, Autopsy 4.21, Volatility 3 2.x, plaso 2024.x
OBJECTIVE:   <what this session is trying to establish>
----------------------------------------------------------------------
TIME   ACTION                                  RESULT / OUTPUT REF / HASH
0900   sha256sum SCHARDT.001                   matches published  ✓
0905   cp -> working copy; re-hashed           equals source      ✓
0912   mmls working.dd                         1 NTFS part @ sector 63
0920   fls -r -o 63 working.dd > files.txt     342 entries (29 deleted)
...

Chain of Custody (rehearsal). You will never produce a real chain of custody for a practice image — but writing the intake header and the timestamped action log every single time builds the habit so it is automatic when the evidence is real and a defense attorney is reading your notes line by line.


J.19 Mapping the book to practice images

Recommended practice data per chapter. (Chapters that are conceptual, hardware-bound, or legal — e.g., 1, 3, 8, 13, 25–28, 33, 39, 40 — are best practiced through their own exercises rather than an image.)

Chapter Recommended image(s) What you practice
02 — How Data Is Stored self-made dd image; any govdocs1 file in a hex editor sectors, offsets, hex, signatures
04 — File Systems CFReDS FS test sets; self-made FAT/NTFS/ext4 images mmls/fsstat; MFT/inode structures
05 — Forensic Process NIST Hacking Case; M57-Jean acquire→verify→analyze→report end-to-end
06 — Logical Recovery CFReDS deleted-file set; Hacking Case; self-made fls -d, icat, tsk_recover
07 — File Carving govdocs1; DFRWS 2006/2007; NPS images foremost/scalpel/photorec; fragmentation
10 — RAID Recovery self-made mdadm array stripe order, parity, rebuild
11 — Mobile Recovery Hickman Android; CFReDS mobile deleted SQLite rows, carving
12 — Ransomware Recovery malware-traffic-analysis ransomware PCAPs; self-made "encrypted" set shadow copies, slack, triage
14 — Forensic Acquisition a spare USB you image yourself FTK Imager/dc3dd; E01 + hash verify
15 — Live Response & Triage your own VM + KAPE; Magnet/Belkasoft targeted collection, order of volatility
16 — Windows Forensics Data Leakage Case; Lone Wolf; Hacking Case registry, Prefetch, AmCache, LNK, USB
17 — macOS/Linux Forensics DFRWS 2008 (Linux); Ali Hadi's Linux cases logs, auth.log, persistence
18 — Browser/Internet Lone Wolf; M57; Hacking Case history/cache SQLite; downloads
19 — Email/Chat/Social M57-Patents; Enron email corpus PST/mbox, headers, attachments
20 — Photo/Video/Document govdocs1; Lone Wolf; your own photos EXIF/GPS (exiftool), document metadata
21 — Timeline Analysis Hacking Case or M57 with plaso super-timelines; $STANDARD_INFO` vs `$FILE_NAME
22 — Memory Forensics Volatility samples; MemLabs; M57/Lone Wolf RAM pslist, netscan, malfind, dump
23 — Network Forensics malware-traffic-analysis; Wireshark samples; Honeynet flows, carving files from PCAP, C2
24 — Mobile Forensics Hickman iOS/Android; Belkasoft; Magnet ALEAPP/iLEAPP, app artifacts
29 — Encrypted Devices self-made VeraCrypt container detection, key-in-RAM, limits
30 — Anti-Forensics Data Leakage Case; DFRWS 2008; M57 timestomping, wiper traces (CCleaner)
32 — Malware Forensics Honeynet; malware-traffic-analysis; Volatility static/dynamic on REMnux (isolated)
34 — IoT/Vehicle/Embedded DFRWS 2018 IoT embedded FS, flash dumps
35 — AI-Assisted/Deepfakes public deepfake datasets (e.g., FaceForensics++) detection, provenance
38 — Capstone M57-Patents (or Lone Wolf) the whole pipeline, correlated

J.20 The progressive project spine

The Forensic Case File project runs across the book; you should carry one primary image through it from acquisition (Ch.5/Ch.14) to the capstone report (Ch.38). Pick by appetite:

Option Image Pros Cons Choose if
NIST Hacking Case 1 × WinXP dd (~few GB) Tiny, ~30 guided questions, hugely documented, classic Dated (XP); no memory/network You want a guided first pass while learning Parts I–III
Lone Wolf 1 × Win10 E01 + RAM Modern Windows; disk and memory; realistic single-custodian case Sensitive (simulated) theme You want a modern single-machine capstone
M57-Patents 4 PCs + RAM + PCAP Richest; multi-source correlation; email exfil + network; maps to anchor #2 Large (tens of GB); more setup You want the full multi-evidence capstone (recommended for Ch.38)

Recommended path. Use the Hacking Case as a guided end-to-end rehearsal while you work Parts I–III, then adopt M57-Patents (or Lone Wolf if disk space or time is tight) as the spine of your Forensic Case File. M57's multiple machines, RAM, and packet captures are the only public data that let you practice the capstone's defining skill — building one coherent timeline and narrative from many independent sources — which is exactly what anchor #2 (the employee who covered their tracks) demands.


J.21 Quick start: your first hour

Two on-ramps. Do whichever gives you the bigger jolt of momentum — then go back and build the lab properly.

Track A — disk (Sleuth Kit on the Hacking Case), ~30 min

# 1) Download SCHARDT.001 from CFReDS, then verify integrity before trusting it
sha256sum SCHARDT.001                       # compare to NIST's published hash

# 2) Find the partition (XP images often start at sector 63, NOT 2048 — always check)
mmls SCHARDT.001

# 3) List files, INCLUDING deleted, from that partition
fls -r -o 63 SCHARDT.001 | less             # use the Start sector mmls reported

# 4) Recover one deleted file by its inode
icat -o 63 SCHARDT.001 <inode> > recovered.bin
file recovered.bin                          # what did you get back?

Track B — memory (Volatility 3 on a modern sample), ~20 min

# Use a modern Windows memory image (a MemLabs lab, or capture your own VM's RAM)
vol -f memory.raw windows.info              # OS build, profile-free
vol -f memory.raw windows.pslist            # running processes
vol -f memory.raw windows.netscan           # network connections in RAM
vol -f memory.raw windows.malfind           # injected/suspicious memory regions
#  (for the classic XP samples like cridex.vmem, use Volatility 2 with --profile=WinXPSP2x86)

That is the whole craft in miniature: verify, then examine a copy, then recover and interpret what was supposedly gone. Everything else in this book is depth on those moves.


J.22 Troubleshooting

Symptom Likely cause Fix
mmls/fls: "cannot determine file system type" Pointed at the whole disk without an offset, or it is an E01 not raw Run mmls first; pass -o <start sector>; for E01 use ewfmount then point at ewf1
fls finds nothing deleted Wrong offset, or the FS reuses entries aggressively Re-check the mmls Start column; try tsk_recover; carve with photorec
Volatility 3: "unsatisfied requirement / symbol table not found" Old build, or an OS it lacks symbols for Update vol3; for classic XP/7 samples use Volatility 2 with --profile=
Volatility 2 won't run Python 2 absent (EOL) Use a Python-2 venv/container, or switch to a vol3-friendly sample
Autopsy won't launch on Linux TSK/Java mismatch Install OpenJDK 17 + matching TSK; or run Autopsy on the Windows VM
Hash mismatch after download Truncated/corrupt download, or split files not concatenated Re-download; cat split parts in order; re-verify against the published hash
E01 won't loop-mount E01 is a container, not a raw device ewfmount image.E01 /mnt/ewf, then mount /mnt/ewf/ewf1 read-only
"Out of disk space" Images are huge (M57/govdocs1) Store on a separate large volume; download subsets (selected days/threads)
VM won't enable 64-bit/virtualization VT-x/AMD-V off, or hypervisor conflict Enable virtualization in BIOS/UEFI; don't run Hyper-V alongside VirtualBox/VMware
Malware sample "phoned home" VM was bridged/NAT during analysis Set network to not attached; revert snapshot; use an internal-only detonation net

J.23 See also

The bottom line. Pick one image, build one VM, hash everything, work on the copy, and write down what you do. Do that ten times and the procedures in this book stop being something you read and become something you can do — which is the only thing a courtroom, a client, or a breach victim will ever actually care about.