
RE: Windows HD image for forensics testing

From: madmex <madmex(at)luna.moonstar.com>
Date: Sat Aug 09 2003 - 01:32:05 EDT

I have often wondered too if there was a Microsoft-sanctioned Windows image(s) out there that could be shared with the forensics community for the purposes of education.

Alas, all I can say is:
1. Go out to your nearest computer show and pick up a used drive and see what you can find.
2. Head to your nearest independent computer repair shop and tell them that you are interested in buying any small used drives they may come across for 5-10 dollars. These places usually have many of these drives and no real market for them.
3. Go to a thrift shop.
4. Yard Sales.

The last two will probably cost you more. I usually pick up drives <1GB for anywhere from 5-10 bucks.

Also, have a look at this story that ran a while back. I loved the concept and want to do the same thing so I can go from being book smart about forensics to being book and "bench time" smart.

http://news.bbc.co.uk/1/hi/technology/2676461.stm

I know my company has a large forensics dept. and if I can make some inroads there, I'm sure I can borrow a copy of EnCase and Fob/Dongle (assuming the licensing is cool with that) and practice, practice, practice.

Perhaps one day "sanitized" Windows images will be able to be distributed to the forensics community in an open forum. Heck, I would love to see a computer forensics book that started you off with something simple like an image on a floppy, walked you through the data, the recovery, the track layout and the filesystem, then worked its way up to a Windows disk image, then moved from there to other operating systems so the concepts could build on one another. (I put Windows first simply because I think it would be a better stepping stone towards understanding other filesystems.)


My apologies for late reply, I hope the moderator allows it anyway.

Karlo A.
Veridian Corp.

-----Original Message-----
From: Altheide, Cory B. [mailto:AltheideC@nv.doe.gov]
Sent: Monday, July 14, 2003 5:13 PM
To: forensics@securityfocus.com
Subject: RE: Windows HD image for forensics testing

I don't think that you'll find such a beast, thanks to commercial licensing.

Anyone posting a Windows drive image is, in effect, illegally distributing copyrighted material, and will likely be ripped to shreds by the hounds of the BSA posthaste.

If you want to practice on Windows images, you'll have to set up a Windows honeypot yourself.

Cory Altheide
Computer Forensics Specialist
NNSA Cyber Forensics Center
altheidec@nv.doe.gov

> -----Original Message-----



This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Received on Sat Aug 9 09:49:38 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:44 EDT

