I have often wondered too if there was a Microsoft-sanctioned Windows image(s) out there that could be shared with the forensics community for the purposes of education. Alas, all I can say is:

1. Go out to your nearest computer show and pick up a used drive and see what you can find.
2. Head to your nearest independent computer repair shop and tell them that you are interested in buying any small used drives they may come across for 5-10 dollars. These places usually have many of these drives and no real market for them.
3. Go to a thrift shop.
4. Yard sales.

The last two will probably cost you more. I usually pick up drives <1GB for anywhere from 5-10 bucks.

Also, have a look at this story that ran a while back. I loved the concept and want to do the same thing so I can go from being book smart about forensics to being book and "bench time" smart.

http://news.bbc.co.uk/1/hi/technology/2676461.stm

I know my company has a large forensics dept. and if I can make some inroads there, I'm sure I can borrow a copy of EnCase and Fob/Dongle (assuming the licensing is cool with that) and practice, practice, practice.

Perhaps one day "sanitized" Windows images will be able to be distributed to the forensics community in an open forum. Heck, I would love to see a computer forensics book that started you off with something simple like an image on a floppy, walked you through the data, the recovery, the track layout and the filesystem, then worked its way up to a Windows disk image, then moved from there to other operating systems so the concepts could build on one another. (I put Windows first simply because I think it would be a better stepping stone towards understanding other filesystems.)

My apologies for the late reply, I hope the moderator allows it anyway.

Karlo A.
Veridian Corp.

-----Original Message-----
From: Altheide, Cory B. [mailto:AltheideCat_private]
Sent: Monday, July 14, 2003 5:13 PM
To: forensicsat_private
Subject: RE: Windows HD image for forensics testing

I don't think that you'll find such a beast, thanks to commercial licensing. Anyone posting a Windows drive image is, in effect, illegally distributing copyrighted material, and will likely be ripped to shreds by the hounds of the BSA posthaste.

If you want to practice on Windows images, you'll have to set up a Windows honeypot yourself.

Cory Altheide
Computer Forensics Specialist
NNSA Cyber Forensics Center
altheidecat_private

> -----Original Message-----
> From: Job 317 [mailto:job317at_private]
> Sent: Monday, July 14, 2003 11:13 AM
> To: forensicsat_private
> Subject: Windows HD image for forensics testing
>
>
> Does anyone know of a web site where I can download a Windows
> (any flavor but preferably NT/2000/XP Pro) hard drive
> image/partition in order to do some forensics testing? I
> looked at the forensics challenge images for the Redhat 6.2
> system from honeynet.org but I would like to try a Windows image now.
>
> Thanks,
>
> Job
>

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sat Aug 09 2003 - 06:49:37 PDT