“Does anyone know which publicly-accessible disk images contain (insert your artifact of interest)?”
We have been using publicly-accessible disk images for testing and training over many years. As we were testing internal builds of Arsenal Image Mounter toward the end of 2023, we started thinking about all the things about these disk images which would be nice to have in a single living spreadsheet… then we started thinking about how the entire digital forensics community could benefit from having this kind of spreadsheet online. So, here we are! We will call this spreadsheet the “Publicly-Accessible Disk Images Grid for DFIR” and the first draft will focus on some of the particular things we care about at Arsenal in terms of disk images containing Windows - for example, how many Volume Shadow Copies they contain, the names and types of their Windows accounts, and whether their hibernation files are actually populated with hibernation data.
Remember, this is a living spreadsheet! Please get in touch and tell us the kinds of things you would like to know about publicly-accessible disk images, and we will see about adding them. Do you want us to add publicly-accessible physical and logical images/backups from cell phones? What about disk images containing Linux? Also, don’t be shy if you think we got something wrong, tell us - we can take it. Oh, and bookmark this page.
Change log:
January 12, 2024 - Initial version
March 21, 2024 - Added 13 more Windows disk images
Did you know that Arsenal Image Mounter v3.11.279 was recently released? Updates include new database-driven password attack functionality (and our "Password Sledgehammer" database), new Volume Shadow Copy mount methods, CLI updates, performance improvements, & much more. Check out the change log and download the latest AIM at https://ArsenalRecon.com/downloads.