
Publicly-Accessible Disk Images & Mobile Extractions Grid for DFIR

September 25th, 2024
Emina Doherty
Anastasia Shek
Glimpse of Publicly-Accessible Disk Images and Mobile Extractions Grid for DFIR

“Does anyone know which publicly-accessible disk images contain (insert your artifact of interest)?”


We have been using publicly-accessible disk images for testing and training over many years. As we were testing internal builds of Arsenal Image Mounter toward the end of 2023, we started thinking about all the things about these disk images which would be nice to have in a single living spreadsheet… then we started thinking about how the entire digital forensics community could benefit from having this kind of spreadsheet online. So, here we are! We call this spreadsheet the “Publicly-Accessible Disk Images & Mobile Extractions Grid for DFIR.” The first version of our grid began with particular things we care about at Arsenal in terms of disk images containing Windows - for example, how many Volume Shadow Copies they contain, the names and types of their Windows accounts, and whether their hibernation files are actually populated with hibernation data. Later versions included mobile extractions and then disk images containing Linux.


Remember, this is a living spreadsheet! Please get in touch and tell us the kinds of things you would like to know about publicly-accessible disk images and mobile extractions, and we will see about adding them. Are there particular disk images and mobile extractions you think we should add? Particular artifacts we should add? Also, don’t be shy: if you think we got something wrong, tell us - we can take it. Oh, and bookmark this page.

Change log:

September 24, 2024 - Added a Windows disk image, five more mobile extractions, and a new Linux disk images section

May 28, 2024 - Added a new mobile extractions section

March 21, 2024 - Added 13 more Windows disk images

January 12, 2024 - Initial version


Are you running the latest version of Arsenal Image Mounter? Updates to v3.11.293 included an improved DPAPI bypass & new EFI boot cleanup option when launching Windows virtual machines from disk images or actual physical disks, Recon Report enhancements (e.g. simpler display of VSC timestamps), & more - see change log details at https://ArsenalRecon.com/downloads.

Published in: News, Training