“Does anyone know which publicly-accessible disk images contain (insert your artifact of interest)?”
We have been using publicly-accessible disk images for testing and training over many years. As we were testing internal builds of Arsenal Image Mounter toward the end of 2023, we started thinking about all the things about these disk images which would be nice to have in a single living spreadsheet… then we started thinking about how the entire digital forensics community could benefit from having this kind of spreadsheet online. So, here we are! We call this spreadsheet (as of the May 28, 2024 update) the “Publicly-Accessible Disk Images & Mobile Extractions Grid for DFIR” and it will begin with particular things we care about at Arsenal in terms of disk images containing Windows - for example, how many Volume Shadow Copies they contain, the names and types of their Windows accounts, and whether their hibernation files are actually populated with hibernation data.
Remember, this is a living spreadsheet! Please get in touch and tell us the kinds of things you would like to know about publicly-accessible disk images and mobile extractions, and we will see about adding them. Are there particular disk images and mobile extractions you think we should add? Particular artifacts we should add? Also, don’t be shy if you think we got something wrong. Tell us - we can take it. Oh, and bookmark this page.
Change log:
May 28, 2024 - Added mobile extractions
March 21, 2024 - Added 13 more Windows disk images
January 12, 2024 - Initial version
Did you know that Arsenal Image Mounter v3.11.290 was recently released? Updates include a new Recon Report feature, more CLI switches to support automation requests, AIM Virtual Machine tools that now display both passwords & PINs recovered from the same accounts, & more. Check out the change log and download the latest AIM at https://ArsenalRecon.com/downloads.