
How to Create A Sample Data Set




STEP 1: Set Up a Virtual Machine (Optional but Recommended)

Using a virtual machine (VM) allows you to simulate suspicious or criminal behavior safely.

  • Tool suggestions:

    1. VirtualBox (free)

    2. VMware Workstation or Player

  • OS suggestions:

    1. Windows 10/11 (typical user environment); note that Windows 10 reached end of support on October 10th, 2025

    2. Linux (Kali, Ubuntu), if you’re interested in Linux artifacts too


STEP 2: Simulate User Activity

Perform a variety of common and suspicious activities:


Normal Activity

  • Create/delete folders and files (e.g., .docx, .pdf, .jpg)

  • Browse the internet (download files, visit websites)

  • Send and receive emails using a client (e.g., Thunderbird)

  • Use USB drives (attach/detach)


Suspicious/Forensic-Relevant Activity

  • Use a web browser in private/incognito mode

  • Create and delete users

  • Use the command line or PowerShell

  • Delete files and clear the Recycle Bin

  • Install software like:

    1. TOR Browser

    2. FileZilla (for FTP)

    3. CCleaner (for wiping traces)

    4. Signal or Telegram (for encrypted messages)



Let a few hours or days pass to create realistic timestamps and logs.
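As an added example that is not part of the original guide, the script below performs the file create/delete part of this step and records a ground-truth manifest (action, path, UTC timestamp, SHA-256) that you can later compare with what Autopsy reports. File names, contents and the manifest layout are constructed here; real sample files would be larger.

```python
"""Simulate part of the 'Normal Activity' step while keeping a ground-truth log:
create and delete sample .docx/.pdf/.jpg files, recording every action with a UTC
timestamp and SHA-256 so that Autopsy's later findings can be checked against it."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed placeholder contents; only the leading bytes mimic the real formats.
SAMPLE_FILES = {
    "report.docx": b"PK\x03\x04 constructed docx placeholder",
    "invoice.pdf": b"%PDF-1.4 constructed pdf placeholder",
    "photo.jpg": b"\xff\xd8\xff\xe0 constructed jpg placeholder",
}

def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def simulate_file_activity(target_dir=None, delete=("photo.jpg",)):
    """Create the sample files, delete the chosen ones, return the action manifest."""
    target = Path(target_dir or tempfile.mkdtemp(prefix="sample_set_"))
    target.mkdir(parents=True, exist_ok=True)
    manifest = []
    for name, data in SAMPLE_FILES.items():
        path = target / name
        path.write_bytes(data)
        manifest.append({"action": "create", "path": str(path), "sha256": _sha256(data),
                         "time": datetime.now(timezone.utc).isoformat()})
    for name in delete:
        path = target / name
        path.unlink()  # direct deletion, bypassing the Recycle Bin on Windows
        manifest.append({"action": "delete", "path": str(path),
                         "time": datetime.now(timezone.utc).isoformat()})
    return manifest

def verify_manifest(manifest):
    """Check disk against the manifest: the last recorded action per path must hold."""
    final = {entry["path"]: entry for entry in manifest}
    for path, entry in final.items():
        p, should_exist = Path(path), entry["action"] == "create"
        if p.exists() != should_exist:
            return False
        if should_exist and _sha256(p.read_bytes()) != entry["sha256"]:
            return False
    return True

def write_manifest(manifest, out_path):
    """Store the ground truth outside the VM (a shared folder, say) before imaging."""
    return Path(out_path).write_text(json.dumps(manifest, indent=2))
```

Run `simulate_file_activity` with a path inside the VM's user profile (for example under Documents) and keep the manifest off the VM so it does not end up in the image you are about to analyze.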


STEP 3: Capture the Disk Image

Once you’ve completed the activity on the VM:

Tools:


Example with FTK Imager:

  1. Launch FTK Imager

  2. File > Create Disk Image

  3. Choose Physical Drive or Logical Drive (select your VM’s disk)

  4. Choose image format (E01 or Raw .dd)

  5. Save the image


STEP 4: Import the Image into Autopsy

  1. Open Autopsy and create a new case

  2. Add your disk image as a data source

  3. Autopsy will begin parsing:

    • File system artifacts

    • Web history

    • Email, registry, deleted files, etc.


Sample Ideas for Learning Objectives

You can customize your dataset based on what you want to learn:

  • Learn about browser history: visit different websites using Chrome and Firefox

  • Analyze USB usage: plug in and remove multiple USB drives

  • Practice file recovery: create and then delete .docx and .jpg files

  • Examine chat apps: install and use Signal or Telegram

  • Spot data exfiltration: upload files to the cloud or FTP


Bonus: Pre-made Sample Images

If you’d rather skip building your own image:

