DFIR Artifact Museum
Description
The DFIR Artifact Museum is a community-driven archive of DFIR-related artifacts. It was created to provide a centralized location for examples of artifacts from various operating systems.
Purpose
To make sample artifacts more accessible, so that individual researchers do not have to duplicate the effort of generating data that should be generated once and shared with the community. Time and energy can then go into analysis rather than artifact generation.
Benefits
Hopefully, with artifacts from various operating systems centralized in a single location, someone who never uses Linux can gain familiarity with what Linux artifacts look like, and likewise someone who only uses Linux can learn what Windows artifacts look like.
Additionally, with more artifacts available, those who enjoy creating tools will have sample data from which to build a parser and share it with the community. Having an artifact readily available as sample data removes one major hassle between having an idea for a parsing tool and actually creating and sharing it.
DFIRArtifactMuseum Roadmap
Want to see what the future holds for the DFIRArtifactMuseum repo? Check out the project boards where the to-do lists can be found!
Contributing to DFIRArtifactMuseum
Please check out CONTRIBUTING.md if you want guidance on how you can contribute to the DFIRArtifactMuseum.
Other Projects of Interest
- EVTX-ETW-Resources - This repo contains XML and CSV files listing every Event ID, Event Message, etc. for every Event Provider in nearly every major version of Windows 8, 10, and 11 and Windows Server 2016, 2019, and 2022. Did you know most Event Providers in Windows are disabled by default? Now you have visibility into every one that ships with Windows, and you'll never have to wonder what an Event ID means for a Provider native to Windows: search the repo and the answer is there. ETWProvidersManifests holds the raw XMLs generated with WEPExplorer, and ETWEventsList holds the CSVs generated from those XMLs; one CSV per version of Windows enumerates all Event Providers and their associated Event IDs.
- VanillaWindowsRegistryHives - This repo contains zip files of raw Registry hives taken immediately after a clean install, plus JSON dumps of those hives (from the topmost ROOT key), for nearly every major version of Windows 8, 10, and 11 and Windows Server 2016, 2019, and 2022. This is a great way to see what is normal in the Registry before user activity kicks in.
- VanillaWindowsReference - This repo contains a CSV file with a directory listing of every file that comes in a clean install for nearly every major version of Windows 8, 10, and 11 and Windows Server 2016, 2019, and 2022. This includes filenames, parent folders, hash values, file sizes, etc. for EVERY file. A perfect way to see where files are supposed to be located on a Windows system. One could also generate an open source hash database of known-good files from this dataset; keep in mind that such a set only covers the files present at a clean install of that specific build, so files replaced by later updates will not match it.
- AboutDFIR - Tool Testing - AboutDFIR has a Tool Testing page which contains links to many other forensic images. Use them to tinker with for research or to validate your findings!
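The following is an added example (not code from the DFIR Artifact Museum or from any of the projects listed above) of the known-good hash database idea: it loads a clean-install file listing in the style of the VanillaWindowsReference CSV into a hash set, then triages a second listing from a suspect host. The column names (DirectoryName, Name, Length, SHA256), both CSV contents and all hash values are constructed for illustration and are assumptions; check the real CSV headers before pointing this at the repository's files.

```python
"""Build a known-good hash set from a clean-install file listing and triage a
suspect host's listing against it.

Added example, not part of the DFIR Artifact Museum or VanillaWindowsReference.
The column names DirectoryName, Name, Length and SHA256 are assumed for
illustration; verify them against the real CSV before use.
"""
import csv
import io
from collections import defaultdict

# Constructed "clean install" listing (assumed columns, fake hash values).
BASELINE_CSV = """DirectoryName,Name,Length,SHA256
C:\\Windows\\System32,svchost.exe,57000,aaa111
C:\\Windows\\System32,cmd.exe,289000,bbb222
C:\\Windows\\System32,rundll32.exe,71000,ccc333
C:\\Windows\\SysWOW64,cmd.exe,236000,ddd444
"""

# Constructed listing collected from a suspect host, same columns.
SUSPECT_CSV = """DirectoryName,Name,Length,SHA256
C:\\Windows\\System32,svchost.exe,57000,aaa111
C:\\Windows\\System32,cmd.exe,289000,bbb222
C:\\Users\\Public,svchost.exe,57000,aaa111
C:\\Windows\\System32,rundll32.exe,71000,eee555
C:\\Windows\\Temp,update.exe,12345,fff666
"""


def full_path(row):
    """Join directory and file name into a case-folded full path."""
    return (row["DirectoryName"].rstrip("\\") + "\\" + row["Name"]).lower()


def build_baseline(csv_text):
    """Return (hash -> set of expected paths, path -> hash) for the clean listing.

    Both indexes are kept because the same binary legitimately lives in more
    than one place (e.g. System32 and SysWOW64), so a hash alone cannot say
    whether a given location is expected.
    """
    by_hash = defaultdict(set)
    by_path = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = full_path(row)
        digest = row["SHA256"].lower()
        by_hash[digest].add(path)
        by_path[path] = digest
    return by_hash, by_path


def triage(baseline_csv, suspect_csv):
    """Classify each suspect file that does not exactly match the baseline.

    Returns a list of (category, path, hash, related_baseline_entries) tuples
    in the order the suspect rows appear. Exact path+hash matches are dropped.
    """
    by_hash, by_path = build_baseline(baseline_csv)
    findings = []
    for row in csv.DictReader(io.StringIO(suspect_csv)):
        path = full_path(row)
        digest = row["SHA256"].lower()
        if by_path.get(path) == digest:
            continue  # known good: right file in the right place
        if digest in by_hash:
            # Genuine OS binary copied somewhere it does not belong
            # (classic masquerading / staging location).
            findings.append(("known_hash_unexpected_path", path, digest,
                             sorted(by_hash[digest])))
        elif path in by_path:
            # Expected location, different content: patched by an update,
            # or replaced by something malicious. Worth a closer look.
            findings.append(("known_path_modified_hash", path, digest,
                             [by_path[path]]))
        else:
            # Neither the hash nor the path exists in the clean install.
            findings.append(("unknown_file", path, digest, []))
    return findings


if __name__ == "__main__":
    for category, path, digest, related in triage(BASELINE_CSV, SUSPECT_CSV):
        print(f"{category:28} {path}  {digest}  baseline={related}")
```

Because the baseline is a single build, a `known_path_modified_hash` hit is expected for anything Windows Update has replaced; that category is a prompt to compare against a baseline of the matching patch level, not a verdict on its own.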
Acknowledgements
Special thank you to Kevin Pagano for the awesome logo!
Licensing/Source Attribution
- Android 7-10 Images - Digital Corpora (public domain; with explicit permission from Josh Hickman)
- Android 11-12 - Josh Hickman's blog (with explicit permission)
- Belkasoft CTF artifacts - Belkasoft CTF - Insider Threat (with explicit permission)
- Eric Zimmerman's artifacts - Eric Zimmerman (with explicit permission)
- James Smith - The Case of the Stolen Szechuan Sauce (with explicit permission)
- Maxim Suhanov - Various samples from his GitHub repositories (with explicit permission)
For background on standardized forensic corpora, please see Digital Corpora's research paper, Bringing science to digital forensics with standardized forensic corpora.