How to create a sample data set
- The Siren

- Nov 21, 2025
Updated: Nov 24, 2025
ISO: https://www.microsoft.com/en-us/software-download/windows11 (PC with INTEL)
STEP 1: Set Up a Virtual Machine (Optional but Recommended)
Using a virtual machine (VM) allows you to simulate suspicious or criminal behavior safely.
Tool suggestions:
VirtualBox (free)
VMware Workstation or Player
OS suggestions:
Windows 10/11 (typical user environment). Note that Windows 10 went end of support on October 10th, 2025.
Linux (Kali, Ubuntu) if you're interested in Linux artifacts too
STEP 2: Simulate User Activity
Perform a variety of common and suspicious activities:
Normal Activity
Create/delete folders and files (e.g., .docx, .pdf, .jpg)
Browse the internet (download files, visit websites)
Send and receive emails using a client (e.g., Thunderbird)
Use USB drives (attach/detach)
Suspicious/Forensic-Relevant Activity
Use a web browser in private/incognito mode
Create and delete users
Use command line or PowerShell
Delete files and clear Recycle Bin
Install software like:
TOR Browser
FileZilla (for FTP)
CCleaner (for wiping traces)
Signal or Telegram (for encrypted messages)
Let a few hours or days pass to create realistic timestamps and logs.
STEP 3: Capture the Disk Image
Once you've completed the activity on the VM:
Tools:
FTK Imager (Windows)
dd (Linux/Mac/WSL)
Guymager (Linux GUI)
Example with FTK Imager:
Launch FTK Imager
File > Create Disk Image
Choose Physical Drive or Logical Drive (select your VM’s disk)
Choose image format (E01 or Raw .dd)
Save the image
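The dd route from the tool list above, shown as an added example that is not part of the original post: it writes a raw .dd image and confirms by SHA-256 that the copy matches the source. The function names `sha256_of` and `acquire_image` and the paths in the usage comment are illustrative assumptions, and the source disk is assumed not to be in use while it is read.

```shell
#!/bin/sh
# Added example: raw acquisition with dd plus hash verification.
# Usage (illustrative paths): acquire_image /dev/sdb case01.dd

# Print the SHA-256 of a file or block device.
# Uses sha256sum (Linux/WSL) or falls back to shasum (macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        out=$(sha256sum "$1")
    else
        out=$(shasum -a 256 "$1")
    fi || return 1
    echo "${out%% *}"   # keep only the hash field
}

# acquire_image SOURCE IMAGE
# Copies SOURCE to IMAGE and checks that the copy is bit-identical.
# Returns 0 on match, 1 on copy failure or mismatch, 2 on bad arguments.
acquire_image() {
    src=$1
    img=$2
    if [ ! -r "$src" ]; then
        echo "cannot read $src" >&2
        return 2
    fi
    if [ -e "$img" ]; then
        echo "refusing to overwrite $img" >&2
        return 2
    fi

    src_hash=$(sha256_of "$src") || return 1
    # dd's transfer summary is kept in a log beside the image.
    dd if="$src" of="$img" bs=1048576 2>"$img.dd.log" || return 1
    img_hash=$(sha256_of "$img") || return 1

    if [ "$src_hash" != "$img_hash" ]; then
        echo "HASH MISMATCH: $src_hash != $img_hash" >&2
        return 1
    fi
    # Sidecar in sha256sum format so the image can be re-checked later.
    printf '%s  %s\n' "$img_hash" "$(basename "$img")" >"$img.sha256"
    chmod a-w "$img" "$img.sha256"   # guard against accidental edits
    echo "$img_hash"
}
```

Record the printed hash in your case notes; if the image later fails a check against the `.sha256` sidecar, it has changed since acquisition.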
STEP 4: Import the Image into Autopsy
Open Autopsy and create a new case
Add your disk image as a data source
Autopsy will begin parsing:
File system artifacts
Web history
Email, registry, deleted files, etc.
Sample Ideas for Learning Objectives
You can customize your dataset based on what you want to learn:
| Goal | Dataset Behavior |
| --- | --- |
| Learn about browser history | Visit different websites using Chrome and Firefox |
| Analyze USB usage | Plug in and remove multiple USB drives |
| Practice file recovery | Create and then delete .docx and .jpg files |
| Examine chat apps | Install and use Signal or Telegram |
| Spot data exfiltration | Upload files to the cloud or FTP |
Bonus: Pre-made Sample Images
If you'd rather skip building your own image:
Digital Corpora – Free disk images for forensic research
NIST CFReDS – Forensic Reference Datasets
DFIR Training – Training examples

