Digital-Forensics-Lab is a set of free hands-on digital forensics labs for students and faculty.

Features Of Repository

  • Hands-on Digital Forensics Labs: designed for Students and Faculty
  • Linux-based lab: All labs are purely based on Kali Linux
  • Lab screenshots: Each lab has PPTs with instruction screenshots
  • Comprehensive: Cover many topics in digital forensics
  • Free: All tools are open source
  • Updated: The project is funded by DOJ and will continue to be updated
  • Two formalized forensic intelligence in JSON files based on case studies

Tool Installation (newly added on 12/6/2021)

Method 1: Importing customized Kali VM image

The customized Kali VM = Kali (2020.4) + the tools used for completing most of the labs listed on this page (except the P2P Data Leakage case)

  • Install Virtualbox
  • Import the customized Kali 2020.4. Note: the default hard disk size is 80G.

Method 2: Installing tools using the customized script (the script is tested ONLY on Kali 2020.4)

The following script installs the tools needed for completing most of the labs listed on this page (except the P2P Data Leakage case, which has its own script described in the PPTs). Please let us know if you need us to add more tools to the script.

  • Install Virtualbox
  • Install Kali 2020.4. Note: we suggest configuring the Kali VM disk size as 80G, because each leakage case image is 30G+ in size
  • Follow the instructions on how to run the installation script, or simply run the commands below

wget https://raw.githubusercontent.com/frankwxu/digital-forensics-lab/main/Help/tool-install-zsh.sh
chmod +x tool-install-zsh.sh
./tool-install-zsh.sh

Installed tools. Note that most of the tool commands can be executed globally. You can now skip most of the tool installation steps in the PPTs.

Investigating NIST Data Leakage

The case study is to investigate an image involving intellectual property theft. The study includes

  • A large and complex case study created by NIST. You can access the Scenario, DD/Encase images. You can also find the solutions on their website.
  • 14 hands-on labs/topics in digital forensics

Topics Covered

| Labs | Topics Covered | Size of PPTs |
|---|---|---|
| Lab 0 | Environment Setting Up | 2M |
| Lab 1 | Windows Registry | 3M |
| Lab 2 | Windows Event and XML | 3M |
| Lab 3 | Web History and SQL | 3M |
| Lab 4 | Email Investigation | 3M |
| Lab 5 | File Change History and USN Journal | 2M |
| Lab 6 | Network Evidence and shellbag | 2M |
| Lab 7 | Network Drive and Cloud | 5M |
| Lab 8 | Master File Table ($MFT) and Log File ($logFile) Analysis | 13M |
| Lab 9 | Windows Search History | 4M |
| Lab 10 | Windows Volume Shadow Copy Analysis | 6M |
| Lab 11 | Recycle Bin and Anti-Forensics | 3M |
| Lab 12 | Data Carving | 3M |
| Lab 13 | Crack Windows Passwords | 2M |

Investigating P2P Data Leakage

The P2P data leakage case study helps students apply various forensic techniques to investigate intellectual property theft involving P2P. The study includes

  • A large and complex case involving a uTorrent client. The case is similar to the NIST data leakage lab. However, it provides a clearer and more detailed timeline.
  • Solid evidence with explanations. Each piece of evidence associated with an activity is explained along with the timeline.
  • 10 hands-on labs/topics in digital forensics

Topics Covered

| Labs | Topics Covered | Size of PPTs |
|---|---|---|
| Lab 0 | Lab Environment Setting Up | 4M |
| Lab 1 | Disk Image and Partitions | 5M |
| Lab 2 | Windows Registry and File Directory | 15M |
| Lab 3 | MFT Timeline | 6M |
| Lab 4 | USN Journal Timeline | 3M |
| Lab 5 | uTorrent Log File | 9M |
| Lab 6 | File Signature | 8M |
| Lab 7 | Emails | 9M |
| Lab 8 | Web History | 11M |
| Lab 9 | Website Analysis | 2M |
| Lab 10 | Timeline (Summary) | 13K |

Investigating Illegal Possession of Images

The case study is to investigate the illegal possession of Rhino images. This image was contributed by Dr. Golden G. Richard III, and was originally used in the DFRWS 2005 RODEO CHALLENGE. NIST hosts the USB DD image. A copy of the image is also available in the repository.

Topics Covered

| Labs | Topics Covered | Size of PPTs |
|---|---|---|
| Lab 0 | HTTP Analysis using Wireshark (text) | 3M |
| Lab 1 | HTTP Analysis using Wireshark (image) | 6M |
| Lab 2 | Rhino Possession Investigation 1: File recovering | 9M |
| Lab 3 | Rhino Possession Investigation 2: Steganography | 4M |
| Lab 4 | Rhino Possession Investigation 3: Extract Evidence from FTP Traffic | 3M |
| Lab 5 | Rhino Possession Investigation 4: Extract Evidence from HTTP Traffic | 5M |

Investigating Email Harassment

The case study is to investigate the harassment email sent by a student to a faculty member. The case is hosted by digitalcorpora.org. You can access the scenario description and network traffic from their website. The repository only provides lab instructions.

Topics Covered

| Labs | Topics Covered | Size of PPTs |
|---|---|---|
| Lab 0 | Investigating Harassment Email using Wireshark | 3M |
| Lab 1 | t-shark Forensic Introduction | 2M |
| Lab 2 | Investigating Harassment Email using t-shark | 2M |

Investigating Illegal File Transferring

The case study is to investigate computer memory to reconstruct a timeline of illegal data transferring. The case includes a scenario of transferring sensitive files from a server to a USB.

Topics Covered

| Labs | Topics Covered | Size of PPTs |
|---|---|---|
| Lab 0 | Memory Forensics | 11M |
| part 1 | Understand the Suspect and Accounts | |
| part 2 | Understand the Suspect’s PC | |
| part 3 | Network Forensics | |
| part 4 | Investigate Command History | |
| part 5 | Investigate Suspect’s USB | |
| part 6 | Investigate Internet Explorer History | |
| part 7 | Investigate File Explorer History | |
| part 8 | Timeline Analysis | |

Investigating Hacking Case

The case study, including a disk image provided by NIST, is to investigate a hacker who intercepts internet traffic within range of Wireless Access Points.

Topics Covered

| Labs | Topics Covered | Size of PPTs |
|---|---|---|
| Lab 0 | Hacking Case | 8M |

Investigating Android 10

The image is created by Joshua Hickman and hosted by digital corpora.

| Labs | Topics Covered | Size of PPTs |
|---|---|---|
| Lab 0 | Intro Pixel 3 | 3M |
| Lab 1 | Pixel 3 Image | 2M |
| Lab 2 | Pixel 3 Device | 4M |
| Lab 3 | Pixel 3 System Setting | 5M |
| Lab 4 | Overview: App Life Cycle | 11M |
| Lab 5.1.1 | AOSP App Investigations: Messaging | 4M |
| Lab 5.1.2 | AOSP App Investigations: Contacts | 3M |
| Lab 5.1.3 | AOSP App Investigations: Calendar | 1M |
| Lab 5.2.1 | GMS App Investigations: Messaging | 6M |
| Lab 5.2.2 | GMS App Investigations: Dialer | 2M |
| Lab 5.2.3 | GMS App Investigations: Maps | 8M |
| Lab 5.2.4 | GMS App Investigations: Photos | 6M |
| Lab 5.3.1 | Third-Party App Investigations: Kik | 4M |
| Lab 5.3.2 | Third-Party App Investigations: TextNow | 1M |
| Lab 5.3.3 | Third-Party App Investigations: WhatsApp | 3M |
| Lab 6 | Pixel 3 Rooting | 5M |

Investigating Drone DJI

The dataset includes logical files extracted from a DJI controller (mobile device) and an SD card image used by the device. The Drone dataset was created by VTO Labs. The lab covers GPS investigation and cached image retrieval. Note that it is a draft. We will improve the lab later.

| Labs | Topics Covered | Size of PPTs |
|---|---|---|
| Lab 0 | DJI Mavic Air Mobile | 13M |
| Lab 1 | DJI Mavic Air MicroSD Raw | 2M |
| Lab 2 | DJI Mavic Air MicroSD Encase Format | 2M |

Tools

  • Commands tested
| Name | Command | Repository | Installation Method |
|---|---|---|---|
| Wine | wine --version | https://source.winehq.org/git/wine.git/ | Custom |
| Vinetto | vinetto -h | https://github.com/AtesComp/Vinetto | Custom |
| imgclip | imgclip -h | https://github.com/Arthelon/imgclip | apt install |
| RegRipper | rip.pl -h | https://github.com/keydet89/RegRipper3.0 | Customized script |
| Windows-Prefetch-Parser | prefetch.py -h | https://github.com/PoorBillionaire/Windows-Prefetch-Parser.git | Custom |
| python-evtx | evtx_dump.py -h | https://github.com/williballenthin/python-evtx | apt install |
| libesedb-utils | esedbexport -h | https://github.com/libyal/libesedb | apt install |
| libpff | pffexport -h | https://github.com/libyal/libpff | apt install |
| USN-Record-Carver | usncarve.py -h | https://github.com/PoorBillionaire/USN-Record-Carver | apt install |
| USN-Journal-Parser | usn.py -h | https://github.com/PoorBillionaire/USN-Journal-Parser | apt install |
| time_decode | time_decode.py -h | https://github.com/digitalsleuth/time_decode | Git clone |
| analyzeMFT | analyzeMFT.py -h | https://github.com/dkovar/analyzeMFT | Customized script |
| libvshadow | vshadowinfo -h | https://github.com/libyal/libvshadow | Customized script |
| INDXParse | INDXParse.py – | | Customized script |
| carving sqlite .db | undark -h | https://github.com/inflex/undark.git | Customized script |
| stegdetect | stegdetect -V | | Customized script |
| stegbreak | stegbreak -V | | Customized script |
| stego-toolkit | jphide | | Customized script |
| stego-toolkit | jpseek | | Customized script |
| volatility-2 | vol.py -h | https://github.com/volatilityfoundation/volatility.git | Customized script |
| liblnk-utils | lnkinfo -h | | apt install |
| JLECmd | | https://f001.backblazeb2.com/file/EricZimmermanTools/JLECmd.zip | Git clone |
| recentfilecache-parser | | https://github.com/prolsen/recentfilecache-parser | |
| LogFileParser | | https://github.com/jschicht/LogFileParser.git | Git clone |
| UsnJrnl2Csv | | https://github.com/jschicht/UsnJrnl2Csv.git | Git clone |
  • Other tools installed via apt install: python3-pip, leafpad, terminator, sqlite3, tree, xmlstarlet, libhivex-bin, pasco, npm, binwalk, foremost, hashdeep, ewf-tools, nautilus
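
A post-install check for the commands in the "Commands tested" table, as an added example that is not part of the repository: it records which lab commands resolve on PATH (and to which file) and reports the ones that are missing. The command names are copied from the table; the function names and output format are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the repository): confirm that the commands from the
# "Commands tested" table resolve on PATH after the installation script ran.
# Function names and output format are assumptions of this example.

# First word of each "Command" cell in the table.
LAB_TOOLS="wine vinetto imgclip rip.pl prefetch.py evtx_dump.py esedbexport
pffexport usncarve.py usn.py time_decode.py analyzeMFT.py vshadowinfo
INDXParse.py undark stegdetect stegbreak jphide jpseek vol.py lnkinfo"

# Print each name from the argument list that does not resolve on PATH.
missing_tools() {
    for tool in "$@"; do
        command -v "$tool" >/dev/null 2>&1 || printf '%s\n' "$tool"
    done
}

# Print "name<TAB>resolved path" for each tool that is found, so the examiner
# can note in the case file which binary a lab command actually runs.
resolved_tools() {
    for tool in "$@"; do
        tool_path=$(command -v "$tool" 2>/dev/null) &&
            printf '%s\t%s\n' "$tool" "$tool_path"
    done
    return 0
}

# Full report: resolved tools on stdout, missing ones on stderr.
# Returns 1 if at least one tool is missing, 0 otherwise.
check_lab_tools() {
    resolved_tools "$@"
    missing=$(missing_tools "$@")
    if [ -n "$missing" ]; then
        for tool in $missing; do
            printf 'MISSING\t%s\n' "$tool" >&2
        done
        return 1
    fi
    return 0
}

# $LAB_TOOLS is intentionally unquoted so that sh splits it into words.
check_lab_tools $LAB_TOOLS || echo "Some lab tools are not on PATH." >&2
```

Run it with `sh` rather than pasting it into zsh, which does not word-split the unquoted `$LAB_TOOLS`.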