ADFIR forensic dataset
NIAID Data Ecosystem, indexed 2026-05-10
Download link:
https://data.mendeley.com/datasets/65g9gm8zrd
Resource description:
An important aspect of digital forensics research is the ability to create datasets that meet specific requirements and reflect realistic scenarios. In general, there is no single dataset suitable for all research purposes in digital forensics, and researchers often face challenges related to dataset availability, documentation, and formal description of its construction. For our research, we aimed to develop a dataset representing real-world scenarios that may occur during security incidents, enabling the comparison of methods for analyzing digital evidence.
The dataset was created by Pavol Jozef Šafárik University in Košice (Slovakia) and IstroSec (Slovakia) within the project Automation of Digital Forensics and Incident Response (referred to as “ADFIR”), funded by the European Union – Next GenerationEU through the Recovery and Resilience Plan of the Slovak Republic under project No. 09-I05-03-V02-00079.
The dataset was primarily derived from CTF competition datasets and supplemented with realistically simulated attack data to enhance coverage and applicability. It consists of two complementary parts: (1) a dataset generated through simulation of various attacker techniques, collected in a controlled environment by IstroSec and processed using the Athena tool, and (2) a dataset created from disk images of devices (computers and laptops) obtained from CTF competitions and publicly available cases. Specifically, we used data from The Stolen Szechuan Sauce case from the DFIR Madness Portal, Magnet CTFs (2019, 2020, 2022), and the NIST Data Leakage Case. These datasets are widely used for training in digital forensics, incident response, and threat hunting.
The dataset includes tabular data (CSV files), a SQL database, and embedding data derived from multiple forensic artifacts of the Windows operating system, all based on the NTFS file system. Disk images include DC01 and Desktop Disk Image (E01) from The Stolen Szechuan Sauce, as well as Magnet CTF 2019 Windows Desktop, Magnet CTF 2022 Windows Laptop, and the NIST Data Leakage Case images. The simulated attack dataset provides a diverse set of attack techniques, whereas the CTF-based dataset captures realistic post-incident system states. Evaluated and processed outputs from forensic tools, along with embedded datasets, are included for data analysis and machine learning experiments.
Created:
2026-01-02



