I teach a digital forensics unit and required a simple solution to create multiple digital forensics training virtual machine datasets.
The following sample PowerShell script file is a ready-to-deploy example that can be run inside a Windows VM with Administrator privileges to automate most of the evidence setup for the forensic case.
What it can do:
create the case folders and files
plant suspicious project documents
create keyword-searchable evidence
generate browser-like artefacts as text notes
create ZIP archives
create a disguised file
create deleted artefacts
create timeline-separated actions
leave clear forensic traces in the file system and registry through normal program execution
It is designed to support a scenario built around:
keyword search
multimedia analysis
hidden/disguised files
deleted files
registry artefacts
Limitations:
A few things still need a manual step:
real USB registry artefacts: best created by actually attaching a USB device once
real Outlook PST evidence: this script creates realistic email-text evidence instead
real EXIF geotags/device tags: the script creates image placeholders; for richer EXIF, real photos need to be inserted afterward
true JPEG header overwrite in hex: the script renames and disguises a file. An optional section can be included to corrupt the header bytes for additional realism
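
The disguised-file and header-corruption items can be checked by the instructor before the VM is handed out. The following is an added example, not part of the script described above: it plants one renamed JPEG and one JPEG with a wiped header in a scratch folder, then compares each file's extension with its leading bytes. The folder name, file names, the `Get-HeaderType` helper and the sample bytes are all constructed for illustration.

```powershell
# Added example: plant two training artefacts, then confirm a signature check
# reports them the way a student's tooling should. All names are constructed.
$caseDir = Join-Path $env:TEMP 'DF_Case_Demo'            # hypothetical case folder
New-Item -ItemType Directory -Path $caseDir -Force | Out-Null

# Constructed minimal JPEG-like content: SOI + JFIF APP0 start, padding, EOI.
[byte[]]$jpeg = [byte[]](0xFF,0xD8,0xFF,0xE0,0x00,0x10,0x4A,0x46,0x49,0x46,0x00) +
                (New-Object byte[] 64) + [byte[]](0xFF,0xD9)

# Leading-byte signatures, keyed by the extension they normally carry.
$signatures = [ordered]@{
    jpg = 'FFD8FF'
    png = '89504E47'
    zip = '504B0304'
    pdf = '25504446'
}

function Get-HeaderType {
    param([string]$Path)
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $buf = New-Object byte[] 8
        $n   = $fs.Read($buf, 0, 8)
    } finally { $fs.Dispose() }
    $hex = [System.BitConverter]::ToString($buf, 0, $n) -replace '-', ''
    foreach ($k in $signatures.Keys) {
        if ($hex.StartsWith($signatures[$k])) { return $k }
    }
    return 'unknown'
}

# Artefact 1: JPEG content under a .txt name (rename-only disguise).
$disguised = Join-Path $caseDir 'budget_notes.txt'
[System.IO.File]::WriteAllBytes($disguised, $jpeg)

# Artefact 2: .jpg name with the first four header bytes zeroed.
$corrupt = Join-Path $caseDir 'site_photo.jpg'
$bad = [byte[]]$jpeg.Clone()
0..3 | ForEach-Object { $bad[$_] = 0x00 }
[System.IO.File]::WriteAllBytes($corrupt, $bad)

# Report extension against detected header type for every file in the folder.
Get-ChildItem $caseDir -File | ForEach-Object {
    $ext = $_.Extension.TrimStart('.').ToLower()
    $hdr = Get-HeaderType $_.FullName
    [pscustomobject]@{ Name = $_.Name; Extension = $ext; Header = $hdr; Mismatch = ($ext -ne $hdr) }
} | Format-Table -AutoSize
```

Both files should show a mismatch: the renamed file is identified as `jpg` from its header, while the corrupted one reports `unknown` and has to be repaired in a hex editor before it will open.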