DFB: The Digital Forensics Benchmark
The reference arena where forensic software, AI forensic agents and human examiners test their tools against advanced, reproducible cases. The hardest part of forensics is not finding evidence, it is recovering the truth without being deceived. DFB measures exactly that.
Soundness, not just recall
Planted false evidence is everywhere. A tool that reports it as real is penalized hard. We measure truth and deception-resistance together.
Stratified anti-forensics
From clean (AF-0) to multi-technique chained adversaries (AF-4): hidden volumes, timestomping, journal wiping, fileless memory, all in one case.
Cross-artifact correlation
A key in RAM unlocks a hidden volume on disk, referenced in a pcap, whose timestamp refutes a disk timestomp. Single-artifact tools collapse.
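The timestamp leg of that chain, as an added example (not DFB code or case data): it checks file-system creation times against the moment the same file hash was observed in a capture. The record layout, the direction field, the 5-minute skew tolerance and every sample value are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

SKEW = timedelta(minutes=5)  # assumed tolerance for clock drift between sources

def utc(s):
    """Parse an ISO timestamp and treat it as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

# Constructed sample records; hashes are shortened placeholders.
DISK = [  # file-system metadata: claimed creation time per file
    {"sha256": "aa11", "path": "C:/Users/x/tool.exe", "created": utc("2019-03-02T10:00:00")},
    {"sha256": "bb22", "path": "C:/Users/x/report.zip", "created": utc("2024-05-10T14:30:00")},
    {"sha256": "cc33", "path": "C:/Users/x/notes.txt", "created": utc("2024-05-10T09:00:00")},
]
PCAP = [  # objects carved from the capture, direction relative to the examined host
    {"sha256": "aa11", "direction": "inbound", "seen": utc("2024-05-10T13:58:12")},
    {"sha256": "bb22", "direction": "outbound", "seen": utc("2024-05-10T14:05:40")},
    {"sha256": "cc33", "direction": "outbound", "seen": utc("2024-05-10T15:00:00")},
]

def refuted_timestamps(disk, pcap, skew=SKEW):
    """Return (path, verdict, reason) for disk timestamps the capture disputes."""
    first_seen = {}
    for obs in sorted(pcap, key=lambda o: o["seen"]):
        first_seen.setdefault((obs["sha256"], obs["direction"]), obs["seen"])
    findings = []
    for f in disk:
        inbound = first_seen.get((f["sha256"], "inbound"))
        outbound = first_seen.get((f["sha256"], "outbound"))
        if outbound is not None and f["created"] > outbound + skew:
            # The file left the host before the disk says it existed: impossible.
            findings.append((f["path"], "contradicted", "left host before claimed creation"))
        elif inbound is not None and f["created"] < inbound - skew:
            # Possible backdating, but an older local copy could also explain it,
            # so this is reported as a lead rather than as a fact.
            findings.append((f["path"], "suspect", "claimed creation precedes first arrival"))
    return findings

if __name__ == "__main__":
    for path, verdict, reason in refuted_timestamps(DISK, PCAP):
        print(f"{verdict:12} {path}: {reason}")
```

The two verdicts are kept apart on purpose: only the outbound case is a hard contradiction, while the inbound case needs a second artifact before it is reported as timestomping.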
How it works
- Download the forensic artifact (disk/E01, RAM dump, pcap, logs, mobile extraction).
- Analyze with your own tool: EnCase, X-Ways, Axiom, Autopsy, Volatility, your AI agent, or your team.
- Submit your answers and structured report to the submission API.
- Score instantly: recall, soundness and anti-forensics resilience, then your leaderboard rank.
Categories
Disk & File System
Deleted/partial recovery, carving, $MFT, slack, VSS
Memory (RAM)
Hidden process (DKOM), fileless malware, keys in RAM
Anti-Forensics (AF-0..4)
Wiping, timestomp, hidden volumes, false trails
Cryptanalysis
Classic→hash→AES/RSA→encrypted disk→ransomware→JWT
Windows & AD Logs
Event logs, Kerberoast/Golden Ticket/DCSync traces
Photo / Image
EXIF, geolocation, manipulation, deepfake, PRNU, stego
Network (PCAP)
Exfil reconstruction, C2 detection, covert channels
Mobile (Android/iOS)
Deleted messages, app SQLite/WAL, location, keystore
Cloud & SaaS
M365 UAL, OAuth abuse, ephemeral compute