NTFS Autodetect Test #1

Digital Forensics Tool Testing Image (#10)



This test has four images. One is a disk image that contains two partitions and the partitions are also included as individual files. The fourth image is an additional partition image. The purpose of this test case is to test the file system detection routines of your analysis tools. A typical partition contains only one file system, but the layout of some file systems allows multiple file systems to exist in a single partition. Each of the partitions in this disk image contain two file systems. The first partition is formatted for NTFS and Ext2, the second is formatted for NTFS and UFS2, and the third is formatted for NTFS and UFS1. Both file systems are valid and can be mounted in their respective operating system. The test is whether your tool will warn you that there are two valid file systems or if it will show you only one and hide the other.


This test case has one 'raw' disk image and two 'raw' partition images. In total, the images are 275 MB, but they compress to under 1 MB. The MD5 of the disk image (which contains partitions 1 and 2) is 9225ff95b92311a28b2224e9dc324231, partition 1 is 6bd741152ccedd50e12623af5eeba803 and partition 2 is 0b768efb1011b047c9831c1e00d1706c. The MD5 of partition 3 is 5984253cad72d4950c15a9e679139daf. This images are released under the GPL, so anyone can use it.


This section describes the images in more detail. This form can be used to test your tool with these images.


Brian Carrier (carrier at cerias.purdue.edu) created the test cases and the test image. This test was released on January 18, 2005.


These tests are not a complete test suite. These were some of the first ones that I thought of and little formal theory was put into their design.

Passing these tests provides no guarantees about a tool. Always use additional test cases (and email them to me so we can all benefit!).

Copyright © 2005 by Brian Carrier
Email: carrier at users dot sf dot net
SourceForge Logo Last Updated: January 21, 2005