NTFS Keyword Search #1

Digital Forensics Tool Testing Image (#3)

http://dftt.sourceforge.net

Introduction

This test image is an NTFS file system with several ASCII strings. The goal of this test is less ambitious than the previous FAT keyword search test and only tests the unique features of NTFS. It only has 10 test cases and there will likely be another test image in the future that tests additional features of NTFS. The focus of this test is resident versus non-resident file content and multiple data attributes (or alternate data streams).

Download

This test image is a 'raw' partition image (i.e. 'dd') of an NTFS file system. The file system is 8MB and is compressed to 6MB. The MD5 of the image is 389e42124eb23c5053ff6596976d6710. This image is released under the GPL, so anyone can use it.

Search Terms

These should all be performed case sensitive and not as regular expressions.

NumStringSectorOffsetFileNote
1r-alloc134283$LogFileLog File Entry
 r-alloc5409347file-r-1.datResident allocated file
2r-unalloc135092$LogFileLog File Entry #1
 r-unalloc1915156$LogFileLog File Entry #2
 r-unalloc5423380file-r-2.dat (deleted)Resident unallocated file
3r-fads139143$LogFileLog File Entry
 r-fads5414331file-r-3.dat:hereResident alternate data stream in an allocated file
4r-dads1528258$LogFileLog File Entry
 r-dads5415346dir-r-4:thereResident alternate data stream in an allocated directory
5n-alloc8050161file-n-1.datNon-resident allocated file
6n-unalloc805386file-n-2.dat (deleted)Non-resident unallocated file
7n-frag8059509file-n-3.datCrosses fragmented clusters in a non-resident allocated file
8n-slack8062485file-n-4.datSlack space of a non-resident allocated file
9n-fads8067370file-n-5.dat:hereNon-resident alternate data stream in an allocated file
10n-dads8068314dir-n-6:thereNon-resident alternate data stream in an allocated directory

Author

Brian Carrier (carrier at cerias.purdue.edu) created the test cases and the test image. This test was released on October 27, 2003.

Disclaimers

Neither Purdue University or CERIAS sponsor this work.

These tests are not a complete test suite. These were the first ones that I thought of and no formal theory was put into their design.

Passing these tests provides no guarantees about a tool. Always use additional test cases (and email them to me so we can all benefit!).

SourceForge Logo


Brian Carrier [carrier AT cerias.purdue.edu] Last Updated: Oct 27, 2003