FAT Undelete Test #1

Digital Forensics Tool Testing Image (#6)

http://dftt.sourceforge.net

Introduction

This test image is a 6MB FAT file system with six deleted files and two deleted directories. The files range from single cluster files to multiple fragments. No data structures were modified in this process to thwart recovery. They were created in Windows XP, deleted in XP, and imaged in Linux.

Download

This test image is a 'raw' partition image (i.e. 'dd') of a FAT file system. The file system is 6MB and is compressed to 21KB (lots of zeros). The MD5 of the image is 4aeb06ecd361777242ab78735d51ace6. This image is released under the GPL, so anyone can use it.

Files

These are the files that should be recovered, their sizes, and their MD5 values. (Fill in the blank results form)

NumNameSizeMD5Note
1\sing.dat78059b20779f69ff9f0ac5fcd2c38835a79single cluster file
2\mult1.dat3801ffd27bd782bdce67750b6b9ee069d2efmultiple cluster, non-fragmented file
3\frag1.dat15847a3bc5b763bef201202108f4ba128149fragmented file
4\frag2.dat38730e80ab84ef0087e60dfc67b88a1cf13efragmented file with frag1.dat mixed in
5\dir1\1024N/Adirectory
6\dir1\mult2.dat171559cf0e9cd107bc1e75afb7374f6e05bbmultiple cluster, non-fragmented in deleted directory
7\dir1\dir2\1024N/Adirectory in deleted directory
8\dir1\dir2\frag3.dat202721121699487f3fbbdb9a4b3391b6d3e0fragmented file in deleted directories

NOTE: The image also has directories for System Volume Information and _restore..., which were not part of the test.

If a tool does not notice that the clusters in the fragmented files are not consecutive, then the following hashes are expected. These occur because the tool starts with the starting cluster (which still exists for the deleted file) and copies the number of bytes that correspond to the original size of the file (which also still exists for the deleted file).

NameIncorrect MD5
\frag1.datc4f3b9a0f17d464f4fc61b94ecf6cc21
\frag2.dat965370acfa85aa7e26ab04bbd45cdcae
\frag3.data7a14ac62f79fdea4056ed5e8bcf97ef

Although not every recovery tool was tested on the CFTT list, the ones that were tested did not recover the fragmented files.

Layout

Here is the actual layout of the image.

ClusterSectorsFile
1 88-89\frag1.dat (part 1 of 2)
290-91\frag2.dat (part 1 of 3)
3 92-93\frag1.dat (part 2 of 2)
4-594-97\frag2.dat (part 2 of 3)
6 98-99\sing.dat
7-10100-107\mult1.dat
11 108-109\frag2.dat (part 3 of 3)
12 110-111\dir1\
13116-117\dir1\dir2\
14118-119\dir1\dir2\frag3.dat (part 1 of 2)
15-16 120-123\dir1\mult2.dat
17124-125 \dir1\dir2\frag3.dat (part 2 of 2)

Author

Brian Carrier (carrier at cerias.purdue.edu) created the test cases and the test image. This test was released on February 14, 2004.

Disclaimers

Neither Purdue University or CERIAS sponsor this work.

These tests are not a complete test suite. These were the first ones that I thought of and no formal theory was put into their design.

Passing these tests provides no guarantees about a tool. Always use additional test cases (and email them to me so we can all benefit!).

SourceForge Logo


Brian Carrier [carrier AT cerias.purdue.edu] Last Updated: Feb 24, 2004