This test image is a FAT file system with several ASCII strings. The goal of this test is to identify which tools can find different types of strings. Therefore, not all strings shown in the table below will be found. If one of the below strings is not found by a tool, that does not mean that the tool has an error in it. For example, the '1slack1' string crosses between the end of a file and into the slack space of the file. Some tools will find this and others will not. As long as the functionality of the tool is properly documented, then it is up to the user to use his tools in the needed way to gather the possible evidence.
A full description of each search string can be found here.
Instructions and file templates for creating the image can be found here.
This test also includes several 'grep' regular expressions to test how the regular expression algorithms work.
This test image is a 'raw' partition image (i.e. 'dd') of a FAT file system. The file system is 25MB and is compressed to 380KB. The MD5 of the image is bac12239bd466fa6c86ceb0b0426da0a. This image is released under the GPL, so anyone can use it.
These should all be performed case sensitive and not as regular expressions.
| Num | String | Sector | Offset | File | Note |
|---|---|---|---|---|---|
| 1 | first | 271 | 167 | file1.dat | in file |
| 2 | SECOND | 272 | 288 | file2.dat | in file |
| SECOND | 239 | 480 | N/A | in dentry - file name | |
| 3 | 1cross1 | 271 | 508 | file1.dat and /file2.dat | crosses two allocated files |
| 4 | 2cross2 | 273 | 508 | file3.dat | crosses consecutive sectors in a file |
| 5 | 3cross3 | 283 | 508 | N/A | crosses in unalloc |
| 6 | 1slack1 | 272 | 396 | file2.dat and file2.dat slack | crosses a file into slack |
| 7 | 2slack2 | 274 | 508 | file3.dat slack and file4.dat | crosses slack into a file |
| 8 | 3slack3 | 277 | 385 | file4.dat slack | in slack |
| 9 | 1fragment1 | 275 | 507 | file4.dat | crosses fragmented sectors |
| 10 | 2fragment sentence2 | 278 | 502 | file6.dat | crosses fragmented sectors on ' ' |
| 11 | deleted | 276 | 230 | file5.dat (deleted) | deleted file |
| 12 | a?b\c*d$e#f[g^ | 279 | 160 | file7.dat | regexp values |
The following are case insensitive.
| Num | String | Description |
|---|---|---|
| 13 | FirST | should find 'first' |
The following are case sensitive and regular expressions.
| Num | String | Description |
|---|---|---|
| 14 | f[[:alpha:]]rst | should find 'first' |
| 15 | f[a-z]r[0-9]?s[[:space:]]*t | should find 'first' |
| 16 | d[a-z]l.?t.?d | should find 'deleted' |
| 17 | [r-t][[:space:]]?[j-m][[:space:]]?[a-c]{2,2}[[:space:]]?[j-m] | should find '1slack1', '2slack2', '3slack' |
| 18 | [1572943][[:space:]]?fr.{2,3}ent[[:space:]]? | should find '1fragment', '2fragment' |
| 19 | a\??[a-c]\\*[a-c]\** | should find a?b\c* |
| 20 | [[:alpha:]]\??x?y?Q?[a-c]\\*u*[a-c]\**d\$[0-9]*e# | should find a?b\c*d$e# |
Neither Purdue University or CERIAS sponsor this work.
These tests are not a complete test suite. These were the first ones that I thought of and no formal theory was put into their design.
Passing these tests provides no guarantees about a tool. Always use additional test cases (and email them to me so we can all benefit!).
| Brian Carrier [carrier AT cerias.purdue.edu] | Last Updated: Aug 29, 2003 |