FAT Keyword Search

Digital Forensics Tool Testing Image (#2)

http://dftt.sourceforge.net

Introduction

This test image is a FAT file system with several ASCII strings. The goal of this test is to identify which tools can find different types of strings. Therefore, not all strings shown in the table below will be found. If one of the below strings is not found by a tool, that does not mean that the tool has an error in it. For example, the '1slack1' string crosses between the end of a file and into the slack space of the file. Some tools will find this and others will not. As long as the functionality of the tool is properly documented, then it is up to the user to use his tools in the needed way to gather the possible evidence.

A full description of each search string can be found here.

Instructions and file templates for creating the image can be found here.

This test also includes several 'grep' regular expressions to test how the regular expression algorithms work.

Download

This test image is a 'raw' partition image (i.e. 'dd') of a FAT file system. The file system is 25MB and is compressed to 380KB. The MD5 of the image is bac12239bd466fa6c86ceb0b0426da0a. This image is released under the GPL, so anyone can use it.

Standard Terms

These searches should all be performed case-sensitively and as literal strings, not as regular expressions.

Num  String               Sector  Offset  File                           Note
1    first                271     167     file1.dat                      in file
2    SECOND               272     288     file2.dat                      in file
     SECOND               239     480     N/A                            in dentry - file name
3    1cross1              271     508     file1.dat and /file2.dat       crosses two allocated files
4    2cross2              273     508     file3.dat                      crosses consecutive sectors in a file
5    3cross3              283     508     N/A                            crosses in unalloc
6    1slack1              272     396     file2.dat and file2.dat slack  crosses a file into slack
7    2slack2              274     508     file3.dat slack and file4.dat  crosses slack into a file
8    3slack3              277     385     file4.dat slack                in slack
9    1fragment1           275     507     file4.dat                      crosses fragmented sectors
10   2fragment sentence2  278     502     file6.dat                      crosses fragmented sectors on ' '
11   deleted              276     230     file5.dat (deleted)            deleted file
12   a?b\c*d$e#f[g^       279     160     file7.dat                      regexp values

Variations

The following are case insensitive.
Num  String   Description
13   FirST    should find 'first'

The following are case sensitive and regular expressions.
Num  String                                                  Description
14   f[[:alpha:]]rst                                         should find 'first'
15   f[a-z]r[0-9]?s[[:space:]]*t                             should find 'first'
16   d[a-z]l.?t.?d                                           should find 'deleted'
17   [r-t][[:space:]]?[j-m][[:space:]]?[a-c]{2,2}[[:space:]]?[j-m]   should find '1slack1', '2slack2', '3slack'
18   [1572943][[:space:]]?fr.{2,3}ent[[:space:]]?            should find '1fragment', '2fragment'
19   a\??[a-c]\\*[a-c]\**                                    should find a?b\c*
20   [[:alpha:]]\??x?y?Q?[a-c]\\*u*[a-c]\**d\$[0-9]*e#       should find a?b\c*d$e#
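The following is an added example, not part of the DFTT page or its image: it shows why a keyword search tool that examines each 512-byte sector on its own misses strings such as '1cross1' that straddle a sector boundary, while a search over the whole image reports the same sector/offset pairs as the table above. The image is constructed here with a few of the table's placements, and the POSIX classes in tests 15 and 19 are rewritten in Python's regex syntax.

```python
import re

SECTOR = 512  # FAT sector size assumed for the constructed image


def build_image(placements, sectors=300):
    """Construct a zero-filled raw image with strings at (sector, offset)."""
    buf = bytearray(sectors * SECTOR)
    for sector, offset, text in placements:
        start = sector * SECTOR + offset
        buf[start:start + len(text)] = text.encode()
    return bytes(buf)


def search_whole(image, pattern, ignore_case=False):
    """Search the image as one byte string; hits are (sector, offset)."""
    flags = re.IGNORECASE if ignore_case else 0
    return [(m.start() // SECTOR, m.start() % SECTOR)
            for m in re.finditer(pattern, image, flags)]


def search_by_sector(image, pattern, ignore_case=False):
    """Search each sector independently, as a naive tool might do.

    A hit that starts near the end of one sector and ends in the next is
    never seen, because no single chunk contains the whole string."""
    flags = re.IGNORECASE if ignore_case else 0
    hits = []
    for n in range(len(image) // SECTOR):
        chunk = image[n * SECTOR:(n + 1) * SECTOR]
        hits += [(n, m.start()) for m in re.finditer(pattern, chunk, flags)]
    return hits


# Constructed placements mirroring rows 1, 3 and 12 of the table above.
# '1cross1' at sector 271 offset 508 spills its last three bytes into
# sector 272, exactly the situation the table calls "crosses".
IMAGE = build_image([
    (271, 167, "first"),
    (271, 508, "1cross1"),
    (279, 160, "a?b\\c*d$e#f[g^"),
])

if __name__ == "__main__":
    print(search_whole(IMAGE, b"1cross1"))              # [(271, 508)]
    print(search_by_sector(IMAGE, b"1cross1"))          # []
    print(search_whole(IMAGE, b"FirST", True))          # [(271, 167)]
    print(search_whole(IMAGE, rb"f[a-z]r[0-9]?s\s*t"))  # [(271, 167)]
    print(search_whole(IMAGE, rb"a\??[a-c]\\*[a-c]\**"))  # [(279, 160)]
```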

Author

Brian Carrier (carrier <at> digital-evidence <dot> org) created the test cases and the test image. The idea was proposed by Troy Larson. This test was released on August 26, 2003.

Disclaimers

Neither Purdue University nor CERIAS sponsors this work.

These tests are not a complete test suite. These were the first ones that I thought of and no formal theory was put into their design.

Passing these tests provides no guarantees about a tool. Always use additional test cases (and email them to me so we can all benefit!).

Brian Carrier [carrier <at> digital-evidence <dot> org] Last Updated: Aug 29, 2003