Instructions for Making the FAT Keyword Search Image

Digital Forensics Tool Testing Image

http://dftt.sourceforge.net

Brian Carrier

Introduction

This document explains how the keyword search FAT image was made. This image was created in Linux, but a similar image could be made in Windows using other tools. The files in the image were created before the image was created and they can be found in 2-kwsrch-fat-files.zip. This process can be used again to create images with different file systems. If you create other file system images, send me a link to them so I can reference them from the main testing page.

Process

  1. Create a 15MB image with random values:

    # dd if=/dev/random of=fat-img.dd bs=1m count=15

  2. Format it as FAT with 1 sector per cluster:

    # mkdosfs -s 1 fat-img.dd

  3. Mount the image in loopback:

    # mount -o loop fat-img.dd /mnt

  4. Copy file1.dat to /mnt (sector 271)
  5. Copy file2.dat to /mnt (sector 272)
  6. Copy file3.dat to /mnt (sectors 273 & 274)
  7. Copy temp.dat as /mnt/file4.dat (sector 275)
  8. Copy file5.dat to /mnt (sector 276)
  9. Open /mnt/file4.dat in a hexeditor to manually extend it and make it fragmented. (sectors 275 & 277)
    • start file (sector 275, offset 0) with 'ck2'
    • end first sector (sector 275, offset 507) with '1frag'
    • start next sector (sector 277, offset 0) with 'ment1'
    • enter random values after 'ment1' to extend the file further.
  10. Copy temp.dat as /mnt/file6.dat (sector 278)
  11. Copy file7.dat to /mnt (sector 279)
  12. Open /mnt/file6.dat in a hexeditor to manually extend it and make it fragmented. (sectors 278 and 280)
    • end the first sector (sector 278, offset 502) with '2fragment ' (note the space)
    • begin the second sector (sector 280, offset 0) with 'sentence2'
    • enter random values after 'sentence2' to extend the file further.
  13. Copy second to /mnt (sector 281)
  14. Delete /mnt/file5.dat (sector 276)
  15. Unmount the image:

    # umount /mnt/

  16. Use 'fls' and 'istat' from The Sleuth Kit to identify the sectors that the following files have allocated:
    • file2.dat (272)
    • file3.dat (273, 274)
    • file4.dat (275, 277)
    • second (281)
  17. Open the entire image in a hexeditor to add slack space strings.
  18. Add 'ck1' to byte offset 400 of the sector that file2.dat allocated (272).
  19. Add '2sla' to the final 4 bytes of the last sector that file3.dat allocated (274).
  20. Add '3slack3' to anywhere after 288 bytes of the last sector for file4.dat (sector 277). (the file has a total size of 800 bytes)
  21. Add '3cross3' so that it crosses any two sectors after the sector that 'second' allocated (281)
    • Add '3cro' to sector 283, offset 508
    • Add 'ss3' to sector 284, offset 0
  22. Optional: The entire image is currently random values and therefore will not compress. To make it more portable, find a big area of the image that is not being used and wipe it with zeros.
  23. Test it.
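
The following script is an added example for the "Test it" step; it is not part of the DFTT page or tool set. It builds a constructed stand-in for the image (a plain byte buffer with the strings placed at the sector offsets listed above, not a real FAT file system) and then runs three kinds of keyword search over it: sector-at-a-time, raw whole-image, and a file-system-aware view that reassembles file4.dat from its two allocated sectors. The offset 300 used for '3slack3' is an assumed choice within the "anywhere after 288 bytes" range; file6.dat is not reassembled because the instructions do not give its final size.

```python
import random

SECTOR = 512  # the image was formatted with 1 sector per cluster

# Keyword placements taken from the build instructions above:
# (sector, byte offset within that sector, bytes written there).
PLACEMENTS = [
    (272, 400, b"ck1"),         # slack of file2.dat
    (274, 508, b"2sla"),        # final 4 bytes of file3.dat's last sector
    (275, 0,   b"ck2"),         # start of file4.dat
    (275, 507, b"1frag"),       # end of file4.dat's first sector
    (277, 0,   b"ment1"),       # start of file4.dat's second, non-adjacent sector
    (277, 300, b"3slack3"),     # slack after the 288 data bytes (offset 300 is an assumed choice)
    (278, 502, b"2fragment "),  # end of file6.dat's first sector
    (280, 0,   b"sentence2"),   # start of file6.dat's second sector
    (283, 508, b"3cro"),        # first half of the string crossing 283/284
    (284, 0,   b"ss3"),         # second half, at the start of sector 284
]


def build_image(sectors=300, seed=1):
    """Constructed stand-in for the image: filler plus the documented strings.
    Filler bytes are all >= 0x80, so they can never spell an ASCII keyword."""
    rng = random.Random(seed)
    buf = bytearray(rng.randrange(0x80, 0x100) for _ in range(sectors * SECTOR))
    for sec, off, data in PLACEMENTS:
        assert off + len(data) <= SECTOR, "a placement must not spill past its sector"
        start = sec * SECTOR + off
        buf[start:start + len(data)] = data
    return bytes(buf)


def search_by_sector(image, keyword):
    """Sector-at-a-time search, as a tool reading the image in fixed blocks
    might do it. Returns [(sector, offset), ...]; a keyword that straddles a
    sector boundary is never seen."""
    hits = []
    for sec in range(len(image) // SECTOR):
        chunk = image[sec * SECTOR:(sec + 1) * SECTOR]
        off = chunk.find(keyword)
        while off != -1:
            hits.append((sec, off))
            off = chunk.find(keyword, off + 1)
    return hits


def search_raw(image, keyword):
    """Search the whole image as one buffer and report each hit as
    (sector, offset) so it can be compared with fls/istat output."""
    hits = []
    pos = image.find(keyword)
    while pos != -1:
        hits.append(divmod(pos, SECTOR))
        pos = image.find(keyword, pos + 1)
    return hits


def file4_logical(image):
    """Reassemble file4.dat (sector 275, then the first 288 bytes of sector
    277; 800 bytes in total) the way a file-system-aware tool would, so the
    keyword split across its two fragments becomes contiguous."""
    first = image[275 * SECTOR:276 * SECTOR]
    second = image[277 * SECTOR:277 * SECTOR + (800 - SECTOR)]
    return first + second


if __name__ == "__main__":
    img = build_image()
    for kw in (b"ck1", b"2sla", b"3slack3", b"3cross3",
               b"1fragment1", b"2fragment sentence2"):
        print(kw, "by-sector:", search_by_sector(img, kw),
              "raw:", search_raw(img, kw))
    print(b"1fragment1", "in logical file4.dat at offset",
          file4_logical(img).find(b"1fragment1"))
```

Run against the constructed buffer, the sector-at-a-time search misses '3cross3' entirely, the raw search finds it at sector 283 offset 508 but cannot find '1fragment1' or '2fragment sentence2' because their halves sit in non-adjacent sectors, and only the reassembled file4.dat contains '1fragment1' (at logical offset 507). Those three outcomes are exactly what this image is built to distinguish between tools.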



Brian Carrier [carrier <at> digital-evidence <dot> org] Last Updated: Aug 29, 2003