This test image is a 6MB FAT file system with six deleted files and two deleted directories. The files range from single cluster files to multiple fragments. No data structures were modified in this process to thwart recovery. They were created in Windows XP, deleted in XP, and imaged in Linux.
This test image is a 'raw' partition image (i.e. 'dd') of a FAT file system. The file system is 6MB and is compressed to 21KB (lots of zeros). The MD5 of the image is 4aeb06ecd361777242ab78735d51ace6. This image is released under the GPL, so anyone can use it.
These are the files that should be recovered, their sizes, and their MD5 values. (Fill in the blank results form)
|1||\sing.dat||780||59b20779f69ff9f0ac5fcd2c38835a79||single cluster file|
|2||\mult1.dat||3801||ffd27bd782bdce67750b6b9ee069d2ef||multiple cluster, non-fragmented file|
|4||\frag2.dat||3873||0e80ab84ef0087e60dfc67b88a1cf13e||fragmented file with frag1.dat mixed in|
|6||\dir1\mult2.dat||1715||59cf0e9cd107bc1e75afb7374f6e05bb||multiple cluster, non-fragmented in deleted directory|
|7||\dir1\dir2\||1024||N/A||directory in deleted directory|
|8||\dir1\dir2\frag3.dat||2027||21121699487f3fbbdb9a4b3391b6d3e0||fragmented file in deleted directories|
NOTE: The image also has directories for System Volume Information and _restore..., which were not part of the test.
If a tool does not notice that the clusters in the fragmented files are not consecutive, then the following hashes are expected. These occur because the tool starts with the starting cluster (which still exists for the deleted file) and copies the number of bytes that correspond to the original size of the file (which also still exists for the deleted file).
Although not every recovery tool was tested on the CFTT list, the ones that were tested did not recover the fragmented files.
Here is the actual layout of the image.
|1||88-89||\frag1.dat (part 1 of 2)|
|2||90-91||\frag2.dat (part 1 of 3)|
|3||92-93||\frag1.dat (part 2 of 2)|
|4-5||94-97||\frag2.dat (part 2 of 3)|
|11||108-109||\frag2.dat (part 3 of 3)|
|14||118-119||\dir1\dir2\frag3.dat (part 1 of 2)|
|17||124-125||\dir1\dir2\frag3.dat (part 2 of 2)|
Neither Purdue University or CERIAS sponsor this work.
These tests are not a complete test suite. These were the first ones that I thought of and no formal theory was put into their design.
Passing these tests provides no guarantees about a tool. Always use additional test cases (and email them to me so we can all benefit!).
|Brian Carrier [carrier <at> digital-evidence <dot> org]||Last Updated: Feb 24, 2004|