Digital Forensics Tool Testing Image (#8)


This test image is an NTFS file system with 10 JPEG pictures in it. The pictures include files with incorrect extensions, pictures embedded in zip and Word files, and alternate data streams. The goal of this test image is to test the capabilities of automated tools that search for JPEG images.


This test image is a 'raw' partition image (i.e. 'dd') of an NTFS file system. The file system is 10 MB and is compressed to 2 MB. The MD5 of the image is 9bdb9c76b80e90d155806a1fc7846db5. This image is released under the GPL, so anyone can use it.


These are the files that may be found, their MD5 hashes, and a note about their function in the test. (Fill in the blank results form)

1 alloc\file1.jpg 75b8d00568815a36c3809b46fc84ba6d A JPEG file with a JPEG extension
2 alloc\file2.dat de5d83153339931371719f4e5c924eba A JPEG file with a non-JPEG extension
3 invalid\file3.jpg 1ba4e91591f0541eda255ee26f7533bc A random file with a JPEG extension
4 invalid\file4.jpg c8de721102617158e8492121bdad3711 A random file with 0xffd8 as the first two bytes (the JPEG header signature). There is no JPEG footer or other header data.
5 invalid\file5.rtf 86f14fc525648c39d878829f288c0543 A random file with the 0xffd8 signature value in several locations inside of the file.
6 del1\file6.jpg - MFT Entry #32 afd55222024a4e22f7f5a3a665320763 A deleted JPEG file with a JPEG extension.
7 del2\file7.hmm - MFT Entry #31 0c452c5800fcfa7c66027ae89c4f068a A deleted JPEG file with a non-JPEG extension.
8 archive\ d41b56e0a9f84eb2825e73c24cedd963 A ZIP file with a ZIP extension and a JPEG picture named file8.jpg inside of it.
  file8.jpg f9956284a89156ef6967b49eced9d1b1 A JPEG file that is inside of a ZIP file with a ZIP extension.
9 archive\ 73c3029066aee9416a5aeb98a5c55321 A ZIP file with a non-ZIP extension and a JPEG picture named file9.jpg inside of it.
  file9.jpg c5a6917669c77d20f30ecb39d389eb7d A JPEG file that is inside of a ZIP file with a non-ZIP extension.
10 archive\file10.tar.gz d4f8cf643141f0c2911c539750e18ef2 A gzipped tar file that contains a JPEG picture named file10.jpg.
  file10.jpg c476a66ccdc2796b4f6f8e27273dd788 A JPEG file that is inside of a gzipped tar file.
11 misc\file11.dat f407ab92da959c7ab03292cfe596a99d A file with 1572 bytes of random data and then a JPEG picture. This was created using the '+' option in the Windows copy.exe tool.
12 misc\file12.doc 61c0b55639e52d1ce82aba834ada2bab A Word document with the JPEG picture inside of it.
13 misc\file13.dll:here 9b787e63e3b64562730c5aecaab1e1f8 A JPEG file in an ADS.

Tests 8, 9, 10, 11, and 12 may not be included in the expected behavior of an application. The documentation of the tool should identify if embedded pictures will be found.
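
An added example, not part of the original page or of any tool it tests: a content-based check for the raw-data cases in the table (tests 1 to 5 and 11), showing why the 0xffd8 signature alone is not enough. It validates marker layout only; the function names are illustrative and the sample bytes are constructed, not taken from the test image.

```python
import struct

SOI, EOI, SOS = b"\xff\xd8", b"\xff\xd9", 0xDA

def jpeg_end(data, start):
    """Offset just past the footer if a structurally plausible JPEG begins
    at `start`, else None. Checks marker layout only, never decodes pixels."""
    if data[start:start + 2] != SOI:
        return None
    pos = start + 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:                 # every header segment starts 0xFF
            return None
        marker = data[pos + 1]
        (seglen,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if seglen < 2:                        # length field counts itself
            return None
        pos += 2 + seglen
        if marker == SOS:                     # scan data follows; find the footer
            end = data.find(EOI, pos)
            return end + 2 if end != -1 else None
    return None

def find_jpegs(data):
    """(start, end) offsets of every structurally valid JPEG inside `data`."""
    hits, pos = [], data.find(SOI)
    while pos != -1:
        end = jpeg_end(data, pos)
        if end:
            hits.append((pos, end))
        pos = data.find(SOI, end if end else pos + 1)
    return hits

def classify(name, data):
    """Verdict from content first; the extension only annotates the result."""
    hits = find_jpegs(data)
    has_ext = name.lower().endswith((".jpg", ".jpeg"))
    if not hits:
        return "not a JPEG (extension is wrong)" if has_ext else "not a JPEG"
    if hits[0][0] == 0:
        return "JPEG" if has_ext else "JPEG (extension mismatch)"
    return f"embedded JPEG at offset {hits[0][0]}"

# Constructed sample: marker-level skeleton of a JPEG, not a decodable picture.
SAMPLE = (SOI + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + bytes(9)
          + b"\xff\xda" + struct.pack(">H", 8) + bytes(6) + b"\x12\x34\x56" + EOI)

if __name__ == "__main__":
    print(classify("invalid\\file4.jpg", SOI + b"\x13\x37" * 100))
    print(classify("misc\\file11.dat", b"\xa5" * 1572 + SAMPLE))
```

Deleted files, archives, Word documents and alternate data streams (tests 6 to 10, 12 and 13) need file system or container parsing before a check like this can be applied to their content.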


Brian Carrier (carrier <at> digital-evidence <dot> org) created the test cases and the test image. This test was released on June 10, 2004.


These tests are not a complete test suite. These were some of the first ones that I thought of and little formal theory was put into their design.

Passing these tests provides no guarantees about a tool. Always use additional test cases (and email them to me so we can all benefit!).

