This test image is an NTFS file system with 10 JPEG pictures in it. The pictures include files with incorrect extensions, pictures embedded in zip and Word files, and alternate data streams. The goal of this test image is to test the capabilities of automated tools that search for JPEG images.
This test image is a 'raw' partition image (i.e. 'dd') of a NTFS file system. The file system is 10MB and is compressed to 2 MB. The MD5 of the image is 9bdb9c76b80e90d155806a1fc7846db5. This image is released under the GPL, so anyone can use it.
These are the files that may be found, their MD5 hashes, and a note about their function in the test. (Fill in the blank results form)
|1||alloc\file1.jpg||75b8d00568815a36c3809b46fc84ba6d||A JPEG file with a JPEG extension|
|2||alloc\file2.dat||de5d83153339931371719f4e5c924eba||A JPEG file with a non-JPEG extension|
|3||invalid\file3.jpg||1ba4e91591f0541eda255ee26f7533bc||A random file with a JPEG extension|
|4||invalid\file4.jpg||c8de721102617158e8492121bdad3711||A random file with 0xffd8 as the first two bytes (the JPEG header signature). There is no JPEG footer or other header data.|
|5||invalid\file5.rtf||86f14fc525648c39d878829f288c0543||A random file with the 0xffd8 signature value in several locations inside of the file.|
|6||del1\file6.jpg - MFT Entry #32||afd55222024a4e22f7f5a3a665320763||A deleted JPEG file with a JPEG extension.|
|7||del2\file7.hmm - MFT Entry #31||0c452c5800fcfa7c66027ae89c4f068a||A deleted JPEG file with a non-JPEG extension.|
|8||archive\file8.zip||d41b56e0a9f84eb2825e73c24cedd963||A ZIP file with a ZIP extension and a JPEG picture named file8.jpg inside of it.|
|file8.jpg||f9956284a89156ef6967b49eced9d1b1||A JPEG file that is inside of a ZIP file with a ZIP extension.|
|9||archive\file9.boo||73c3029066aee9416a5aeb98a5c55321||A ZIP file with a non-ZIP extension and a JPEG picture named file9.jpg inside of it.|
|file9.jpg||c5a6917669c77d20f30ecb39d389eb7d||A JPEG file that is inside of a ZIP file with a non-ZIP extension.|
|10||archive\file10.tar.gz||d4f8cf643141f0c2911c539750e18ef2||A gzipped tar file that contains a JPEG picture named file10.jpg .|
| ||file10.jpg||c476a66ccdc2796b4f6f8e27273dd788||A JPEG file that is inside of a gzipped tar file.|
|11||misc\file11.dat||f407ab92da959c7ab03292cfe596a99d||A file with 1572 bytes of random data and then a JPEG picture. This was created using the '+' option in the Windows copy.exe tool.|
|12||misc\file12.doc||61c0b55639e52d1ce82aba834ada2bab||A Word document with the JPEG picture inside of it.|
|13||misc\file13.dll:here||9b787e63e3b64562730c5aecaab1e1f8||A JPEG file in an ADS.|
Tests 8, 9, 10, 11, and 12 may not be included in the expected behavior of an application. The documentation of the tool should identify if embedded pictures will be found.
These tests are not a complete test suite. These were some of the first ones that I thought of and little formal theory was put into their design.
Passing these tests provides no guarantees about a tool. Always use additional test cases (and email them to me so we can all benefit!).
Copyright © 2004 by Brian Carrier
Email: carrier <at> digital-evidence <dot> org
|Last Updated: June 10, 2004|