This test image is an EXT3FS file system with several ASCII strings. There are only 4 strings to search for, so this one is quite simple and short. It only tests the basic features of EXT3FS.
This test image is a 'raw' partition image (i.e. 'dd') of an EXT3FS file system. The file system is 5MB and is compressed to 4MB. The MD5 of the image is 30e7f792cc853e34e17335b243605d3a. This image is released under the GPL, so anyone can use it.
These should all be performed case sensitive and not as regular expressions. Results Form
| Num | String | Sector - Offset | Fragment - Offset | File | Note |
|---|---|---|---|---|---|
| 1 | first | 330 - 100 | 165 - 100 | /, /., /.., /lost+found/.. | File Name |
| first | 392 - 100 | 196 - 100 | inode #8 | Journal entry | |
| first | 432 - 100 | 216 - 100 | inode #8 | Journal entry | |
| first | 2416 - 181 | 1208 - 181 | /file1 | Allocated file | |
| 2 | second | 2419 - 509 | 1209 - 1021 | /file2 | Fragmented String |
| 3 | third | 2420 - 80 | 1210 - 80 | /file3 (deleted) | Unallocated file |
| 4 | slacker | 2417 - 179 | 1208 - 691 | /file1 | Slack space of file1 |
Neither Purdue University or CERIAS sponsor this work.
These tests are not a complete test suite. These were the first ones that I thought of and no formal theory was put into their design.
Passing these tests provides no guarantees about a tool. Always use additional test cases (and email them to me so we can all benefit!).
| Brian Carrier [carrier <at> digital-evidence <dot> org] | Last Updated: Nov 23, 2003 |