File Carving based Digital Forensic Tools Testing Data Sets (Contiguous + Fragmented Files)

Published: 24 August 2021| Version 1 | DOI: 10.17632/gsr59k2rmb.1
Contributors:
,
,

Description

This test image is a NTFS file system and is intended to test data carving tools and their ability to extract various file formats. The image contains several allocated and deleted files that are all stored mixed contiguous and fragmented formats within its allocated space. The reson for fragmented files as a part of the database is that the file retrival capabaility of the tools in such cases also need to be tested and published. All files are random files that that were in my possession or that I created from scratch. This image was created from a NAND USB thumb-drive that was wiped and formatted using the Forensic Toolkit FTK Imager with the file extension of AD1. The image has been eliminated with its meta data so that it cannot be mounted and therefore data carving methods must be used to extract the files. This test image is a 'raw' image (i.e. 'dd') of a NTFS file system. The file system is 2 GB. The MD5, SHA, file types, name of every file and all other details of the image are clearly mentioned in the .csv and .txt files attached to this data set. One can run the image against any data carving based tool and thus can cross check the obtained values with that of our image.

Files