CFTT String Search Tool Testing

CFTT is developing a test data set for testing forensic string searching. This page links to a test image (dd style, about 2GB), documentation describing the test image and search strings for the tests.

In general, the test image has 4 partitions: FAT, ExFAT, NTFS and unallocated space. Each partition is populated with files generated from a set of strings. For each string, the generated files follow the naming convention as follows:

The letter "a" or "z"
The target string. Blank spaces are replaced with an underscore "_".
The file system type: "fat", "exfat", or "ntfs"
Character encoding: "ascii", "utf-8", "utf-16-be", or "utf-16-le"
.txt

The parts are separated with hyphens "-".

The unallocated space is all the files concatenated together into a single chunk.

Some strings are used to generate ASCII files only, some files are used to generate UNICODE only and some generate all four encodings.

Exact locations of each search string can be found in tab-context-dump.txt and a hex dump of data surrounding the target string is in context-dump.txt.

Test Cases

These are the test cases, search string and search option settings.

FT-SS-01 Search ASCII
Strings:
    DireWolf
Options:
    Case:Match Case
    ASCII:True
    Unicode:False
    Whole Words:False

FT-SS-02 Search Ignore Case
Strings:
    wolf
Options:
    Case:Ignore Case
    ASCII:True
    Unicode:True
    Whole Words:False

FT-SS-03 Search for Words
Strings:
    wolf
Options:
    Case:Ignore Case
    ASCII:True
    Unicode:False
    Whole Words:True

FT-SS-04 Search Logical AND
Strings:
    wolf and fox
Options:
    Logical:True
    ASCII:True
    Whole Words:False
    Case:Match Case

FT-SS-05 Search Logical OR
Strings:
    Were or Dire
Options:
    Logical:True
    Case:Match Case

FT-SS-06 Search Logical NOT
Strings:
    fox and not Tiger
Options:
    Logical:True
    Case:Ignore Case

FT-SS-07-CJK Search Unicode CJK (Asian)
Strings:
    中國
    東京
    서울
    スバル
    みつびし
Options:
    Unicode:True

FT-SS-07-Cyrillic Search Unicode Cyrillic (Russian)
Strings:
    Сибирь
Options:
    Unicode:True

FT-SS-07-Latin Search Unicode Latin (Spanish, French & German)
Strings:
    cañón
    garçon
    Schönheit
Options:
    Unicode:True

FT-SS-07-RTL Search Unicode RTL (Arabic)
Strings:
    الكسكس
Options:
    Unicode:True

FT-SS-08-email Search Tool-defined Queries: Email Address
Strings:
    tool defined
Options:
    Email Address:True

FT-SS-08-phone Search Tool-defined Queries: Telephone Number
Strings:
    tool defined
Options:
    Telephone Number:True

FT-SS-08-ss Search Tool-defined Queries: Social Security
Strings:
    tool defined
Options:
    Social Security:True

FT-SS-09-partition Search Restricted to Single Partition
Strings:
    bear
Options:
    Search Partition:Partition 1 (FAT)

FT-SS-10-hex Search Pattern Hex Escape
Strings:
    thunder\x0a
Options:
    Search Regular Expression:True

FT-SS-10-regex Search Pattern Character Match
Strings:
    [DW]..eWolf
Options:
    Search Regular Expression:True

Expected Results

Expected results for each case are here.