DCFL CONTROL STANDARD v1.0

The files contained in this archive can be used as a control to test the accuracy and effectiveness of forensic tools such as Encase, FTK, Ilook, etc.  If you have any suggestions or comments please email control@dc3.mil

The archive should contain 2 files in addition to this text file:
1)  control.dd  MD5:  58C8B1B9983051E132C694B4203F8D8D
2)  1bitoff.dd  MD5:  789D375C34F26008B83F7A4B12C823A8

Both files are identical except for a bit-swap near the end of the file at offset 07D81FF0.
control.dd h07D872A0=000000000000000083A0B3C9000055AA
1bitoff.dd h07D872A0=000000000000000083A0B3C9000155AA


The following artifacts are present in the images (hex offset given):

a. The control image should have the string "DCFL C0NTR0L" in 3 places:
0114AC80
03A24DA0
03EC6010

The files should not contain the string "MECFL C0NTR0L"

b.  The following non-system files should be present on the logical level of the disk:

039C8A00  Scientific control.mp3    MD5:   e73a608dfb422a206ce7a62deb90ff9b
029D4A00  Export_me.JPG    MD5:   c0c3892606849fd76a8534ef80956705

c.  The following deleted files should be present:
03EC5E00  deleted.JPG    MD5:   bce5a9c171ab1dfd6a2786e1917bc0ab
039CEE00  MVC-577V.MPG    MD5:   af3f26039fc2e13ff3055021ffe69833

d.  Once extracted, deleted.JPG should show a blue background with the text "CURSES, FOILED AGAIN!"

e.  Once extracted, MVC-577V.MPG should be a 15 second movie file.

f.  Scientific control.MP3 is actually a MS Word document.  

g.  A signature carve should find JPG image files but not zip archive files

h.  There is a jpg in unallocated beginning at offset: 074223E0