Forensic Images for File Carving

Overview

This page contains links to dd images for the use of testing software applications with file carving capabilities. File carving is the practice of extracting files based on content, rather than on metadata. Extracting files from unallocated blocks is accomplished by identifying unique headers and footers associated with a specific file type.

Image Creation

For each image created there are six different levels, where each level represents a different scenario of fragmentation.

Non fragmented files
Sequential fragmentation
Non sequential fragmentation
Missing fragments
Nested files
Braided files

Five different file types were used to create the images.

Graphics
Documents
Archives
Audio
Video

Image Layouts

A link to the un-fragmented files used to populate the thumb drive is provided below. This provides a comparison to determine how well a tool performs carving on different file types for each level of fragmentation.

Original Files

Test Images

A total of 30 images were created. Each image contained no more than 10 files of a specific type. The files contained within an image are documented as such: file size, start sector, end sector.
The naming convention for the images is LEVEL_Filetype.dd.

Downloading the Test Images

The images are compressed with bzip2. To uncompress an image, run the bunzip2 program on the image. The command will look something like:
bunzip2 L0_Graphic.dd.bz2
The uncompressed file is then L0_Graphic.dd.
Of course, bunzip2 runs in a Linux environment. After uncompressing, the image file can be moved to another operating system where the tool under test is located.

Image	Description	File Types
L0_Graphic.dd	Non-fragmented graphics files	JPG,PNG,BMP,GIF,TIF,PCX
L1_Graphic.dd	Sequentially fragmented graphics files	JPG,PNG,BMP,GIF,TIF,PCX
L2_Graphic.dd	Non-sequentially fragmented graphics files	JPG,PNG,BMP,GIF,TIF,PCX
L3_Graphic.dd	Graphics files with missing fragments	JPG,PNG,BMP,GIF,TIF,PCX
L4_Graphic.dd	Graphics files nested within graphics files	JPG,PNG,BMP,GIF,TIF,PCX
L5_Graphic.dd	Braided graphics files	JPG,PNG,BMP,GIF,TIF,PCX
L0_Documents.dd	Non-fragmented document files	DOC, XLS, PPT, PDF
L1_Documents.dd	Sequentially fragmented document files	DOC, XLS, PPT, PDF
L2_Documents.dd	Non-sequentially fragmented document files	DOC, XLS, PPT, PDF
L3_Documents.dd	Document files with missing fragments	DOC, XLS, PPT, PDF
L4_Documents.dd	Document files nested in document files	DOC, XLS, PPT, PDF
L5_Documents.dd	Braided document files	DOC, XLS, PPT, PDF
L0_Archive.dd	Non-fragmented archive files	7Z,BZ2,GZ,TAR,WIM,RAR,ZIP
L1_Archive.dd	Sequentially fragmented archive files	7Z,BZ2,GZ,TAR,WIM,RAR,ZIP
L2_Archive.dd	Non-Sequentially fragmented archive files	7Z,BZ2,GZ,TAR,WIM,RAR,ZIP
L3_Archive.dd	Archive files with missing fragments	7Z,BZ2,GZ,TAR,WIM,RAR,ZIP
L4_Archive.dd	Archive files nested in archive files	7Z,BZ2,GZ,TAR,WIM,RAR,ZIP
L5_Archive.dd	Braided archive files	7Z,BZ2,GZ,TAR,WIM,RAR,ZIP
L0_Audio.dd	Non-Fragmented audio files	MP3,WAV,AU,WMA
L1_Audio.dd	Sequentially fragmented audio files	MP3,WAV,AU,WMA
L2_Audio.dd	Non-Sequentially fragmented audio files	MP3,WAV,AU,WMA
L3_Audio.dd	Audio files with missing fragments	MP3,WAV,AU,WMA
L4_Audio.dd	Audio files nested in audio files	MP3,WAV,AU,WMA
L5_Audio.dd	Braided audio files	MP3,WAV,AU,WMA
L0_Video.dd	Non-Fragmented video files	MP4,AVI,MOV,FLV,MPG,WMV
L1_Video.dd	Sequentially fragmented video files	MP4,AVI,MOV,FLV,MPG,WMV
L2_Video.dd	Non-sequentially fragmented video files	MP4,AVI,MOV,FLV,MPG,WMV
L3_Video.dd	Video files with missing fragments	MP4,AVI,MOV,FLV,MPG,WMV
L4_Video.dd	Video files nested in video files	MP4,AVI,MOV,FLV,MPG,WMV
L5_Video.dd	Braided video files	MP4,AVI,MOV,FLV,MPG,WMV