Overview DFR Test Images

This page contains links to compressed dd images used to test metadata based deleted file recovery forensic tools. Metadata based deleted file recovery uses residual metadata left behind after a file is deleted to attempt to reconstruct the file. These images are not for testing file carving tools (tools that scan unallocated blocks to find file headers and trailers and then reconstructing deleted files). This page also contains a link to a document describing the creation and layout of each image. Most of the images are simple with just a few files. This is so that the tool behavior in common situations likely to be encountered can be clearly observed. Each image contains one or more partitions (logical drives) within a group of similar file systems.

The FAT images contain three partitions: FAT12, FAT16 & FAT32. Note about the FAT12 partition: The Linux fdisk reports the partition type as FAT12, but the FAT table is 16 bit, i.e., the partition is really FAT16 for most of the images. The actual file system type for the first partition of each FAT image is listed below.
The EXT images contain three partitions: ext2, ext3 & ext4.
The XFAT images contain one partition: ExFAT.
The NTFS images contain one partition: NTFS
There are two HFS+ (aka OSX) images with four partitions with these combinations: not case sensitive with no journal (OSX), case sensitive with no journal (OSXC), not case sensitive with journal (OSXJ), and case sensitive with journal (OSXCJ).

True file system type for the first partition of each fat image.

images/fat-01-recycle/dfr-01-recycle-fat.dd is FAT16
images/fat-01/dfr-01-fat.dd is FAT16
images/fat-02/dfr-02-fat.dd is FAT16
images/fat-03/dfr-03-fat.dd is FAT16
images/fat-04/dfr-04-fat.dd is FAT16
images/fat-05-braid/dfr-05-braid-fat.dd is FAT16
images/fat-05-nest/dfr-05-nest-fat.dd is FAT16
images/fat-05/dfr-05-fat.dd is FAT16
images/fat-06/dfr-06-fat.dd is FAT12
images/fat-07-one/dfr-07-one-fat.dd is FAT12
images/fat-07-two/dfr-07-two-fat.dd is FAT12
images/fat-07/dfr-07-fat.dd is FAT12
images/fat-08/dfr-08-fat.dd is FAT12
images/fat-09/dfr-09-fat.dd is FAT12
images/fat-10/dfr-10-fat.dd is FAT12
images/fat-11/dfr-11-fat.dd is FAT12
images/fat-12/dfr-12-fat.dd is FAT16
images/fat-13/dfr-13-fat.dd is FAT16
images/fat-14/dfr-14-fat.dd is FAT16
images/fat-15/dfr-15-fat.dd is FAT16
images/fat-16/dfr-16-fat.dd is FAT16
images/fat-17/dfr-17-fat.dd is FAT16

Downloading the Test Images

The images are compressed with bzip2. To uncompress an image, run the bunzip2 program on the image. The command will look something like:
bunzip2 dfr-01-xfat.dd.bz2
The uncompressed file is then dfr-01-xfat.dd.
Of course, bunzip2 runs in a Linux environment. After uncompressing, the image file can be moved to another operating system where the tool under test

Image Creation

The image layout document describes the creation and final layout of each image. Several tools have been created to allow the creation of controlled file layouts and to characterize files for comparison after recovery:

not-used – tag each sector of a device with the string “not used,”
mk-file – create a file of tagged blocks,
ap-file – append more tagged blocks to an existing file,
fill-fs – allocate all free blocks to a single file,
layout – categorize all blocks in the image of a file system as: file, unused, fill or metadata, and
fana – file analysis (characterize and summarize file content to simplify comparison of a recovered file to the original file).

The general process for using these tools to create a test image is as follows:

Run the not-used program to mark each sector of a device.
Format the device with one or more partitions of the same family.
Synchronize the drive state by unmounting all partitions. This ensures that the current state of the drive is on the drive with no parts of the drive state only in memory.
Image the drive to capture the base state of the formatted file system. The base image serves as a reference point to identify the initial state of file system metadata.
Mount the file systems. The file systems are now ready to be manipulated in a controlled manner. File operations need to be grouped such that a smart operating system does not skip steps for efficient operation. For example, if we create a file and then delete the file, a smart OS may note that nothing needs to be written to secondary storage. This would undermine the effort to have something to actually recover. Operations are grouped into sets of actions such that no action should modify the result of another action within the same set. Between each set of actions, file systems are unmounted, imaged and remounted. The actual state of the file systems can be confirmed by examining the image before continuing to the next set of actions.
Use the mk-file program to create some files.
Unmount the file systems, image and remount.
Do additional actions (create and append) to achieve the relationship between data blocks and metadata required for the specific test image.
Use the fana program to characterize every file to be deleted.
Set MAC times for every file to be deleted.
Unmount, image and remount.
Record MAC times for every file to be deleted.
Delete the files.
Unmount and image the final state of the device. This final image is the test image.

Image Layout Description

The image document describes each image in several sections:

List of deleted files
MAC times just before file deletion
File delete times
Steps for creating an image
List of overwrites
Image layout after each step
Sectors allocated to each file

Test Image Links

Test Case	Case Description	Image Links
DFR-01	Recover one non-fragmented file.	FAT XFAT NTFS EXT OSX
DFR-01-RECYCLE	Recover one file from emptied recycle bin.	FAT XFAT NTFS EXT
DFR-02	Recover file with two fragments.	FAT XFAT NTFS EXT
DFR-03	Recover file with multiple fragments.	FAT XFAT NTFS EXT
DFR-04	Recover several non-fragmented files with non-ASCII file names.	FAT XFAT NTFS EXT OSX
DFR-05	Recover several fragmented files.B1B2E1E2	FAT XFAT NTFS EXT
DFR-05-BRAID	Recover several fragmented files. B1C1B2C2	FAT XFAT NTFS EXT
DFR-05-NEST	Recover several fragmented files.B1D1D2B2	FAT XFAT NTFS EXT
DFR-06	Recover one large file.	FAT XFAT NTFS EXT
DFR-07	Recover one overwritten file.	FAT XFAT NTFS EXT
DFR-07-ONE	Recover one overwritten file.	FAT XFAT NTFS EXT
DFR-07-TWO	Recover one overwritten file.	FAT XFAT NTFS EXT
DFR-08	Recover several overwritten files.	FAT XFAT NTFS EXT
DFR-09	Recover large number of files no overwrite.	FAT XFAT NTFS EXT
DFR-10	Recover large number of files, with some overwritten.	FAT XFAT NTFS EXT
DFR-11	Recover one non-fragmented directory.	FAT XFAT NTFS EXT
DFR-11-MFT	Recover one non-fragmented directory (stored in NTFS MFT).	FAT XFAT NTFS EXT
DFR-11-COMPRESSED	Recover one non-fragmented directory (stored in Compressed NTFS).	FAT XFAT NTFS EXT
DFR-12	Recover one fragmented directory.	FAT XFAT NTFS EXT
DFR-13	Recover random file system activity.	FAT XFAT NTFS EXT
DFR-14	Recover other file system object.	FAT XFAT NTFS EXT
DFR-15	List one of each file system object.	FAT XFAT NTFS EXT
DFR-16	List a large number of files.	FAT XFAT NTFS EXT
DFR-17	List deep file paths.	FAT XFAT NTFS EXT

Often, as in the case of a FAT file system, the tool has only the location of the first data block and the file size. In this situation, tools may guess as to which file system blocks to assign to the recovered file. Test cases 02, 03, 05, 05-braid & 05-nest often produce interesting results, especially for the FAT images.