Extended DOS Partition Test

Digital Forensics Tool Testing Image (#1)

http://dftt.sourceforge.net

Introduction

Most DOS partition tools will not allow the user to create a third entry in an extended partition. A test image was created by modifying the partition table by hand with a hex editor and the system was booted. Both Windows and Linux read the third entry in the extended partition table and allowed the user to mount the partition. This test was to verify that forensic tools also allowed the investigator to view the partition in the third entry.

Download

This test image is a 'raw' disk image (i.e. 'dd'). The disk is 150MB and is compressed to 160KB. This image is released under the GPL, so anyone can use it.

Layout

The following is the partition layout of the disk image. A tool should show all six FAT16 partitions. Each partition has a file in it whose name corresponds to the partition. Each file has zero size.

Table Entry  Start       End         Length      Description
Primary Table #1
00           0000000063  0000052415  0000052353  DOS FAT16 (0x04)
01           0000052416  0000104831  0000052416  DOS FAT16 (0x04)
02           0000104832  0000157247  0000052416  DOS FAT16 (0x04)
03           0000157248  0000312479  0000155232  DOS Extended (0x05)
Extended Table #1
00           0000157311  0000209663  0000052353  DOS FAT16 (0x04)
01           0000209727  0000262079  0000052353  DOS FAT16 (0x04)
02           0000262080  0000312479  0000050400  DOS Extended (0x05)
Extended Table #2
00           0000262143  0000312479  0000050337  DOS FAT16 (0x06)
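
The following is an added example, not code from the original page or from the DFTT project: a partition walker that reads all four slots of every extended table, run against constructed sectors that reproduce the layout above. The names make_table, read_entries, walk, DISK and ebr_slots are hypothetical. It assumes the usual DOS convention, which matches the numbers in the table: a file system entry's start is relative to the sector holding its table, and an extended link is relative to the start of the first extended partition.

```python
import struct

SECTOR = 512
EXTENDED = {0x05, 0x0F, 0x85}  # partition types that point to another table

def make_table(entries):
    """Build a constructed 512-byte table sector from (type, start, length) tuples."""
    sec = bytearray(SECTOR)
    for i, (ptype, rel_start, length) in enumerate(entries):
        struct.pack_into("<B3sB3sII", sec, 446 + 16 * i,
                         0, b"\0\0\0", ptype, b"\0\0\0", rel_start, length)
    sec[510:512] = b"\x55\xaa"
    return bytes(sec)

# Constructed sectors reproducing the layout table on this page (CHS fields zeroed).
DISK = {
    0: make_table([(0x04, 63, 52353), (0x04, 52416, 52416),
                   (0x04, 104832, 52416), (0x05, 157248, 155232)]),
    157248: make_table([(0x04, 63, 52353), (0x04, 52479, 52353), (0x05, 104832, 50400)]),
    262080: make_table([(0x06, 63, 50337)]),
}

def read_entries(sector):
    """Yield (slot, type, start, length) for each used entry in a table sector."""
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA signature")
    for i in range(4):
        # fields: status, CHS start, type, CHS end, LBA start, sector count
        _, _, ptype, _, start, length = struct.unpack_from("<B3sB3sII", sector, 446 + 16 * i)
        if ptype and length:
            yield i, ptype, start, length

def walk(read_sector, ebr_slots=4):
    """Return (table_sector, slot, type, abs_start, abs_end) per file system partition."""
    found, pending, seen, base = [], [0], set(), None
    while pending:
        table = pending.pop(0)
        if table in seen:
            continue  # a link back to an earlier table would loop forever
        seen.add(table)
        for slot, ptype, start, length in read_entries(read_sector(table)):
            if table != 0 and slot >= ebr_slots:
                continue  # ebr_slots=2 models a tool that reads only two entries
            if ptype in EXTENDED:
                link = start if table == 0 else base + start
                base = link if base is None else base
                pending.append(link)
            else:
                found.append((table, slot, ptype, table + start, table + start + length - 1))
    return found
```

Calling walk(DISK.__getitem__) returns all six FAT16 partitions with the start and end sectors listed in the table; with ebr_slots=2 the link in the third entry is never followed and the partition in Extended Table #2 is missed.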

Author

Brian Carrier (carrier <at> digital-evidence <dot> org) created the test image. This test was released on July 24, 2003.

Disclaimers

Neither Purdue University nor CERIAS sponsors this work.

These tests are not a complete test suite. These were the first ones that I thought of and no formal theory was put into their design.

Passing these tests provides no guarantees about a tool. Always use additional test cases (and email them to me so we can all benefit!).


Brian Carrier [carrier <at> digital-evidence <dot> org] Last Updated: Aug 25, 2003