This test image is an NTFS file system with several ASCII strings. The goal of this test is less ambitious than the previous FAT keyword search test and only tests the unique features of NTFS. It only has 10 test cases and there will likely be another test image in the future that tests additional features of NTFS. The focus of this test is resident versus non-resident file content and multiple data attributes (or alternate data streams).
This test image is a 'raw' partition image (i.e. 'dd') of an NTFS file system. The file system is 8MB and is compressed to 6MB. The MD5 of the image is 389e42124eb23c5053ff6596976d6710. This image is released under the GPL, so anyone can use it.
The keyword searches below should all be performed case-sensitively and not as regular expressions.
| Num | String | Sector | Offset | File | Note |
|---|---|---|---|---|---|
| 1 | r-alloc | 1342 | 83 | $LogFile | Log File Entry |
| | r-alloc | 5409 | 347 | file-r-1.dat | Resident allocated file |
| 2 | r-unalloc | 1350 | 92 | $LogFile | Log File Entry #1 |
| | r-unalloc | 1915 | 156 | $LogFile | Log File Entry #2 |
| | r-unalloc | 5423 | 380 | file-r-2.dat (deleted) | Resident unallocated file |
| 3 | r-fads | 1391 | 43 | $LogFile | Log File Entry |
| | r-fads | 5414 | 331 | file-r-3.dat:here | Resident alternate data stream in an allocated file |
| 4 | r-dads | 1528 | 258 | $LogFile | Log File Entry |
| | r-dads | 5415 | 346 | dir-r-4:there | Resident alternate data stream in an allocated directory |
| 5 | n-alloc | 8050 | 161 | file-n-1.dat | Non-resident allocated file |
| 6 | n-unalloc | 8053 | 86 | file-n-2.dat (deleted) | Non-resident unallocated file |
| 7 | n-frag | 8059 | 509 | file-n-3.dat | Crosses fragmented clusters in a non-resident allocated file |
| 8 | n-slack | 8062 | 485 | file-n-4.dat | Slack space of a non-resident allocated file |
| 9 | n-fads | 8067 | 370 | file-n-5.dat:here | Non-resident alternate data stream in an allocated file |
| 10 | n-dads | 8068 | 314 | dir-n-6:there | Non-resident alternate data stream in an allocated directory |
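
As an added example (not part of the original test page or of any tool it evaluates), the sketch below runs a case-sensitive, literal search over a raw image in disk order and reports each hit as a sector and offset, the form used in the table. It assumes 512-byte sectors; `find_keyword`, `build_sample_image` and `search` are hypothetical names, and the sample image is constructed, not the real test image.

```python
import io

SECTOR_SIZE = 512  # assumption: the page does not state the sector size


def find_keyword(stream, keyword, chunk_size=1 << 20):
    """Yield (sector, offset) for each case-sensitive, literal match,
    scanning the raw image in disk order."""
    needle = keyword.encode("ascii")
    if not needle:
        raise ValueError("empty keyword")
    overlap = len(needle) - 1
    tail = b""  # end of the previous buffer, so hits spanning two reads are seen
    base = 0    # absolute image offset of buf[0]
    while chunk := stream.read(chunk_size):
        buf = tail + chunk
        pos = buf.find(needle)
        while pos != -1:
            yield divmod(base + pos, SECTOR_SIZE)
            pos = buf.find(needle, pos + 1)
        keep = min(overlap, len(buf))
        tail = buf[len(buf) - keep:]
        base += len(buf) - keep


def build_sample_image():
    """Constructed 16-sector image for the demo (not the real test image)."""
    img = bytearray(16 * SECTOR_SIZE)

    def put(sector, offset, data):
        start = sector * SECTOR_SIZE + offset
        img[start:start + len(data)] = data

    put(3, 83, b"r-alloc")   # hit entirely inside one sector
    put(5, 509, b"n-alloc")  # contiguous hit spanning sectors 5 and 6
    put(9, 509, b"n-f")      # fragmented string: first piece ends sector 9 ...
    put(12, 0, b"rag")       # ... and the rest sits in a non-adjacent sector
    return bytes(img)


def search(image, keyword, chunk_size=1 << 20):
    return list(find_keyword(io.BytesIO(image), keyword, chunk_size))


if __name__ == "__main__":
    image = build_sample_image()
    for kw in ("r-alloc", "n-alloc", "n-frag"):
        print(kw, search(image, kw, chunk_size=SECTOR_SIZE))
```

A scan like this only matches bytes that are contiguous on disk, so the constructed fragmented string is not reported. Finding such a string takes a search that follows the file's cluster runs rather than raw sector order.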
Neither Purdue University nor CERIAS sponsors this work.
These tests are not a complete test suite. These were the first ones that I thought of and no formal theory was put into their design.
Passing these tests provides no guarantees about a tool. Always use additional test cases (and email them to me so we can all benefit!).
Brian Carrier [carrier <at> digital-evidence <dot> org] | Last Updated: Oct 27, 2003