top of page

Resources

Resources provided for use by the DFIR community

Raw disk image - Khyrenz-FileCarvingImage

Logical image of a 2GB volume taken from a USB, designed to be used to validate file carving tools.

ZIP archive contains:
- Raw volume image: Khyrenz-FileCarvingImage-USB-logical-2GB-formatted.dd
- Acquisition text file (generated by FTK Imager): Khyrenz-FileCarvingImage-USB-logical-2GB-formatted.001.txt
- List of files present in Unallocated Space: Khyrenz-FileCarvingImage-USB-logical-2GB-test_file_list.pdf

A selection of test files of varying file formats was collected or generated, and then copied onto a USB device, which had been formatted to contain a 2GB FAT16 volume. This volume was subsequently re-formatted using the built-in Windows ‘quick format’ process, in order to remove filesystem metadata.

A raw logical image of the USB device volume was generated using FTK Imager 4.

 

ZIP hashes:

MD5: 7de6d9aa72948184487b558df4aa9a9a

SHA-1: 24cf57902a1b218cc22b43c38a761cd7fd49449e

SHA-256: b60f0ef79a21e3bead194c61d72e420acf3d8f4830ed1139b9c6b1c1ab4ffc5f

carving
Image by Gayatri Malhotra

Tool Validation Reports
- File Carving

Tool Validation Report - AXIOM 6.9.0.34051
Evaluated against known data set Khyrenz-FileCarvingImage linked above

PDF hashes:
MD5: 3b6dfd8f315c9ebf655eaab48dfa6494
SHA-1: 8b057b00262a9be88812575e250ed093440f1ce4
SHA-256: 730e728570151669e1e5b591ce6df6af7ea02b074b10bd9976621a0915c4e1dd

Tool Validation Report - AXIOM 5.10.0.30634
Evaluated against known data set Khyrenz-FileCarvingImage linked above
 

PDF hashes:
MD5: 62cc3b71d7761af035a34455325a6fdf
SHA-1: 419ccb17c64ccb889f136826fa74369b6fd6b9dc
SHA-256: 89c6de802c7dc7de596c746c735fb244541e1435aa5c23cc49d8fe9dff55e55b

Tool Validation Report - foremost 1.5.7
Evaluated against known data set Khyrenz-FileCarvingImage linked above
 

PDF hashes:
MD5: 1baec80ac46eb27003e762b47b779e9a
SHA-1: 741b2bb800bfe985bf24aaedf7caa1b06ad6dd00
SHA-256: f7f21977498a28959de6193aeee53f5284e46b473866db2d256b840490b8d2fe

Tool Validation Report - PhotoRec 7.2
Evaluated against known data set Khyrenz-FileCarvingImage linked above
 

PDF hashes:
MD5: 47bb8753808590159e66694829cdfb65
SHA-1: e06781617ed36d2c67c5a72b68be27efff42ea1b
SHA-256: bd78d5be838e1f5fc40bd36f07e69b1a9d401dd569e0660a3744067c30af6c60

Tool Validation Report - X-Ways Forensics 20.4
Evaluated against known data set Khyrenz-FileCarvingImage linked above
 

PDF hashes:

MD5: c2a5fe2428a521c336c98f812d133332
SHA-1: 019f7f970ae55680407d43c38330fcc76c37bde3
SHA-256: 773d8138b922e289f416f7704c74cedbcca56553545bf2babbe414f46d606210

Tool Validation Report - Example template
 

Document hashes:

MD5: e14cc28fb16b2b99678b474178e048a3
SHA-1: a441258ca8d67d6f6c4fb7022f40ff2f0aeee00d
SHA-256: 37f75798db607445503d5bef3931c27218c6e083061eaf4701b4fd6e80a74e48

bottom of page