Resources

Resources provided for use by the DFIR community

Raw disk images

Logical image of a 2GB volume taken from a USB, designed to be used to validate file carving tools.

ZIP archive contains:
- Raw volume image: Khyrenz-FileCarvingImage-USB-logical-2GB-formatted.dd
- Acquisition text file (generated by FTK Imager): Khyrenz-FileCarvingImage-USB-logical-2GB-formatted.001.txt
- List of files present in Unallocated Space: Khyrenz-FileCarvingImage-USB-logical-2GB-test_file_list.pdf

A selection of test files of varying file formats was collected or generated, and then copied onto a USB device, which had been formatted to contain a 2GB FAT16 volume. This volume was subsequently re-formatted using the built-in Windows ‘quick format’ process, in order to remove filesystem metadata.

A raw logical image of the USB device volume was generated using FTK Imager 4.

ZIP hashes:

MD5: 7de6d9aa72948184487b558df4aa9a9a

SHA-1: 24cf57902a1b218cc22b43c38a761cd7fd49449e

SHA-256: b60f0ef79a21e3bead194c61d72e420acf3d8f4830ed1139b9c6b1c1ab4ffc5f

Tool validation reports

Tool Validation Report - AXIOM 5.10.0.30634
Evaluated against known data set Khyrenz-FileCarvingImage linked above

MD5: 62cc3b71d7761af035a34455325a6fdf
SHA-1: 419ccb17c64ccb889f136826fa74369b6fd6b9dc
SHA-256: 89c6de802c7dc7de596c746c735fb244541e1435aa5c23cc49d8fe9dff55e55b
Khyrenz - Tool_Validation_Report - AXIOM[...]
Adobe Acrobat document [433.0 KB]

Tool Validation Report - foremost 1.5.7
Evaluated against known data set Khyrenz-FileCarvingImage linked above

MD5: 1baec80ac46eb27003e762b47b779e9a
SHA-1: 741b2bb800bfe985bf24aaedf7caa1b06ad6dd00
SHA-256: f7f21977498a28959de6193aeee53f5284e46b473866db2d256b840490b8d2fe
Khyrenz - Tool_Validation_Report - forem[...]
Adobe Acrobat document [420.7 KB]

Tool Validation Report - PhotoRec 7.2
Tool validation report for PhotoRec 7.2.

Evaluated against known data set Khyrenz-FileCarvingImage linked above.

MD5: 47bb8753808590159e66694829cdfb65
SHA-1: e06781617ed36d2c67c5a72b68be27efff42ea1b
SHA-256: bd78d5be838e1f5fc40bd36f07e69b1a9d401dd569e0660a3744067c30af6c60
Khyrenz - Tool_Validation_Report - Photo[...]
Adobe Acrobat document [446.1 KB]

Tool Validation Report - X-Ways Forensics 20.4
Evaluated against known data set Khyrenz-FileCarvingImage linked above

MD5: c2a5fe2428a521c336c98f812d133332
SHA-1: 019f7f970ae55680407d43c38330fcc76c37bde3
SHA-256: 773d8138b922e289f416f7704c74cedbcca56553545bf2babbe414f46d606210
Khyrenz - Tool_Validation_Report - X-Way[...]
Adobe Acrobat document [421.4 KB]

Tool validation report example template

Example Tool Validation Report Template
Document file hashes:

MD5: e14cc28fb16b2b99678b474178e048a3
SHA-1: a441258ca8d67d6f6c4fb7022f40ff2f0aeee00d
SHA-256: 37f75798db607445503d5bef3931c27218c6e083061eaf4701b4fd6e80a74e48
Tool_Validation_Report - Template.docx
Microsoft Word document [175.0 KB]