18.3. DFRWS 2006 Forensics Challenge
DFRWS 2006 Forensics Challenge is a data carving challenge. It’s possible to use PhotoRec to recover most files:
- Run photorec dfrws-2006-challenge.raw
- Choose Proceed
- Go into the Options menu
- Set “Paranoid : Yes (Brute force enabled)”
- Set “Keep corrupted files : Yes”
- Use “Quit” to return to the main menu
- Choose Search
- Confirm the filesystem type “[ Other ]”
- Use the ‘C’ key to confirm the destination of the recovered files (current directory)
- Wait for the recovery to finish
- Quit
All these steps can also be automated in a single command:
photorec /log /d recup_dir /cmd dfrws-2006-challenge.raw options,paranoid_bf,keep_corrupted_file,search
The file to analyze contained 32 files (not including the embedded files, such as pictures in Word documents or the files inside of ZIP files). The 32 files were used to create 22 different scenarios. Each scenario was designed to test a specific situation that might occur in a real file system.
- Category 1 focused on HTML files with ASCII text:
1a) One HTML non-fragmented ✓
1b) One HTML fragmented with a JPEG in between
1c) One HTML fragmented with Unicode text in between
1d) Two HTML files that are intertwined
PhotoRec doesn’t recover fragmented HTML correctly.
- Category 2 focused on Microsoft Office documents:
2a) One Word file, non-fragmented ✓
2b) One Word file, fragmented with 3 fragments and random data in between
2c) One Excel file fragmented with random data in between
2d) One Word file fragmented with a JPEG in between ✓
2e) One Word file fragmented with text in between
- Category 3 focused on JPEG files:
3a) One JPEG non-fragmented ✓
3b) One JPEG non-fragmented, larger than a typical default max file size ✓
3c) One JPEG non-fragmented, but sector before it has 0xffd8 in the first two bytes ✓
3d) One JPEG fragmented with text in between ✓
3e) One JPEG fragmented with a Word document in between ✓
3f) One JPEG fragmented with random data in between ✓
3g) One JPEG fragmented with a JPEG in between ✓
3h) Two JPEGs that are intertwined
3i) One JPEG non-fragmented that is REALLY big ✓
3j) One JPEG fragmented with single sector in between that starts with 0xffd9 ✓
PhotoRec has good results in the JPEG category.
- Category 4 focused on ZIP files:
4a) One ZIP file, non-fragmented ✓
4b) One ZIP file fragmented with text in between ✓
4c) One ZIP file fragmented with random data in between

| Scenario | Filename | Location | Size | md5 |
|---|---|---|---|---|
| | f0000000.html | 0-8 | 4608 | |
| 1a | f0000009_Alice_in_Wonderland_[…].html | 9-44 | 18147 | ✓ |
| 2c | b0002051.doc | 2051-3867 4429-4435 4557-7963 … | 4428800 | X |
| 3a | f0003868.jpg | 3868-4428 | 287186 | ✓ |
| 1d | f0004436_A_STUDY_IN_SCARLET_1.1.html | 4436-4455 | 10240 | X |
| 1d | f0004456_1_Stave_1_Marley_s_Ghost.html | 4456-4501 | 23544 | X |
| 1d | f0004502.html | 4502-4556 | 27875 | fragment |
| 2d | f0007964_National_Park_Service.doc | 7964-8284 9474-10031 | 450048 | ✓ |
| 2d | f0008285.jpg | 8285-9473 | 608703 | ✓ |
| 3d | f0011619.jpg | 11619-11822 11849-12017 | 190720 | ✓ |
| 3d | f0011823.txt | 11823-11848 | 12828 (+2) | X |
| 3b | f0012222.jpg | 12222-26116 | 7113968 | ✓ |
| 1b | f0027496_Comedy_of_Errors_Entire_Play.html | 27496-27606 | 56832 | X |
| 1b | f0027607.jpg | 27607-27977 | 189534 | ✓ |
| 1b | f0027978.html | 27978-28196 | 111693 | fragment |
| 1c | f0028244_Chapter_cxxxiv_-_THE_CHASE_[…].html | 28244-28306 (X) | 31850 | X |
| 1c | f0028307.html | 28307-28344 | 18995 | fragment |
| 4a | f0028439_4n6rodeo3-fix_copy.zip | 28439-28726 | 147150 | ✓ |
| 4b | f0028729_file1.zip | 28729-29528 29896-31368 | 1163745 | ✓ |
| 4b | f0029529_The_Tempest_Entire_Play.html | 29529-29895 | 187793 (-2) | X |
| 3h | b0031475.jpg | 31475-31532 | 29696 | X |
| 3h | b0031533.jpg | 31533-31887 | 181760 | X |
| 2a | f0032837_Fact_Sheet_-_Permitted_and_[…].doc | 32837-33397 | 287232 | ✓ |
| 2e | b0034288.doc | 34288-34398 34413-36291 36641-36997 | 1201664 | X |
| 2e | f0034399.txt | 34399-34412 | 6781 | fragment |
| 3c | f0036292.jpg | 36292-36640 | 178659 | ✓ |
| 2b | b0036998.doc | 36998-40637 41220-41238 41610 … | 3133440 | X |
| 3f | f0040638.jpg | 40638-41219 41239-41609 | 487473 | ✓ |
| 3g | f0041611.jpg | 41611-43433 44029-44200 | 1021085 | ✓ |
| 3g | f0043434.jpg | 43434-44028 | 304413 | ✓ |
| 3e | f0045566.jpg | 45566-45963 46104-46826 | 573499 | ✓ |
| 3e | f0045964_Statements_of_Financial_Condition.doc | 45964-46103 | 71680 | ✓ |
| 3i | f0046910.jpg | 46910-94836 | 24538540 | ✓ |
| 3j | f0094846.jpg | 94846-95628 95630-96653 | 924877 | ✓ |
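
The following is an added example, not part of the PhotoRec documentation: it rebuilds a file from the sector ranges listed in a Location cell and trims it to the listed Size, so that a carved file can be hashed independently of the tool. It assumes Location holds inclusive ranges of 512-byte sectors (consistent with the table: 0-8 gives 4608 bytes, and 7964-8284 9474-10031 gives 450048 bytes); the function names and the small test image are constructed for illustration.

```python
import hashlib
import re

SECTOR = 512  # assumption: 512-byte sectors (table row "0-8" has size 4608 = 9 * 512)


def parse_location(location):
    """Parse a Location cell, e.g. '7964-8284 9474-10031', into inclusive sector pairs."""
    ranges = []
    for token in location.split():
        m = re.fullmatch(r"(\d+)-(\d+)", token)
        if m is None:
            # '…' means the range list is truncated; '(X)' style notes are not ranges
            raise ValueError(f"not a sector range: {token!r}")
        first, last = int(m.group(1)), int(m.group(2))
        if last < first:
            raise ValueError(f"descending range: {token!r}")
        ranges.append((first, last))
    if not ranges:
        raise ValueError("empty location")
    return ranges


def reassemble(image, location, size):
    """Concatenate the listed sector runs of `image` and trim to `size` bytes."""
    out = bytearray()
    for first, last in parse_location(location):
        end = (last + 1) * SECTOR
        if end > len(image):
            raise ValueError(f"range {first}-{last} runs past the end of the image")
        out += image[first * SECTOR:end]
    if size > len(out):
        raise ValueError(f"size {size} exceeds the {len(out)} bytes in the ranges")
    return bytes(out[:size])  # drop slack after the file's last byte


def build_constructed_image():
    """Constructed sample: a 1300-byte file in sectors 2-3 and 6, filler elsewhere."""
    original = bytes((i * 7) % 251 for i in range(1300))
    padded = original.ljust(3 * SECTOR, b"\x00")
    image = bytearray(b"\xaa" * (8 * SECTOR))
    image[2 * SECTOR:4 * SECTOR] = padded[:2 * SECTOR]
    image[6 * SECTOR:7 * SECTOR] = padded[2 * SECTOR:]
    return bytes(image), original


if __name__ == "__main__":
    image, original = build_constructed_image()
    carved = reassemble(image, "2-3 6-6", len(original))
    print(hashlib.md5(carved).hexdigest() == hashlib.md5(original).hexdigest())
```

For the real image, pass an `mmap` of dfrws-2006-challenge.raw as `image` and compare the MD5 of the result with a reference hash obtained separately. Rows whose Location ends in “…” are rejected, because the full range list is not available.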