18.3. DFRWS 2006 Forensics Challenge

DFRWS 2006 Forensics Challenge is a data carving challenge. It’s possible to use PhotoRec to recover most files:

  • Run photorec dfrws-2006-challenge.raw

  • Choose Proceed

  • Go to the Options menu

  • Set “Paranoid : Yes (Brute force enabled)”

  • Set “Keep corrupted files : Yes”

  • Use “Quit” to return to the main menu

  • Choose Search

  • Confirm the filesystem type “[ Other ]”

  • Use ‘C’ key to confirm the destination of the recovered files (current directory)

  • Wait for the recovery to finish

  • Quit

All these steps can also be automated in a single command:

photorec /log /d recup_dir /cmd dfrws-2006-challenge.raw options,paranoid_bf,keep_corrupted_file,search

The file to analyze contained 32 files (not including the embedded files, such as pictures in Word documents or the files inside of ZIP files). The 32 files were used to create 22 different scenarios. Each scenario was designed to test a specific situation that might occur in a real file system.

Category 1 focused on HTML files with ASCII text:
  • 1a) One HTML non-fragmented ✓

  • 1b) One HTML fragmented with a JPEG in between

  • 1c) One HTML fragmented with Unicode text in between

  • 1d) Two HTML files that are intertwined

PhotoRec doesn’t recover fragmented HTML correctly.

Category 2 focused on Microsoft Office documents:
  • 2a) One Word file, non-fragmented ✓

  • 2b) One Word file, fragmented with 3 fragments and random data in between

  • 2c) One Excel file fragmented with random data in between

  • 2d) One Word file fragmented with a JPEG in between ✓

  • 2e) One Word file fragmented with text in between

Category 3 focused on JPEG files:
  • 3a) One JPEG non-fragmented ✓

  • 3b) One JPEG non-fragmented, larger than a typical default max file size ✓

  • 3c) One JPEG non-fragmented, but the sector before it has 0xffd8 in the first two bytes ✓

  • 3d) One JPEG fragmented with text in between ✓

  • 3e) One JPEG fragmented with a Word document in between ✓

  • 3f) One JPEG fragmented with random data in between ✓

  • 3g) One JPEG fragmented with a JPEG in between ✓

  • 3h) Two JPEGs that are intertwined

  • 3i) One JPEG non-fragmented that is REALLY big ✓

  • 3j) One JPEG fragmented with a single sector in between that starts with 0xffd9 ✓

PhotoRec has good results in the JPEG category.

Category 4 focused on ZIP files:
  • 4a) One ZIP file, non-fragmented ✓

  • 4b) One ZIP file fragmented with text in between ✓

  • 4c) One ZIP file fragmented with random data in between

| Scenario | Filename | Location | Size | md5 |
|---|---|---|---|---|
|  | f0000000.html | 0-8 | 4608 |  |
| 1a | f0000009_Alice_in_Wonderland_[…].html | 9-44 | 18147 |  |
| 2c | b0002051.doc | 2051-3867 4429-4435 4557-7963 … | 4428800 | X |
| 3a | f0003868.jpg | 3868-4428 | 287186 |  |
| 1d | f0004436_A_STUDY_IN_SCARLET_1.1.html | 4436-4455 | 10240 | X |
| 1d | f0004456_1_Stave_1_Marley_s_Ghost.html | 4456-4501 | 23544 | X |
| 1d | f0004502.html | 4502-4556 | 27875 | fragment |
| 2d | f0007964_National_Park_Service.doc | 7964-8284 9474-10031 | 450048 |  |
| 2d | f0008285.jpg | 8285-9473 | 608703 |  |
| 3d | f0011619.jpg | 11619-11822 11849-12017 | 190720 |  |
| 3d | f0011823.txt | 11823-11848 | 12828 (+2) | X |
| 3b | f0012222.jpg | 12222-26116 | 7113968 |  |
| 1b | f0027496_Comedy_of_Errors_Entire_Play.html | 27496-27606 | 56832 | X |
| 1b | f0027607.jpg | 27607-27977 | 189534 |  |
| 1b | f0027978.html | 27978-28196 | 111693 | fragment |
| 1c | f0028244_Chapter_cxxxiv_-_THE_CHASE_[…].html | 28244-28306 (X) | 31850 | X |
| 1c | f0028307.html | 28307-28344 | 18995 | fragment |
| 4a | f0028439_4n6rodeo3-fix_copy.zip | 28439-28726 | 147150 |  |
| 4b | f0028729_file1.zip | 28729-29528 29896-31368 | 1163745 |  |
| 4b | f0029529_The_Tempest_Entire_Play.html | 29529-29895 | 187793 (-2) | X |
| 3h | b0031475.jpg | 31475-31532 | 29696 | X |
| 3h | b0031533.jpg | 31533-31887 | 181760 | X |
| 2a | f0032837_Fact_Sheet_-_Permitted_and_[…].doc | 32837-33397 | 287232 |  |
| 2e | b0034288.doc | 34288-34398 34413-36291 36641-36997 | 1201664 | X |
| 2e | f0034399.txt | 34399-34412 | 6781 | fragment |
| 3c | f0036292.jpg | 36292-36640 | 178659 |  |
| 2b | b0036998.doc | 36998-40637 41220-41238 41610 … | 3133440 | X |
| 3f | f0040638.jpg | 40638-41219 41239-41609 | 487473 |  |
| 3g | f0041611.jpg | 41611-43433 44029-44200 | 1021085 |  |
| 3g | f0043434.jpg | 43434-44028 | 304413 |  |
| 3e | f0045566.jpg | 45566-45963 46104-46826 | 573499 |  |
| 3e | f0045964_Statements_of_Financial_Condition.doc | 45964-46103 | 71680 |  |
| 3i | f0046910.jpg | 46910-94836 | 24538540 |  |
| 3j | f0094846.jpg | 94846-95628 95630-96653 | 924877 |  |
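
To check a recovered file independently of PhotoRec, its bytes can be re-read from the image using the Location and Size values listed above and then hashed. The following Python code is an added example, not part of PhotoRec or of the original documentation. It assumes that Location lists 512-byte sector runs (consistent with the first entry: sectors 0-8, 4608 bytes); parse_location, carve and constructed_image are hypothetical helper names, and the test image is constructed.

```python
import hashlib
import io
import re

SECTOR_SIZE = 512  # assumption, consistent with the table: sectors 0-8 hold 4608 bytes


def parse_location(location):
    """Parse a Location cell ('11619-11822 11849-12017') into (first, last) sector pairs."""
    runs = []
    for token in location.split():
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", token, re.ASCII)
        if m is None:
            # '…' or '(X)' marks an incomplete or doubtful list: refuse to guess.
            raise ValueError(f"unusable sector run {token!r}")
        first = int(m.group(1))
        last = int(m.group(2)) if m.group(2) else first
        if last < first:
            raise ValueError(f"reversed sector run {token!r}")
        runs.append((first, last))
    return runs


def carve(image, location, size):
    """Join the listed sector runs from a seekable image and trim to `size` bytes."""
    runs = parse_location(location)
    capacity = sum(last - first + 1 for first, last in runs) * SECTOR_SIZE
    if not 0 < size <= capacity:
        raise ValueError(f"size {size} does not fit in {capacity} bytes of sectors")
    parts = []
    for first, last in runs:
        image.seek(first * SECTOR_SIZE)
        parts.append(image.read((last - first + 1) * SECTOR_SIZE))
    data = b"".join(parts)
    if len(data) != capacity:
        raise ValueError("image ends before the last listed sector")
    return data[:size]


def constructed_image(sectors=16):
    """Constructed test image: every byte of sector n has the value n."""
    return io.BytesIO(b"".join(bytes([n]) * SECTOR_SIZE for n in range(sectors)))


if __name__ == "__main__":
    # Constructed layout: a file in sectors 3-5 and 9-10 with other data in between.
    data = carve(constructed_image(), "3-5 9-10", 2100)
    print(len(data), hashlib.md5(data).hexdigest())
```

With the real image opened in binary mode, carve(image, "11619-11822 11849-12017", 190720) re-reads the two fragments listed for f0011619.jpg; entries whose Location ends in "…" are rejected because the run list is incomplete.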