Overview

This page has links to two dd images containing container files. The images are intended for testing forensic string search tools. The two images, files and nests, have the same content but differ in how that content is structured: FILES contains archives with one level of compression, while NESTS contains archives in which both the root and child directories are compressed.

Layout of Containers

[Figure: container file structure]

The above picture is a representation of the file structure used for each archive. The files underlined in red are common to all archives, while the remaining files are unique to each archive. Country.txt is named after a real country and contains a list of three cities of that country. Capitol.txt has the following content: "The capitol of X is Y, not Z" where X is the country of Country.txt, Y is the capital and Z is a city not listed in Country.txt.

The selection of countries, capitals and cities:

| Archive Type | Country | Capital | Z city | Other Cities |
|---|---|---|---|---|
| zip | China | Beijing | Nanjing | Nanjing, Shanghai |
| rar | Spain | Madrid | Bilbao | Barcelona, Valencia |
| tar | Nigeria | Abuja | Lagos | Kano, Aba |
| tar.gz | Ethiopia | Addis Ababa | Adama | Dire Dawa, Axum |
| tar.bz2 | Italy | Rome | Turin | Bologna, Milan |
| tar.xz | Colombia | Bogota | Medellin | Cali, Cartagena |
| cab | Russia | Moscow | Bor | Abakan, Azov |
| 7z | England | London | Liverpool | Leeds, Manchester |
| wim | Argentina | Buenos Aires | Avellaneda | Rosario, Salta |
| iso | Germany | Berlin | Frankfurt | Munich, Leverkusen |
| cpio | Japan | Tokyo | Kyoto | Osaka, Yono |
| alz | India | New Delhi | Calcutta | Mumbai, Kanpur |
| lzh | France | Paris | Lyon | Marseille, Nice |
| dmg | Sweden | Stockholm | Kista | Goteborg, Malmoe |
| uue | Angola | Luanda | Jamba | Andulo, Cela |
| sitx | Mexico | Mexico City | Chihuahua | Guadalajara, Puebla |
| lah | Brazil | Brasilia | Curitiba | Manaus, Salvador |

Image file files.dd

Each container file in the files image has the following content.

Image file nests.dd

Each container file in the nests image has the following content. Although the content is the same as in files.dd, each subdirectory in nests.dd has been compressed using the same format as its parent directory (for example, the zip file would have a folder called Sub.zip).
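The two layouts stress a search tool differently: a string inside compressed data is invisible to a byte-level search, and a tool that opens only one level of container misses data in a nested archive. The Python sketch below is an added example, not part of the original page or its images; it builds a files-style and a nests-style zip in memory from the zip row of the table and compares the three search strategies. The member layout and the helper names build_zip, raw_hit and search_container are assumptions.

```python
import io
import zipfile

def build_zip(members):
    """Return the bytes of a deflate-compressed zip built from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

def raw_hit(blob, needle):
    """What a plain byte-level string search over the image sees."""
    return needle in blob

def search_container(blob, needle, path="", max_depth=5):
    """Yield paths of members whose name or decompressed data contains needle.
    Members that are themselves zip archives are opened, up to max_depth levels."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = f"{path}/{info.filename}"
            body = zf.read(info)
            if needle in info.filename.encode() or needle in body:
                yield member
            if max_depth > 0 and zipfile.is_zipfile(io.BytesIO(body)):
                yield from search_container(body, needle, member, max_depth - 1)

# Constructed sample data using the zip row of the table (China / Beijing / Nanjing).
# The member layout (China.txt at top level, Capitol.txt under Sub) is an assumption.
COUNTRY = b"Beijing\nNanjing\nShanghai\n"
CAPITOL = b"The capitol of China is Beijing, not Nanjing"
FILES_ZIP = build_zip({"China.txt": COUNTRY, "Sub/Capitol.txt": CAPITOL})
NESTS_ZIP = build_zip({"China.txt": COUNTRY,
                       "Sub.zip": build_zip({"Capitol.txt": CAPITOL})})

if __name__ == "__main__":
    needle = b"not Nanjing"
    print("raw search, files-style:", raw_hit(FILES_ZIP, needle))
    print("one level,  files-style:", list(search_container(FILES_ZIP, needle, max_depth=0)))
    print("one level,  nests-style:", list(search_container(NESTS_ZIP, needle, max_depth=0)))
    print("recursive,  nests-style:", list(search_container(NESTS_ZIP, needle)))
```

File names are stored uncompressed in zip headers, so a raw search for China.txt still hits the files-style archive even though the file data does not.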

Creating the image files

| Archive Type | Created with... |
|---|---|
| zip | 7zip |
| rar | WinRAR |
| tar | 7zip |
| tar.gz | 7zip |
| tar.bz2 | 7zip |
| tar.xz | 7zip |
| cab | BitZipper, makecab* |
| 7z | 7zip |
| wim | 7zip |
| iso | ALZip |
| cpio | Unix shell with cpio* command |
| alz | ALZip |
| lzh | ALZip |
| dmg | TransMac |
| uue | StuffIt |
| sitx | StuffIt |
| lah | StuffIt |

*makecab
Windows OS command line tool. To use the command, type the following at the command line:

    prompt> makecab /f directive_file.dd

where directive_file.dd is a file which is needed to preserve the hierarchical structure of directories. Here is an example of a directive file.

*cpio
Unix command. To use the command, type the following at the command line:

    find . -type f \( ! -iname "*.cpio" \) | cpio -ov > output_filename

Scenarios

Here are some searches to try on files.dd:
  1. String common to all containers (at top level):
  2. String common to all containers (in subdirectory):
  3. String in file name (not in file data):
  4. String in both file name and file data:
  5. String unique to a single container: