DFRWS 2006 Forensics Challenge is a data carving challenge. It's possible to use PhotoRec to recover most files:
- run :command:`photorec dfrws-2006-challenge.raw`
- Choose Proceed
- Go In Options menu
- Set "Paranoid : Yes (Brute force enabled)"
- Set "Keep corrupted files : Yes"
- Use "Quit" to return to the main menu
- Chose Search
- Confirm the filesystem type "[ Other ]"
- Use 'C' key to confirm the destination of the recovered files (current directory)
- Wait for the recovery to finish
- Quit
All these steps can also be automated in a single command:
photorec /log /d recup_dir /cmd dfrws-2006-challenge.raw options,paranoid_bf,keep_corrupted_file,search
The file to analyze contained 32 files (not including the embedded files, such as pictures in Word documents or the files inside of ZIP files). The 32 files were used to create 22 different scenarios. Each scenario was designed to test a specific situation that might occur in a real file system.
- Category 1 focused on HTML files with ASCII text:
- 1a) One HTML non-fragmented |check|
- 1b) One HTML fragmented with a JPEG in between
- 1c) One HTML fragmented with Unicode text in between
- 1d) Two HTML files that are intertwined
PhotoRec doesn't recover fragmented HTML correctly.
- Category 2 focused on Microsoft Office documents:
- Category 3 focused on JPEG files:
- 3a) One JPEG non-fragmented |check|
- 3b) One JPEG non-fragmented, larger than a typical default max file size |check|
- 3c) One JPEG non-fragmented, but sector before it has 0xffd8 in the first two bytes |check|
- 3d) One JPEG fragmented with text in between |check|
- 3e) One JPEG fragmented with a Word document in between |check|
- 3f) One JPEG fragmented with random data in between |check|
- 3g) One JPEG fragmented with a JPEG in between |check|
- 3h) Two JPEGs that are intertwined
- 3i) One JPEG non-fragmented that is REALLY big |check|
- 3j) One JPEG fragmented with singe sector in between that starts with 0xffd9 |check|
PhotoRec has good results in the JPEG category.
- Category 4 focused on ZIP files:
| Filename | Location | Size | md5 | |
| f0000000.html | 0-8 | 4608 | ||
| 1a | f0000009_Alice_in_Wonderland_[...].html | 9-44 | 18147 | |check| |
| 2c | b0002051.doc | 2051-3867 4429-4435 4557-7963 ... | 4428800 | X |
| 3a | f0003868.jpg | 3868-4428 | 287186 | |check| |
| 1d | f0004436_A_STUDY_IN_SCARLET_1.1.html | 4436-4455 | 10240 | X |
| 1d | f0004456_1_Stave_1_Marley_s_Ghost.html | 4456-4501 | 23544 | X |
| 1d | f0004502.html | 4502-4556 | 27875 | fragment |
| 2d | f0007964_National_Park_Service.doc | 7964-8284 9474-10031 | 450048 | |check| |
| 2d | f0008285.jpg | 8285-9473 | 608703 | |check| |
| 3d | f0011619.jpg | 11619-11822 11849-12017 | 190720 | |check| |
| 3d | f0011823.txt | 11823-11848 | 12828 (+2) | X |
| 3b | f0012222.jpg | 12222-26116 | 7113968 | |check| |
| 1b | f0027496_Comedy_of_Errors_Entire_Play.html | 27496-27606 | 56832 | X |
| 1b | f0027607.jpg | 27607-27977 | 189534 | |check| |
| 1b | f0027978.html | 27978-28196 | 111693 | fragment |
| 1c | f0028244_Chapter_cxxxiv_-_THE_CHASE_[...].html | 28244-28306 (X) | 31850 | X |
| 1c | f0028307.html | 28307-28344 | 18995 | fragment |
| 4a | f0028439_4n6rodeo3-fix_copy.zip | 28439-28726 | 147150 | |check| |
| 4b | f0028729_file1.zip | 28729-29528 29896-31368 | 1163745 | |check| |
| 4b | f0029529_The_Tempest_Entire_Play.html | 29529-29895 | 187793 (-2) | X |
| 3h | b0031475.jpg | 31475-31532 | 29696 | X |
| 3h | b0031533.jpg | 31533-31887 | 181760 | X |
| 2a | f0032837_Fact_Sheet_-_Permitted_and_[...].doc | 32837-33397 | 287232 | |check| |
| 2e | b0034288.doc | 34288-34398 34413-36291 36641-36997 | 1201664 | X |
| 2e | f0034399.txt | 34399-34412 | 6781 | fragment |
| 3c | f0036292.jpg | 36292-36640 | 178659 | |check| |
| 2b | b0036998.doc | 36998-40637 41220-41238 41610 ... | 3133440 | X |
| 3f | f0040638.jpg | 40638-41219 41239-41609 | 487473 | |check| |
| 3g | f0041611.jpg | 41611-43433 44029-44200 | 1021085 | |check| |
| 3g | f0043434.jpg | 43434-44028 | 304413 | |check| |
| 3e | f0045566.jpg | 45566-45963 46104-46826 | 573499 | |check| |
| 3e | f0045964_Statements_of_Financial_Condition.doc | 45964-46103 | 71680 | |check| |
| 3i | f0046910.jpg | 46910-94836 | 24538540 | |check| |
| 3j | f0094846.jpg | 94846-95628 95630-96653 | 924877 | |check| |