NIST is developing Computer Forensic Reference Data Sets (CFReDS) for digital evidence. These reference data sets (CFReDS) provide to an investigator documented sets of simulated digital evidence for examination. Since CFReDS would have documented contents, such as target search strings seeded in known locations of CFReDS, investigators could compare the results of searches for the target strings with the known placement of the strings. Investigators could use CFReDS in several ways including validating the software tools used in their investigations, equipment check out, training investigators, and proficiency testing of investigators as part of laboratory accreditation. The CFReDS site is a repository of images. Some images are produced by NIST, often from the CFTT (tool testing) project, and some are contributed by other organizations. National Institute of Justice funded this work in part through an interagency agreement with the NIST Office of Law Enforcement Standards.
In addition to test images, the CFReDS site
contains resources to aid in
creating your own test images. These creation aids will be
form of interesting data files, useful software tools and
for specific tasks.
This web site is under development and may change or be
There are several uses envisioned for the data
sets, but we also expect that there will be unforeseen
The four most obvious applications are testing forensic tools,
establishing that lab equipment is functioning properly,
proficiency in specific skills and training laboratory staff. Each
of data set has slightly different requirements. Most data sets
used for more than one function. For example, the Russian Tea Room can be used
evaluate the behavior of a tool to search UNICODE text or display
UNICODE text. This set can also be used as a skill test for an
to demonstrate proficiency in working with UNICODE text or as a
Data sets for tool testing need to be
documented. The user of the data set needs to know exactly what is
the data set and where it is located. These data sets should also
provide specification for a set of explicit tests. However, the
should have sufficient documentation to develop and execute other
cases if necessary or desirable. These data sets could be part of
realistic investigation scenario, but it is easier to control
results if each data set is focused on a particular type of tool
function. Examples of focused function areas are string searching,
deleted file recovery and email extraction.
There will tend to be many small test images,
focused on a particular feature for the tool function being
These data sets need to focus on issues in acquisition, access and restoration of data. These data sets might need to have a strong procedural component.
These data sets would be primarily
scenario based tests to give a real flavor to the data set. These
be similar to the data sets for proficiency testing, but generally
The degree of documentation required for a data set varies depending on the use of the data set. For example, a data set for testing string searching requires absolute disk addresses for strings located in unallocated space, but an investigation scenario data set may only need to say that the file at C:\mystuff\social-security-numbers.txt contains the information to be found.
Several data set distribution schemes were considered. Using actual hard disk drives was ruled out as too costly and impractical. We will need to balance several factors, including realism, cost, and practicality.
||Hacking case removed. Any names in the image are fictional and do no refer to real people.
|Russian Tea Room
search in Russian or English (Bigendian)
|asb image, dd, E01
search in Russian (UTF-8)
||Create a drive
known hash values. The creation process also verifies that
hardware and the drive are working as expected.
|Basic Mac image
||Mac File Systems
OS Extended Journaling, HP OS Extended, HP OS Standard &
||Look for images
an image file and network traces.
|| Live memory
||DCFL Control image|
|Mobile Device Images||Mobile device / SIM internal memory images|
|Container Files||String searching on container and nested container files|
|Deleted File Recovery
deleted file recovery images
Carving CFTT Images
||Images used for CFTT file carving test
(Fax) +1(301) 926-3696
Program Manager — Forensic Science
100 Bureau Drive, Stop 8102
Gaithersburg, MD 20899-8102
(Voice) (301) 975-8750
Privacy Poilcy/Security Notice -- Disclaimer | FOIA
Last updated: March 1, 2013
Technical comments: firstname.lastname@example.org
Search NIST website