Model-Based Generation of Synthetic Disk Images for Digital Forensic Tool Testing

Abstract

Testing digital forensic tools is important to determine relevant tool properties like effectiveness and efficiency. Since many different forensic tool categories exist, different testing techniques and especially suitable test data are required. Considering test data for disk analysis and data recovery tools, synthetic disk images provide significant advantages compared to disk images created from real-world storage devices. In this work we propose a framework for generating synthetic disk images for testing digital forensic analysis tools. The framework provides functionality for building models of real-world scenarios in which data on a storage device like a hard disk is created, changed, or deleted. Using such a model our framework allows simulating actions specified in the model in order to generate synthetic disk images with realistic characteristics. These disk images can then be used for testing the performance of forensic disk analysis and data recovery tools.