Model-Based Generation of Synthetic Disk Imagesfor Digital Forensic Tool Testing

York Yannikos, Christian Winter

Fraunhofer Institute for Secure Information Technology SIT

Darmstadt, Germany

{firstname.lastname}@sit.fraunhofer.de

Abstract—Testing digital forensic tools is important to deter-mine relevant tool properties like effectiveness and efficiency.Since many different forensic tool categories exist, differenttesting techniques and especially suitable test data are required.Considering test data for disk analysis and data recovery tools,synthetic disk images provide significant advantages comparedto disk images created from real-world storage devices.

In this work we propose a framework for generating syntheticdisk images for testing digital forensic analysis tools. The frame-work provides functionality for building models of real-worldscenarios in which data on a storage device like a hard disk iscreated, changed, or deleted. Using such a model our frameworkallows simulating actions specified in the model in order togenerate synthetic disk images with realistic characteristics.These disk images can then be used for testing the performanceof forensic disk analysis and data recovery tools.

Keywords-Synthetic disk image generation; forensic tool test-ing; disk analysis tools; Markov chains; model-based simulation

I. INTRODUCTION

Today one challenge in digital forensics is how to deal with

large amounts of data. Forensic analysis tools must be capable

of processing hard disks with several terabytes efficiently

while keeping false positive and false negative rates low.

Since many open source as well as commercial tools exist for

different forensic analysis procedures it is crucial to measure

tool performance, including effectiveness and efficiency, by

using unified testing strategies.

Equally important to the testing strategies is test data.

Finding suitable test data for the very different categories

of forensic analysis tools can be difficult: To allow compre-

hensive tool testing an extensive knowledge about the data

is required, i. e. what kind of traces, attacks, evidence are

contained in the data. Unfortunately, only little information

is available about most real-world data used for tool testing.

In this work we propose a framework which allows gener-

ating synthetic disk images to test digital forensic tools for file

system analysis and data recovery. Each synthetic disk image

generation process is based on a model which has to be built

in advance. This can also be done with our framework.

In the following Sect. II we provide a short overview about

the current state of forensic tool testing. Sect. III summarizes

the advantages and disadvantages of using synthetic data and

real-world data for testing. In Sect. IV a short definition

This work was supported by CASED (www.cased.de).

of Markov processes is given. We describe our model-based

approach in Sect. V followed by the description of our frame-

work architecture in Sect. VI. In Sect. VII we demonstrate

the model building process using a sample scenario. An

evaluation of our framework is given in Sect. VIII followed

by a conclusion in Sect. IX.

II. TOOL TESTING IN DIGITAL FORENSICS

Tool testing is especially important in digital forensics:

Investigators rely on results produced by forensic analysis

tools and findings of evidence data is often used in court.

The National Institute of Standards and Technology created the

Computer Forensics Tool Testing (CFTT) program where com-

mercial as well as open source forensic tools are continuously

being tested [1]. A collection of recent test results for disk

imaging software, tools for forensic media preparation, hard-

and software write blockers, and mobile forensics software is

given in [2].

A methodology for validating and verifying digital forensic

tools with focus on search functionality has been proposed

in [3]. The authors use their methodology in [4] to present

a validation/verification framework for tools used to create

forensically sound copies of evidence data.

III. TEST DATA

Digital forensic tool testing needs suitable test data to

provide reliable results. Test data can either be data collected

from real-world samples like a seized storage device or it can

be synthetic data especially created for testing purposes. An

important question is whether real-world data or synthetic data

should be used for digital forensic tool testing.

A. Real-world Data

The main advantage of real-world data is that the data

characteristics are relevant for real-world cases. Hence real-

world data seems to be an ideal basis for testing digital forensic

tools. However, real-world hard disk data can be difficult to use

due to legal restrictions or availability. Generally, real-world

data could be easily collected through simply buying used

hard disks. Their previous owners often think to have their

data deleted just by formatting the hard disk, by removing

the partition layout, or sometimes even by using the trash

bin of the installed operating system. However, using suitable

forensic tools the chances of recovering most or all of the data

2013 International Conference on Availability, Reliability and Security

978-0-7695-5008-4/13 $26.00 © 2013 IEEE

DOI 10.1109/ARES.2013.65

498

is very high. Nevertheless, in some countries exist very strict

privacy laws which state that any private data of a third party

must not be used for any purpose if the owner did not provide a

usage permission or if he simply showed the intention to have

his data deleted (even if the deletion itself was not successful).

Other sources of real-world data are hard disk images

voluntarily provided by third parties. However, the number

and size of freely available real-world hard disk images is

rather small. Real-world hard disks or disk images from

forensic investigation cases are also rarely available for other

parties than law enforcement agencies. With more than 30

TB probably one of the largest collections of real-world data

available for research is described in [5].

Even if real-world hard disk data is available it may be

of only limited use for testing purposes since many different

categories of digital forensic tools exist. For instance a real-

world disk image which does not include many deleted files

provides no suitable test set for testing file recovery tools.

Additionally, no ground truth is known about such a disk

image: There is no better knowledge about what data exists

on the disk image than that provided by the most accurate

recovery tools.

B. Synthetic Data

The advantage of using synthetic disk images for digital

forensic tool testing is having full knowledge about what data

exists in the image. Even the origin and type of small file frag-

ments are known in contrast to real-world disk images where

such knowledge can hardly be achieved. Another advantage is

the availability: Synthetic disk images can be created on de-

mand, with user-defined characteristics, in arbitrary numbers,

and with arbitrary size. This enables a digital forensic tool

tester to generate the data with exactly those characteristics

required for specific test cases without having to search for

suitable real-world data.

Note that synthetic data is only as realistic as the underlying

model used for the data generation. The more accurate the

model represents real-world characteristics the closer is a

simulation based on that model to the corresponding real-

world process, and therefore the more realistic is the data

generated during the simulation. Building a suitable model

with nearly real-world characteristics is crucial for synthetic

data which aims to compete with real-world data.

In [6] the authors presented a tool set for generating

synthetic disk images using virtual machines. In a more recent

work the authors evaluated their tool set by using it for student

education in forensic computing [7]. The authors mention that

the process to generate a synthetic disk image with their tool

set has to be programmed in advance and therefore requires

specific programming skills from the user. In comparison, our

framework uses a high-level model based on Markov processes

for simulating user actions and provides native support for

file system creation/operations without using virtualization.

This allows creating very different synthetic disk images

for identical scenarios in an efficient way without requiring

additional programming.

A small set of synthetic disk images usable for testing

purposes is available at [8]. No information is given about

how these disk images have been created so we assume that

standard Unix tools have been used.

IV. MARKOV PROCESSES

Our framework for synthetic disk image generation is based

on 3LSPG which we proposed in [9]. With our framework we

first build a model where we use Markov processes to simulate

real-world actions for a specific scenario: We define a set of

actions to be simulated together with a probability for each

action to be performed. For possible transitions between two

actions, i. e. when an action may be performed immediately

after another, we calculate the transition probabilities.

Each Markov process we use within a model is defined by

an aperiodic irreducible discrete-time Markov chain consisting

of a non-void finite set of states S (i. e. a set of actions), a

state probability vector π (i. e. the probability for each action

to be performed), and a state transition probability matrix P(i. e. the probabilities to transit from one to another action).

Additionally, π = π · P holds due to the Markov chain

properties. π can be easily calculated if P is given – however,

calculating P for a given π is not trivial.

When building a model for simulating real-world actions

we think that it is more reasonable to define states (actions)

with a given state probability rather than with a given state

transition probability. Therefore, we assume that π is given

and a suitable P has to be found. For this problem we

presented an efficient solution in [10].

V. MODEL-BASED SYNTHETIC DISK IMAGE GENERATION

To generate synthetic disk images with user-specified char-

acteristics we propose a framework which can be used for

modeling and simulating specific real-world actions on a hard

disk responsible for data creation or modification. Examples

for such actions are downloading, copying, removing, or over-

writing a file. The real-world actions are typically performed

by one or several users of a computer system where the hard

disk is installed.

In order to generate a synthetic disk image with our frame-

work, we first build a model which describes a specific real-

world scenario including a set of actions. After building the

model we use our framework to run a simulation based on

the model, i. e. simulating all actions specified in the model,

whereby a synthetic disk image is generated which can be

used for testing purposes. This process is depicted in Fig. 1.

In the following we propose basic components for modeling

real-world actions on hard disks which are relevant from a

digital forensic point of view.

A. Components for Model Building

Our framework allows creating specific models representing

different real-world scenarios. It provides three component

categories for model building which are described in the

following.

499

������������ ��

������������

������� � �� ����������� �� �����������

���������������� ������ �� ����������������� ��

Fig. 1. Process for generating a synthetic disk image based on a real-worldscenario

• Actions: An action is a state i within a process where

a specific activity is performed. In Markov processes

each state occurs with a specific probability πi and is

successor and predecessor of at least one other state.

Therefore, in a model built with our framework no state

probability is equal to 0. Additionally, for each possible

transition between two states a state transition probability

0 < pij ≤ 1 is specified. In linear processes state

probabilities and state transition probabilities are not

relevant and therefore not defined.

• Processes: A process denotes a sequence of actions to

be performed in a simulation. The actions are performed

either in a linear process, i. e. only a single time and

one after another, or in a Markov process, i. e. a spec-

ified number of times and based on the state transition

probabilities. Processes can either be globally active or

inactive which means that they are either run during the

simulation or ignored at run time.

– Linear Process: A linear process denotes a sequence

of actions including one start action and one end

action. Each action is performed exactly one time

and has exactly one predecessor (except the start

action) and one successor (except the end action).

Linear processes are useful for performing prepa-

ration steps for a subsequent Markov process or

finishing tasks after a simulation. For example a

linear process can be used for initially creating an

empty disk image file of a specific size and then

formatting the image file with a file system before

starting to simulate file system activity using Markov

processes.

– Markov Process: Markov processes are discrete-time

processes used for simulating actions which result

in synthetic data. Each Markov process within a

model is defined as a set of states (actions) with

state transitions and corresponding state probabilities

as well as state transition probabilities. The state

probabilities are defined while building the model

and used to calculate the state transition probabilities

with linear programming as shown in [10].

• Global Objects: A global object denotes a specific object

which is accessible or reachable at any time and by any

action within a model. For example when simulating

actions on a synthetic disk image, the disk image file

itself would be defined as global object.

B. Model Building Process

In order to simulate a real-world scenario with our frame-

work a suitable model must be built using the previously

described components. In the following the steps for model

building are described.

1) Subject definition: In the first step the simulation sub-

jects performing different actions are defined. In the

corresponding real-world scenario the subjects are e. g.

users of a computer system with a hard disk where the

disk image file is created from.

2) Global object definition: In the second step all global

objects required for performing actions are defined. At

least the resulting synthetic disk image file has to be

defined as global object.

3) Process definition: In this step the number and type of

processes within the model are defined.

4) Process sequence definition: In this step the sequence

of all defined processes is defined. Linear processes

are typically used for pre- or post-processing Markov

processes where the simulation is done. Within a model

each process can have at most one predecessor and one

successor. A linear process may also succeed another

linear process: This enables creating several linear pro-

cesses with different outcome which could be set active

or inactive at run time.

5) Action definition: The next step in building a model for

synthetic disk image generation is defining the actions

which are to be simulated. Such actions are performed

on the synthetic disk image and are typically file system

operations or direct writes to the image file. Each action

must be part of a previously defined process.

6) Action transition definition: After subject and action

definition the possibilities to transit from one action to

another are defined. Actions can only transit from one

to another within the same process.

7) Probability derivation: In this step the probabilities for

actions to be performed are defined (state probabilities),

e. g. by deriving them from statistics about file system

operations, from studies about user behavior, or from

assumptions about fictive scenarios.

8) Probability calculation: Based on the previous step the

probabilities to transit from one action to another are

calculated (state transition probabilities). This is done

500

automatically within the framework using linear pro-

gramming. Also, the feasibility of the Markov processes

is checked.

VI. FRAMEWORK ARCHITECTURE

Our framework incorporates functionality for model build-

ing and simulation. Global Objects and Actions are im-

plemented as modules using a unified interface which we

specified to allow an easy extension of the framework. The

framework has been implemented in Java SE 1.7 to ensure

cross-platform compatibility.

In the following we describe the specific framework mod-

ules we implemented:

A. Global Object Modules

The following Global Object modules have been imple-

mented:

• Synthetic Disk Image File: A synthetic disk image file

denotes a file which is initially created as a byte sequence

consisting of a user-specified number of null bytes. An

image file can (but does not have to) be formatted with

a file system in order to write a file/directory structure

on the image file during a simulation. Additionally, raw

binary data without any file system information can be

written directly to the image file. After applying a model

and running all linear/Markov processes, the resulting

synthetic disk image file can be used for testing.

• File Pool: A file pool denotes a source of files to be used

during simulation. Actions performed on a synthetic disk

image during a simulation typically include writing files

to the image. With our framework such files can either

be downloaded from the Internet or taken from a local

file pool, e. g. an intranet file storage server or specific

directories on a local hard disk.

B. Action Modules

The following Action modules have been implemented:

• Wait: The wait action is a placeholder action where

nothing relevant happens.

• Create File System: This action formats a disk image with

a specific file system. Currently we implemented native

support for the FAT16, FAT32, and ext2 file systems.

• Create File: This action writes a file to the disk image

using the underlying file system. The file can either be

taken from a file pool, or can contain predefined static

data or random data.

• Delete File: This action removes a file from the disk

image using the underlying file system. Therefore a file

which has been removed by this action still exists on

the disk image (if not overwritten yet) but actually the

corresponding file references in the file system meta data

have been removed or marked as deleted.

• Write Raw Data: This action is the same as the CreateFile action but without using the file system, i. e. writing

data using this action is equal to using the dd tool to

write to a block device. We can use this e. g. to simulate

disk corruptions.

• Download File: This action downloads a random file

from the Internet and stores it on the disk image like

the Create File action. Examples for a random file are

freely available pictures from an online picture database

or binary files from open source software repositories.

• Export Disk Image: This action exports the generated

synthetic disk image.

• Export Disk Image Map: This action exports an image

map which provides information about the location of

each file or file fragment on the generated synthetic disk

image. The image map allows a very detailed comparison

of analysis results from different forensic tools with the

actual data existing on the disk image. This provides a

significant advantage compared to using real-world disk

images.

• Import Disk Image: This action imports an already gener-

ated synthetic disk image with its image map (if available)

for further modification.

C. General User Interface

The framework provides a user interface for model building

and simulation. The user interface also includes a logging

component which provides detailed information for each per-

formed action and process together with a time stamp. The

data provided by the logging component is also used for

creating the disk image map if required. In Fig. 4 a screenshot

of the user interface is shown.

VII. GENERATING A DISK IMAGE FOR A SAMPLE

SCENARIO

In the following we describe a sample real-world scenario

and provide a suitable model in order to generate a synthetic

disk image with our framework.

A. Scenario

Our example scenario focuses on testing different file

carvers. Many commercial as well as open source file carvers

exist – however, there is no comprehensive comparison of

their performance available. File carving tools basically search

raw binary data for header/footer byte signatures of previously

deleted files in order to recover them. While simple file carvers

assume that any data between a found header and footer is not

fragmented and belongs to the same file, advanced file carvers

are also able to handle a specific amount of fragmentation.

In our sample scenario we assume that disk images with the

following properties provide suitable test data for file carvers:

• The disk image contains a significant number of deleted

files without any reference from a potentially existing file

system.

• The number of the different file types is large for the

deleted files.

• A significant amount of the deleted files is fragmented.

• For fragmented files the number of fragments lies within

a specific interval, e. g. 2 to 10 fragments.

501

������������������ !

"�#��� �������� ������ � !

$����� ����������� !

%�&�� ������������!

'�#��� ���������� !

(����������������� !

)�*�� ������ ������ !

Fig. 2. Example set of actions to create a synthetic disk image withfragmented files

Fig. 2 shows a possible first set of actions performed on a

synthetic disk image in order to create deleted and fragmented

files:

1) Create an initial empty disk image file

2) Format the disk image file with a file system (creating

a reserved area for file system meta information at the

beginning of the image file)

3) Download a random file from the Internet and store it

on the disk (creating a reference in the file system)

4) Create a second file on the disk, e. g. by copying it from

a specific source (again creating a reference in the file

system)

5) Delete the downloaded file from the disk (removing the

file system reference but not overwriting the file)

6) Download a third file and store it on the disk (creating

a reference in the file system)

7) Write a small number of random data fragments to the

disk without respecting file system structure (overwriting

any existing data and therefore fragmenting files)

After applying such a set of actions the resulting disk image

can be used to test the performance of different file carvers.

However, all but the first two steps have to be repeated several

times to create synthetic disk images with a reasonable size

and a significant number of files and file fragments on it.

B. Model

For the described sample scenario we use our framework

to build a suitable model. Based on that model we can then

generate a synthetic disk image file which can be used as

test data for different file carvers. Additional meta information

should also be generated along with the disk image file,

e. g. to reuse the disk image file in another simulation with

our framework. In the following we apply the previously

introduced steps of the model building process.

First we define a typical user of a computer system with an

installed hard disk as subject responsible for the actions to be

simulated. For our model the relevant actions performed by

the user are those file system operations where data is written

or deleted from the hard disk.

Then we define two global objects: a synthetic disk image

file where all simulated actions are performed on and a file

pool which can be used as source for files to write on the disk

image.

Based on the scenario properties we specify a sequence of

three processes with different actions and action transitions

which can be used to generate a disk image suitable for testing

file carvers:

1) Linear process• Action la11: Create File System

2) Markov process• Action ma11: Create File• Action ma12: Download File• Action ma13: Delete File• Action ma14: Write Raw Data

3) Linear process• Action la21: Export Disk Image• Action la22: Export Disk Image Map

Fig. 3 gives an overview about the model including the se-

quence of the three processes and possible transitions between

the actions of the Markov process.

��%�

��%% ��%"

��%'

��%%

��"% ��""

+�����,�����

����-,�����

+�����,�����

Fig. 3. Sample model to generate a synthetic disk image for the describedscenario

Note that the creation of a file system and using file system

operations like Create File or Delete File are not really

required to generate a disk image which fits our scenario

– just using the Write Raw Data action with a suitable

data source would be enough. However, using a file system

502

and file system operations makes storing files on the disk

image significantly less difficult since we are not required to

handle an overhead like file position offsets, file sizes, etc. by

ourselves. Additionally, using a file system provides a realistic

file-system specific fragmentation.

The last steps of building the model are deriving suitable

probabilities for the actions in the Markov process as well as

calculating the action transition probabilities. For the actions

ma11, . . . ,ma14 of the Markov process we define the proba-

bilities π1, . . . , π4 as elements of the state probability vector

π as follows:

π = (π1, . . . , π4) = (0.2 , 0.4 , 0.333 , 0.067)

Note that these probabilities are exemplary and not based on

any statistics of hard disk operations caused by user behavior

or likewise. We plan to derive the probabilities from real-world

observations in our future research.

Based on the state probability vector π we use our frame-

work to calculate feasible transition probabilities and define

a state transition probability matrix P which satisfies the

previously mentioned requirement π = π · P :

P =

⎡⎢⎢⎣0.067 0.799 0.067 0.0670.134 0.067 0.732 0.0670.386 0.48 0.067 0.0670.067 0.799 0.067 0.067

⎤⎥⎥⎦

Note that this specific matrix P is also exemplary and no

unique solution. By calculating P we complete the model

building process. Fig. 4 shows a screenshot of the model

builder interface of our framework using the described ex-

ample.

C. Simulation

After the model has been built with our framework the

simulation process has to be configured, i. e. the properties

for each action, subject, and global object has to be defined.

This includes e. g. defining how many actions a subject should

perform during the simulation or specifying a source for files

to be written on the disk image file during a Create File action.

Finally, when the configuration has been finished the syn-

thetic disk image generation process, i. e. the simulation, can

be started and then runs without requiring any user interaction.

When the simulation finishes a synthetic disk image file has

been generated with the properties specified by the scenario-

based model.

VIII. EVALUATION

To evaluate our framework we used the previously described

model for the sample scenario with a slight modification: We

exchanged the Download File action with a second Create Fileaction to avoid potential delays or timeouts while downloading

files from Internet sources.

For the simulation process we used the following configu-

ration:

• Synthetic disk image file size: 1500 MB

1 2 3 4 5 6 7 8 9 10

0

20

40

3136

44

34 34 3237

32

3835

Simulation run

Tim

ein

seco

nds

(a) Required time in seconds for each simulation run

1 2 3 4 5 6 7 8 9 10

0

20

40

60

80

100

46

61

87

50 51 48

66

43

68

46

Simulation run

Use

ddis

ksp

ace

inper

cent

(b) Used space of the generated synthetic disk image after each simulation run

1 2 3 4 5 6 7 8 9 10

0

100

200

167 187

232

180

165

161

214

152

203

157

140

112

70

115

128

133

95

137

107 138

Simulation run

Num

ber

of

file

s

(c) Number of allocated (light gray) and deleted files (dark gray) on thegenerated synthetic disk image after each simulation run

Fig. 5. Evaluation results for 10 simulation runs where a synthetic diskimage was generated (average values shown as gray line)

• File system to be used: FAT32

• File pool location: 2 directories with a total of 2219 files

For the Write Raw Data action we used the following

configuration:

• Data source: 1 random file from file pool

• Number of fragments to write: between 2 and 10, chosen

randomly

• Size of each fragment: between 32 bytes and 16 KiB,

chosen randomly

• Location on the disk image to write the data to: chosen

randomly, excluding areas containing file system meta

data

For the Create File actions the same file pool was specified

as source.

503

Fig. 4. Screenshot of the model builder interface of the framework

All file system operations were perfomed using specific li-

braries which we developed for our framework. By the writing

of this paper, our framework supports read/write operations for

ext2, FAT16, and FAT32.

With this configurations we did 10 simulation runs and

measured the required time, the used disk space of each

resulting synthetic disk image, and the number of allocated

and deleted files on each disk image. All simulation runs

where performed on a PC with 2.8 GHz dual-core CPU, 4

GiB system memory, running Ubuntu Linux. The individual

results for each simulation run are shown in Figs. 5(a), 5(b),

and 5(c).

We were able to completely finish each simulation run in

about 35 seconds on average. After each run an individual

synthetic disk image was created, containing an average of 182

allocated and 118 deleted files, where the former were using

57% of the image disk space. This shows that a synthetic disk

image containing a reasonable amount of data can be generated

in short time with our framework.

IX. CONCLUSION

In this work we provided a short overview about the current

state of forensic tool testing. We described the advantages of

using synthetic data for testing instead of real-world data and

showed that only little work has been done regarding synthetic

test data generation. To support digital forensic tool testing

we proposed a framework which allows generating synthetic

disk images suitable for testing. In order to use the framework

a real-world scenario has to be chosen initially in which

users perform actions which result in suitable test data, e. g. a

computer system where users create, delete, and modify files

on a hard disk. Our framework provides functionality to build

a model for such a scenario and is able to simulate the actions

contained in the model. By that a synthetic disk image can be

created which has the characteristics specified in the model.

Additionally, an image map can be created which contains

detailed information about the content of each single fragment

of the disk image. The synthetic disk image can then be used

to test the performance of disk analysis and data recovery tools

while the image map provides a reference for comparing tool

analysis results.

Additional work has to be done regarding modeling relevant

real-world scenarios. Especially deriving realistic probabilities

for the different actions within a model is important. A survey

about actions performed by users of different file systems

and operating systems could be interesting and may help to

significantly improve the model building process.

REFERENCES

[1] National Institue of Standards and Technology (NIST), “ComputerForensic Tool Testing (CFTT) Program,” 2013. [Online]. Available:http://www.cftt.nist.gov/

[2] ——, “Computer Forensics Tool Testing Handbook,” 2012. [Online].Available: http://www.cftt.nist.gov/CFTT-Booklet-Revised-02012012.pdf

[3] Y. Guo, J. Slay, and J. Beckett, “Validation and verification of computerforensic software tools–searching function,” Digital Investigation, vol. 6,no. Supplement 1, pp. S12–S22, 2009, the Proceedings of the NinthAnnual DFRWS Conference.

[4] Y. Guo and J. Slay, “A Function Oriented Methodology to Validateand Verify Forensic Copy Function of Digital Forensic Tools,” in Inter-national Conference on Availability, Reliability, and Security (ARES).IEEE, 2010, pp. 665–670.

504

[5] S. Garfinkel, “Lessons learned writing digital forensics tools and man-aging a 30TB digital evidence corpus,” Digital Investigation, vol. 9, pp.S80–S89, 2012.

[6] C. Moch and F. Freiling, “The forensic image generator generator(forensig2),” in IT Security Incident Management and IT Forensics,2009. IMF’09. Fifth International Conference on. IEEE, 2009, pp.78–93.

[7] C. Moch and F. C. Freiling, “Evaluating the Forensic Image GeneratorGenerator,” in Digital Forensics and Cyber Crime. Springer, 2012, pp.238–252.

[8] B. Carrier, “Digital Forensics Tool Testing Images,” 2010. [Online].Available: http://dftt.sourceforge.net/

[9] Y. Yannikos, F. Franke, C. Winter, and M. Schneider, “3LSPG: Forensictool evaluation by three layer stochastic process-based generation ofdata,” in Computational Forensics: Fourth International Workshop,IWCF 2010, ser. Lecture Notes in Computer Science. Springer Berlin/ Heidelberg, Nov 2010.

[10] Y. Yannikos, C. Winter, and M. Schneider, “Synthetic Data Creation forForensic Tool Testing: Improving Performance of the 3LSPG Frame-work,” in Seventh International Conference on Availability, Reliabilityand Security (ARES). IEEE, 2012, pp. 613–619.

505