Test Results for String Search Tool

Test Results for String Search Tool:
Autopsy Version 4.6

Text formatted like this (Bold, Italics and Green) should be removed and replaced. These are instructions to the report writer.

You should begin with a cover page and an introductory section and maybe a table of contents.

How to Read This Report

This report is organized into the following sections:
Of course, you can reorganize sections, but then you should update this list.

Tested Tool Description. The tool name, version, and vendor information are listed.
Testing Organization. Contact information and approvals.
Results Summary. This section identifies any significant anomalies observed in the test runs. This section provides a narrative of key findings identifying where the tool meets expectations and provides a summary of any ways the tool did not meet expectations. The section also provides any observations of interest about the tool or about testing the tool including any observed limitations or organization imposed restrictions on tool use.
Test Environment & Selected Cases. Description of hardware, software and support environment (e.g., version of Federated Testing used, device firmware version, etc) used in tool testing and a list identifying the applicable test cases selected from the Federated Testing String Search Test Suite.
Test Result Details by Case. Automatically generated test results that identify anomalies.

Test Results for String Search Tool:
Autopsy Version 4.6

Tested Tool Description

Tool Name: Autopsy
Tool Version: 4.6
Vendor: Insert vendor name and contact information.

Testing Organization

The following items in this section may be included or omitted as per organization's policy for tool test reports.
Organization conducting test: Insert Organization name.
Contact: Insert contact name.
Report date: Insert date.
Authored by: Insert author name.
Reviewed by: Insert name of reviewer.
Reviewed by date: Insert date.
Approved: Insert name of approving official.
Approved by date: Insert date.

This test report was generated using CFTT's Federated Testing Forensic Tool Testing Environment, see Federated Testing Home Page.

Results Summary

Provide a narrative of key findings -- did the tool meet expectations. If not provide a summary of how the tool did not meet expectations. Provide any observations of interest about the tool or about testing the tool including any observed limitations or organization imposed restrictions on tool use.

Test Environment & Selected Cases

This section describes test hardware, software, test data sets and test cases.

Test Hardware and Software

Hardware

List and describe any hardware used during testing in sufficient detail to repeat the tests.

Software

List and describe any additional software used during testing in sufficient detail to repeat the tests.

Test Data Sets

String search test data set package Version 1.1 was used. The package can be downloaded from either the CFTT web site (www.cftt.nist.gov then select String Searching) or the CFReDS web site (www.cfreds.nist.gov). The package includes two dd files with known content. One of the dd test images contains target strings within FAT, ExFAT and NTFS file systems (Windows), the other dd test image contains target strings from HFS+ journaled, case insensitive (OSXJ), HFS+ journaled, case sensitive (OSXC), ext4 file system and APFS (Apple file system) (UNIX-like).

In general, each target string is encoded in ASCII and located in an active file and a recoverable deleted file in each partition of the test image. The Windows dd image also has a block of unallocated storage that contains the target strings without a file system. Some of the target strings are also encoded in Unicode UTF-8, UTF-16BE and UTF-16LE with a byte-order-mark. Test case FT-SS-09 is organized to test specific situations such as formatted strings, strings spanning file fragments, Unicode UTF-16 without a byte-order-mark, Unicode text with and without combining characters (diacritic marks), Unicode text with and without ligatures ("fi" as two characters and as one character) and strings located in inaccessible areas. Each instance of a target string also has a unique associated string ID located immediately after the target string. The string ID helps identify the specific string matched by the search tool.

Test Case Descriptions

The following table gives a brief description of available test cases in the data sets. Not all test cases are used for all data sets.
You can delete the row in the table for any cases not used.

Case Case Description
FT-SS-01 Search ASCII
FT-SS-02 Search Ignore Case
FT-SS-03 Search for Words
FT-SS-04 Search Logical AND
FT-SS-05 Search Logical OR
FT-SS-06 Search Logical NOT
FT-SS-07-CJK-char Search Unicode Chinese/Japanese ideograms (Asian)
FT-SS-07-CJK-hangul Search Unicode CJK Korean Hangul (Asian)
FT-SS-07-CJK-kana Search Unicode CJK Japanese phonetic Kana (Asian)
FT-SS-07-Cyrillic Search Unicode Cyrillic (Russian)
FT-SS-07-Latin Search Unicode Latin (French & German)
FT-SS-07-NoBOM Search Unicode 16 without a byte-order-mark
FT-SS-07-Norm Normalized Search of Unicode text with diacritic marks (NFC & NFD)
and ligatures (NFKC & NFKD)
FT-SS-07-RTL Search Unicode RTL (Arabic)
FT-SS-08-Email Search Tool-defined Queries -- Email Address
FT-SS-08-Phone Search Tool-defined Queries -- Telephone Number
FT-SS-08-SS Search Tool-defined Queries -- Social Security
FT-SS-09-Doc Search Formatted Document Text
FT-SS-09-Frag Search Fragmented File
FT-SS-09-Lost Search Inaccessible (lost) Areas
FT-SS-09-MFT Search File in MFT
FT-SS-09-Meta Search file name substring in Meta-data
FT-SS-09-Stem Search for matches to word stem
FT-SS-10-Hex Search Hexadecimal Character Match
FT-SS-10-Regex Search Pattern Character Match

Case	Case Description
FT-SS-01	Search ASCII
FT-SS-02	Search Ignore Case
FT-SS-03	Search for Words
FT-SS-04	Search Logical AND
FT-SS-05	Search Logical OR
FT-SS-06	Search Logical NOT
FT-SS-07-CJK-char	Search Unicode Chinese/Japanese ideograms (Asian)
FT-SS-07-CJK-hangul	Search Unicode CJK Korean Hangul (Asian)
FT-SS-07-CJK-kana	Search Unicode CJK Japanese phonetic Kana (Asian)
FT-SS-07-Cyrillic	Search Unicode Cyrillic (Russian)
FT-SS-07-Latin	Search Unicode Latin (French & German)
FT-SS-07-NoBOM	Search Unicode 16 without a byte-order-mark
FT-SS-07-Norm	Normalized Search of Unicode text with diacritic marks (NFC & NFD) and ligatures (NFKC & NFKD)
FT-SS-07-RTL	Search Unicode RTL (Arabic)
FT-SS-08-Email	Search Tool-defined Queries -- Email Address
FT-SS-08-Phone	Search Tool-defined Queries -- Telephone Number
FT-SS-08-SS	Search Tool-defined Queries -- Social Security
FT-SS-09-Doc	Search Formatted Document Text
FT-SS-09-Frag	Search Fragmented File
FT-SS-09-Lost	Search Inaccessible (lost) Areas
FT-SS-09-MFT	Search File in MFT
FT-SS-09-Meta	Search file name substring in Meta-data
FT-SS-09-Stem	Search for matches to word stem
FT-SS-10-Hex	Search Hexadecimal Character Match
FT-SS-10-Regex	Search Pattern Character Match

Some test cases are for specific features, e.g., logical conditions (and, or, not), built in searches (email, telephone numbers), etc. Three test cases, FT-SS-09-Frag, FT-SS-09-Lost & FT-SS-09-MFT, are only applied to the Windows data set.

If a test case applies to a feature that is not supported by the tested tool, the case should be omitted and listed here.

Test Result Details by Case (per Data Set)

This section presents test results grouped by function.

A string search tool may implement more than one search algorithm (also known as a search engine) for searching text. The two most common search engines are indexed search and live search. An indexed search reads all the acquired data once before doing any searching and builds an index to all words found. Each query can be looked up quickly in the index. A Live search reads all the acquired data for each query.

This section presents test results by test image (windows file systems, unix-like file systems or both). For each test image, there is a result table for each search engine tested. Each table shows results by test case of the number of expected search hits, the number of actual search hits and the number of strings missed (i.e., expected hits minus actual hits) for allocated files, deleted files and unallocated space.

The following search engines were tested: Indexed.

Results for Data Set: Windows

This section provides results for the Windows data set.

Results for Indexed Search of Windows Data Set

The table columns contain the following information:

Case The test case identifier.
Expected String The expected strings that should be reported by the search.
Active Files A group of three columns (Expected, Hits and Misses) giving the number of hits and misses when searching for the expected string in an active file.
Deleted Files A group of three columns (Expected, Hits and Misses) giving the number of hits and misses when searching for the expected string in a deleted file.
Unallocated Space A group of three columns (Expected, Hits and Misses) giving the number of hits and misses when searching for the expected string in unallocated space.
Expected The number of instances of the expected string found in the group (i.e., Active files, Deleted files or Unallocated space).
Hits The number of times the expected string was found in the group.
Misses The number of times the expected string was missed (not found) in the group.

Notes: If the row identifies a test case, then the results are a summary for all the strings that should be found.

In the Expected String column for test case FT-SS-09-DOC each string is labeled to indicate features of the expected string. The labels include the file type (.doc, .docx or .html), the encoding of the string in the .doc file and if the string has embedded formatting, labeled as Formatted, e.g., the string crossbow has the substring cross formatted as bold and underlined, i.e., crossbow.

Case Expected String Active Files Deleted Files Unalloc Space

Expected Hits Misses Expected Hits Misses Expected Hits Misses

FT-SS-01 3 3 0 3 3 0 1 1 0

DireWolf 3 3 0 3 3 0 1 1 0

FT-SS-02 15 15 0 15 15 0 5 5 0

WOLF 3 3 0 3 3 0 1 1 0

wolf 3 3 0 3 3 0 1 1 0

Wolf 3 3 0 3 3 0 1 1 0

DireWolf 3 3 0 3 3 0 1 1 0

WereWolf 3 3 0 3 3 0 1 1 0

FT-SS-03 9 9 0 9 9 0 3 3 0

WOLF 3 3 0 3 3 0 1 1 0

wolf 3 3 0 3 3 0 1 1 0

Wolf 3 3 0 3 3 0 1 1 0

FT-SS-07-CJK-char 18 18 0 18 18 0 6 2 4

中国 9 9 0 9 9 0 3 1 2

東京 9 9 0 9 9 0 3 1 2

FT-SS-07-CJK-hangul 9 9 0 9 9 0 3 1 2

서울 9 9 0 9 9 0 3 1 2

FT-SS-07-CJK-kana 18 18 0 18 18 0 6 4 2

スバル 9 9 0 9 9 0 3 1 2

みつびし 9 9 0 9 9 0 3 3 0

FT-SS-07-Cyrillic 9 9 0 9 9 0 3 3 0

Сибирь 9 9 0 9 9 0 3 3 0

FT-SS-07-Latin 18 18 0 18 18 0 6 2 4

garçon 9 9 0 9 9 0 3 1 2

Schönheit 9 9 0 9 9 0 3 1 2

FT-SS-07-NoBOM 39 39 0 39 39 0 13 13 0

Россия 9 9 0 9 9 0 3 3 0

فلافل 9 9 0 9 9 0 3 3 0

中國 9 9 0 9 9 0 3 3 0

QuarterHorse 12 12 0 12 12 0 4 4 0

FT-SS-07-Norm 75 75 0 75 75 0 25 9 16

mañana (NFD) 9 9 0 9 9 0 3 0 3

infinity (No Ligature) 12 12 0 12 12 0 4 4 0

Mäuse (NFD) 9 9 0 9 9 0 3 0 3

inﬁnity (Ligature) 9 9 0 9 9 0 3 0 3

Mäuse (NFC) 9 9 0 9 9 0 3 3 0

libertà (NFC) 9 9 0 9 9 0 3 1 2

libertà (NFD) 9 9 0 9 9 0 3 0 3

mañana (NFC) 9 9 0 9 9 0 3 1 2

FT-SS-07-RTL 9 9 0 9 9 0 3 3 0

الكسكس 9 9 0 9 9 0 3 3 0

FT-SS-08-Email 21 21 0 21 21 0 7 7 0

iron.man@marvel.com 12 12 0 12 12 0 4 4 0

potus@capitol.gov 3 3 0 3 3 0 1 1 0

berlin@deutchland.net 3 3 0 3 3 0 1 1 0

kgb@moscow.red.square.ru 3 3 0 3 3 0 1 1 0

FT-SS-08-Phone 21 18 3 21 18 3 7 6 1

(901)555-1111 3 0 3 3 0 3 1 0 1

301.555-9009 12 12 0 12 12 0 4 4 0

800-555-1122 3 3 0 3 3 0 1 1 0

202.555.3270 3 3 0 3 3 0 1 1 0

FT-SS-09-Doc 16 16 0 0 0 0 16 13 3

longbow
.html 2 2 0 0 0 0 2 2 0

shotgun
Formatted .doc UTF-16 2 2 0 0 0 0 2 2 0

revolver
.doc UTF-16 2 2 0 0 0 0 2 2 0

peroxide
.docx 2 2 0 0 0 0 2 1 1

nitroglycerin
Formatted .docx 2 2 0 0 0 0 2 1 1

rifle
.doc UTF-8 2 2 0 0 0 0 2 2 0

crossbow
Formatted .html 2 2 0 0 0 0 2 1 1

flintlock
Formatted .doc UTF-8 2 2 0 0 0 0 2 2 0

FT-SS-09-Frag 2 2 0 0 0 0 0 0 0

Washington 1 1 0 0 0 0 0 0 0

California 1 1 0 0 0 0 0 0 0

FT-SS-09-Lost 0 0 0 0 0 0 4 4 0

SecretKey 0 0 0 0 0 0 2 2 0

disconnected 0 0 0 0 0 0 2 2 0

FT-SS-09-MFT 4 4 0 4 4 0 0 0 0

bear 4 4 0 4 4 0 0 0 0

FT-SS-09-Meta 6 6 0 6 6 0 2 2 0

cañón 3 3 0 3 3 0 1 1 0

thunderbird 3 3 0 3 3 0 1 1 0

FT-SS-10-Regex 6 6 0 6 6 0 2 2 0

DireWolf 3 3 0 3 3 0 1 1 0

WereWolf 3 3 0 3 3 0 1 1 0

Case	Expected String	Active Files	Deleted Files	Unalloc Space
Expected	Hits	Misses	Expected	Hits	Misses	Expected	Hits	Misses
FT-SS-01		3	3	0	3	3	0	1	1	0
	DireWolf	3	3	0	3	3	0	1	1	0
FT-SS-02		15	15	0	15	15	0	5	5	0
	WOLF	3	3	0	3	3	0	1	1	0
	wolf	3	3	0	3	3	0	1	1	0
	Wolf	3	3	0	3	3	0	1	1	0
	DireWolf	3	3	0	3	3	0	1	1	0
	WereWolf	3	3	0	3	3	0	1	1	0
FT-SS-03		9	9	0	9	9	0	3	3	0
	WOLF	3	3	0	3	3	0	1	1	0
	wolf	3	3	0	3	3	0	1	1	0
	Wolf	3	3	0	3	3	0	1	1	0
FT-SS-07-CJK-char		18	18	0	18	18	0	6	2	4
	中国	9	9	0	9	9	0	3	1	2
	東京	9	9	0	9	9	0	3	1	2
FT-SS-07-CJK-hangul		9	9	0	9	9	0	3	1	2
	서울	9	9	0	9	9	0	3	1	2
FT-SS-07-CJK-kana		18	18	0	18	18	0	6	4	2
	スバル	9	9	0	9	9	0	3	1	2
	みつびし	9	9	0	9	9	0	3	3	0
FT-SS-07-Cyrillic		9	9	0	9	9	0	3	3	0
	Сибирь	9	9	0	9	9	0	3	3	0
FT-SS-07-Latin		18	18	0	18	18	0	6	2	4
	garçon	9	9	0	9	9	0	3	1	2
	Schönheit	9	9	0	9	9	0	3	1	2
FT-SS-07-NoBOM		39	39	0	39	39	0	13	13	0
	Россия	9	9	0	9	9	0	3	3	0
	فلافل	9	9	0	9	9	0	3	3	0
	中國	9	9	0	9	9	0	3	3	0
	QuarterHorse	12	12	0	12	12	0	4	4	0
FT-SS-07-Norm		75	75	0	75	75	0	25	9	16
	mañana (NFD)	9	9	0	9	9	0	3	0	3
	infinity (No Ligature)	12	12	0	12	12	0	4	4	0
	Mäuse (NFD)	9	9	0	9	9	0	3	0	3
	inﬁnity (Ligature)	9	9	0	9	9	0	3	0	3
	Mäuse (NFC)	9	9	0	9	9	0	3	3	0
	libertà (NFC)	9	9	0	9	9	0	3	1	2
	libertà (NFD)	9	9	0	9	9	0	3	0	3
	mañana (NFC)	9	9	0	9	9	0	3	1	2
FT-SS-07-RTL		9	9	0	9	9	0	3	3	0
	الكسكس	9	9	0	9	9	0	3	3	0
FT-SS-08-Email		21	21	0	21	21	0	7	7	0
	iron.man@marvel.com	12	12	0	12	12	0	4	4	0
	potus@capitol.gov	3	3	0	3	3	0	1	1	0
	berlin@deutchland.net	3	3	0	3	3	0	1	1	0
	kgb@moscow.red.square.ru	3	3	0	3	3	0	1	1	0
FT-SS-08-Phone		21	18	3	21	18	3	7	6	1
	(901)555-1111	3	0	3	3	0	3	1	0	1
	301.555-9009	12	12	0	12	12	0	4	4	0
	800-555-1122	3	3	0	3	3	0	1	1	0
	202.555.3270	3	3	0	3	3	0	1	1	0
FT-SS-09-Doc		16	16	0	0	0	0	16	13	3
	longbow .html	2	2	0	0	0	0	2	2	0
	shotgun Formatted .doc UTF-16	2	2	0	0	0	0	2	2	0
	revolver .doc UTF-16	2	2	0	0	0	0	2	2	0
	peroxide .docx	2	2	0	0	0	0	2	1	1
	nitroglycerin Formatted .docx	2	2	0	0	0	0	2	1	1
	rifle .doc UTF-8	2	2	0	0	0	0	2	2	0
	crossbow Formatted .html	2	2	0	0	0	0	2	1	1
	flintlock Formatted .doc UTF-8	2	2	0	0	0	0	2	2	0
FT-SS-09-Frag		2	2	0	0	0	0	0	0	0
	Washington	1	1	0	0	0	0	0	0	0
	California	1	1	0	0	0	0	0	0	0
FT-SS-09-Lost		0	0	0	0	0	0	4	4	0
	SecretKey	0	0	0	0	0	0	2	2	0
	disconnected	0	0	0	0	0	0	2	2	0
FT-SS-09-MFT		4	4	0	4	4	0	0	0	0
	bear	4	4	0	4	4	0	0	0	0
FT-SS-09-Meta		6	6	0	6	6	0	2	2	0
	cañón	3	3	0	3	3	0	1	1	0
	thunderbird	3	3	0	3	3	0	1	1	0
FT-SS-10-Regex		6	6	0	6	6	0	2	2	0
	DireWolf	3	3	0	3	3	0	1	1	0
	WereWolf	3	3	0	3	3	0	1	1	0

Meta-Data results for Indexed Search of Windows Data Set

The following table presents search results for strings located in file system meta-data. The Case column identifies the test case, the String column identifies the search string, the Partition column identifies the partition (file system) where the string is located and the Seen column records if the search tool reported at least one instance of the string (yes or no) in meta-data.

Case String Partition Seen

FT-SS-09-Meta

thunderbird ntfs Yes

cañón fat32 Yes

cañón exfat Yes

cañón ntfs Yes

Case	String	Partition	Seen
FT-SS-09-Meta
	thunderbird	ntfs	Yes
	cañón	fat32	Yes
	cañón	exfat	Yes
	cañón	ntfs	Yes

Comments on Indexed Search of Windows Data Set

The following table presents any comments recorded during testing for a test case.

Case Comments

FT-SS-01 Search target strings located in deleted files are reported twice, once from the deleted file and again as from unallocated storage.

FT-SS-02 Search target strings located in deleted files are reported twice, once from the deleted file and again as from unallocated storage.

FT-SS-03 Search target strings located in deleted files are reported twice, once from the deleted file and again as from unallocated storage.

FT-SS-07-CJK-char Search target 中国 strings encoded as UTF-8 and located in deleted files are reported twice, once from the deleted file and again as from unallocated storage.

FT-SS-07-CJK-hangul Search target strings encoded as UTF-8 and located in deleted files are reported twice, once from the deleted file and again as from unallocated storage.

FT-SS-07-CJK-kana Search target string, スバル, encoded as UTF-8 and located in deleted files is reported twice, once from the deleted file and again as from unallocated storage.
Search target string, みつびし, located in deleted files is reported twice, once from the deleted file and again as from unallocated storage.

FT-SS-07-Cyrillic Search target strings located in deleted files are reported twice, once from the deleted file and again as from unallocated storage.

FT-SS-07-Latin Search target strings encoded as UTF-8 and located in deleted files are reported twice, once from the deleted file and again as from unallocated storage.

FT-SS-07-NoBOM Search target strings located in deleted files are reported twice, once from the deleted file and again as from unallocated storage.

FT-SS-07-Norm Tool did not normalize the search string.
Search strings entered in NFC form found all targets in active files and deleted files and all targets located in unallocated space if encoded in UTF-8, but sometimes targets encoded in UTF-16 were missed.
Search strings entered in NFD form found all targets in active files and deleted files and no targets located in unallocated space.
Search results were the same if the combining characters (or ligature) are replaced with a regular expression of mathc any character.

FT-SS-07-RTL Search target strings located in deleted files are reported twice, once from the deleted file and again as from unallocated storage.

FT-SS-08-Email Search target strings located in deleted files are reported twice, once from the deleted file and again as from unallocated storage.

FT-SS-08-Phone Search target strings located in deleted files are reported twice, once from the deleted file and again as from unallocated storage.

FT-SS-09-MFT All the strings are listed as being in the $MFT, except for string ID 7011. However, the string contains the fix-up-byte and is skipped in the "indexed text" window.
The string ID for string 7010 contains a fix-up-byte and appears corrupted in the "indexed text" window.

FT-SS-09-Meta Hits on the string "thunderbird" are reported in the files $MFT and $LogFile.

FT-SS-10-Regex Search target strings located in deleted files are reported twice, once from the deleted file and again as from unallocated storage.

Case	Comments
FT-SS-01	Search target strings located in deleted files are reported twice, once from the deleted file and again as from unallocated storage.
FT-SS-02	Search target strings located in deleted files are reported twice, once from the deleted file and again as from unallocated storage.
FT-SS-03	Search target strings located in deleted files are reported twice, once from the deleted file and again as from unallocated storage.
FT-SS-07-CJK-char	Search target 中国 strings encoded as UTF-8 and located in deleted files are reported twice, once from the deleted file and again as from unallocated storage.
FT-SS-07-CJK-hangul	Search target strings encoded as UTF-8 and located in deleted files are reported twice, once from the deleted file and again as from unallocated storage.
FT-SS-07-CJK-kana	Search target string, スバル, encoded as UTF-8 and located in deleted files is reported twice, once from the deleted file and again as from unallocated storage. Search target string, みつびし, located in deleted files is reported twice, once from the deleted file and again as from unallocated storage.
FT-SS-07-Cyrillic	Search target strings located in deleted files are reported twice, once from the deleted file and again as from unallocated storage.
FT-SS-07-Latin	Search target strings encoded as UTF-8 and located in deleted files are reported twice, once from the deleted file and again as from unallocated storage.
FT-SS-07-NoBOM	Search target strings located in deleted files are reported twice, once from the deleted file and again as from unallocated storage.
FT-SS-07-Norm	Tool did not normalize the search string. Search strings entered in NFC form found all targets in active files and deleted files and all targets located in unallocated space if encoded in UTF-8, but sometimes targets encoded in UTF-16 were missed. Search strings entered in NFD form found all targets in active files and deleted files and no targets located in unallocated space. Search results were the same if the combining characters (or ligature) are replaced with a regular expression of mathc any character.
FT-SS-07-RTL	Search target strings located in deleted files are reported twice, once from the deleted file and again as from unallocated storage.
FT-SS-08-Email	Search target strings located in deleted files are reported twice, once from the deleted file and again as from unallocated storage.
FT-SS-08-Phone	Search target strings located in deleted files are reported twice, once from the deleted file and again as from unallocated storage.
FT-SS-09-MFT	All the strings are listed as being in the $MFT, except for string ID 7011. However, the string contains the fix-up-byte and is skipped in the "indexed text" window. The string ID for string 7010 contains a fix-up-byte and appears corrupted in the "indexed text" window.
FT-SS-09-Meta	Hits on the string "thunderbird" are reported in the files $MFT and $LogFile.
FT-SS-10-Regex	Search target strings located in deleted files are reported twice, once from the deleted file and again as from unallocated storage.

Results for Data Set: UNIX

This section provides results for the UNIX data set.

Results for Indexed Search of UNIX Data Set

The table columns contain the following information:

Case The test case identifier.
Expected String The expected strings that should be reported by the search.
Active Files A group of three columns (Expected, Hits and Misses) giving the number of hits and misses when searching for the expected string in an active file.
Deleted Files A group of three columns (Expected, Hits and Misses) giving the number of hits and misses when searching for the expected string in a deleted file.
Unallocated Space A group of three columns (Expected, Hits and Misses) giving the number of hits and misses when searching for the expected string in unallocated space.
Expected The number of instances of the expected string found in the group (i.e., Active files, Deleted files or Unallocated space).
Hits The number of times the expected string was found in the group.
Misses The number of times the expected string was missed (not found) in the group.

Notes: If the row identifies a test case, then the results are a summary for all the strings that should be found.

In the Expected String column for test case FT-SS-09-DOC each string is labeled to indicate features of the expected string. The labels include the file type (.doc, .docx or .html), the encoding of the string in the .doc file and if the string has embedded formatting, labeled as Formatted, e.g., the string crossbow has the substring cross formatted as bold and underlined, i.e., crossbow.

Case Expected String Active Files Deleted Files Unalloc Space

Expected Hits Misses Expected Hits Misses Expected Hits Misses

FT-SS-01 4 4 0 4 4 0 0 0 0

DireWolf 4 4 0 4 4 0 0 0 0

FT-SS-02 20 20 0 20 20 0 0 0 0

WOLF 4 4 0 4 4 0 0 0 0

wolf 4 4 0 4 4 0 0 0 0

Wolf 4 4 0 4 4 0 0 0 0

DireWolf 4 4 0 4 4 0 0 0 0

WereWolf 4 4 0 4 4 0 0 0 0

FT-SS-03 12 12 0 12 12 0 0 0 0

WOLF 4 4 0 4 4 0 0 0 0

wolf 4 4 0 4 4 0 0 0 0

Wolf 4 4 0 4 4 0 0 0 0

FT-SS-07-CJK-char 24 20 4 24 4 20 0 0 0

中国 12 10 2 12 4 8 0 0 0

東京 12 10 2 12 0 12 0 0 0

FT-SS-07-CJK-hangul 12 10 2 12 4 8 0 0 0

서울 12 10 2 12 4 8 0 0 0

FT-SS-07-CJK-kana 24 22 2 24 16 8 0 0 0

スバル 12 10 2 12 4 8 0 0 0

みつびし 12 12 0 12 12 0 0 0 0

FT-SS-07-Cyrillic 12 12 0 12 12 0 0 0 0

Сибирь 12 12 0 12 12 0 0 0 0

FT-SS-07-Latin 24 24 0 24 8 16 0 0 0

garçon 12 12 0 12 4 8 0 0 0

Schönheit 12 12 0 12 4 8 0 0 0

FT-SS-07-NoBOM 52 52 0 52 52 0 0 0 0

Россия 12 12 0 12 12 0 0 0 0

فلافل 12 12 0 12 12 0 0 0 0

中國 12 12 0 12 12 0 0 0 0

QuarterHorse 16 16 0 16 16 0 0 0 0

FT-SS-07-Norm 100 84 16 100 36 64 0 0 0

mañana (NFD) 12 9 3 12 0 12 0 0 0

infinity (No Ligature) 16 16 0 16 16 0 0 0 0

Mäuse (NFD) 12 9 3 12 0 12 0 0 0

inﬁnity (Ligature) 12 9 3 12 0 12 0 0 0

Mäuse (NFC) 12 10 2 12 4 8 0 0 0

libertà (NFC) 12 12 0 12 12 0 0 0 0

libertà (NFD) 12 9 3 12 0 12 0 0 0

mañana (NFC) 12 10 2 12 4 8 0 0 0

FT-SS-07-RTL 12 12 0 12 12 0 0 0 0

الكسكس 12 12 0 12 12 0 0 0 0

FT-SS-08-Email 28 28 0 28 28 0 0 0 0

iron.man@marvel.com 16 16 0 16 16 0 0 0 0

potus@capitol.gov 4 4 0 4 4 0 0 0 0

berlin@deutchland.net 4 4 0 4 4 0 0 0 0

kgb@moscow.red.square.ru 4 4 0 4 4 0 0 0 0

FT-SS-08-Phone 28 24 4 28 24 4 0 0 0

(901)555-1111 4 0 4 4 0 4 0 0 0

301.555-9009 16 16 0 16 16 0 0 0 0

800-555-1122 4 4 0 4 4 0 0 0 0

202.555.3270 4 4 0 4 4 0 0 0 0

FT-SS-09-Doc 16 16 0 0 0 0 0 0 0

longbow
.html 2 2 0 0 0 0 0 0 0

shotgun
Formatted .doc UTF-16 2 2 0 0 0 0 0 0 0

revolver
.doc UTF-16 2 2 0 0 0 0 0 0 0

peroxide
.docx 2 2 0 0 0 0 0 0 0

nitroglycerin
Formatted .docx 2 2 0 0 0 0 0 0 0

rifle
.doc UTF-8 2 2 0 0 0 0 0 0 0

crossbow
Formatted .html 2 2 0 0 0 0 0 0 0

flintlock
Formatted .doc UTF-8 2 2 0 0 0 0 0 0 0

FT-SS-09-Meta 8 8 0 8 8 0 0 0 0

cañón 4 4 0 4 4 0 0 0 0

thunderbird 4 4 0 4 4 0 0 0 0

FT-SS-10-Regex 8 8 0 8 8 0 0 0 0

DireWolf 4 4 0 4 4 0 0 0 0

WereWolf 4 4 0 4 4 0 0 0 0

Case	Expected String	Active Files	Deleted Files	Unalloc Space
Expected	Hits	Misses	Expected	Hits	Misses	Expected	Hits	Misses
FT-SS-01		4	4	0	4	4	0	0	0	0
	DireWolf	4	4	0	4	4	0	0	0	0
FT-SS-02		20	20	0	20	20	0	0	0	0
	WOLF	4	4	0	4	4	0	0	0	0
	wolf	4	4	0	4	4	0	0	0	0
	Wolf	4	4	0	4	4	0	0	0	0
	DireWolf	4	4	0	4	4	0	0	0	0
	WereWolf	4	4	0	4	4	0	0	0	0
FT-SS-03		12	12	0	12	12	0	0	0	0
	WOLF	4	4	0	4	4	0	0	0	0
	wolf	4	4	0	4	4	0	0	0	0
	Wolf	4	4	0	4	4	0	0	0	0
FT-SS-07-CJK-char		24	20	4	24	4	20	0	0	0
	中国	12	10	2	12	4	8	0	0	0
	東京	12	10	2	12	0	12	0	0	0
FT-SS-07-CJK-hangul		12	10	2	12	4	8	0	0	0
	서울	12	10	2	12	4	8	0	0	0
FT-SS-07-CJK-kana		24	22	2	24	16	8	0	0	0
	スバル	12	10	2	12	4	8	0	0	0
	みつびし	12	12	0	12	12	0	0	0	0
FT-SS-07-Cyrillic		12	12	0	12	12	0	0	0	0
	Сибирь	12	12	0	12	12	0	0	0	0
FT-SS-07-Latin		24	24	0	24	8	16	0	0	0
	garçon	12	12	0	12	4	8	0	0	0
	Schönheit	12	12	0	12	4	8	0	0	0
FT-SS-07-NoBOM		52	52	0	52	52	0	0	0	0
	Россия	12	12	0	12	12	0	0	0	0
	فلافل	12	12	0	12	12	0	0	0	0
	中國	12	12	0	12	12	0	0	0	0
	QuarterHorse	16	16	0	16	16	0	0	0	0
FT-SS-07-Norm		100	84	16	100	36	64	0	0	0
	mañana (NFD)	12	9	3	12	0	12	0	0	0
	infinity (No Ligature)	16	16	0	16	16	0	0	0	0
	Mäuse (NFD)	12	9	3	12	0	12	0	0	0
	inﬁnity (Ligature)	12	9	3	12	0	12	0	0	0
	Mäuse (NFC)	12	10	2	12	4	8	0	0	0
	libertà (NFC)	12	12	0	12	12	0	0	0	0
	libertà (NFD)	12	9	3	12	0	12	0	0	0
	mañana (NFC)	12	10	2	12	4	8	0	0	0
FT-SS-07-RTL		12	12	0	12	12	0	0	0	0
	الكسكس	12	12	0	12	12	0	0	0	0
FT-SS-08-Email		28	28	0	28	28	0	0	0	0
	iron.man@marvel.com	16	16	0	16	16	0	0	0	0
	potus@capitol.gov	4	4	0	4	4	0	0	0	0
	berlin@deutchland.net	4	4	0	4	4	0	0	0	0
	kgb@moscow.red.square.ru	4	4	0	4	4	0	0	0	0
FT-SS-08-Phone		28	24	4	28	24	4	0	0	0
	(901)555-1111	4	0	4	4	0	4	0	0	0
	301.555-9009	16	16	0	16	16	0	0	0	0
	800-555-1122	4	4	0	4	4	0	0	0	0
	202.555.3270	4	4	0	4	4	0	0	0	0
FT-SS-09-Doc		16	16	0	0	0	0	0	0	0
	longbow .html	2	2	0	0	0	0	0	0	0
	shotgun Formatted .doc UTF-16	2	2	0	0	0	0	0	0	0
	revolver .doc UTF-16	2	2	0	0	0	0	0	0	0
	peroxide .docx	2	2	0	0	0	0	0	0	0
	nitroglycerin Formatted .docx	2	2	0	0	0	0	0	0	0
	rifle .doc UTF-8	2	2	0	0	0	0	0	0	0
	crossbow Formatted .html	2	2	0	0	0	0	0	0	0
	flintlock Formatted .doc UTF-8	2	2	0	0	0	0	0	0	0
FT-SS-09-Meta		8	8	0	8	8	0	0	0	0
	cañón	4	4	0	4	4	0	0	0	0
	thunderbird	4	4	0	4	4	0	0	0	0
FT-SS-10-Regex		8	8	0	8	8	0	0	0	0
	DireWolf	4	4	0	4	4	0	0	0	0
	WereWolf	4	4	0	4	4	0	0	0	0

Meta-Data results for Indexed Search of UNIX Data Set

Case String Partition Seen

FT-SS-07-CJK-char

中国 osxj No

中国 osxc No

中国 apfs No

東京 osxj No

東京 osxc No

東京 apfs No

FT-SS-07-Cyrillic

Сибирь osxj No

Сибирь osxc No

Сибирь apfs No

FT-SS-07-NoBOM

فلافل osxj No

فلافل osxc No

فلافل apfs No

Россия osxj No

Россия osxc No

Россия apfs No

中國 osxj No

中國 osxc No

中國 apfs No

FT-SS-07-RTL

الكسكس osxj No

الكسكس osxc No

الكسكس apfs No

FT-SS-09-Meta

thunderbird osxj Yes

thunderbird osxc Yes

thunderbird apfs Yes

thunderbird ext4 Yes

cañón ext4 Yes

Case	String	Partition	Seen
FT-SS-07-CJK-char
	中国	osxj	No
	中国	osxc	No
	中国	apfs	No
	東京	osxj	No
	東京	osxc	No
	東京	apfs	No
FT-SS-07-Cyrillic
	Сибирь	osxj	No
	Сибирь	osxc	No
	Сибирь	apfs	No
FT-SS-07-NoBOM
	فلافل	osxj	No
	فلافل	osxc	No
	فلافل	apfs	No
	Россия	osxj	No
	Россия	osxc	No
	Россия	apfs	No
	中國	osxj	No
	中國	osxc	No
	中國	apfs	No
FT-SS-07-RTL
	الكسكس	osxj	No
	الكسكس	osxc	No
	الكسكس	apfs	No
FT-SS-09-Meta
	thunderbird	osxj	Yes
	thunderbird	osxc	Yes
	thunderbird	apfs	Yes
	thunderbird	ext4	Yes
	cañón	ext4	Yes

Comments on Indexed Search of UNIX Data Set

The following table presents any comments recorded during testing for a test case.

Case Comments

FT-SS-07-CJK-char No UTF-16 search target string 中国 found in unallocated space or APFS.
No search target string 東京 found in unallocated space or APFS.

FT-SS-07-CJK-hangul No search target strings encoded UTF-16 in unallocated space or APFS were reported.

FT-SS-07-CJK-kana No search target strings of Katakana (スバル), encoded UTF-16 in unallocated space or APFS were reported.

FT-SS-07-Latin No search target strings encoded UTF-16 in unallocated space or APFS were reported.

FT-SS-07-Norm Tool did not normalize the search string.
Search strings entered in NFC form found all targets in active files and deleted files and all targets located in unallocated space if encoded in UTF-8, but sometimes targets encoded in UTF-16 were missed.
Search strings entered in NFD form found all targets in active files, no targets located in unallocated space were found.
Search results were the same if the combining characters (or ligature) are replaced with a regular expression of mathc any character.

FT-SS-09-Meta For the string "thunderbird" hits were reported in "0", ".journal", and "$catalog" files in the osxj and osxc (HFS+) file systems.

Case	Comments
FT-SS-07-CJK-char	No UTF-16 search target string 中国 found in unallocated space or APFS. No search target string 東京 found in unallocated space or APFS.
FT-SS-07-CJK-hangul	No search target strings encoded UTF-16 in unallocated space or APFS were reported.
FT-SS-07-CJK-kana	No search target strings of Katakana (スバル), encoded UTF-16 in unallocated space or APFS were reported.
FT-SS-07-Latin	No search target strings encoded UTF-16 in unallocated space or APFS were reported.
FT-SS-07-Norm	Tool did not normalize the search string. Search strings entered in NFC form found all targets in active files and deleted files and all targets located in unallocated space if encoded in UTF-8, but sometimes targets encoded in UTF-16 were missed. Search strings entered in NFD form found all targets in active files, no targets located in unallocated space were found. Search results were the same if the combining characters (or ligature) are replaced with a regular expression of mathc any character.
FT-SS-09-Meta	For the string "thunderbird" hits were reported in "0", ".journal", and "$catalog" files in the osxj and osxc (HFS+) file systems.

END of REPORT

Test Results for String Search Tool: Autopsy Version 4.6

How to Read This Report

Test Results for String Search Tool: Autopsy Version 4.6

Tested Tool Description

Testing Organization

Results Summary

Test Environment & Selected Cases

Test Hardware and Software

Hardware

Software

Test Data Sets

Test Case Descriptions

Test Result Details by Case (per Data Set)

Results for Data Set: Windows

Results for Indexed Search of Windows Data Set

Meta-Data results for Indexed Search of Windows Data Set

Comments on Indexed Search of Windows Data Set

Results for Data Set: UNIX

Results for Indexed Search of UNIX Data Set

Meta-Data results for Indexed Search of UNIX Data Set

Comments on Indexed Search of UNIX Data Set

Test Results for String Search Tool:
Autopsy Version 4.6

Test Results for String Search Tool:
Autopsy Version 4.6