Govdocs1

Govdocs1 — (nearly) 1 million freely-redistributable files

In recent years a significant amount of forensic research has involved the analysis of files or file fragments. In the absence of such corpora, researchers and students who wish to work with files first need to collect files—a surprisingly difficult task if one wishes a large number of files of many types from a variety of sources. Although many files can be freely downloaded from the web, building and running a high-performance document discovery and downloading tool is not a trivial task. Once files are downloaded they need to be analyzed, characterized and curated. Finally, many corpora that might be assembled cannot be easily redistributed due to privacy or copyright concerns.

For these reasons, we have created and released a corpus of 1 million documents that are freely available for research and may be (to the best of our knowledge) freely redistributed. These documents were obtained by performing searches for words randomly chosen from the Unix dictionary, numbers randomly chosen between 1 and 1 million, and randomized combinations of the two, for documents of specified file types that resided on web servers in the .gov domain using the Yahoo an Google search engines.

Each file in the corpus is presented as a numbered file with a file extension (e.g. 0000001.jpg). The file extension is typically the file extension that was provided to us when the file was downloaded. The file extension is a suggestion—it is not part of the corpus.

We are making the corpus available in several ways:

Other metadata:

Note: Due to accidental over-collection involving files from the State of California, approximately 13,722 files have been removed from the original corpus of 1 million files.

Metadata

The following metadata is provided for each of the files:

  • The URL from which the file was downloaded.
  • The date and time of the download.
  • The search term that was used.
  • The search engine that provided the document.
  • The length and SHA1 of the file.
  • A Simple Dublin Core for the file.

Unfortunately, the metadata server is currently down.

Malware

Please note that the files in this corpus are verbatim copies of files downloaded from USG webservers. We are aware that some of these files contain malware in the form of JavaScript exploits and Windows malware that was sent to mailing lists (that are now present in the mailing list archives). Although this may trigger some anti-virus programs, the malware will not be removed from the files because it is legitimately part of the corpus.

A malware scan of the govdocs1 directory is now available from http://downloads.digitalcorpora.org/corpora/files/govdocs1/MetascanClientLog_201306281214.txt .

Analysis

Forensic Innovations, Inc., has kindly made available the following analysis of the corpus using its FITools product:

Citation

Please feel free to let us know if you find this corpus  is useful by leaving a comment below. If you decide to use this corpus in published research, the appropriate citation is: Garfinkel, Farrell, Roussev and Dinolt, Bringing Science to Digital Forensics with Standardized Forensic Corpora, DFRWS 2009, Montreal, Canada

11 Comments

  1. As a software vendor, I think this resource is extremely valuable. It has given us the opportunity to test our tools against a wide range of files collected from the wild. This is much more useful that test data that we have created ourselves. Many software applications create documents with variations, in their file structures, that can cause major problems when identifying and processing files. Another benefit is the opportunity for multiple software vendors to test their tools against a public collection and provide comparable product comparisons.

    Thank you for this valuable resource!

    Rob Zirnstein
    Forensic Innovations

Leave a Reply to Umit K. Cancel reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

This site uses Akismet to reduce spam. Learn how your comment data is processed.