HFS+ and EXT3 File System Analysis
Assignment 3
Overview:
Analyze two images with different types of file systems, and answer the following questions. The objectives of the exercise are to assist you in familiarizing yourself with the HFS+ and EXT3 file systems and allow you to practice more with Sleuthkit. Unzip the compressed images under the VM in which Sleuthkit is installed; the images are approximately 10MB each unzipped.
Deliverable:
Your answers, written in either .doc or .pdf (preferred) format.
As with the previous assignment, for each question you are to:
- Describe the procedure for addressing the question:
  - the utility used, its flags, etc.
  - a brief explanation of what each tool does the first time it is mentioned
- Show the command line you used (a cropped screenshot is acceptable)
- Show the output of the command (a cropped screenshot is acceptable)
Provide answers to the questions below for each image. When a question asks for an explanation, give a detailed explanation rather than a single sentence. Show your work: I want to see the commands you ran and their output. It does not have to be the entire result of a command, but include a few lines for context, or provide cropped screen captures of the results. If you go the screen-capture route, place each capture next to its answer, not in an appendix at the end of the document.
You are to use Sleuthkit to answer these questions.
Image-1:
1. What is the SHA-1 hash of the image?
2. What type of file system is on the image?
3. What is the block size?
a. How many blocks are required to store a file that is 9999 bytes?
4. What is an inode (explain)? How is an inode similar to, and how is it different from, the way files are represented in NTFS (explain)?
a. How many inodes are located on the image?
b. How many free inodes are available?
5. What is a superblock (explain)?
a. How many superblocks are located on the image?
6. How many non-deleted directories are located on the image?
7. How many non-deleted files are located on the image?
a. List their names, file type, file size, and SHA1 hash.
8. How many deleted files are located on the image according to Sleuthkit?
a. Try to recover the deleted file using Sleuthkit (icat). What happened?
b. Hint: The deleted file had the word 'delete' in it. Look at the man page for the 'blkls' command, which extracts the unallocated blocks from the image (note that this is not file carving; it simply writes out the blocks no file currently owns). Use it along with two other Linux commands to find the contents of the file (further hint: run 'blkls', extract all human-readable strings from its output, then search that for the keyword).
9. What is a group descriptor (explain)? How many are located on the image? How many blocks are in each group?
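The numbers fsstat reports for questions 3, 4, 5 and 9 all come from the ext2/ext3 primary superblock, which sits at byte 1024 of the volume. The following is an added example (not part of the assignment, and not Sleuth Kit code): it parses the superblock fields the questions ask about from a constructed superblock, computes the block size, the number of block groups and which groups carry a superblock copy, and shows the whole-block rounding behind question 3a. The sample superblock values (a 10 MiB volume with 1 KiB blocks) are made up for the demonstration; the field offsets follow the ext2/ext3 on-disk layout.

```python
"""Parse an ext2/ext3 superblock and derive the numbers fsstat reports.

Added example for the assignment, not Sleuth Kit code. The superblock bytes
are constructed below with struct.pack; on a real image read 1024 bytes from
offset 1024 of the volume instead (e.g. with dd or Python's file I/O).
"""
import struct

SB_OFFSET = 1024                   # superblock starts 1024 bytes into the volume
EXT_MAGIC = 0xEF53                 # s_magic, little-endian
RO_COMPAT_SPARSE_SUPER = 0x0001    # backups only in groups 0, 1 and powers of 3, 5, 7


def parse_superblock(sb: bytes) -> dict:
    """Return the superblock fields relevant to the assignment questions."""
    if len(sb) < 1024:
        raise ValueError("superblock must be at least 1024 bytes")
    # 0x00..0x1B: seven consecutive u32 fields
    (inodes_count, blocks_count, _reserved_blocks, free_blocks, free_inodes,
     first_data_block, log_block_size) = struct.unpack_from("<7I", sb, 0x00)
    # 0x20..0x2B: blocks, fragments and inodes per group
    blocks_per_group, _frags_per_group, inodes_per_group = struct.unpack_from("<3I", sb, 0x20)
    # 0x34 s_mnt_count (u16), 0x36 s_max_mnt_count (s16), 0x38 s_magic (u16)
    mnt_count, _max_mnt_count, magic = struct.unpack_from("<HhH", sb, 0x34)
    if magic != EXT_MAGIC:
        raise ValueError(f"bad magic 0x{magic:04x}: not an ext2/3/4 superblock")
    (ro_compat,) = struct.unpack_from("<I", sb, 0x64)
    volume_name = sb[0x78:0x88].split(b"\0", 1)[0].decode("latin-1")
    block_size = 1024 << log_block_size
    # Groups cover blocks first_data_block .. blocks_count-1; the last group may be partial.
    group_count = -(-(blocks_count - first_data_block) // blocks_per_group)
    return {
        "block_size": block_size,
        "inodes_count": inodes_count,
        "free_inodes": free_inodes,
        "blocks_count": blocks_count,
        "free_blocks": free_blocks,
        "blocks_per_group": blocks_per_group,
        "inodes_per_group": inodes_per_group,
        "group_count": group_count,
        "mount_count": mnt_count,
        "sparse_super": bool(ro_compat & RO_COMPAT_SPARSE_SUPER),
        "volume_name": volume_name,
    }


def superblock_copies(group_count: int, sparse_super: bool) -> list:
    """Block groups holding a superblock (group 0 holds the primary, the rest are backups)."""
    if not sparse_super:
        return list(range(group_count))
    groups = {0, 1}
    for base in (3, 5, 7):
        power = base
        while power < group_count:
            groups.add(power)
            power *= base
    return sorted(g for g in groups if g < group_count)


def blocks_for_file(size_bytes: int, block_size: int) -> int:
    """Whole data blocks needed for a file; ext does not pack file tails."""
    return -(-size_bytes // block_size)


def build_sample_superblock() -> bytes:
    """Constructed superblock: 10 MiB volume, 1 KiB blocks, sparse_super on, mounted 3 times."""
    sb = bytearray(1024)
    struct.pack_into("<7I", sb, 0x00, 2560, 10240, 512, 9000, 2540, 1, 0)
    struct.pack_into("<3I", sb, 0x20, 8192, 8192, 1280)
    struct.pack_into("<HhH", sb, 0x34, 3, -1, EXT_MAGIC)
    struct.pack_into("<I", sb, 0x64, RO_COMPAT_SPARSE_SUPER)
    sb[0x78:0x7E] = b"image1"
    return bytes(sb)


if __name__ == "__main__":
    info = parse_superblock(build_sample_superblock())
    for key, value in info.items():
        print(f"{key:>18}: {value}")
    copies = superblock_copies(info["group_count"], info["sparse_super"])
    print(f"superblock copies in groups: {copies} ({len(copies)} total)")
    print(f"blocks for a 9999-byte file: {blocks_for_file(9999, info['block_size'])}")
```

Compare the fields above with the "General", "Block Group" and "Content" sections of `fsstat` output: a superblock copy exists only in the groups `superblock_copies` lists, which is why the count in question 5a depends on whether `sparse_super` is set and how many groups the volume has.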
Image-2:
1. What is the SHA-1 hash of the image?
2. What type of file system is on the image?
3. What is the volume name? What is a volume identifier (explain)? What is the volume identifier of the image?
4. How many times has the volume been mounted? What does it mean to 'mount' a file system?
5. How many files are on the image?
6. How many folders are on the image?
7. What is the block size?
8. When was the image created?
9. How many deleted files are on the image? How many deleted folders, if any? This is tricky, because if you run 'fls -d ...', it will return nothing. Run 'fls' both with and without the '-d'.
10. Using Sleuthkit, recover the deleted file whose extension is '.txt' and calculate the SHA-1 hash of the recovered file.
11. List the contents of the file from step 10 above here:
12. Based on your review of the image using Sleuthkit (fls), how is the way the Mac handles deleting a file similar to the way Windows handles it?
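For questions 3 through 8 on Image-2, fsstat reads the HFS+ volume header, which sits at byte 1024 of the volume with every field stored big-endian. The following is an added example (not part of the assignment, and not Sleuth Kit code): it parses a constructed volume header the way fsstat does, decodes the 1904-based timestamps, and builds the 64-bit volume identifier from the last two finderInfo words. The sample values (a 10 MiB volume with 4 KiB blocks created on 2013-01-01) are made up for the demonstration; the offsets and field meanings follow Apple Technical Note TN1150. The volume name is deliberately not read here, because it does not live in the header at all: it is the name of the root folder (CNID 2) in the catalog file. The writeCount field is included on the assumption that it is what fsstat labels as the mount count; confirm that against the fsstat output before relying on it in your answer.

```python
"""Parse the HFS+ volume header fields that fsstat reports.

Added example for the assignment, not Sleuth Kit code. The header bytes are
constructed below; on a real image read 512 bytes from offset 1024 instead.
"""
import struct
from datetime import datetime, timedelta

VH_OFFSET = 1024
HFSPLUS_SIG = 0x482B               # 'H+'
HFSX_SIG = 0x4858                  # 'HX', the case-sensitive variant
MAC_EPOCH = datetime(1904, 1, 1)   # HFS+ timestamps count seconds from here


def mac_time(ts: int) -> str:
    """Convert a 32-bit HFS+ timestamp (seconds since 1904-01-01) to ISO 8601 text.

    TN1150 stores createDate in the local time of the machine that formatted the
    volume, while the other dates are GMT. The arithmetic is identical, so the
    result is returned without a zone and the caller applies the interpretation.
    """
    return (MAC_EPOCH + timedelta(seconds=ts)).isoformat()


def parse_volume_header(vh: bytes) -> dict:
    """Return the volume header fields relevant to the assignment questions."""
    if len(vh) < 512:
        raise ValueError("volume header must be 512 bytes")
    signature, version = struct.unpack_from(">HH", vh, 0x00)
    if signature not in (HFSPLUS_SIG, HFSX_SIG):
        raise ValueError(f"bad signature 0x{signature:04x}: not an HFS+/HFSX header")
    # 0x10..0x33: nine consecutive u32 fields
    (create_date, modify_date, backup_date, checked_date, file_count, folder_count,
     block_size, total_blocks, free_blocks) = struct.unpack_from(">9I", vh, 0x10)
    (write_count,) = struct.unpack_from(">I", vh, 0x44)
    # finderInfo[8] occupies 0x50..0x6F; words 6 and 7 hold the 64-bit volume identifier
    finder_info = struct.unpack_from(">8I", vh, 0x50)
    volume_id = f"{finder_info[6]:08x}{finder_info[7]:08x}"
    return {
        "signature": "HFS+" if signature == HFSPLUS_SIG else "HFSX",
        "version": version,
        "create_date": mac_time(create_date),      # local time per TN1150
        "modify_date": mac_time(modify_date),      # GMT
        "backup_date": mac_time(backup_date) if backup_date else None,
        "checked_date": mac_time(checked_date),    # GMT
        "file_count": file_count,                  # files on the volume
        "folder_count": folder_count,              # folders, excluding the root folder
        "block_size": block_size,                  # allocation block size in bytes
        "total_blocks": total_blocks,
        "free_blocks": free_blocks,
        "write_count": write_count,                # assumed to be fsstat's mount count
        "volume_id": volume_id,
    }


def build_sample_volume_header() -> bytes:
    """Constructed header: 10 MiB volume, 4 KiB blocks, 5 files, 2 folders, created 2013-01-01."""
    vh = bytearray(512)
    struct.pack_into(">HH", vh, 0x00, HFSPLUS_SIG, 4)
    create = 3439843200   # 2013-01-01T00:00:00 expressed as seconds since 1904-01-01
    struct.pack_into(">9I", vh, 0x10, create, create + 86400, 0, create, 5, 2, 4096, 2560, 2000)
    struct.pack_into(">I", vh, 0x44, 7)
    struct.pack_into(">8I", vh, 0x50, 0, 0, 0, 0, 0, 0, 0x12345678, 0x9ABCDEF0)
    return bytes(vh)


if __name__ == "__main__":
    for key, value in parse_volume_header(build_sample_volume_header()).items():
        print(f"{key:>13}: {value}")
```

Two points matter when you compare this with `fsstat` on the real image: the folder count excludes the root folder, so add one if a question means "every folder including /", and the creation date is local time, so it will not shift when you change the time zone the way the modify and check dates do.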