If you are citizen of an European Union member nation, you may not use this service unless you are at least 16 years old.
Whenever you search in PBworks or on the Web, Dokkio Sidebar (from the makers of PBworks) will run the same search in your Drive, Dropbox, OneDrive, Gmail, Slack, and browsed web pages. Now you can find what you're looking for wherever it lives. Try Dokkio Sidebar for free.

Assignment 2

Page history last edited by Patrick 7 months, 2 weeks ago

CET4861

Advanced Digital Forensics
Assignment 2 - NTFS File System

For your second assignment, you will be analyzing a disk image containing an NTFS file system and answering questions about the content. You are only to use Sleuthkit command line utilities (e.g., fls, icat, fsstat, etc) to analyze the image. Make sure to read that again. If tools outside of this are used, you will not receive credit for those portions.

In Linux Mint, Sleuth Kit is super easy to install in Mint with the Aptitude package manager: sudo aptitude install sleuthkit

Download the Assignment Image Here

Deliverables

Your answers written either in a .doc or .pdf (preferred) format

For each question you are to:

Describe the procedures for addressing each question

Utility used, flags, etc.

Briefly explain what each tool does the first time it's mentioned
Show the command line you used,

Take a cropped screenshot if you prefer

The output of the command

Screenshot as well if going that route

Assignment Questions

1. What is the SHA1 hash of the image (you can use sha1sum to answer)?

2. What is the images file system?

3. What is the volume name of the image?

4. What OS created the file system?

5. What is the cluster size for the file system?

6. What is a cluster and how does it differ from a sector?

7. How many non-system files exist on the file system, not counting those with an ADS?

8. List the system files that have ADS streams.

9. Describe what an ADS named ‘Zone.Identifier, ‘ is and how it’s useful.

10. How many files have an ADS named ‘Zone Identifier?”

11. Recover the ‘Zone.Identfier.’ for each file and list the contents here (if they are the same, do it only once).

12. Which non-system file(s) have $DATA streams that are resident and what are the contents of those files?

13. What is the run list / cluster run for the photo of the SCUBA diver and the U.S. flag?

14. How many sectors does kajan.jpg occupy?

15. What is the file size for really.txt in bytes?

16. How large could james.jpg be before it would have to have an additional cluster allocated to it?

17. When was Spiegel-2556-S.jpg last accessed?

18. What is a $LOGFILE and what kind of information can you find there?

19. What information is visible in this images $LogFile?

Hint: Use icat to recover the journal and pipe to strings; there should be four or five lines of text. Use xxd piped to less on the image and search for that text. The important pieces are in unicode so you’ll need to research give me your opinion on what type of transaction was being written.

20. A few non-system files had alternate data streams; recover those alternate data streams ignoring those the ADS labeled ‘Zone.Identifier'. Briefly read through the recovered ADS'.

What were the topics being discussed and who was the author?

Why were the topics of the files+ADS ironic?

If I wanted a PDF of the files in the ADS, where could I find them?

21. In terms of the unnamed data stream $DATA, what is the difference between resident and non-resident data?

22. How many deleted files, if any, exist on the image?

If any were deleted, what were their names?

If any were deleted, recover them if possible and provide a brief description of their content including their file name, file size, and MD5 hash.