Assignment 2


CET4861

Advanced Digital Forensics
Assignment 2 - NTFS File System

 

For your second assignment, you will be analyzing a disk image containing an NTFS file system and answering questions about its content. You are only to use Sleuth Kit command line utilities (e.g., fls, icat, fsstat, etc.) to analyze the image. Make sure to read that again. If tools outside of this are used, you will not receive credit for those portions.

 

In Linux Mint, Sleuth Kit is super easy to install with the Aptitude package manager:     sudo aptitude install sleuthkit

 

Download the Assignment Image Here


Deliverables

Your answers written either in a .doc or .pdf (preferred) format

 

For each question you are to:


Assignment Questions

 

Note: The term "image" is used often in these questions. This has sometimes led to confusion because you will encounter picture files during this analysis. In the context of digital forensics and these assignments, "image" means "forensic image". This is the .dd file you were provided, which is a forensic copy (forensic image) of a partition.

 

For questions that ask how many there are of something (question 7, for example), do not just provide a screenshot with no context. With only a screenshot, there is no indication to me, the person grading, which files you are stating to be the files in question. The safest option is to provide a list of names with your screenshot.

 

1. What is the SHA1 hash of the image (you can use sha1sum to answer)?

 

2. What is the image's file system?

 

3. What is the volume name of the image?

 

4. What OS created the file system?  

 

5. What is the cluster size for the file system? 

 

6. What is a cluster and how does it differ from a sector?

 

7. How many non-system files exist on the file system, not counting those with an ADS?

Provide a number as part of the answer and for best results, I suggest specifically naming the files even if you provide a screenshot.

 

8. List the system files that have ADS streams. 

Provide a number as part of the answer and for best results, I suggest specifically naming the files even if you provide a screenshot.

 

9. Describe what an ADS named ‘Zone.Identifier’ is and how the information contained within Zone.Identifier can be useful during a forensic analysis.

 

10. How many files have an ADS named ‘Zone.Identifier’?

Provide a number as part of the answer and for best results, I suggest specifically naming the files even if you provide a screenshot.

 

11. Recover the ‘Zone.Identifier’ ADS for each file and list the contents here (if they are the same, do it only once).

 

12. In terms of the unnamed data stream $DATA, what is the difference between resident and non-resident data?

 

13. Which non-system file(s) have $DATA streams that are resident and what are the contents of those files?

 

14. What is the run list (cluster list) for the photo of the SCUBA diver and the U.S. flag?

 

15. How many sectors does kajan.jpg occupy?

 

16. What is the file size for really.txt in bytes?

 

17. How large could james.jpg be before it would have to have an additional cluster allocated to it?

 

18. When was Spiegel-2556-S.jpg last accessed?

 

19. What is a $LOGFILE and what kind of information can you find there?

 

20. What information is visible in this image's $LogFile?

 

Hint: Use icat to recover the journal and pipe it to strings; there should be a few lines of human-readable text. Not words, but groupings of recognizable letters. You’ll need to do a little bit of research on the NTFS $LogFile and those characters, then give me your opinion on what type of transaction was being written. Note that I am not looking for an in-depth analysis. This file was not meant to be interpreted by humans, so you are not going to be able to determine exactly what was happening during these transactions. Instead, what I'm asking from you is to research and identify the types of transactions and what those transactions are/do in general.

 

21. A few non-system files have alternate data streams. Recover those alternate data streams (ignoring the ADS labeled ‘Zone.Identifier’). Briefly read through the recovered streams.

 

What were the topics being discussed and who was the author?

Why were the topics of the files+ADS ironic? This is meant to be a fun opinion question so . . . have fun with it!

If I wanted a copy of the files in the ADS, where could I find them? Note that I do not mean within this image. To be clear, there are no instances of these files hiding elsewhere in the image. Use your Google-Fu and just provide a link to where you find each file from somewhere else.
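The stream hunting behind questions 8, 10, 11 and 21, as an added shell example that is not part of the assignment: it parses `fls -r -p` output, picks out the alternate data streams, counts the Zone.Identifier ones, prints the icat commands that would recover each stream, and decodes a ZoneId value. The assignment image is not on this page, so the fls listing, meta addresses, file names and the Zone.Identifier content are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the assignment's own material. Sleuth Kit is not needed to run it:
# the fls output and the Zone.Identifier content below are constructed, not from the image.

# Constructed stand-in for `fls -r -p image.dd`. Each line is:
#   type [*] inode-attrtype-attrid:<TAB>path[:stream]
# attrtype 128 is $DATA; a trailing ":name" marks a named (alternate) data stream;
# "*" marks a deleted entry. The names and addresses are placeholders.
sample_fls() {
    printf 'r/r 64-128-2:\tkajan.jpg\n'
    printf 'r/r 64-128-3:\tkajan.jpg:Zone.Identifier\n'
    printf 'r/r 65-128-1:\treally.txt\n'
    printf 'r/r 66-128-2:\tnotes.txt\n'
    printf 'r/r 66-128-3:\tnotes.txt:hidden.doc\n'
    printf 'r/r * 67-128-1:\tdeleted.jpg\n'
    printf 'd/d 5-144-1:\t$Extend\n'
}

# Constructed Zone.Identifier content, shaped like what `icat image.dd 64-128-3` returns.
sample_zone() {
    printf '[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.invalid/kajan.jpg\r\n'
}

# stdin: fls output. stdout: "<meta-address><TAB><path>:<stream>" for each ADS.
list_ads() {
    awk -F'\t' '$1 ~ /^r\/r/ && $2 ~ /:/ {
        sub(/:$/, "", $1); n = split($1, f, " "); print f[n] "\t" $2 }'
}

# stdin: fls output. stdout: only the Zone.Identifier streams, and their count.
list_zone_identifier() { list_ads | grep ':Zone\.Identifier$'; }
count_zone_identifier() { list_zone_identifier | wc -l | tr -d ' '; }

# stdin: fls output. stdout: one icat command per ADS that writes the stream into OUTDIR,
# ready to review or hash. Args: image path, output directory.
recover_ads_commands() {
    list_ads | while IFS="$(printf '\t')" read -r addr name; do
        printf 'icat %s %s > %s/%s\n' "$1" "$addr" "$2" "$(printf '%s' "$name" | tr '/:' '__')"
    done
}

# stdin: Zone.Identifier content. stdout: the URL security zone its ZoneId value denotes.
zone_meaning() {
    tr -d '\r' | awk -F= '$1 == "ZoneId" {
        z["0"] = "Local machine"; z["1"] = "Local intranet"; z["2"] = "Trusted sites"
        z["3"] = "Internet"; z["4"] = "Restricted sites"
        if ($2 in z) print $2 " = " z[$2]; else print $2 " = unknown zone"
        exit }'
}
```

Against the real image, replace `sample_fls` with `fls -r -p image.dd` and pipe the recovered stream into `zone_meaning`; a ZoneId of 3 is the mark a browser leaves on a file downloaded from the Internet.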

 

22. How many deleted files, if any, exist on the image?  

 

If any were deleted, what were their names? If there are no deleted files, you can state that as your answer.

 

If any were deleted, recover them if possible and provide a brief description of their content including their file name, file size, and MD5 hash. If there are no deleted files, you can state that as your answer.
