Objectives
- Analyze a hard drive
- Examine file system information
- Collect disk information
OTHER
Procedure
PART A
- Acquire an image using FTK
  - This can be RAM, a physical drive, or a USB drive
  - Save the image as ians_image
  - Screenshot it
- Acquire an image with ProDiscover
  - Do the same thing as you did in part 1
  - Make sure you get an image of a hard drive or USB drive
  - Hint: you can always add an additional virtual drive that is smaller
  - Screenshot
  - Don't use capture RAM for ProDiscover
- Acquire an image of your Kali hard drive
  - Copy any partition to an image
  - Use dd
  - Example: dd if=/dev/sdb1 of=/mydisk/ians_other_image
  - Call the image ians_other_image
  - Screenshot
- Download a new image (jpg) to a new folder on Kali and get info on it
  - Show inode info with ls -l and stat (sc)
  - Use blkcat to show what is in one of the direct blocks
    - Ex: blkcat -h /dev/sdb1 25100 or blkcat /dev/sdb1 25100
  - Also use icat on the inode to show the file (sc)
    - Ex: icat /dev/sdb1 12
  - Now delete the file and try to recover with both blkcat AND
  - Try it with foremost (sc)
    - Ex: foremost -t jpeg -i /dev/sda1
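The blkcat/icat steps above walk the same on-disk chain by hand: superblock, group descriptor, inode table, inode, direct block pointers, then the single-indirect block. The following is an added example, not part of the lab, that reimplements those lookups over a constructed 64 KiB ext2-style image (only the superblock, group descriptor and inode fields the code reads are filled in; it is not a real dump and inode 12, the block numbers and the file contents are made up).

```python
import struct

def fs_params(img):
    """Parse the ext2 superblock at byte 1024: (block size, inodes per group, inode size, GDT offset)."""
    sb = img[1024:2048]
    if struct.unpack_from("<H", sb, 56)[0] != 0xEF53:          # s_magic
        raise ValueError("not an ext2 superblock")
    first_data, log_bs = struct.unpack_from("<II", sb, 20)      # s_first_data_block, s_log_block_size
    per_group, = struct.unpack_from("<I", sb, 40)               # s_inodes_per_group
    isize, = struct.unpack_from("<H", sb, 88)                   # s_inode_size
    return 1024 << log_bs, per_group, isize, (first_data + 1) * (1024 << log_bs)

def read_block(img, blk, bs):
    return img[blk * bs:(blk + 1) * bs]                         # blkcat equivalent: one raw block

def istat(img, ino):
    """Find inode `ino` through its group descriptor and inode table; return (i_size, i_block[0..14])."""
    bs, per_group, isize, gdt = fs_params(img)
    gd = gdt + 32 * ((ino - 1) // per_group)                    # 32-byte descriptor of this inode's group
    itable, = struct.unpack_from("<I", img, gd + 8)             # bg_inode_table
    off = itable * bs + ((ino - 1) % per_group) * isize
    size, = struct.unpack_from("<I", img, off + 4)              # i_size
    return size, list(struct.unpack_from("<15I", img, off + 40))  # 12 direct, single, double, triple

def icat(img, ino):
    """icat equivalent: 12 direct blocks, then the single-indirect block's pointers, cut to i_size.
    Double/triple indirect pointers and sparse files are not handled."""
    bs = fs_params(img)[0]
    size, ptrs = istat(img, ino)
    blocks = ptrs[:12]
    if ptrs[12]:                                                # indirect block = bs/4 u32 block numbers
        blocks += list(struct.unpack_from("<%dI" % (bs // 4), read_block(img, ptrs[12], bs)))
    return b"".join(read_block(img, b, bs) for b in blocks if b)[:size]

def build_image():
    """Constructed 64 KiB ext2-style image (not a real dump): inode 12 is a 13 317-byte file
    spanning direct blocks 20-31 plus indirect block 40, which points at data blocks 41 and 42."""
    img = bytearray(64 * 1024)
    struct.pack_into("<II", img, 1024 + 20, 1, 0)               # s_first_data_block=1, 1 KiB blocks
    struct.pack_into("<I", img, 1024 + 40, 16)                  # s_inodes_per_group
    struct.pack_into("<H", img, 1024 + 56, 0xEF53)              # s_magic
    struct.pack_into("<H", img, 1024 + 88, 128)                 # s_inode_size
    struct.pack_into("<I", img, 2 * 1024 + 8, 5)                # group 0: inode table starts at block 5
    content = bytes(range(256)) * 52 + b"tail!"                 # 13 full blocks + 5 bytes
    ino_off = 5 * 1024 + 11 * 128                               # inode 12 = index 11 of the table
    struct.pack_into("<HHI", img, ino_off, 0x81A4, 0, len(content))   # i_mode, i_uid, i_size
    struct.pack_into("<15I", img, ino_off + 40, *(list(range(20, 32)) + [40, 0, 0]))
    struct.pack_into("<2I", img, 40 * 1024, 41, 42)             # single-indirect block contents
    for i, blk in enumerate(list(range(20, 32)) + [41, 42]):
        img[blk * 1024:(blk + 1) * 1024] = content[i * 1024:(i + 1) * 1024].ljust(1024, b"\0")
    return bytes(img), content
```

Because ext2 leaves i_block intact when a file is unlinked, `istat`/`icat` on the deleted inode still recover it; ext3/ext4 zero those pointers, which is when a signature carver such as foremost becomes the fallback.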
What is an inode?
What is a direct block?
What is an indirect block?