RSS

NETS1032 Digital Forensics

25 Mar
NETS1032 Digital Forensics
 

Lab 3

 

 

 

 

Objectives

 

  • Analyze a hard drive
  • Examine file system information
  • Collect disk information

 

OTHER

 

 

 

Procedure

 

 

PART A

           

  1. Acquire an image
    1. Using FTK acquire an image
    2. This can be ram or a physical drive or usb
    3. Save the image as ians_image
    4. Screenshot it

 

  1. Acquire an image with ProDisocver
    1. Do the same thing as you did in part 1
    2. Make sure you get an image of a hard drive or usb
    3. Hint: you can always add an additional virtual drive that is smaller
    4. Screenshot
    5. S don’t use capture ram for prodicsover

 

  1. Acquire an image of your kali hard drive
    1. Copy any partition to an image
    2. Use dd
    3. Example: dd if=/dev/sdb1 of=/mydisk/ians_other_image
    4. Call the image ians_other_image
    5. Screenshot

 

  1. Download a new image (jpg) to a new folder on Kali and get info on it
    1. Show inode info with ls –l and stat (sc)
    2. Use blkcat to show what is in one of the direct blocks
    3. Ex: Blkcat –h /dev/sdb1 25100 or blkcat /dev/sdb1 25100
    4. Also use icat on the inode to show the file (sc)
    5. Ex: icat /dev/sdb1 12
    6. Now delete the file and try to recover with both blkcat AND
    7. Try it with foremost (sc)
    8. Ex: foremost -t jpeg -i /dev/sda1

 

 

 

What is an inode?

 

What is a direct block?

 

What is an indirect block?

 

 

 

 

 

 
Leave a comment

Posted by on March 25, 2017 in academic writing, Academic Writing

 

Tags:

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: