NETS1032 Digital Forensics

25 Mar

Lab 3







  • Analyze a hard drive
  • Examine file system information
  • Collect disk information











  1. Acquire an image
    1. Using FTK, acquire an image
    2. This can be RAM, a physical drive, or a USB drive
    3. Save the image as ians_image
    4. Screenshot it


  2. Acquire an image with ProDiscover
    1. Do the same thing as you did in part 1
    2. Make sure you get an image of a hard drive or USB
    3. Hint: you can always add an additional virtual drive that is smaller
    4. Screenshot
    5. Don’t use capture RAM for ProDiscover


  3. Acquire an image of your Kali hard drive
    1. Copy any partition to an image
    2. Use dd
    3. Example: dd if=/dev/sdb1 of=/mydisk/ians_other_image
    4. Call the image ians_other_image
    5. Screenshot


  4. Download a new image (jpg) to a new folder on Kali and get info on it
    1. Show inode info with ls -l and stat (sc)
    2. Use blkcat to show what is in one of the direct blocks
    3. Ex: blkcat -h /dev/sdb1 25100 or blkcat /dev/sdb1 25100
    4. Also use icat on the inode to show the file (sc)
    5. Ex: icat /dev/sdb1 12
    6. Now delete the file and try to recover with both blkcat AND
    7. Try it with foremost (sc)
    8. Ex: foremost -t jpeg -i /dev/sda1
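
For the dd acquisition step above, an image is only useful as evidence if it can be shown to match the source. The following is an added example, not part of the original lab handout: it hashes the source, copies it with dd, hashes the image, and records the hash beside it. The helper names (sha256_of, acquire_and_verify, verify_image, demo) are hypothetical, and the demo uses a constructed scratch file in place of /dev/sdb1 so it runs without root.

```bash
# Added example: dd acquisition with hash verification (helper names are hypothetical).

# Print only the SHA-256 digest of a file or block device.
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# Copy SRC to DST with dd, hash both sides, and write DST.sha256 next to the image.
# Returns 0 only when the image digest equals the source digest.
acquire_and_verify() {
    local src="$1" dst="$2" src_hash img_hash
    src_hash=$(sha256_of "$src")
    [ -n "$src_hash" ] || return 1            # source unreadable
    dd if="$src" of="$dst" bs=1M 2>/dev/null || return 1
    img_hash=$(sha256_of "$dst")
    # Same "digest  filename" layout that sha256sum -c expects.
    printf '%s  %s\n' "$img_hash" "$(basename "$dst")" > "$dst.sha256"
    [ "$src_hash" = "$img_hash" ]
}

# Re-check an image later against the digest recorded at acquisition time.
verify_image() {
    local dst="$1"
    (cd "$(dirname "$dst")" && sha256sum -c "$(basename "$dst").sha256" >/dev/null 2>&1)
}

# Constructed demo: a scratch file stands in for a partition such as /dev/sdb1.
demo() {
    local dir
    dir=$(mktemp -d) || return 1
    dd if=/dev/zero of="$dir/source.bin" bs=1024 count=3000 2>/dev/null
    printf 'constructed sample data' >> "$dir/source.bin"

    acquire_and_verify "$dir/source.bin" "$dir/ians_other_image" || return 1
    echo "acquired: $(cat "$dir/ians_other_image.sha256")"

    # Any later change to the image must be detected.
    printf 'x' >> "$dir/ians_other_image"
    if verify_image "$dir/ians_other_image"; then
        echo "modification NOT detected"; rm -rf "$dir"; return 1
    fi
    echo "modification detected after tampering"
    rm -rf "$dir"
}

demo
```

On a real acquisition the source would be the partition (for example /dev/sdb1, read as root), and the .sha256 file belongs in the lab report alongside the screenshot.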




What is an inode?


What is a direct block?


What is an indirect block?







Posted by on March 25, 2017 in academic writing, Academic Writing


