Digital Forensics
Assignment #2
Due by start of class on Tuesday, February 17
Extracting data from a filesystem image
Please examine the file filesys1.
The tools that I would like you to use are:
- xxd -a → this will very quickly let you look at the raw contents of the filesystem in question.
- mount -o loop,ro → this will let you see this as a read-only filesystem via a loopback mount; from here, you can do the usual directory listings to see what is (and isn't) going on. You will have to be root to do this, and of course the ownership information displayed isn't accurate.
- tsk_loaddb → this will let you build a sqlite database of information about the filesystem. You can use sqlite3 to work with this sqlite database directly.
- tsk_recover → this will let you recover data from the filesystem.
- fls → this will let you list the files; this will be useful with -r and -m in building a timeline.
- mactime → this lets you build a timeline of activity on this filesystem. (The webpage here is useful for understanding mactime output.)
- icat → this will let you print out the contents of deleted files by specifying their inodes.
Please feel free to use other tools as you like to augment your answers.
These are the five levels of data extraction that I would like to see in your answer:
- What kind of filesystem is this and what are its general characteristics?
- What are the current contents of this filesystem, including filenames, directory names, and data in files?
- Extract the deleted contents of this filesystem, including filenames, directory names, and any recoverable data in files. Use tsk_recover to do this in an automated fashion, and then use fls -r and icat to do this by hand.
- Display a timeline of the events in this filesystem using fls -m and mactime. Raw output from mactime is fine, or you can enlarge on it if you like.
- Build a sqlite database of the contents of the filesystem using tsk_loaddb.
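To see what mactime does with the body file that fls -r -m produces (levels three and four above), here is an added example, not part of the assignment or of The Sleuth Kit, that parses the TSK 3.x body-file layout (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime) and merges timestamps into mactime-style MACB rows. The sample rows are constructed for illustration and are not taken from filesys1.

```python
# Added example (not part of the assignment): a reader for the body-file format
# that "fls -r -m /" writes and mactime reads. Assumed TSK 3.x layout:
# MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime (epoch secs).
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample lines for illustration; these are not from filesys1.
SAMPLE_BODYFILE = """\
0|/notes.txt|12|r/rrw-r--r--|1000|1000|2048|1392000000|1391990000|1391990000|1391980000
0|/secret.doc (deleted)|13|r/rrw-------|1000|1000|512|1392001000|1392001000|1392001000|1392001000
0|/docs|2|d/drwxr-xr-x|0|0|1024|1392002000|1391980000|1391980000|1391970000
"""
MACB_COLUMNS = {"a": 7, "m": 8, "c": 9, "b": 10}  # MACB letter -> body-file column

def parse_bodyfile(text):
    """Parse body-file rows into dicts, skipping blank or malformed lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != 11:
            continue
        rows.append({
            "name": parts[1], "inode": parts[2], "mode": parts[3],
            "uid": parts[4], "gid": parts[5], "size": int(parts[6]),
            "times": {k: int(parts[i]) for k, i in MACB_COLUMNS.items()},
            "deleted": parts[1].endswith(" (deleted)"),  # how fls marks unallocated names
        })
    return rows

def build_timeline(rows):
    """Emulate mactime: one line per (timestamp, file) with merged MACB flags."""
    hits = defaultdict(set)  # (ts, inode, name) -> letters whose timestamp equals ts
    for row in rows:
        for letter, ts in row["times"].items():
            if ts:  # mactime leaves zero (unset) timestamps out
                hits[(ts, row["inode"], row["name"])].add(letter)
    by_file = {(r["inode"], r["name"]): r for r in rows}
    timeline = []
    for ts, inode, name in sorted(hits):
        row = by_file[(inode, name)]
        macb = "".join(c if c in hits[(ts, inode, name)] else "." for c in "macb")
        when = datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        timeline.append({"time": when, "macb": macb, "size": row["size"],
                         "mode": row["mode"], "inode": inode, "name": name})
    return timeline

if __name__ == "__main__":
    for ev in build_timeline(parse_bodyfile(SAMPLE_BODYFILE)):
        print(f"{ev['time']} {ev['size']:>6} {ev['macb']} {ev['mode']} {ev['inode']:>3} {ev['name']}")
```

Feeding it the real output of fls -r -m / filesys1 instead of SAMPLE_BODYFILE gives the same rows mactime would print, which makes it easy to check your mactime reading against the raw timestamps.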
Your Work Product:
Please submit your work at the beginning of class on Tuesday, February 17.