Digital Forensics
Assignment #3
Due by start of class, Monday April 23
Extracting data from filesystem images
Please examine the files img2-stamp0, img2-stamp1, and
img2-stamp2. These are three sequential snapshots of the same filesystem, "img2".
The sha256sums for these files are:
ac33d4fc4c705dd2ff5a0c44740ea679b4555460591a3115e5b3685b2190b64b img2-stamp0
36945489e523c533b6b8a2143688a49c0bacb99aed6ff8d3268a4b901ed748ec img2-stamp1
5fb8b695808e2b725bb62f49e66cbc1572ef0bda6a2e8f52d4f6076aafe70626 img2-stamp2
The tools that I would like you to use are:
- xxd -a → this will very quickly let you look at the raw contents of the filesystem snapshots in question.
- tsk_loaddb → this will let you build a sqlite database of information about the filesystem snapshots. You can use sqlite3 to work with this sqlite database directly. Use a separate database file for each snapshot.
- tsk_recover → this will let you recover data from the filesystem snapshots; you should use separate recovery directories.
- fls → this will let you list the files in each snapshot; this will be useful with -r and -m in building a timeline.
- mactime → this lets you build a timeline of activity on this filesystem. (The webpage here is useful for understanding mactime output.)
- icat → this will let you print out the contents of deleted files by specifying their inodes.
Please feel free to use other tools as you like to augment your answers.
These are the five levels of data extraction that I would like to see in your answer:
- What kind of filesystem is this and what are its general characteristics?
- What are the current contents of each snapshot, including filenames, directory names, and data in files?
- Extract any deleted contents from each snapshot, including filenames, directory names, and any recoverable data in files. Use tsk_recover to do this in an automated fashion, and then use fls -r and icat to do this by hand.
- Display a timeline of the events of the three snapshots using fls -m and mactime. Raw output from mactime is fine, or you can enlarge on it if you like.
- Build sqlite databases for each snapshot using tsk_loaddb.
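The following script is an added illustration of the tool list and the five extraction levels above; it is not part of the assignment and not an answer to it. It does three things: checks the image sums given above before any analysis starts, runs fls -m, mactime, tsk_loaddb and tsk_recover for one snapshot into its own output directory, and re-implements in awk what mactime does with an fls -m body file, so the body-file columns and the MACB flags become visible. The function names, the output directory layout and the two body-file lines used as sample input are all constructed for this example; the sha256 sums are the ones listed above.

```shell
#!/bin/sh
# Added example for the assignment text, not part of it. Assumed names:
# verify_sums, analyze_snapshot, body_timeline and DEMO_BODY are all
# constructed for this illustration.

# The expected sha256 sums as given in the assignment (two spaces before
# the name is the format sha256sum -c expects).
SNAPSHOT_SUMS='ac33d4fc4c705dd2ff5a0c44740ea679b4555460591a3115e5b3685b2190b64b  img2-stamp0
36945489e523c533b6b8a2143688a49c0bacb99aed6ff8d3268a4b901ed748ec  img2-stamp1
5fb8b695808e2b725bb62f49e66cbc1572ef0bda6a2e8f52d4f6076aafe70626  img2-stamp2'

# verify_sums SUMLIST DIR: check the files in DIR against "<sha256>  <name>"
# lines. Returns 0 only if every listed file exists and matches; a mismatch
# means the rest of the work would be done on the wrong evidence.
verify_sums() {
    ( cd "$2" && printf '%s\n' "$1" | sha256sum -c --quiet ) >/dev/null 2>&1
}

# analyze_snapshot IMAGE OUTDIR: run the tools named in the assignment for one
# snapshot, keeping everything under its own directory so snapshots never mix.
analyze_snapshot() {
    img=$1; out=$2
    mkdir -p "$out/recovered"
    fls -r -m / "$img" > "$out/body.txt"      # body file, one line per entry
    mactime -b "$out/body.txt" > "$out/timeline.txt"
    tsk_loaddb -d "$out/tsk.sqlite" "$img"    # one sqlite database per snapshot
    tsk_recover -e "$img" "$out/recovered"    # -e: allocated and unallocated files
}

# body_timeline BODYFILE: a minimal stand-in for mactime. Body lines are
#   MD5|name|inode|mode|uid|gid|size|atime|mtime|ctime|crtime
# Each entry becomes one event per distinct timestamp, with an MACB column
# (m=modified, a=accessed, c=metadata changed, b=created) as mactime prints
# it; "." marks a flag that does not apply to that event. Zero timestamps are
# skipped. Output is sorted by time, then by name:
#   epoch|size|MACB|mode|uid|gid|inode|name
# Real mactime prints human-readable dates; epoch seconds are kept here so
# the output is the same on every platform.
body_timeline() {
    awk -F'|' '
    NF >= 11 {
        split("", flags)
        if ($9  != 0) flags[$9]  = flags[$9]  "m"
        if ($8  != 0) flags[$8]  = flags[$8]  "a"
        if ($10 != 0) flags[$10] = flags[$10] "c"
        if ($11 != 0) flags[$11] = flags[$11] "b"
        for (ts in flags) {
            f = flags[ts]
            macb = (index(f, "m") ? "m" : ".")
            macb = macb (index(f, "a") ? "a" : ".")
            macb = macb (index(f, "c") ? "c" : ".")
            macb = macb (index(f, "b") ? "b" : ".")
            printf "%s|%s|%s|%s|%s|%s|%s|%s\n", ts, $7, macb, $4, $5, $6, $3, $2
        }
    }' "$1" | sort -t'|' -k1,1n -k8,8
}

# Constructed sample body file: a live file and a deleted entry for the same
# name (fls marks unallocated entries with "(deleted)").
DEMO_BODY='0|/notes.txt|12|r/rrw-r--r--|1000|1000|48|1524000300|1524000100|1524000100|1524000000
0|/notes.txt (deleted)|13|r/rrw-r--r--|1000|1000|0|1524000500|1524000500|1524000500|1524000400'

# Show what the sample expands to when the script is run directly.
demo_dir=$(mktemp -d)
printf '%s\n' "$DEMO_BODY" > "$demo_dir/body.txt"
body_timeline "$demo_dir/body.txt"
rm -rf "$demo_dir"
```

For the real snapshots the calls would be `verify_sums "$SNAPSHOT_SUMS" /path/to/images` followed by one `analyze_snapshot /path/to/images/img2-stampN outN` per snapshot; the live tool output from mactime will show the same MACB pattern as body_timeline does on the sample, but with dates instead of epoch seconds.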
Your Work Product:
Please email your work to me at the beginning of class on Monday, April 23. Please put everything in a tar file, including your sqlite databases. Please include a file named "README" which explains what the different items are in your tar file. Please don't include the images.
I am offering 4 points of extra credit on this assignment (not on your final grade for the class) if you email this tar file to me by midnight on Friday, April 20, and 2 points of extra credit if you email it to me by midnight on Sunday.