Digital Forensics
Assignment #3
Due by start of class, Monday April 23

Extracting data from filesystem images

Please examine the files img2-stamp0, img2-stamp1, and img2-stamp2. These are three sequential snapshots of the same filesystem, "img2".

The sha256sums for these files are:

   ac33d4fc4c705dd2ff5a0c44740ea679b4555460591a3115e5b3685b2190b64b  img2-stamp0
   36945489e523c533b6b8a2143688a49c0bacb99aed6ff8d3268a4b901ed748ec  img2-stamp1
   5fb8b695808e2b725bb62f49e66cbc1572ef0bda6a2e8f52d4f6076aafe70626  img2-stamp2

The tools that I would like you to use are:

Please feel free to use other tools as you like to augment your answers.

These are the five levels of data extraction that I would like to see in your answer:

  1. What kind of filesystem is this and what are its general characteristics?
  2. What are the current contents of each snapshot, including filenames, directory names, and data in files?
  3. Extract any deleted contents from each snapshot, including filenames, directory names, and any recoverable data in files. Use tsk_recover to do this in an automated fashion, and then use fls -r and icat to do this by hand.
  4. Display a timeline of the events of the three snapshots using fls -m and mactime. Raw output from mactime is fine, or you can enlarge on it if you like.
  5. Build sqlite databases for each snapshot using tsk_loaddb.
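A POSIX sh driver for the five levels, added here as an example and not part of the assignment. It assumes The Sleuth Kit tools named above are on PATH, that the three files are bare filesystem images (no partition table, so no offset is needed) in one directory, and it refuses to run any tool until each image matches the sha256sum listed above.

```shell
# Added example, not part of the assignment: drives the five extraction levels with The Sleuth Kit.
# Assumes bare filesystem images in one directory and fsstat, fls, icat, tsk_recover, mactime,
# tsk_loaddb on PATH. Digests are the ones given in the assignment.
EXPECTED_SUMS='ac33d4fc4c705dd2ff5a0c44740ea679b4555460591a3115e5b3685b2190b64b img2-stamp0
36945489e523c533b6b8a2143688a49c0bacb99aed6ff8d3268a4b901ed748ec img2-stamp1
5fb8b695808e2b725bb62f49e66cbc1572ef0bda6a2e8f52d4f6076aafe70626 img2-stamp2'

# Return 0 if the file's SHA-256 equals the expected hex digest, 1 otherwise.
verify_sha256() { [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$2" ]; }
# Check every image before any tool touches it; stop at the first mismatch.
verify_images() {
    while read -r sum name; do
        verify_sha256 "$1/$name" "$sum" || { echo "hash mismatch: $name" >&2; return 1; }
    done <<EOF
$EXPECTED_SUMS
EOF
}

# Reduce an fls address field ("12:", "45-128-1:", "12(realloc):") to the bare metadata address.
fls_meta_addr() { addr=${1%:}; printf '%s\n' "${addr%%(*}"; }
# Level 3 by hand: fls -d lists only deleted entries; icat dumps each regular file by its address.
recover_by_hand() {
    mkdir -p "$2"
    fls -r -p -d "$1" | while read -r type _star meta name; do
        [ "$type" = "r/r" ] || continue
        icat "$1" "$(fls_meta_addr "$meta")" > "$2/$(printf '%s' "$name" | tr '/' '_')" || true
    done
}

# Levels 1, 2, 3 (automated and by hand) and 5 for one snapshot; output under $2/<image-name>/.
process_snapshot() {
    out=$2/$(basename "$1"); mkdir -p "$out"
    fsstat "$1" > "$out/fsstat.txt"                 # level 1: filesystem type and layout
    fls -r -p "$1" > "$out/fls.txt"                 # level 2: full tree; deleted entries carry '*'
    tsk_recover -a "$1" "$out/allocated"            # level 2: copy out the current file data
    tsk_recover "$1" "$out/deleted"                 # level 3: unallocated (deleted) files, automated
    recover_by_hand "$1" "$out/deleted-by-hand"     # level 3: the same, done with fls + icat
    tsk_loaddb "$1" && mv "$1.db" "$out/"           # level 5: sqlite db (written beside the image)
}
# Level 4: one bodyfile for all three snapshots, each under its own mount point, so the
# mactime timeline shows which snapshot every entry came from. Usage: main /path/to/images work
main() {
    verify_images "$1" || return 1
    mkdir -p "$2"; : > "$2/body.txt"
    for name in img2-stamp0 img2-stamp1 img2-stamp2; do
        process_snapshot "$1/$name" "$2"
        fls -r -m "/$name" "$1/$name" >> "$2/body.txt"
    done
    mactime -b "$2/body.txt" -d > "$2/timeline.csv"
}
```

Run it with `main /path/to/images work`; the work directory then holds fsstat output, fls listings, recovered files, one .db per snapshot and timeline.csv, and nothing but the README remains to be written before tarring.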

Your Work Product:

Please email your work to me at the beginning of class on Monday, April 23. Please put everything in a tar file, including your sqlite databases. Please include a file named "README" which explains what the different items are in your tar file. Please don't include the images.

I am offering 4 points of extra credit on this assignment (not on your final grade for the class) if you email this tar file to me by midnight on Friday, April 20, and 2 points of extra credit if you email it to me by midnight on Sunday.