Security Project 2
Working with forensics disk images
Summary: We will be looking at forensic disk images. You will compare the files that are visible with a standard disk mount against those that are visible using the PhotoRec tool.
Due: March 7th 2014 by 11:55pm
Details:
Get the disk image (check the Moodle page for this project). These images are in EnCase Expert Witness Format (.E01):
- Those with first names starting with A-E use Image1.e01
- Those with first names starting with H-M use Image2.e01
- Those with first names from P-V use Image4.e01
- Use PhotoRec to get a directory tree of all of the files on the disk image (deleted or not).
- Mount the disk image normally.
  - Directions for Mac users (a bit complex)
  - Windows users can get a 14-day trial for mountimage
  - Here are some directions for Debian/Ubuntu/Linux Mint
  - Note that on Linux you need the libewf library installed to work directly on the .E01 file; otherwise you will have to convert the E01 file to a .dd file.
- Write a Python program to make a text file listing all of the non-deleted files from the mounted disk.
- Use your Python program on the directory created by PhotoRec to get a text file with the file list from the PhotoRec run.
- Compare the two lists, either with a diff tool or with a second Python program.
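As an added example (this is not part of the assignment handout and not code from the course), the following Python script does both the listing step and the comparison step. It assumes the normally mounted image and the PhotoRec output directory (the recup_dir.N folders) are plain directories on your machine; the paths in the demo are constructed for illustration. Because PhotoRec does not recover original file names (carved files are named by their offset on disk), the two listings are matched by SHA-256 of the file contents rather than by name. A tally of extensions over files that appear only in the PhotoRec output is what answers the "what sort of file was most deleted" question.

```python
import hashlib
import os
import tempfile
from collections import Counter
from pathlib import Path


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large images do not get read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def list_files(root):
    """Walk root and return (relative_path, size, sha256) tuples sorted by path.
    Works on the normal mount and on the PhotoRec output directory alike."""
    root = Path(root)
    entries = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order so the text files diff cleanly
        for name in sorted(filenames):
            p = Path(dirpath) / name
            if p.is_symlink():
                continue  # never follow links that could point outside the image
            try:
                entries.append((str(p.relative_to(root)), p.stat().st_size, sha256_of(p)))
            except OSError:
                continue  # unreadable entry (permissions, damaged filesystem); skip it
    return entries


def write_listing(entries, out_path):
    """One line per file: <sha256>  <size>  <relative path>."""
    with open(out_path, "w", encoding="utf-8") as f:
        for rel, size, digest in entries:
            f.write(f"{digest}  {size:>10}  {rel}\n")


def read_listing(path):
    """Parse a file written by write_listing back into tuples (paths may contain spaces)."""
    entries = []
    with open(path, encoding="utf-8") as f:
        for line in f:
            digest, size, rel = line.rstrip("\n").split(None, 2)
            entries.append((rel, int(size), digest))
    return entries


def compare(mounted, recovered):
    """Return (only_in_mount, only_in_recovered, extension_counts).
    Matching is by content hash because PhotoRec renames everything it carves.
    Files only in the PhotoRec output are candidates for deleted files (they can
    also be carved fragments or false positives); files only on the mount are
    ones PhotoRec missed, e.g. fragmented files."""
    mount_hashes = {d for _, _, d in mounted}
    rec_hashes = {d for _, _, d in recovered}
    only_mount = [e for e in mounted if e[2] not in rec_hashes]
    only_rec = [e for e in recovered if e[2] not in mount_hashes]
    ext_counts = Counter(Path(rel).suffix.lower() or "(none)" for rel, _, _ in only_rec)
    return only_mount, only_rec, ext_counts


def demo():
    """Constructed sample: a 'mount' with two files and a PhotoRec directory holding
    carved copies of both plus one file that is not visible on the mount."""
    with tempfile.TemporaryDirectory() as tmp:
        mnt = Path(tmp, "mount")
        rec = Path(tmp, "recup_dir.1")
        (mnt / "docs").mkdir(parents=True)
        rec.mkdir()
        (mnt / "docs" / "notes.txt").write_bytes(b"meeting notes")
        (mnt / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0jpegdata")
        (rec / "f0001024.txt").write_bytes(b"meeting notes")          # same content, new name
        (rec / "f0002048.jpg").write_bytes(b"\xff\xd8\xff\xe0jpegdata")  # same content, new name
        (rec / "f0004096.pdf").write_bytes(b"%PDF-1.4 deleted report")   # only recoverable by carving
        write_listing(list_files(mnt), Path(tmp, "mount_files.txt"))
        write_listing(list_files(rec), Path(tmp, "photorec_files.txt"))
        only_mount, only_rec, ext_counts = compare(
            read_listing(Path(tmp, "mount_files.txt")),
            read_listing(Path(tmp, "photorec_files.txt")),
        )
        return len(only_mount), [rel for rel, _, _ in only_rec], ext_counts.most_common(1)[0]


if __name__ == "__main__":
    print(demo())  # (0, ['f0004096.pdf'], ('.pdf', 1))
```

For the real assignment, call list_files on the mount point and on the PhotoRec output directory, write the two text files, and run compare on them; mount the image read-only so the listing step cannot alter the evidence.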
- Write up a short paper with the following information:
  - What was the disk image name that you were assigned?
  - Who does the disk appear to belong to?
  - What is their email address?
  - Has anyone else used this drive?
  - What sort of file was most deleted (were there any deleted files)?
  - When was the disk lost/abandoned?
Submitting:
Put your write-up, your Python program, and its output text files into a folder named <your name>Project2. Zip up that folder and submit the zip file via Moodle.