This lesson provides some conceptual and practical information on processes, tools, and considerations for analyzing evidence obtained from Filesystem or Storage Device Images.
For your lab work, ensure you have access to both a Linux desktop environment with root, and a Windows desktop with Administrator. You will be showing your work to the professor throughout the semester, so you will need to be able to share your lab system screen, and the lab system you use will need to be clearly identified as your own (you should use your own name for the login, or at least something unique to you). No marks will be given for showing work on a lab system which is not your own.
At the end of this lesson, students will:
These objectives are in support of Learning Outcomes 2, 3, 4, and 6 in the Course Outline.
Watch the videos from the presentation, as well as the videos listed under additional resources. The UCF videos are not required to watch in full, but you should watch at least the first 5-10 minutes of each to see what kinds of things they cover. The videos covering truths that turn out to be wrong should be watched in full, as well as the report writing video featuring Dr. Mark Pollitt. Briefly review the materials available at the other websites listed under Additional Resources, primarily check the comparison charts in the white paper comparing Encase, FTK, and Autopsy. Instead of creating a simulated scenario to investigate, we will be using one we can get online. Do the CIRCL Sample Investigation listed as cyberday.lu 2022 according to the instructions in the presentation slides provided their website. For this lab, we are focusing on the process of recovering a drive which has had its MBR deleted or damaged maliciously. When you have recreated the investigation, try creating a forensic report in the same format as described in the video from Dr. Mark Pollitt. If you are unsure whether you have completed these activities correctly, ask the professor to review your work. This activity is not graded.
This activity is not graded. There is nothing to submit on blackboard for this activity.
The quiz is found on Blackboard under Assignments and Tests.
There is no separate test for this topic. The quiz will count for your testing mark in this topic.
In this module, you have been introduced to analyzing filesystems images. You should now be:
Completing the quiz will provide you with a measure of your knowledge in these areas.