Disk forensics is the examination of a computer's storage media (usually a hard disk, and usually through a forensic image of it rather than the original drive) to locate and recover evidence.


While responding to incidents that involve examining a computer, the incident responders seize the hard disk or create a forensic image of it. The image, not the original disk, is then handed to the analysts, who use it to locate and recover deleted files and other artifacts of interest. Which artifacts matter depends on the objective of the investigation: in an internal financial fraud case, the Excel/Word documents and emails will be important, whereas in a breach, the access logs and the configuration changes made to keep access persistent will be important.


What will you learn?


  • Creating a disk image from the provided evidence disk

  • Mounting a disk image for analysis

  • Carving files from provided disk images
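The three steps above (acquire, mount, carve) carried out end to end on a constructed image, as an added example written for this page, not code from the course or from The Sleuth Kit, Foremost or Scalpel. The image, its single MBR partition and the two planted files are all constructed inline, and `build_sample_image`, `acquire`, `verify`, `mbr_partitions`, `mount_command` and `carve` are names chosen here. The points the course tools hide from you: a whole-disk image cannot be mounted as-is, the mount has to start at the partition's byte offset (the number `mmls` prints, times the sector size), and carving never looks at the filesystem at all, only at file headers and footers in the raw bytes.

```python
import hashlib
import io
import struct

SECTOR = 512

# Constructed evidence (not a real disk): two small files with real magic bytes,
# planted inside the partition so the carver has something to find.
JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"<jpeg body>" + b"\xff\xd9"
PNG = b"\x89PNG\r\n\x1a\n" + b"<png body>" + b"IEND\xaeB`\x82"

def build_sample_image(part_start_lba=2048, part_sectors=64):
    """Build a raw image with an MBR whose first entry is a Linux (0x83) partition
    starting at sector 2048, and plant the two files inside that partition."""
    img = bytearray((part_start_lba + part_sectors) * SECTOR)
    # MBR entry 1 at byte 446: status, CHS start, type, CHS end, start LBA, sector count
    img[446:462] = struct.pack("<B3sB3sII", 0, b"\0\0\0", 0x83, b"\0\0\0",
                               part_start_lba, part_sectors)
    img[510:512] = b"\x55\xaa"          # boot signature
    base = part_start_lba * SECTOR
    img[base + 1000:base + 1000 + len(JPEG)] = JPEG
    img[base + 5000:base + 5000 + len(PNG)] = PNG
    return bytes(img)

# 1. Acquisition: what dd does, plus the hash you record in the acquisition log.
def acquire(src, dst, block_size=4 * 1024 * 1024):
    """Copy src to dst block by block and hash the stream on the way; returns SHA-256 hex."""
    h = hashlib.sha256()
    while True:
        chunk = src.read(block_size)
        if not chunk:
            break
        dst.write(chunk)
        h.update(chunk)
    return h.hexdigest()

def verify(image, expected_hex):
    """Re-hash the image before analysis; a mismatch means the copy is not evidence."""
    return hashlib.sha256(image).hexdigest() == expected_hex

# 2. Mounting: a whole-disk image cannot be mounted as-is; find the partition's byte
#    offset (what mmls reports in sectors) and pass it to mount with offset=.
def mbr_partitions(image):
    """Parse the four primary MBR entries into dicts with the byte offset of each partition."""
    if image[510:512] != b"\x55\xaa":
        raise ValueError("no MBR signature: GPT disk or bare filesystem image?")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        _status, _, ptype, _, start, count = struct.unpack("<B3sB3sII", image[off:off + 16])
        if ptype == 0 or count == 0:
            continue                    # empty slot
        parts.append({"index": i + 1, "type": ptype, "start_lba": start,
                      "sectors": count, "offset": start * SECTOR})
    return parts

def mount_command(image_path, part, mountpoint="/mnt/evidence"):
    """The mount line for one partition: read-only, over a loop device, at the partition offset."""
    return (f"sudo mount -o ro,noexec,loop,offset={part['offset']} "
            f"{image_path} {mountpoint}")

# 3. Carving: header/footer search over the raw bytes, the approach Foremost and Scalpel
#    use; it needs no filesystem metadata, so it also recovers deleted and unallocated files.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

def carve(image, max_size=10 * 1024 * 1024):
    """Return [(image_offset, ext, data)] for every header that has a footer within max_size."""
    found = []
    for ext, (header, footer) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + max_size)
            if end == -1:               # header with no footer in range: skip it
                pos = image.find(header, pos + 1)
                continue
            found.append((pos, ext, image[pos:end + len(footer)]))
            pos = image.find(header, end + len(footer))
    return sorted(found, key=lambda f: f[0])

def run_demo(image_path="evidence.dd"):
    """Run the three steps over the constructed image and return what each produced."""
    disk = build_sample_image()
    copy = io.BytesIO()
    digest = acquire(io.BytesIO(disk), copy)
    image = copy.getvalue()
    parts = mbr_partitions(image)
    return {
        "hash_ok": verify(image, digest),
        "mount": mount_command(image_path, parts[0]),
        "carved": [(off, ext, len(data)) for off, ext, data in carve(image)],
    }

if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

On a real disk the acquisition step is `dd if=/dev/sdX of=evidence.dd bs=4M conv=noerror,sync` behind a write blocker, with `sha256sum` run over both the device and the image. Note that `conv=noerror,sync` pads unreadable sectors with zeros, so on a failing drive the two hashes legitimately differ; record the dd error count alongside both hashes. The carved offsets are relative to the start of the image; subtract the partition offset to get the position inside the filesystem.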


References:


  1. The Sleuth Kit (https://www.sleuthkit.org/)

  2. Foremost (http://foremost.sourceforge.net/)

  3. Scalpel (https://github.com/sleuthkit/scalpel)

  4. EWF Tools (https://dfir.science/2017/11/EWF-Tools-working-with-Expert-Witness-Files-in-Linux.html)


Labs Covered:


  • Forensics Basics

    Analyze a provided disk image and discover the files present on it using The Sleuth Kit.


  • Bulk File Extraction

    Extract all files present on a provided disk image using the Bulk Extractor tool and locate relevant information.
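Bulk Extractor does not walk the filesystem or carve whole files: it scans the raw bytes of the image for features (email addresses, URLs, card numbers and so on) wherever they sit, including unallocated space and slack. The added example below, written for this page and not taken from the course or from bulk_extractor itself, does the two things that make that work: it scans in fixed-size chunks with an overlap so a feature straddling a chunk boundary is still found, and it keys hits on absolute image offset so the overlap does not double count. `SAMPLE_IMAGE` is a constructed byte string standing in for a fragment of a raw image; `scan_features` and `histogram` are names chosen here.

```python
import re
from collections import Counter

# Constructed stand-in for a fragment of a raw image (not a real disk): an email header
# and a URL separated by runs of zero bytes, as they would sit in unallocated space.
SAMPLE_IMAGE = (
    b"\x00" * 64
    + b"From: alice@example.com\r\nTo: bob@example.org\r\nSubject: invoice\r\n"
    + b"\x00" * 32
    + b"GET http://intranet.example.com/admin/export?all=1 HTTP/1.1\r\n"
    + b"\x00" * 16
    + b"mailto:alice@example.com\x00"
    + b"\xff" * 8
    + b"https://evil.example.net/c2/beacon"
)

# Two feature scanners; bulk_extractor ships many more (credit cards, phone numbers, EXIF ...).
EMAIL = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL = re.compile(rb"https?://[A-Za-z0-9.-]+(?:/[^\s\x00\"'<>]*)?")
SCANNERS = (("email", EMAIL), ("url", URL))

def scan_features(image, chunk_size=1 << 20, overlap=256):
    """Scan raw bytes chunk by chunk, reading `overlap` extra bytes past each chunk so a
    feature that straddles a boundary is still matched; hits are keyed on absolute offset
    so a feature seen from two chunks is counted once, keeping the longer match.
    Returns [(offset, kind, value)] sorted by offset."""
    hits = {}
    pos = 0
    while pos < len(image):
        window = image[pos:pos + chunk_size + overlap]
        for kind, rx in SCANNERS:
            for m in rx.finditer(window):
                key = (pos + m.start(), kind)
                if key not in hits or len(m.group()) > len(hits[key]):
                    hits[key] = m.group()
        pos += chunk_size
    return sorted((off, kind, val.decode("ascii", "replace"))
                  for (off, kind), val in hits.items())

def histogram(features, kind):
    """Count distinct values of one kind, the equivalent of bulk_extractor's *_histogram.txt,
    which is usually where an analyst starts: the most frequent address or domain."""
    return Counter(value for _, k, value in features if k == kind)

if __name__ == "__main__":
    # Deliberately tiny chunks so several features cross a chunk boundary.
    feats = scan_features(SAMPLE_IMAGE, chunk_size=40, overlap=64)
    for off, kind, value in feats:
        print(f"{off:8d} {kind:5s} {value}")
    print(histogram(feats, "email").most_common())
```

The overlap must be at least as long as the longest feature you want back whole; anything longer is cut at the window edge. The offsets in the output are what let you go back to the image with the mount or carving steps and find the file, or the unallocated region, the feature came from.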


  • Forensics Basics

  • File Carving (Foremost)

  • File Carving (Scalpel)

  • Bulk File Extraction

  • Image Acquisition (DD Tools)

  • Image Acquisition (EWF Tools)

  • Image Acquisition (FTK Imager)

  • Mounting Image (Raw Mount)

  • Mounting Image (EWF Mount)

  • Mounting Disk Image (Raw mount)

  • Mounting Disk Image (Python)