DIGITAL FORENSICS
ASSIGNMENT - 2
EXPERIMENT - 1: FORENSIC ANALYSIS USING THE SLEUTH KIT
EXPERIMENT - 2: FILE SYSTEM ANALYSIS OF AN IMAGE FILE USING AUTOPSY
EXPERIMENT - 3: RECOVERING DELETED FILES FROM HARD DISK USING WINHEX
N.AVINASH CHOWDARY
VU22CSEN0400164
EXPERIMENT -1
FORENSIC ANALYSIS USING THE SLEUTH KIT
AIM:-
To analyze the file system of a forensic disk image using The Sleuth
Kit (TSK) and extract critical information such as partition details, file
system type, metadata, and recover lost or deleted files.
COMMANDS USED:-
1. View Partition Table
mmls "evidence_file_path"
• Displays partition layout of the forensic image.
2. Identify File System Type
fsstat "evidence_file_path"
• Provides details on file system type (e.g., NTFS).
3. Retrieve Image Metadata
img_stat "evidence_file_path"
• Displays general information about the forensic image.
4. Analyze File Metadata Using MFT Entries
istat -f ntfs "evidence_file_path" 0
• Shows Master File Table (MFT) entry details.
istat -f ntfs "evidence_file_path" 7
• Displays information about the Boot file.
istat -f ntfs "evidence_file_path" 8
• Shows details of bad clusters in the file system.
5. List Files and Directories
fls -f ntfs "evidence_file_path"
• Lists files and directories found in the forensic image.
6. Recover Deleted or Lost Files
tsk_recover -i raw -e "evidence_file_path" "recovery_path"
• Recovers all available files (allocated and unallocated)
from the forensic image.
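The commands above work as written when the file system starts at sector 0 of the image; when mmls reports the NTFS partition at a later start sector, fsstat, istat, fls and tsk_recover need that sector passed with -o. The following added example (not part of the original report; the mmls output, evidence.dd and the recovered directory are constructed placeholders) parses mmls output and builds the same commands with the offset filled in.

```python
import re
import shlex

# Constructed sample of `mmls` output for a disk image with one NTFS partition.
SAMPLE_MMLS = """\
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000206847   0000204800   NTFS / exFAT (0x07)
"""

ROW = re.compile(r"^(\d{3}):\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+?)\s*$")
UNITS = re.compile(r"Units are in (\d+)-byte sectors")


def parse_mmls(text):
    """Return (sector_size, partitions); Meta and Unallocated rows are skipped."""
    m = UNITS.search(text)
    sector_size = int(m.group(1)) if m else 512
    parts = []
    for line in text.splitlines():
        row = ROW.match(line)
        # Real partitions have a slot like 000:000; "Meta" and "-------" do not.
        if row and re.fullmatch(r"\d+:\d+", row.group(2)):
            start, end, length = (int(row.group(i)) for i in (3, 4, 5))
            parts.append({"slot": row.group(2), "start": start, "end": end,
                          "length": length, "desc": row.group(6)})
    return sector_size, parts


def tsk_commands(image, part, fstype="ntfs", outdir="recovered"):
    """Build the report's commands with the partition's sector offset (-o) added."""
    off = str(part["start"])
    cmds = [
        ["fsstat", "-o", off, image],
        ["istat", "-o", off, "-f", fstype, image, "0"],  # MFT entry 0
        ["fls", "-o", off, "-f", fstype, image],
        ["tsk_recover", "-i", "raw", "-o", off, "-e", image, outdir],
    ]
    return [shlex.join(c) for c in cmds]


if __name__ == "__main__":
    size, parts = parse_mmls(SAMPLE_MMLS)
    for p in parts:
        print(p["desc"], "starts at byte", p["start"] * size)
        print("\n".join(tsk_commands("evidence.dd", p)))
```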
CONCLUSION:-
Through this lab, we successfully analyzed the forensic disk image using
The Sleuth Kit (TSK). We examined the partition structure, identified
the file system type as NTFS, and extracted metadata such as the
Master File Table (MFT) and boot sector details. Additionally, we listed
directory contents and successfully recovered files, demonstrating the
effectiveness of TSK for forensic investigations.
EXPERIMENT -2
FILE SYSTEM ANALYSIS OF AN IMAGE FILE USING AUTOPSY
AIM
To analyze the file system of a Linux forensic disk image using Autopsy,
identify important metadata, extract file system details, and
examine key evidence that may help in a forensic investigation.
STEPS
1. Installing and Launching Autopsy
• Navigate to evidence_path_file.
• Run autopsy-4.14.0-64bit.msi and complete the installation.
• Launch Autopsy by double-clicking its shortcut.
2. Creating a New Case in Autopsy
• Click New Case in the welcome window.
• Enter Case Name: Linux_Analysis.
• Create a folder on the Desktop named Image File Analysis
and set it as the base directory.
• Enter Examiner Name: Jonathan, and Case Number: 1001-125.
3. Adding the Forensic Disk Image
• Select Disk Image or VM File as the data source.
• Browse to evidence_path_file and select
• Configure necessary ingest modules and proceed with
analysis.
4. Examining the File System
• Expand Data Sources → Click on Linux_Evidence_001.img.
• Autopsy displays file system structure, including directories
like /etc, /home, etc.
5. Viewing the passwd File (User Account Details)
• Navigate to /etc folder.
• Select passwd file and open the Text tab.
• View user account information under the Strings tab.
6. Extracting Metadata and Hash Verification
• Navigate to /home/roger/Documents.
• Select SeatPlan.xls.
• View metadata details (created, modified, and accessed
times).
• Compute MD5 hash for integrity verification.
CONCLUSION
Through this analysis, we successfully examined the file system structure
of a Linux forensic image using Autopsy. We identified key metadata,
inspected system files for evidence, and computed file hashes
for integrity validation. This process is essential in digital forensic
investigations, allowing experts to uncover crucial clues related to
cybercrime or criminal cases.
EXPERIMENT -3
RECOVERING DELETED FILES FROM HARD DISK USING
WINHEX
AIM
To understand the process of recovering deleted files from a forensic
disk image using the WinHex tool.
STEPS TO RECOVER DATA USING WINHEX
1. Launch WinHex
• Navigate to evidence_path_file.
• Double-click winhex.exe to open the application.
2. Adding an Evidence File
• Click on File → Open.
• Navigate to evidence_path_file.
• Select Linux_Evidence_001.img and click Open.
• A WinHex evaluation pop-up may appear; click OK to continue.
3. Recovering Deleted Files
• Go to Tools → Disk Tools → File Recovery by Type…
• A pop-up will appear; click OK.
• In the File Header Search window, select file types to recover.
• Click OK and choose a destination folder.
• Click OK to start the recovery process.
• Once completed, navigate to the Retrieved Files folder to
view recovered files.
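Recovery by type works by searching raw data for known file headers, as the File Header Search window in step 3 indicates. The following added example (not from the original report and not WinHex's own code; the byte buffer is constructed) shows that technique on an in-memory sample: it finds JPEG and PNG headers, cuts each hit at its footer, and records an MD5 for each carved blob. Files recovered this way carry no original name or timestamps.

```python
import hashlib

# Well-known header/footer magic bytes for two file types.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def carve(data, max_size=10 * 1024 * 1024):
    """Scan raw bytes for known headers and cut each hit at its first footer.

    Returns hits sorted by offset. A header with no footer within max_size
    is kept with size/md5 set to None so it can be reviewed by hand.
    """
    hits = []
    for ftype, (header, footer) in SIGNATURES.items():
        pos = data.find(header)
        while pos != -1:
            end = data.find(footer, pos + len(header), pos + max_size)
            if end == -1:
                # Truncated or overwritten file: flag it, do not guess a length.
                hits.append({"type": ftype, "offset": pos,
                             "size": None, "md5": None})
                pos = data.find(header, pos + 1)
                continue
            blob = data[pos:end + len(footer)]
            hits.append({"type": ftype, "offset": pos, "size": len(blob),
                         "md5": hashlib.md5(blob).hexdigest()})
            pos = data.find(header, pos + len(blob))
    return sorted(hits, key=lambda h: h["offset"])


def sample_image():
    """Constructed data: filler, a JPEG-like blob, a PNG-like blob, a cut-off JPEG."""
    jpg = b"\xff\xd8\xff\xe0" + b"J" * 20 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 16 + b"IEND\xaeB`\x82"
    cut = b"\xff\xd8\xff\xe1" + b"T" * 8
    return b"\x00" * 512 + jpg + b"\x00" * 486 + png + b"\x00" * 100 + cut


if __name__ == "__main__":
    for hit in carve(sample_image()):
        print(hit)
```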
LAB ANALYSIS
After the recovery process, review the retrieved files for forensic analysis.
This process helps investigators identify crucial evidence that
was intentionally deleted.