
02 - Collecting Disk - Exercise Answers

The document discusses analyzing a disk image file from an exercise. It provides instructions to use tools like mmls, md5sum, and kpartx to view partition details, verify checksums, and mount partitions in the image. Information like the username of the last logged in user is obtained from browsing the mounted partitions.

Uploaded by

jpatinosanchez

Collecting Disk – Exercise Answers

Introduction
The purpose of this exercise is to verify that a previously captured victim disk can be
analyzed at a later time. The file used for this exercise is located at:
/mnt/hgfs/Forensics/malware_analysis_disk_ex3
Complete the following tasks.

Tasks
1. Use the mmls and/or disktype programs to list the number of partitions, the partition
size, and the file system types from the image. Record your findings below:
Partition Number   Size       File System Type   Comments
1                  2048       No file system     Unallocated
2                  83881984   NTFS or exFAT
3                  2048       No file system     Unallocated

2. Answer these questions:


a. What is the size of the image file? 40GB
b. What is the size of image when mounted (hint: xmount)? 40GB
3. Verify the MD5 checksum reported in the .txt file located in the same directory as the
image (hint: md5sum): Verified d924e5aa5d96f6429141623e8f9478c6
4. Use kpartx to create loop devices for each partition. Answer these questions:
a. How many loop devices did kpartx create? 1
b. What is the offset into the expanded (DD) image for the 1st loop device? 2048
5. Mount all of the partitions (hint: mount) and answer these questions:
a. Were all of the partitions mountable? Yes or No. Yes
b. Which if any partitions were not able to be mounted? ________________
6. Answer these questions based on the mounted file systems:
a. What kind of system do you think this is? Windows 7 or beyond
b. From the information in the standard location where user files are located, what
is the username of the last user to have logged in? user
7. Which of these is the correct sequence for gracefully undoing all of the activities you’ve
done in this exercise short of rebooting?
a. Unmount file systems; unmount image; remove loop devices.
b. Unmount image; unmount file systems; remove loop devices.
c. Remove loop devices; unmount file systems; unmount image.
d. Unmount file systems; remove loop devices; unmount image.
e. There is no graceful way – a reboot is always required

Your answer: Option D
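
Added example (not part of the original answer sheet): shell helpers for tasks 3, 4 and 7 that check the recorded MD5, turn a kpartx mapping line into a byte offset, and tear everything down in the order of option D. The function names, the 512-byte sector size and every path passed to the functions are assumptions; the sample kpartx line in the comment is constructed from the sizes recorded above.

```shell
#!/bin/sh
# Added example: helper names, paths and sample values are assumptions.

# Task 3: compare the image's MD5 with the value recorded in the .txt file.
# $1 = image path, $2 = expected hex digest.
# Returns 0 on match, 1 on mismatch, 2 if the image cannot be read.
verify_md5() {
    vm_actual=$(md5sum "$1" 2>/dev/null | cut -d' ' -f1)
    [ -n "$vm_actual" ] || return 2
    vm_expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$vm_actual" = "$vm_expected" ]
}

# Task 4: turn one line of "kpartx -av" output into
# "device sectors start_sector byte_offset". $2 = sector size (default 512).
# Constructed sample line:
#   add map loop0p1 (253:0): 0 83881984 linear 7:0 2048
parse_kpartx_line() {
    printf '%s\n' "$1" | awk -v ss="${2:-512}" '
        $1 == "add" && $2 == "map" && $7 == "linear" {
            printf "%s %s %s %.0f\n", $3, $6, $9, $9 * ss; ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Task 7, option D: release resources in the reverse order they were created.
# $1 = xmount mount point, $2 = expanded image inside it,
# remaining arguments = directories where partitions are mounted.
teardown() {
    td_xmount=$1; td_image=$2; shift 2
    for td_fs in "$@"; do
        umount "$td_fs" || return 1      # 1. unmount file systems
    done
    kpartx -d "$td_image" || return 1    # 2. remove loop devices
    umount "$td_xmount"                  # 3. unmount the image
}
```

The byte offset printed by parse_kpartx_line is the value to give mount's offset= option when mounting a partition directly from the expanded image instead of through the /dev/mapper device.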
