cet4861 – Advanced Digital Forensicslog

cet4861 – Advanced Digital Forensicslog inhelpGet a free wiki | Try our free business product
WikiPages & Files
Search this workspace
If you are citizen of an European Union member nation, you may not use this service unless you are at least 16 years old.


Assignment 3
Page historylast edited by Patrick 7 months ago
HFS+ and EXT3 File System Analysis

Assignment 3


Analyze two images with different types of file systems, and answer the following questions. The objectives of the exercise are to assist you in familiarizing yourself with the HFS+ and EXT3 file systems and allow you to practice more with Sleuthkit. Unzip the compressed images under the VM in which Sleuthkit is installed; the images are approximately 10MB each unzipped.


Answers to the questions below for each image. When the question asks for an explanation, provide a detailed explanation rather than simply a sentence. Show your work. I want to see the commands you ran and the output; it doesn’t have to be the entire results of a command, but make sure to include a few lines for context or you may provide cropped screen captures of the results. If you go the screen capture route, they should be with their appropriate answers not as an appendix at the end of the document.

You are to use Sleuthkit to answer these questions.


  1. What is the SHA-1 hash of the image?
  2. What type of file system is on the image?
  3. What is the block size?

a. How many blocks are required to store a file that is 9999 bytes?

  1. What is an inode (explain)? How is an inode different or the same than the way files are represented in NTFS (explain)?

a. How many inodes are located on the image?

b. How many free inodes are available?

  1. What is a superblock (explain)?

a. How many superblocks are located on the image?

  1. How many non deleted directories are located on the image?
  2. How many non deleted files are located on the image?

a. List their names, file type, metadata, and SHA1 hash.

  1. How many deleted files are located on the image according to Sleuthkit?

a. Try to recover the deleted file using Sleuthkit (icat). What happened?

b. Hint: The deleted file had the word ‘delete’ in it. Look at the man page for the ‘blkls’ command which carves out the unallocated space from the image. Use that along with two other Linux commands to find the contents of the file (Further Hint: run ‘blkls’, find all human readable strings, search for the keyword)

  1. What is a group descriptor (explain)? How many are located on the image? How many blocks are in each group?


  1. What is the SHA-1 hash of the image?
  2. What type of file system is on the image?
  3. What is the volume name? What is a volume identifier (explain)? What is the volume identifier of the image?
  4. How many times has the volume been mounted? What does it mean to ‘mount’ a file system?
  5. How many files are on the image?
  6. How many folders are on the image?
  7. What is the block size?
  8. When was the image created?
  9. How many deleted files on the image? How many deleted folders, if any? This is tricky, because if you run ‘fls -d …’, it will return nothing. Run ‘fls’ both with and without the ‘-d’.
  10. Using Sleuthkit recover the deleted file whose extension is ‘.txt’. Calculate the SHA-1 hash of the file.
  11. List the contents of the file from step 10 above here:
  12. Based on your review of the image using Sleuthkit (fls), how is the way the Mac handles deleting a file similar to the way Windows handles it?

Assignment Files:

All Course Lectures

You now
Someone else 1 min ago
Someone else 3 mins ago
Someone else 4 mins ago
Someone else 6 mins ago
Someone else 12 mins ago
Someone else 49 mins ago
Someone else 51 mins ago
Someone else 55 mins ago
Someone else 1 hr ago
Comments (0)
You don’t have permission to comment on this page.

Printable version
PBworks / Help
Terms of use / Privacy policy / GDPR

About this workspace
Contact the owner / This workspace is public

Leave a Reply

Your email address will not be published. Required fields are marked *