Lab Exam First Half

---------------------------------------------------------------------------------------------------------------------------------------------------------------

Question 1

The test image to download is a 'raw' disk image (i.e., 'dd'). The disk is 150MB and is compressed to 160KB. Choose a tool to show all six FAT16 partitions. Each partition contains a file whose name corresponds to the partition. Each file has zero size. Complete the table:

Sl No    Table Entry    Start    End    Length    Description
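As an added worked example (not part of the lab or its test image), the following Python walks an MBR and its extended-partition (EBR) chain and produces rows in the shape of the table above; it runs on a constructed six-partition layout, so the sector numbers are sample values rather than the lab image's.

```python
import struct
SECTOR = 512
EXTENDED = {0x05, 0x0F}                   # DOS extended and Win95 extended (LBA)
NAMES = {0x04: "FAT16 (<32MB)", 0x06: "FAT16", 0x0E: "FAT16 (LBA)", 0x07: "NTFS"}

def parse_table(sector):
    """Return the four (type, start_lba, length) entries of one MBR/EBR sector."""
    if sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    return [(sector[o + 4], *struct.unpack_from("<II", sector, o + 8))
            for o in range(446, 510, 16)]

def list_partitions(image):
    """Walk the MBR plus the EBR chain; rows are (table entry, start, end, length, description)."""
    rows = []
    for ptype, start, length in parse_table(image[:SECTOR]):
        if ptype == 0:
            continue
        if ptype not in EXTENDED:
            rows.append(("MBR", start, start + length - 1, length, NAMES.get(ptype, f"type 0x{ptype:02X}")))
            continue
        rows.append(("MBR", start, start + length - 1, length, "Extended (container)"))
        ebr, n = start, 0                     # the first EBR sits at the extended partition's start
        while True:
            table = parse_table(image[ebr * SECTOR:(ebr + 1) * SECTOR])
            lt, ls, ll = table[0]             # logical partition: start is relative to this EBR
            if lt:
                rows.append((f"EBR{n}", ebr + ls, ebr + ls + ll - 1, ll, NAMES.get(lt, f"type 0x{lt:02X}")))
            nt, ns, _ = table[1]              # link to the next EBR: relative to the extended start
            if nt == 0:
                break
            ebr, n = start + ns, n + 1
    return rows

# Constructed sample (not the lab's image): 3 primary FAT16 + an extended holding 3 logical FAT16.
def entry(ptype, start, length):
    return b"\x00" * 4 + bytes([ptype]) + b"\x00" * 3 + struct.pack("<II", start, length)

def table_sector(entries):
    entries = entries + [entry(0, 0, 0)] * (4 - len(entries))
    return b"\x00" * 446 + b"".join(entries) + b"\x55\xAA"

def build_sample_image():
    img = bytearray(SECTOR * 6200)
    img[:SECTOR] = table_sector([entry(0x06, 63, 1000), entry(0x06, 1063, 1000),
                                 entry(0x06, 2063, 1000), entry(0x05, 3063, 3100)])
    for rel, link in ((0, 1000), (1000, 2000), (2000, 0)):      # EBR chain inside the extended
        ents = [entry(0x06, 63, 937)] + ([entry(0x05, link, 1000)] if link else [])
        img[(3063 + rel) * SECTOR:(3064 + rel) * SECTOR] = table_sector(ents)
    return bytes(img)
```

Running `list_partitions(build_sample_image())` yields seven rows: the extended container plus six FAT16 partitions, three primary and three logical.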


---------------------------------------------------------------------------------------------------------------------------------------------------------------

Question 2

The test image to download is a 'raw' partition image (i.e. 'dd') of an EXT3 file system. The file system is 5MB and is compressed to 4MB. The MD5 of the image is 30e7f792cc853e34e17335b243605d3a.

Search Terms

These searches should all be performed case-sensitively and not as regular expressions.

1. Search string: first

How many hits: 

For each hit:

Sector or Fragment and Offset:

File Name: 

2. Search String: second

How many hits:

For each hit:

Sector or Fragment and Offset:

File Name: 

3. Search String: third

How many hits:

For each hit:

Sector or Fragment and Offset:

File Name: 

4. Search String: slacker

How many hits:

For each hit:

Sector or Fragment and Offset:

File Name: 

---------------------------------------------------------------------------------------------------------------------------------------------------------------

Question 3

The test image to download is a 'raw' partition image (i.e. 'dd') of a FAT12 file system. The MD5 of the image is 9fb582f3361ba0bc5a3b0f7c17a082cb. The contents of each file contain the time at which it was created.

Name Created Date

winter.txt _______________

summer.txt _______________

---------------------------------------------------------------------------------------------------------------------------------------------------------------

Question 5

This test image is a 6MB FAT file system with six deleted files and two deleted directories. The files range from single-cluster files to files with multiple fragments. No data structures were modified in this process to thwart recovery. They were created in Windows XP, deleted in XP, and imaged in Linux.

The test image to download is a 'raw' partition image (i.e., 'dd') of a FAT file system. The MD5 of the image is 4aeb06ecd361777242ab78735d51ace6.

Answer the questions: 

1.  Can you recover the mult1.dat file?  Does it have the correct MD5?

2.  Can you recover the dir1\mult2.dat file?  Does it have the correct MD5?

3.  Can you recover the frag1.dat file?  Does it have the correct MD5?

4.  Can you recover the frag2.dat file?  Does it have the correct MD5?

5.  Can you recover the dir1\dir2\frag3.dat file?  Does it have the correct MD5?

-----------------------------------------------------------------------------------------------------------

Question 7

This test image is a 6MB NTFS file system with eight deleted files, two deleted directories, and a deleted alternate data stream. The files range from resident files and single-cluster files to files with multiple fragments. No data structures were modified in this process to thwart recovery. They were created in Windows XP, deleted in XP, and imaged in Linux.

The test image to download is a 'raw' partition image (i.e. 'dd') of an NTFS file system. The file system is 6MB and is compressed to 186 KB (lots of zeros). The MD5 of the image is e7dbb96759d9cd62b729463ebfe61dab.

Answer the questions: 

1.  Can you recover the mult1.dat:ADS file?  Does it have the correct MD5?

2.  Can you recover the dir1\mult2.dat file?  Does it have the correct MD5?

3.  Can you recover the frag1.dat file?  Does it have the correct MD5?

4.  Can you recover the frag2.dat file?  Does it have the correct MD5?

5.  Can you recover the dir1\dir2\frag3.dat file?  Does it have the correct MD5?

------------------------------------------------------------------------------------------------------------------------------------------------------------

Question 9

This test image is an NTFS file system with 10 JPEG pictures in it. The pictures include files with incorrect extensions, pictures embedded in zip and Word files, and alternate data streams. The goal of this test image is to test the capabilities of automated tools that search for JPEG images.

The test image to download is a 'raw' partition image (i.e. 'dd') of an NTFS file system. The file system is 10MB and is compressed to 2 MB. The MD5 of the image is 9bdb9c76b80e90d155806a1fc7846db5.

Answer the following Questions:

1.  What search procedure(s) were used to obtain the following results?

The following apply to the results from running an automated search tool for JPEG pictures.  If more than one procedure was used to find the images, please note the procedure that was used to find each.  Note that this was not designed to test data carving tools.

2. Did the search results include the invalid\file5.rtf file?

3. Did the search results include the deleted picture in MFT entry #32 (del1/file6.jpg)?  If not, then is it documented that only allocated JPEGs will be found?

4. Did the search results include the deleted picture in MFT entry #31 (del2/file7.hmm)?  If this file was not found, but the file in step #7 was found, then is it documented that only JPEGs with a proper extension will be found?

5. Did the search results include the picture inside of archive\file8.zip? If not, then is it documented that JPEG files will be found and that JPEG images that are embedded inside other file types will not?

---------------------------------------------------------------------------------------------------------------------------------------------------------------

Question 11

The test image to download is a 'raw' partition image (i.e. 'dd') of a FAT file system. The file system is 10MB and is compressed to 120 KB. The MD5 of the image is aa834dca822918de45792f4e115516b9.

Answer the following Questions:

1.  Does the analysis tool display the volume label for the image? If so, what label does it give?

2.  Does the tool have some form of consistency checking feature? If so, does it identify that the volume labels have clusters allocated to them or that there are multiple directory entries with the volume label attribute set?

3.  In the file browsing mode of the tool, is the "LABEL2" entry shown?  Can you view its contents?  What is its MD5?
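Added example for this question and for the created-date question (Question 3), not part of the lab: a Python decoder for FAT short directory entries that recovers the created timestamp and flags the volume-label inconsistencies a tool's consistency check is expected to catch. The directory bytes are constructed here and are not from the test image; LABEL2 and WINTER.TXT are used only as sample names.

```python
import struct
from datetime import datetime

ATTR_VOLUME_LABEL, ATTR_LFN = 0x08, 0x0F

def fat_datetime(date, time, tenth=0):
    """Decode FAT packed date (year-1980:7, month:4, day:5) and time (hour:5, min:6, sec/2:5)."""
    year, month, day = 1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F
    hour, minute, sec = time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2
    return datetime(year, month, day, hour, minute, sec + tenth // 100)   # tenth = 0..199 hundredths

def parse_dir_entries(raw):
    """Walk a directory's 32-byte short-name entries (long-name entries are skipped)."""
    out = []
    for off in range(0, len(raw) - 31, 32):
        e = raw[off:off + 32]
        if e[0] == 0x00:                                   # end-of-directory marker
            break
        if e[11] == ATTR_LFN:
            continue
        tenth, ctime, cdate, _, hi, _, _, lo, size = struct.unpack_from("<BHHHHHHHI", e, 13)
        base, ext = e[:8].decode("latin-1").rstrip(), e[8:11].decode("latin-1").rstrip()
        out.append({"name": base + ("." + ext if ext else ""), "deleted": e[0] == 0xE5,
                    "is_label": bool(e[11] & ATTR_VOLUME_LABEL), "created": fat_datetime(cdate, ctime, tenth),
                    "first_cluster": (hi << 16) | lo, "size": size})
    return out

def label_inconsistencies(entries):
    """The checks this question asks about: several live label entries, or a label with a cluster/size allocated."""
    labels = [e for e in entries if e["is_label"] and not e["deleted"]]
    problems = ["multiple volume-label entries: " + ", ".join(e["name"] for e in labels)] if len(labels) > 1 else []
    problems += [f"label {e['name']} has cluster {e['first_cluster']} and size {e['size']} allocated"
                 for e in labels if e["first_cluster"] or e["size"]]
    return problems

def make_entry(name, ext, attr, created, cluster=0, size=0):
    """Build a constructed 32-byte entry for the sample directory below."""
    date = ((created.year - 1980) << 9) | (created.month << 5) | created.day
    time = (created.hour << 11) | (created.minute << 5) | (created.second // 2)
    return (name.ljust(8).encode() + ext.ljust(3).encode() + bytes([attr, 0, 0])
            + struct.pack("<HHHHHHHI", time, date, date, cluster >> 16, time, date, cluster & 0xFFFF, size))

# Constructed sample directory (not the lab's image): two label entries, one of which owns a cluster.
SAMPLE_DIR = b"".join([
    make_entry("LABEL1", "", ATTR_VOLUME_LABEL, datetime(2004, 7, 1, 9, 0, 0)),
    make_entry("WINTER", "TXT", 0x20, datetime(2004, 1, 15, 10, 30, 42), cluster=3, size=128),
    make_entry("LABEL2", "", ATTR_VOLUME_LABEL, datetime(2004, 7, 1, 9, 5, 0), cluster=7, size=512),
]) + b"\x00" * 32
```

`label_inconsistencies(parse_dir_entries(SAMPLE_DIR))` reports both findings for the sample: two live label entries, and LABEL2 holding a cluster and a non-zero size, which is exactly the kind of entry whose contents (and MD5) the third question asks you to view.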


---------------------------------------------------------------------------------------------------------------------------------------------------------------

Question 13

This test image is a FAT32 file system and is intended to test data carving tools and their ability to extract various file formats. The image contains several allocated and deleted files, and the header of one JPEG file was modified.

The test image to download is a 'raw' partition image (i.e. 'dd') of a FAT32 file system. The file system is 62MB and is compressed to 11MB. The MD5 of the image is 0069813c892a462f88dc6d376624f7d9.

Carve out any 10 files with details.
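Added example (not the lab's code or image) covering this carving exercise and the extension-independent JPEG search of Question 9: a Python carver that locates JPEGs by header signature and walks the marker segments, so the end marker of an EXIF thumbnail embedded in APP1 does not truncate the carve the way a plain FF D9 search would. The sample bytes are constructed and marker-valid rather than a real picture.

```python
import hashlib
import struct

def jpeg_extent(image, pos):
    """pos points at an FF D8 FF header. Walk the length-prefixed marker segments up to
    SOS, then scan the entropy-coded data for EOI (FF D9). Returns the end offset
    (exclusive) or None. Walking segments means the FF D9 of an EXIF thumbnail inside
    APP1 cannot end the carve early, which a plain FF D9 search would get wrong."""
    p = pos + 2
    while p + 4 <= len(image):
        if image[p] != 0xFF:
            return None                                # lost sync: not a marker
        marker = image[p + 1]
        if marker == 0xDA:                             # SOS: scan data follows
            end = image.find(b"\xFF\xD9", p + 2)
            return None if end == -1 else end + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:   # standalone markers, no length
            p += 2
            continue
        (seglen,) = struct.unpack_from(">H", image, p + 2)
        p += 2 + seglen
    return None

def carve_jpegs(image):
    """Find JPEGs by signature, independent of file name or extension; return
    (offset, length, md5) for every structurally sound candidate."""
    hits, pos = [], 0
    while (pos := image.find(b"\xFF\xD8\xFF", pos)) != -1:
        end = jpeg_extent(image, pos)
        if end is None:
            pos += 3
            continue
        data = image[pos:end]
        hits.append((pos, len(data), hashlib.md5(data).hexdigest()))
        pos = end
    return hits

def segment(marker, payload):
    """Constructed helper: one length-prefixed JPEG marker segment."""
    return b"\xFF" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample (not the lab's image): a marker-valid JPEG whose APP1 segment carries an
# embedded thumbnail with its own EOI, stored twice behind an RTF-looking header and zero filler.
THUMB = b"\xFF\xD8" + segment(0xDA, b"\x01") + b"\x12\x34\xFF\xD9"
SAMPLE_JPEG = (b"\xFF\xD8" + segment(0xE1, b"Exif\x00\x00" + THUMB)
               + segment(0xDB, b"\x00" + bytes(64))
               + segment(0xDA, b"\x01\x01\x00\x00\x3F\x00") + b"\x11\x22\xFF\x00\x33\xFF\xD9")
SAMPLE_IMAGE = b"{\\rtf1 not really}" + bytes(500) + SAMPLE_JPEG + bytes(500) + SAMPLE_JPEG
```

A scan like this finds pictures with a wrong extension or inside an uncompressed container, but not a JPEG stored as a deflated zip entry, which is the documentation distinction Question 9 asks about.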

---------------------------------------------------------------------------------------------------------------------------------------------------------------

Question 14

This file system image contains several allocated and deleted files, none of which have been modified. This image was created from a USB thumb drive that was wiped clean and formatted using the mkfs.ext2 program. The super block has been corrupted so that the image cannot be mounted, and therefore data carving methods must be used to extract the files.

Download the test image, which is a 'raw' partition image (i.e. 'dd') of an EXT2 file system. The file system is 124MB and is compressed to 1.1MB. The MD5 of the image is 6cbd2c5248fa7030d699eb6cde051623. 

The sectors marked as "(IND)" and "(DIND)" represent the indirect and double indirect block pointer locations. Carve out any 5 files. 


---------------------------------------------------------------------------------------------------------------------------------------------------------------

Question 15

Open “Wireshark”, then use the “File” menu and the “Open” command to open the file “Exercise One.pcap”. You should see 26 packets listed.

This set of packets describes a ‘conversation’ between a user’s client and a central server. This entire conversation happens automatically, after a user types something and hits enter. Look at the packets to answer the following questions in relation to this conversation.

In answering the following questions, use brief descriptions. For example, “In frame X, the client requests a web page, and in frame Y, the server delivers the content of the page.”

a) What is the IP address of the client that initiates the conversation?

b) Use the first two packets to identify the server that is going to be contacted. List the common name, and three IP addresses that can be used for the server.

c) What is happening in frames 3, 4, and 5?

d) What is happening in frames 6 and 7?

e) Ignore frame eight. However, for your information, frame eight is used to manage flow control.

f) What is happening in frames nine and ten? How are these two frames related?


-----------------------------------------------------------------------------------------------------------------------------------------------------------

Question 17

Open “Wireshark”, then use the “File” menu and the “Open” command to open the file “Exercise Three.pcap”. You should see 22 packets listed.

These packets represent two different requests for web pages. Packets 1-7 involve the request for the web page www.yahoo.com. Packets 8-22 involve the request for the web page my.usf.edu.

a) Compare the destination port in the TCP packet in frame 3 with the destination port in the TCP packet in frame 12. What difference do you see? What does this tell you about the difference in the two requests?

b) Explain what is happening in row “iii” above. Why are there no frames listed for yahoo in row “iii”?

c) Look at the “Info” column on frame 6. It says “GET / HTTP/1.1”. What is the corresponding Info field for the my.usf.edu web request (frame 21)? Why doesn’t it read the same as in frame 6?


------------------------------------------------------------------------------------------------------------------------------------------------------------