Scribd
Upload
34 views7 pages

The Forensic Acquisition of A Disk Image and The Subsequent Examination and Extraction of Partitions

The document discusses extracting partitions and files from a disk image. It details extracting the FAT16 and Linux partitions using dd and mmls. Files ending in .txt are extracted from the FAT16 partition and MD5 hashes are calculated to verify the extractions. Directory and file information is examined using xxd.

Uploaded by

Navneet Singh
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
34 views7 pages

The Forensic Acquisition of A Disk Image and The Subsequent Examination and Extraction of Partitions

The document discusses extracting partitions and files from a disk image. It details extracting the FAT16 and Linux partitions using dd and mmls. Files ending in .txt are extracted from the FAT16 partition and MD5 hashes are calculated to verify the extractions. Directory and file information is examined using xxd.

Uploaded by

Navneet Singh
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 7

Digital Forensics

Image Acquisition and Partition Extraction

Abstract – The forensic acquisition of a disk image and the subsequent examination and extraction of partitions are
demonstrated in this assignment. This is accomplished in a Linux virtual lab environment designed to replicate a physical
environment. The tools employed to accomplish this exercise are: dd, echo, fdisk, mmls, sigfind, xxd, and hashing utilities.
(Abstract)

Keywords –, digital acquisition, analysis, chain of custody, dd, disk image, echo, extraction, fdisk, forensic, hash, md5sum,
mmls, partition, partition table, sigfind, xxd, (keywords)

I. INTRODUCTION
In this assignment first the extraction of a number of plain text files, extract various such files which all end with the suffix ‘txt’
on all file systems contained in the image, secondly calculate the crypto checksum for each extracted files. Therefore, as each step
is described and an explanation of the tools employed is included where such explanation is deemed necessary.

II. PARTITION EXTRACTION


First step of assignment two is to copy the assignment2.dd image to a lab2 subdirectory and examine the image partition table.
The partition table is intact and from this it is determined that there are a fat16 partition and a linux partition to extract. These
findings are reflected in the commands and results displayed below.
skang1@ubuntu:~$ mkdir lab2 ////Create the directory
skang1@ubuntu:~$ cd lab2/ ////Changed the current directory

jsthomps@ubuntu:~/forensic-lab2$ cp /home/images/assignment2.dd . ## used to copy the disk image to the working directory.
skang1@ubuntu:~$ ls //// List all files in the directory

jsthomps@ubuntu:~/forensic-lab2$ mmls assignment2.dd


DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

Slot Start End Length Description


00: Meta 0000000000 0000000000 0000000001 Primary Table (#0)
01: ----- 0000000000 0000000002 0000000003 Unallocated
02: 00:00 0000000003 0000010242 0000010240 DOS FAT16 (0x04)
03: ----- 0000010243 0000010249 0000000007 Unallocated
04: 00:03 0000010250 0000020479 0000010230 Linux (0x83)

jsthomps@ubuntu:~/forensic-lab2$ dd if=assignment2.dd skip=3 count=10240 of=fat16.dd


This command extracts 10240 sectors from the image skipping the first 3 sectors and outputs the file to an image file named
fat16.dd
Kang & Thompson

jsthomps@ubuntu:~/forensic-lab2$ dd if=assignment2.dd skip=3 count=10240 | md5sum


This command hashes the data to be extracted and results in 13674ec691cc780c429c273c2bcfd73c. The md5sum command is then
run against the fat16.dd file and produces the same results: 13674ec691cc780c429c273c2bcfd73c. From this it is determined that
the extracted file is identical to the data in the assignment2.dd
Next the linux partition is extracted.
jsthomps@ubuntu:~/forensic-lab2$ dd if=assignment2.dd skip=10250 count=10230 of=linux.dd
This command extracts 10230 sectors from the image skipping the first 10250 sectors and outputs the file to an image file named
linux.dd. The checksum is run against the data in the assignment2.dd image, and the extracted linux.dd file resulting in a matching
hash of b80647ce218782521e8496785c3cc988.
This completes the extraction of the file system partitions phase. Next the fat16.dd is examined for text files which will be
extracted.

III. FAT16 PARTITION EXAMINATION AND TEXT FILE EXTRACTION


The first step in examining the fat16.dd image is to run the fsstat command on the file. This command outputs the needed
information of the fat table in a condensed format.
skang1@ubuntu:~/lab2$ fsstat fat.dd

File System Type Label: FAT16

Sectors before file system: 3SS

File System Layout (in sectors)


Total Range: 0 - 10239
* Reserved: 0 - 0
** Boot Sector: 0
* FAT 0: 1 - 20
* Data Area: 21 - 10239
** Root Directory: 21 - 52
** Cluster Area: 53 - 10238
** Non-clustered: 10239 - 10239

METADATA INFORMATION
--------------------------------------------
Range: 2 - 163510
Root Directory: 2

CONTENT INFORMATION
--------------------------------------------
Sector Size: 512
Cluster Size: 1024
Total Cluster Range: 2 - 5094

FAT CONTENTS (in sectors)


--------------------------------------------
595-596 (2) -> EOF
2685-2686 (2) -> EOF
2701-2720 (20) -> EOF
7831-7832 (2) -> EOF
8239-8242 (4) -> EOF

From this information the file system type is confirmed and the staring sector of the data is identified as 21 which holds the root
directory and the starting area of the clusters is 53. The table also identifies the number of root directories and the sector and
clusters sizes that will be needed later. Next the dd command is used to extract the header information for the root directory at
sector 21.
Kang & Thompson

skang1@ubuntu:~/lab2$ dd if=fat.dd skip=21 | xxd | head //// /- This command is used to extract the first part or first 10
lines (by using ‘head’) of the fat.dd image after skipping FAT area, we used xxd to create a hex dump of the image file
(fat.dd).
0000000: 5355 4244 4952 2020 2020 2010 1850 339d SUBDIR ..P3.
0000010: 5d48 5d48 0000 339d 5d48 1101 0000 0000 ]H]H..3.]H......
0000020: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000030: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000040: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000050: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000060: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000070: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000080: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000090: 0000 0000 0000 0000 0000 0000 0000 0000 ................

The hex 48=H therefore the cluster 1101 points to the data in the root.
jsthomps@ubuntu:~/forensic-lab2$ echo $((0x0111)) results in 273

jsthomps@ubuntu:~/forensic-lab2$ dd if=fat16.dd skip=$((53+(273-2)*2)) 2>/dev/null | xxd | head. This command looks at the
data starting from sector 53 where the cluster area begins and 273 (the output from 1101, 0x011 in little endian) is the number of
clusters (less 0 and 1 so – 2 which don’t exist) into the cluster area where the data is stored. We multiple it by 2 because each
1024 byte cluster consists of 2 512 byte sectors. This out puts the following results:

0000000: 2e20 2020 2020 2020 2020 2010 1850 339d . ..P3.
0000010: 5d48 5d48 0000 339d 5d48 1101 0000 0000 ]H]H..3.]H......
0000020: 2e2e 2020 2020 2020 2020 2010 1850 339d .. ..P3.
0000030: 5d48 5d48 0000 339d 5d48 0000 0000 0000 ]H]H..3.]H......
0000040: 5355 4244 4952 2020 2020 2010 18c2 389d SUBDIR ...8.
0000050: 5d48 5d48 0000 389d 5d48 330f 0000 0000 ]H]H..8.]H3.....
0000060: 5355 4244 4952 3120 2020 2010 1852 3d9d SUBDIR1 ..R=.
0000070: 5d48 5d48 0000 3d9d 5d48 2605 0000 0000 ]H]H..=.]H&.....
0000080: 4649 4c45 3220 2020 5458 5420 184e c89d FILE2 TXT .N..
0000090: 5d48 5d48 0000 c89d 5d48 2e05 f524 0000 ]H]H....]H...$..

Locating the FILE2 TXT the first character in the file name is identified as 46 at byte 0. Counting forward from there to byte 26-
27 the low two bytes of the first cluster 2e05 which converts to 052e in little endian or 1326. Bytes 28-31 is the size f524 which
equals 9461 bytes. This is divided by the 512 bytes per sector =. Using this information the file.txt is extracted.
jsthomps@ubuntu:~/forensic-lab2$ dd if=fat16.dd skip=$((53+1324*2)) count=18 of=file2.txt
18+0 records in
18+0 records out
9216 bytes (9.2 kB) copied, 0.00104148 s, 8.8 MB/s

This extracts the majority of the file but is missing the last 245 bytes. To extract the last part the first part of the file must now be
skipped by adjust the size by adding 9 clusters (18 sectors) extracted to the 1324 making the skip=((53+1333*2) sectors and then
counting the next 2 sectors to acquire the last cluster which is then limited to a byte size of 1 and counts out the last 245 bytes
which are then appended to the file2.txt

jsthomps@ubuntu:~/forensic-lab2$ dd if=fat16.dd skip=$((53+1333*2)) count=2 | dd bs=1 count=$((9461-9216)) >>file2.txt


2+0 records in
2+0 records out
1024 bytes (1.0 kB) copied, 0.000719839 s, 1.4 MB/s
245+0 records in
245+0 records out
245 bytes (245 B) copied, 0.00150926 s, 162 kB/s
Kang & Thompson

Now we return to the directory entries at 595 and identify the directories to search for the other text file. SUBDIR1’s first
character is at 53 and the 2 bytes of the first cluster are 2605 (0526 little endian) and bytes 28-31 are zeroes indication this is
indeed a directory. The contents of the directory are examined.
jsthomps@ubuntu:~/forensic-lab2$ dd if=fat16.dd skip=$((53+(1318-2)*2)) 2>/dev/null | xxd | head

0000000: 2e20 2020 2020 2020 2020 2010 1852 3d9d . ..R=.
0000010: 5d48 5d48 0000 3d9d 5d48 2605 0000 0000 ]H]H..=.]H&.....
0000020: 2e2e 2020 2020 2020 2020 2010 1852 3d9d .. ..R=.
0000030: 5d48 5d48 0000 3d9d 5d48 1101 0000 0000 ]H]H..=.]H......

There is no text file in this directory so we return the entries at 595 and look at SUBDIR’s entiries at 330F (little endian 0F33).

jsthomps@ubuntu:~/forensic-lab2$ dd if=fat16.dd skip=$((53+(3891-2)*2)) 2>/dev/null | xxd | head


0000000: 2e20 2020 2020 2020 2020 2010 18c2 389d . ...8.
0000010: 5d48 5d48 0000 389d 5d48 330f 0000 0000 ]H]H..8.]H3.....
0000020: 2e2e 2020 2020 2020 2020 2010 18c2 389d .. ...8.
0000030: 5d48 5d48 0000 389d 5d48 1101 0000 0000 ]H]H..8.]H......
0000040: 4649 4c45 3120 2020 5458 5420 18c3 649d FILE1 TXT ..d.
0000050: 5d48 5d48 0000 649d 5d48 ff0f a406 0000 ]H]H..d.]H......
0000060: 0000 0000 0000 0000 0000 0000 0000 0000 ................

This directory holds the file1.txt that begins at ff0f (little endian 0FFF) or 4095 and whose 1700 bytes must be extracted.

jsthomps@ubuntu:~/forensic-lab2$ dd if=fat16.dd skip=$((53+4093*2)) count=3 of=file1.txt


jsthomps@ubuntu:~/forensic-lab2$ dd if=fat16.dd skip=$((53+4093*2)) count=2 of=file1.txt
2+0 records in
2+0 records out
1024 bytes (1.0 kB) copied, 0.000920235 s, 1.1 MB/s

The first 1024 bytes have been acquired now the remaining 676 bytes of the file must be acquired.

jsthomps@ubuntu:~/forensic-lab2$ dd if=fat16.dd skip=$((53+4094*2)) count=2 | dd bs=1 count=$((1700-1024)) >>file1.txt


2+0 records in
2+0 records out
1024 bytes (1.0 kB) copied, 0.000476322 s, 2.1 MB/s
676+0 records in
676+0 records out
676 bytes (676 B) copied, 0.00625102 s, 108 kB/s

File1.txt contains the instructions for assignment1 of digital forensics and file2.txt contains the FAT FS parsing with DD notes.

IV. LINUX PARTITION EXAMINATION AND TEXT FILE EXTRACTIONS

The Linux examination begins in the same manner as the FAT16 did with FSSTAT:

jsthomps@ubuntu:~/forensic-lab2$ fsstat linux.dd


FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: Ext2
Volume Name:
Volume ID: 601294007529e080b34c5acfceab7d9b

Last Written at: Mon Feb 29 12:51:21 2016


Last Checked at: Mon Feb 29 12:40:47 2016
Kang & Thompson
Last Mounted at: emptyUnmounted properly
Last mounted on:

Source OS: Linux


Static Structure

METADATA INFORMATION
--------------------------------------------
Inode Range: 1 - 1281
Root Directory: 2
Free Inodes: 1265

CONTENT INFORMATION
--------------------------------------------
Block Range: 0 - 5114
Block Size: 1024
Reserved Blocks Before Block Groups: 1
Free Blocks: 4897

BLOCK GROUP INFORMATION


--------------------------------------------
Number of Block Groups: 1
Inodes per group: 1280
Blocks per group: 8192

Group: 0:
Inode Range: 1 - 1280
Block Range: 1 - 5114
Layout:
Super Block: 1 - 1
Group Descriptor Table: 2 - 2
Data bitmap: 3 - 3
Inode bitmap: 4 - 4
Inode Table: 5 - 164
Data Blocks: 165 - 5114
Free Inodes: 1265 (126500%)
Free Blocks: 4897 (95%)
Total Directories: 4
This is followed with the use if istat on inode 2 to learn the Direct Blocks: 177 to traverse to the root directory location

skang1@ubuntu:~/lab2$ istat linux.dd 2


inode: 2
Allocated
Group: 0
Generation Id: 3485296308
uid / gid: 0 / 0
mode: drwxr-xr-x
size: 1024
num of links: 4

Inode Times:
Accessed: Mon Feb 29 12:51:11 2016
File Modified: Mon Feb 29 12:48:28 2016
Inode Modified: Mon Feb 29 12:48:28 2016
Kang & Thompson

Direct Blocks:
177

jsthomps@ubuntu:~/forensic-lab2$ dd if=linux.dd bs=1024 skip=177 | xxd | head


0000000: 0200 0000 0c00 0100 2e00 0000 0200 0000 ................
0000010: 0c00 0200 2e2e 0000 0b00 0000 1400 0a00 ................
0000020: 6c6f 7374 2b66 6f75 6e64 0000 0c00 0000 lost+found......
0000030: d403 0500 6e6f 7465 7300 0000 0000 0000 ....notes.......
0000040: 0000 0000 0000 0000 0000 0000 0000 0000 ................

Counting back from the start of the first character of the name in byte 8 we count backwards to byte 0-3 to find the value for the
inode: 0c00 or 12. Now use istat 12 to discover the direct blocks that leads into the notes directory which is 185.

jsthomps@ubuntu:~/forensic-lab2$ dd if=linux.dd bs=1024 skip=185 | xxd | head 0000000: 0c00 0000 0c00 0100 2e00 0000
0200 0000 ................
0000010: 0c00 0200 2e2e 0000 0d00 0000 1400 0900 ................
0000020: 6e6f 7465 732e 7478 7400 b932 0e00 0000 notes.txt..2....
0000030: d403 0700 2e73 6563 7265 7400 0000 0000 .....secret.....

In block 185 we see notes.txt and secret in asci. Tracing back to byte 0-3 we find the inode value 13 for notes.txt. Using istat
linux.dd 13 we see the direct blocks and indirect blocks that hold the data in the file notes.txt.

Direct Blocks:
193 194 195 196 197 198 199 200
201 202 203 204 206 207 208 209
210 211 212 213 214 215 216 217
218

Indirect Blocks:
205
First the continuous blocks from 193-204 are extracted:

jsthomps@ubuntu:~/forensic-lab2$ dd if=linux.dd bs=1024 skip=193 count=12 of=notes.txt


12+0 records in
12+0 records out
12288 bytes (12 kB) copied, 0.000530349 s, 23.2 MB/s

The file size to be extracted is 25121 from which 12288 bytes have now been extracted. This leaves 12833 bytes to extract from
blocks 206-218 which indirect block 205 points to.

jsthomps@ubuntu:~/forensic-lab2$ dd if=linux.dd bs=1024 skip=206 count=13 | dd bs=1 count=12833 >>notes.txt


13+0 records in
13+0 records out
13312 bytes (13 kB) copied, 0.00927847 s, 1.4 MB/s
12833+0 records in
12833+0 records out
12833 bytes (13 kB) copied, 0.0668145 s, 192 kB/s

We know that the directory “secret” is located at inode value 000e or 14. From an istat of inode 14 we learn the directory occupies
block 225 that produces the following results
jsthomps@ubuntu:~/forensic-lab2$ dd if=linux.dd bs=1024 skip=225 |xxd | head
0000000: 0e00 0000 0c00 0100 2e00 0000 0c00 0000 ................
0000010: 0c00 0200 2e2e 0000 0f00 0000 e803 1100 ................
Kang & Thompson

0000020: 2e73 6563 7265 742d 6e6f 7465 732e 7478 .secret-notes.tx
0000030: 7400 1981 0000 0000 0000 0000 0000 0000 t...............

The results from block 225 shows that the secret-notes.txt is located at 000f or 15.
skang1@ubuntu:~/lab2$ echo $((0xf))
15
jsthomps@ubuntu:~/forensic-lab2$ istat linux.dd 15
inode: 15
Allocated
Group: 0
Generation Id: 1456775465
uid / gid: 0 / 0
mode: rrw-r--r--
size: 11449
num of links: 1

Inode Times:
Accessed: Mon Feb 29 12:51:05 2016
File Modified: Mon Feb 29 12:51:05 2016
Inode Modified: Mon Feb 29 12:51:05 2016

Direct Blocks:
233 234 235 236 237 238 239 240
241 242 243 244

Here we have 12 continuous blocks to extract 11449 bytes from.

jsthomps@ubuntu:~/forensic-lab2$ dd if=linux.dd bs=1024 skip=233 count=13 | dd bs=1 count=11449 of=secretnotes.txt


13+0 records in
13+0 records out
13312 bytes (13 kB) copied, 0.000167952 s, 79.3 MB/s
11449+0 records in
11449+0 records out
11449 bytes (11 kB) copied, 0.0518753 s, 221 kB/s

The contents of the secretnotes.txt are the FAT File System Notes and the contents of notes.txt are the EXT file system notes for
lectures.

You might also like