1. OPERATING SYSTEMS Frans Sanen

2.  Use some tools capable of analyzing several file systems to understand their functioning  The Sleuth Kit (TSK)  http://www.sleuthkit.org 2

3.  To check the contents of a file system e.g. fls –f fat fat12.img  Inode number can be passed as an extra argument  Option –r tells fls to list the contents recursively  Option –l gives further information such as access times and file size 3

4.  To check the contents of a file E.g. icat –f fat fat12.img 229 > /tmp/vbje.jpg  Shell’s command redirection possibilites can be used to save binary data  Pipes also can be used  Option –r tries to recover a deleted file  Option –s will read the last block of the file entirely (contents of slack space become visible) 4

5.  To check the meta-data from a particular inode E.g. istat –f fat fat12.img 229 5

6.  ifind retrieves in which meta-data structure a certain block is allocated (cluster number gives us the inode) E.g. ifind –f fat –d 147 fat12.img  ffind searches for the filename of the file which belongs to a certain node E.g. ffind –f fat –d fat12.img 229

7.  Use the image practical.floppy.dd and  Verify the MD5 sum  2f4791784e2af37cf196e6a72cc79d99  Create a list of all files (only files!) on the filesystem  Which sectors are occupied by the file matrixs3.jpg?  In fat12.img, a secret message is hidden  What is it and where is it hidden?  Tip: it contains the word “plezier”.  How can you display it using TSK? 7

8.  Sorts files in a file system by category  Perl script using fls and icat tools E.g. sorter –f fat –d tmp/sorter/ fat12.img E.g. cat tmp/sorter/unknown.txt  Text file per recognized file type is created  Option –s creates a directory besides every text file in which all categorized files are copied into 8

9.  In the example in the task description, sorter gives an extension mismatch: explain shortly.  Use sorter to export all files from the image pratical.floppy.dd.  Extra: Use sorter to only export the pictures out of the same image, but without extension mismatch check. 9

10.  Simple web interface build upon TSK tools  Normally not included in Knoppix  apt-get update  apt-get install foremost autopsy  Server can be started with command ‘autopsy’  Surf to http://localhost:9999/autopsy 10

11.  sigfind looks for hexadecimal patterns (examples are included in task description)  Similar to grep for ASCII patterns  foremost supports filecarving for different file types like jpg, gif, pdf, doc, etc.  E.g. foremost –t jpg –o tmp/jpgs fat12.img 11

12.  Suppose you are looking for jpg files. Why should you use both a tool like sorter and a tool like foremost?  Describe a situation in which sorter skips or not correctly finds a certain jpg when the jpg physically exists on disk.  Validate your thoughts on image 8 from http://dftt.sourceforge.net 12