Digital File Systems
Case Study 2
Following the case from Client A (in Case Study 1), new evidence has been found. The suspect was using a non-Windows operating system when security guards confiscated ONE thumb drive. The security guards saw the computer screen display a "file deleted" message, and they also remember seeing the Linux OS logo on the screen.
DFS International requests that you examine the given information and gather any related evidence. The seized 160MB thumb drive is currently held at DFS International's digital storage facility, and imaging of the thumb drive has been completed.
Presently, law enforcement is not involved with this case, but you must treat the evidence with the same care and due diligence as a criminal investigator, because the results of your investigation might be turned over to law enforcement if Client A decides to pursue criminal prosecution of the suspects.
- Using the image of the seized evidence, answer the following questions:
- Given the file system, explain in detail how the volume boot record and the file system's metadata structures (superblock, group descriptor table, block bitmap, inode bitmap, inode table, etc.) work together, and how a file is located in the file system.
- Is there any file related to an installation log that was deleted by the suspect?
- Recover the content of the deleted file.
- When was the file deleted?
- Supposing that you have found all the artifacts required to solve this case, discuss how and why you would utilise a timeline to present your findings. List and document any key considerations you have taken into account. (You may create a sample timeline for demonstration and presentation purposes.)
- The primary forensic tools to be used in the report should be a hex editor and dd (our favourite friend). Use of automated forensic applications such as EnCase or FTK, or of file-recovery tools, to derive the results in Part 2 of your report will result in ZERO marks. However, you must use either EnCase or FTK to verify your results and show your verification in the final report, as this is good practice in any forensic investigation.
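The following is an added worked example, not part of the assignment brief or of any tool it names. It shows the chain the first question asks for (superblock at byte offset 1024, group descriptor table in the next block, inode table, root directory at inode 2) and then the three deletion questions: a stale directory entry carved from the slack that the previous entry's rec_len was stretched over, the unlinked inode found by its non-zero i_dtime and zero link count, and its data block read back even though the block bitmap now marks it free. The ext2 image, the file names, the content and the deletion timestamp are all constructed in memory; the layout (1 KiB blocks, one block group, 128-byte inodes, inode table at block 5) is an assumption of this example, not the layout of the seized drive, and the example assumes classic ext2 behaviour in which the unlinked inode keeps its direct block pointers (ext3/ext4 zero them, in which case the content must be carved from unallocated blocks instead).

```python
# Added example: synthetic ext2 image plus a hand-rolled parser; every name, size and time is constructed.
import struct
from datetime import datetime, timezone

BLOCK, INODE_SIZE, SB_OFF = 1024, 128, 1024      # 1 KiB blocks; rev-0 inode size; superblock offset
DTIME = 1262304000                               # constructed deletion time: 2010-01-01 00:00 UTC
LOG = b"Installing package foo-1.0 to /opt: done.\n"   # constructed content of the deleted log

def dirent(ino, name, rec_len):
    n = name.encode()
    return struct.pack("<IHBB", ino, rec_len, len(n), 0) + n + b"\0" * (rec_len - 8 - len(n))

def put_inode(img, ino, mode, size, links, block0, dtime=0):
    off = 5 * BLOCK + (ino - 1) * INODE_SIZE     # inode table starts at block 5 in this image
    # i_mode i_uid i_size i_atime i_ctime i_mtime i_dtime i_gid i_links_count i_blocks
    struct.pack_into("<HHIIIIIHHI", img, off, mode, 0, size, 0, 0, 0, dtime, 0, links, 2)
    struct.pack_into("<I", img, off + 40, block0)    # i_block[0], first direct pointer

def build_image():
    """Constructed 10-block ext2 image, one group: blocks 2..5 = GDT, block bitmap,
    inode bitmap, inode table; 7 = root dir; 8 = freed data of the deleted log; 9 = notes."""
    img = bytearray(10 * BLOCK)
    # s_inodes_count s_blocks_count s_r_blocks s_free_blocks s_free_inodes s_first_data_block s_log_block_size s_log_frag_size
    struct.pack_into("<IIIIIIII", img, SB_OFF, 16, 10, 0, 1, 2, 1, 0, 0)
    struct.pack_into("<III", img, SB_OFF + 32, 8192, 8192, 16)  # blocks/frags/inodes per group
    struct.pack_into("<H", img, SB_OFF + 56, 0xEF53)             # s_magic
    struct.pack_into("<IH", img, SB_OFF + 84, 11, INODE_SIZE)    # s_first_ino, s_inode_size
    struct.pack_into("<IIIHHH", img, 2 * BLOCK, 3, 4, 5, 1, 2, 1)  # group descriptor 0
    img[3 * BLOCK:3 * BLOCK + 2] = bytes([0x7F, 0x01])  # block bitmap: block 8 (bit 7) now free
    img[4 * BLOCK:4 * BLOCK + 2] = bytes([0xFF, 0x17])  # inode bitmap: inode 12 (bit 11) now free
    put_inode(img, 2, 0o040755, BLOCK, 2, 7)                     # root directory
    put_inode(img, 12, 0o100644, len(LOG), 0, 8, dtime=DTIME)    # unlinked log: links 0, dtime set
    put_inode(img, 13, 0o100644, 12, 1, 9)                       # live file
    # Directory block: on unlink the kernel stretched ".."'s rec_len over the
    # install.log entry and zeroed that entry's inode field; its name bytes remain.
    d = bytearray(dirent(2, ".", 12) + dirent(2, "..", 32) + dirent(13, "notes.txt", 980))
    d[24:44] = dirent(0, "install.log", 20)
    img[7 * BLOCK:8 * BLOCK] = d
    img[8 * BLOCK:8 * BLOCK + len(LOG)] = LOG     # bitmap says free, bytes still there
    img[9 * BLOCK:9 * BLOCK + 12] = b"hello world\n"
    return bytes(img)

def superblock(img):
    f = struct.unpack_from("<IIIIIIII", img, SB_OFF)
    if struct.unpack_from("<H", img, SB_OFF + 56)[0] != 0xEF53:
        raise ValueError("bad s_magic: not an ext2 superblock")
    first_ino, inode_size = struct.unpack_from("<IH", img, SB_OFF + 84)
    return {"inodes": f[0], "first_data_block": f[5], "block_size": 1024 << f[6],
            "inodes_per_group": struct.unpack_from("<I", img, SB_OFF + 40)[0],
            "first_ino": first_ino, "inode_size": inode_size}

def group_desc(img, sb, group):
    gdt = (sb["first_data_block"] + 1) * sb["block_size"]    # GDT is the block after the superblock
    bb, ib, it = struct.unpack_from("<III", img, gdt + 32 * group)
    return {"block_bitmap": bb, "inode_bitmap": ib, "inode_table": it}

def read_inode(img, sb, ino):
    group, idx = divmod(ino - 1, sb["inodes_per_group"])    # inode numbers start at 1
    off = group_desc(img, sb, group)["inode_table"] * sb["block_size"] + idx * sb["inode_size"]
    mode, _, size, _, _, _, dtime, _, links = struct.unpack_from("<HHIIIIIHH", img, off)
    return {"mode": mode, "size": size, "dtime": dtime, "links": links,
            "blocks": struct.unpack_from("<12I", img, off + 40)}   # direct pointers only

def read_data(img, sb, ino):
    bs = sb["block_size"]
    data = b"".join(img[b * bs:(b + 1) * bs] for b in ino["blocks"] if b)
    return data[:ino["size"]] if ino["size"] else data.rstrip(b"\0")   # i_size may be zeroed on unlink

def list_dir(img, sb, ino, carve=False):
    """Walk entries by rec_len; carve=True also scans the slack that an entry's
    rec_len covers beyond its own padded length, where unlinked names survive."""
    out = []
    for blk in read_inode(img, sb, ino)["blocks"]:
        if not blk:
            continue
        base, off = blk * sb["block_size"], 0
        while off < sb["block_size"]:
            eino, rec, nl, _ = struct.unpack_from("<IHBB", img, base + off)
            if rec < 8:
                break                                        # corrupt entry, stop walking
            out.append((img[base + off + 8:base + off + 8 + nl].decode("latin-1"), eino, False))
            pos = off + ((8 + nl + 3) & ~3)                  # real (4-byte padded) end of this entry
            while carve and pos + 8 <= off + rec:
                sino, srec, snl, _ = struct.unpack_from("<IHBB", img, base + pos)
                if snl == 0 or srec < 8 + snl:
                    break
                out.append((img[base + pos + 8:base + pos + 8 + snl].decode("latin-1"), sino, True))
                pos += srec
            off += rec
    return out

def deleted_inodes(img, sb):
    """ext2 leaves an unlinked inode in the table with i_dtime set and i_links_count 0."""
    return [(i, r) for i in range(sb["first_ino"], sb["inodes"] + 1)
            for r in [read_inode(img, sb, i)] if r["dtime"] and r["links"] == 0]

def block_allocated(img, sb, blk):
    bit = blk - sb["first_data_block"]                       # bitmap bit 0 is the first data block
    bitmap = group_desc(img, sb, 0)["block_bitmap"] * sb["block_size"]
    return bool(img[bitmap + bit // 8] >> (bit % 8) & 1)

def investigate(img):
    sb = superblock(img)
    entries = list_dir(img, sb, 2, carve=True)               # inode 2 is always the root directory
    ino, rec = deleted_inodes(img, sb)[0]
    return {"live": [n for n, _, d in entries if not d],
            "carved": [n for n, _, d in entries if d],
            "deleted_inode": ino, "content": read_data(img, sb, rec),
            "dtime_utc": datetime.fromtimestamp(rec["dtime"], timezone.utc).isoformat(),
            "data_block_allocated": block_allocated(img, sb, rec["blocks"][0])}
```

Running `investigate(build_image())` lists the live root entries (`.`, `..`, `notes.txt`), carves `install.log` out of the directory slack, reports inode 12 as the unlinked inode with its deletion time decoded from i_dtime, and returns the log content from block 8 while showing that the block bitmap already marks that block free. Against a real image the same offsets are what you would check by hand with the brief's tools, for example `dd if=image.dd bs=1024 skip=1 count=1 | xxd` to view the superblock and confirm the 0xEF53 magic at offset 0x38 before trusting any of the derived structure locations.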
The report should comprise the following sections:
- Declaration of Copyright
- Table of Contents
- Main Sections of the report
- Appendices (optional)
- All submissions should be typed on white A4-sized paper, with 1.5 line spacing.
- Use Arial or Times New Roman font at size 12.
- The text should be justified, with a one-inch margin on all sides.
- Provide headings and sub-headings for each section, numbered consistently. Use a slightly bigger, bold font so that your headings stand out.
- Deliverable 1: Group Report
Your report should be in the form of a formal paper, with a title, content, appendices and so on (minimum of 200 words, excluding appendices and your names). Where information is lacking, students are expected to make and state their assumptions. This is not an exercise in fiction writing: while students should exercise their creativity, everything must be backed by reasons and sound knowledge of the technology.
Your completed assignment should be submitted in hardcopy by the deadline.
- Deliverable 2: Group Presentation (15 minutes)
Your group presentation should include:
- Question 1a (1-2 slides)
- Question 1b (1-2 slides)
- Question 1c (1-2 slides)
- Question 1d (1-2 slides)
- Question 2 (3-4 slides)
- Questions and Answers
- ALL students will have to know ALL parts of the physical implementation. You will be awarded ZERO marks if you only do the report writing, OR only do the talking, OR only print the report.
- Do not increase the number of slides for the presentation (marks will be affected).
- You may be required to present some or all parts of your physical implementation OR whatever you write in your report.
- And, of course, dress appropriately.
The assessment criteria would include:
- Material is accurate and appears to be well understood
- Technical language is appropriately used
In general, marks are awarded when students demonstrate understanding.