Lorenzo La Corte, S4784539

Digital Forensics Exam, 2022-23

General Notes

This report describes the steps of the analysis of the three given images.

It's important to remark that:

• the steps may have been re-ordered a-posteriori.

• is possible that some Linux terminal outputs are cut or highlighted in a particular way, in order to show only relevant information.

• to better visualize the document, is also available a HTML version:

  File-System Assignment Report

Console

<aside> 🎯 Something fishy is going on (seeming or likely to be wrong or suspicious).

Someone gave us this image of an unpartitioned FAT filesystem containing a JPEG picture.

However, this volume seems to have just been (re)formatted to hide something.

Can you reconstruct the original partition scheme and recover the content of the original partition?

</aside>

SHA Check

Firstly, I report the check of the sha of the downloaded image:

sha256sum --check console.dd.sha256
console.dd: OK

Analyzing the image in an abstract manner, I can try different commands and:

• gather information about the image,
• check if there are mismatches among commands.

General Information

Let's start with some basic commands:

**img_stat console.dd**
IMAGE FILE INFORMATION
--------------------------------------------
Image Type: raw

Size in bytes: 4194304
Sector size:	512

**sudo fdisk -l console.dd**
Disk console.dd: 4 MiB, 4194304 bytes, 8192 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x00000000

**fsstat console.dd**
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: FAT12

OEM Name: mkfs.fat
Volume ID: 0xb9e28db
Volume Label (Boot Sector): NO NAME    
Volume Label (Root Directory):
File System Type Label: FAT12   

Sectors before file system: 0

File System Layout (in sectors)
Total Range: 0 - 8191
* Reserved: 0 - 0
** Boot Sector: 0
* FAT 0: 1 - 6
* FAT 1: 7 - 12
* Data Area: 13 - 8191
** Root Directory: 13 - 44
** Cluster Area: 45 - 8188
** Non-clustered: 8189 - 8191

METADATA INFORMATION
--------------------------------------------
Range: 2 - 130870
Root Directory: 2

CONTENT INFORMATION
--------------------------------------------
Sector Size: 512
Cluster Size: 2048
Total Cluster Range: 2 - 2037

FAT CONTENTS (in sectors)
--------------------------------------------
49-76 (28) -> EOF

There are 8192 sectors of 512 bytes.