Forensic Investigation of a disk image

Not sure how many people on here would have experience with this sort of thing, but here goes!

So my latest assignment for college involves investigating a .dd image of a USB drive. First thing I did was hash the file and make sure that nothing had changed, using MD5, SHA1, and SHA256. Next I used some command line tools of TheSleuthKit (icat & fsstat) to examine the drive and map out the file structure and FAT directories.

I’ve run the file through Autopsy, carved it with scalpel, investigated the hex of the image to see if anything was hidden, and even followed the cluster chain, but I feel as though I’m missing something. I was able to recover 3 text files (1 deleted) and 1 image file, but I think that there might be more hidden that I’m just missing.

If anyone knows what might be the right course of action to take I’d really appreciate some input, I can link the file too if anyone wants to take a look themselves.

^^ copy of the file structure map I made earlier.

Anyway, thanks for reading over this. I’m kinda stumped at this point, but I still want to do well in the assignment!



1 Like
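Added example, not part of the original post and not TheSleuthKit's code: a short Python walk of a FAT12 root directory on a constructed image, showing the places data survives that a plain file listing misses: a deleted entry (first byte 0xE5) whose FAT chain was zeroed, the orphaned cluster it pointed to, and file slack at the end of a live file's last cluster. The geometry, file names and contents are all constructed.

```python
import struct

BPS, SPC, RES, NFATS, ROOTN, TOTAL, SPF = 512, 1, 1, 1, 16, 64, 1  # constructed geometry

def fat12_get(fat, n):
    """Read the 12-bit FAT entry for cluster n (two entries share three bytes)."""
    v = struct.unpack_from("<H", fat, n + n // 2)[0]
    return v >> 4 if n & 1 else v & 0xFFF

def build_image():
    """Constructed FAT12 image: one live file, one deleted file, residue in slack."""
    img = bytearray(BPS * TOTAL)
    struct.pack_into("<HBHBHHBH", img, 11, BPS, SPC, RES, NFATS, ROOTN, TOTAL, 0xF8, SPF)
    # FAT12: [0]=FF8 [1]=FFF (media/EOC), [2]=003 -> [3]=FFF (NOTES), [4]=000 (freed on delete)
    img[BPS * RES:BPS * RES + 9] = bytes.fromhex("f8ffff03f0ff000000")
    root = BPS * (RES + NFATS * SPF)
    data = root + ROOTN * 32
    struct.pack_into("<11sB14xHI", img, root, b"NOTES   TXT", 0x20, 2, 600)
    struct.pack_into("<11sB14xHI", img, root + 32, b"\xe5ECRET  TXT", 0x20, 4, 20)  # 0xE5: deleted
    img[data:data + 600] = b"A" * 600                  # clusters 2 and 3 (88 bytes of 3 used)
    img[data + BPS + 100:data + BPS + 105] = b"SLACK"  # leftover bytes in the file slack
    img[data + 2 * BPS:data + 2 * BPS + 20] = b"hidden flag content!"  # orphaned cluster 4
    return bytes(img)

def list_root(img):
    """Walk the root directory: live and deleted entries, cluster chains, slack."""
    bps, spc, res, nfats, rootn = struct.unpack_from("<HBHBH", img, 11)
    spf = struct.unpack_from("<H", img, 22)[0]
    fat = img[bps * res:bps * (res + spf)]
    root = bps * (res + nfats * spf)
    data, csz, out = root + rootn * 32, bps * spc, []
    for i in range(rootn):
        e = img[root + 32 * i:root + 32 * (i + 1)]
        if e[0] == 0:  # 0x00 in the first byte: no more entries
            break
        deleted = e[0] == 0xE5
        base, ext = e[1:8].decode().rstrip(), e[8:11].decode().rstrip()
        name = ("?" if deleted else chr(e[0])) + base + "." + ext  # first char lost on delete
        first, size = struct.unpack_from("<HI", e, 26)
        chain = [first]
        if deleted:  # deleting zeroes the FAT entries, so assume the file was contiguous
            chain = list(range(first, first + -(-size // csz)))
        else:
            while 2 <= (nxt := fat12_get(fat, chain[-1])) < 0xFF8:
                chain.append(nxt)
        raw = b"".join(img[data + (c - 2) * csz:data + (c - 1) * csz] for c in chain)
        out.append({"name": name, "deleted": deleted, "chain": chain, "size": size,
                    "content": raw[:size], "slack": raw[size:].strip(b"\0")})
    return out
```

On a real image the same walk applies to subdirectories and to unallocated clusters that no entry references at all, which is where carving tools such as scalpel earn their keep.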

That looks like an awesome thing to be involved in and to learn. But I haven’t got a scooby that would be any help, other than saying that if this is a teaching assignment, then it’d be pretty common for your tutor to put something in that is either really ‘outside the box’ or ‘glaringly obvious’ to try and catch you out.

I remember a tale of someone I know doing a CCNP, and on one of the practical assessments the tutor damaged a CAT5 cable just subtly enough to cause an issue… They spent ages checking the routers and configuration, being really focused on the complex stuff, whilst the actual issue was as simple as a cable swap out.