FILE SYSTEM FORENSICS ASSIGNMENT 1
20067817 DANNY O’LEARY
Contents
Introduction
Steps taken
    Making a copy of the file
    Looking at the layout of the file system
    Layout of the file system - Maps
    Finding the files on the USB stick
    Checking the information contained in the journal
Information contained in the PDFs
    Patent ID: D537759
    Patent ID: 6745949
    Patent ID: 7156436
    Patent ID: 7195269
    Patent ID: 7866013
    Patent ID: 7913713
    Patent ID: 7957830
    Patent ID: 8066186
    Patent ID: 9105034
Introduction
The aim of this report is to clearly identify what I found on Anne O’Brien’s USB stick, and to document the steps I took to arrive at those findings in chronological order while maintaining the integrity of the original file. The original dd image and the copy image are not included since they are 1GB in size.
Steps taken

Making a copy of the file
I started by running the md5sum command on the file to record its hash, so that the integrity of the file can be verified and any change to it detected. If anything on the file were to change, md5sum would display a different value when it is run again.
After getting the md5sum of the file, I made a copy of it to another file called “copyfsf2.dd”. This ensures that nothing ever changes on the original file; if anything goes wrong, it will only affect the copy.
To make sure that the file was copied correctly, I checked that the md5sum of the copy matched the md5sum of the original.
Looking at the layout of the file system
Next I ran the fsstat command, which gives a lot of information about the type of file system in the image. In this case the file system type is Ext3. The command also shows where information is stored on the file system. To make the layout clearer, I drew the information on the maps provided in the zip file, which show where the data for each block group of the file system is located.
Layout of the file system - Maps

Group | SuperBlock      | Group Descriptor Table | Data Bitmap     | INode Bitmap    | INode Table     | Free INodes | Free Blocks
------|-----------------|------------------------|-----------------|-----------------|-----------------|-------------|------------
0     | 0               | 1 - 1                  | 62 - 62         | 63 - 63         | 64 - 545        | 7692        | 31304
1     | 32768           | 32769 - 32769          | 32830 - 32830   | 32831 - 32831   | 32832 - 33313   | 7707        | 33314 - 0
2     | N/A             | N/A                    | 65536 - 65536   | 65537 - 65537   | 65538 - 66019   | 7712        | 28132
3     | 98304 - 98304   | 98305 - 98305          | 98366           | 98367 - 98367   | 98368 - 98849   | 7712        | 32222
4     | N/A             | N/A                    | 131072 - 131072 | 131073 - 131073 | 131074 - 131555 | 7712        | 32284
5     | 163840 - 163840 | 163841 - 163841        | 163902 - 163902 | 163903 - 163903 | 169304 - 164385 | 7712        | 32222
6     | N/A             | N/A                    | 196608 - 196608 | 196609 - 196609 | 196610 - 197091 | 7712        | 32284
7     | 229376 - 229376 | 229377 - 229377        | 229438 - 229438 | 229439 - 229439 | 229440 - 229440 | 7712        | 16606
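The block ranges in the map above can be cross-checked against the file system geometry rather than taken on trust from fsstat. This is an added example, not part of the original report or of The Sleuth Kit; it assumes a geometry inferred from the figures in the map (2048-byte blocks, 32768 blocks per group, 7712 inodes per group, 128-byte inodes, 60 reserved GDT blocks, 8 groups), which the report does not state.

```python
# Added example, not part of the original report: recompute the ext3 block
# group layout that fsstat reports (SuperBlock / Group Descriptor Table /
# bitmap / INode Table ranges) from the file system geometry.
# ASSUMED geometry, inferred from the map rather than stated in the report:
# 2048-byte blocks, 32768 blocks per group, 7712 inodes per group, 128-byte
# inodes, 60 reserved GDT blocks, 8 groups. Free INodes / Free Blocks come from
# the group descriptors, not from the geometry, so they are not recomputed.

def has_superblock(group, sparse_super=True):
    """sparse_super: backup superblocks only in groups 0, 1 and powers of 3, 5, 7."""
    if not sparse_super or group <= 1:
        return True
    for base in (3, 5, 7):
        n = group
        while n % base == 0:
            n //= base
        if n == 1:
            return True
    return False

def group_layout(group, block_size=2048, blocks_per_group=32768,
                 inodes_per_group=7712, inode_size=128,
                 reserved_gdt_blocks=60, group_count=8):
    """Return {area: (first_block, last_block)} for one group; None = absent."""
    first = group * blocks_per_group
    nxt = first                      # first block not yet claimed by metadata
    layout = {"superblock": None, "gdt": None}
    if has_superblock(group):
        # With 2048-byte blocks the superblock (byte offset 1024) is in the group's
        # first block; the 32-byte-per-group descriptor table and reserved blocks follow.
        gdt_blocks = -(-group_count * 32 // block_size)   # ceil division
        layout["superblock"] = (first, first)
        layout["gdt"] = (first + 1, first + gdt_blocks)
        nxt = first + 1 + gdt_blocks + reserved_gdt_blocks
    layout["data_bitmap"] = (nxt, nxt)
    layout["inode_bitmap"] = (nxt + 1, nxt + 1)
    table_blocks = -(-inodes_per_group * inode_size // block_size)
    layout["inode_table"] = (nxt + 2, nxt + 1 + table_blocks)
    return layout

def layout_map(group_count=8, **geometry):
    """Layout of every block group, keyed by group number."""
    return {g: group_layout(g, group_count=group_count, **geometry)
            for g in range(group_count)}

if __name__ == "__main__":
    for g, lay in layout_map().items():
        cells = [f"{k}: {'N/A' if v is None else f'{v[0]} - {v[1]}'}" for k, v in lay.items()]
        print(f"Group {g}: " + ", ".join(cells))
```

Groups 2, 4 and 6 come out without a superblock copy, matching the N/A entries in the map, and any range that disagrees with the computed value (such as a group whose INode Table start and end do not span 482 blocks) is worth re-checking against the fsstat output.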
Finding the files on the USB stick
I used the fls command to display the files on the USB stick. It reported two deleted files, at inode numbers 13 and 15. All the files here were PDFs whose titles followed the format “United States Patent? Numberhere.pdf”.
There was also a directory called lost+found, located at inode number 11. I again used the fls command to see what files it contained, but this time it returned no results.
There was also a directory called .Trash-0 on the USB stick. I used the fls command with inode number 7713 to display the contents of this directory. Inside it were two more directories, info and files.
When fls was run on the directory at inode number 7715, it returned the two files that originally appeared as deleted, at inode numbers 13 and 15 respectively.
I then used the icat command to extract the file at inode number 13 and see what it contained.
I did the same with the file at inode number 15 to see what that PDF contained.
I then used icat on the remaining files that were listed by the fls command.
Checking the information contained in the journal
I used the jls command to copy the journal information to a text file to see what activity it recorded. From this we can see the allocated files and where they were allocated.

Checking the times created and the accessed times
To do this I used the istat command on each of the patent inodes to see the times recorded for the files. They are presented in the table below:
File    | Accessed            | File Modified
--------|---------------------|--------------------
7156436 | 2012-04-17 21:18:44 | 2012-04-17 09:05:56
6745949 | 2012-04-17 21:18:58 | 2012-04-17 09:07:26
7195269 | 2012-04-17 21:19:22 | 2012-04-17 09:05:26
8066186 | 2012-04-17 21:19:28 | 2012-04-17 09:09:28
7866013 | 2012-04-17 21:19:42 | 2012-04-17 09:06:54
7913713 | 2012-04-17 21:19:45 | 2012-04-17 09:06:36
7957830 | 2012-04-17 21:19:47 | 2012-04-17 09:08:36
8105034 | 2012-04-17 21:19:49 | 2012-04-17 09:05:38
D537759 | 2012-04-17 21:19:51 | 2012-04-17 09:05:28

Information contained in the PDFs

Patent ID: D537759
This patent covers the bridge portion of a hitch; it is for an ornamental design on the bridge portion of a hitch. Since it is suggested that Anne O’Brien has left the company and is planning to join a rival engineering company that also develops hitches, this may be a patent that she is taking from the company to bring to the new company.
Patent ID: 6745949
This patent contains information about a drinking straw with a valve function. It may belong to the company’s medical devices section, and since Anne O’Brien is leaving the company for a rival engineering company, this suggests the patent may be of no use to the rival company.
Patent ID: 7156436
This patent contains information about a clamping device with a carriage that is capable of moving a movable jaw towards a stationary jaw. Since Anne O’Brien is leaving the company for a rival engineering company, this may be of value to the new company, which means it is possible that Anne O’Brien is stealing the patents.
Patent ID: 7195269
This patent contains information about a hitch. Again, since Anne O’Brien is leaving the company for a rival engineering company, this patent would be of use to her new company, so it is possible that she is stealing these patents for her new company.
Patent ID: 7866013
This patent contains information about an urn and a method of forming a body that comprises powdery mortal remains. Although Anne O’Brien is leaving the company for a rival engineering company, this patent doesn’t seem of real use to an engineering company, so I don’t see it having any value to her new company.
Patent ID: 7913713
This patent contains information about a combination wet kit. A combination wet kit includes a mounting bracket supporting an end dump/return manifold and a walking floor/side dump/low boy manifold, as well as a supporting bracket for the hydraulic fluid filter. Since Anne O’Brien is leaving the company for a rival engineering company, this patent seems like it could be useful to an engineering company.
Patent ID: 7957830
This patent contains information about CNC instructions for solidification fixturing of parts. Since Anne O’Brien is leaving the company for a rival engineering company, this patent seems like it could be useful to an engineering company.
Patent ID: 8066186
This patent contains information about a confidentiality packaging system. Since Anne O’Brien is leaving the company for a rival engineering company, it might be somewhat useful to that company, but it isn’t anything they specialize in.
Patent ID: 9105034
This patent contains information about a vertical-axis wind turbine and a method for the production thereof. Since Anne O’Brien is leaving the company for a rival engineering company, this patent seems like it could be useful to that company.
Conclusion
In this investigation the integrity of the files has been maintained. All of the steps I carried out have been included in the order I carried them out on the USB stick. The aim of the investigation was to present the evidence found on the USB stick, and I feel I have done that by identifying the numerous patent files it contained. A number of the patents relate to engineering, which is suspicious considering Anne O’Brien joined a rival engineering company, but some of the patents found on the USB stick had nothing to do with engineering and concerned medical supplies instead. Also, the USB stick was found on Anne O’Brien’s desk by another employee at KDM without her knowledge, so there is also a chance that she was framed. One thing that would support this claim is the accessed and modified times of the files: since they are so close to each other, it seems the files were created together, and perhaps someone simply put them on her USB stick. In conclusion, it is very suspicious that Anne O’Brien has all of these KDM patent files on her USB stick, but it is also possible that she was framed.