One of the most important tasks of a forensics investigator is to analyze disk partitions. The investigator analyzes a disk partition to extract the files that are present on the system. We work from a raw image of the partition rather than the live disk so that the original data is not tampered with and the analysis holds up in the court room.
Extracting files and documents from the disk partition is the first step. Among the information we need to look out for are images, PDFs and other document formats.
In this module we analyze 2 raw disk partitions. We search for images and PDFs (both present and deleted). Once we have found them we save all the files in two folders (Deleted, Overt).
Install before running:
1. Install pytsk3
2. Install sqlite3
3. Install logilab.common.compat
After installing these packages, run the code:
1. Choose the disk to analyze
2. The analysis will be performed on that raw disk
3. The images will be stored in the images folder
4. The PDFs will be stored in the PDF folder
5. The deleted images and deleted PDFs, and the images and PDFs that are still present on the raw disk, will be stored in different folders
6. The program also creates 2 log files that record all the files it found in the raw disk
For the sample challenge, there are 2 sample files for which the code has been written, the D1 and D2 raw disks (attached). The python code (attached) can be run on the 2 raw disks to retrieve the images and PDFs that are present on the disks.
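The walk described in steps 1 to 6 above, written out as an added example with pytsk3; this is illustrative code, not the attached mainScan.py. It assumes the raw image is a single partition starting at offset 0 (pass a byte offset for a whole-disk image), that output goes under Overt/images, Overt/PDF, Deleted/images and Deleted/PDF, and that the two log files are named overt.log and deleted.log; the file type is decided by magic bytes first and by extension only as a fallback, because a renamed file keeps its header.

```python
import os
import hashlib

try:
    import pytsk3  # The Sleuth Kit bindings listed in the install steps
except ImportError:  # the classification helpers below still work without it
    pytsk3 = None

# Well-known magic numbers for the file types this module looks for.
SIGNATURES = {
    "pdf": b"%PDF-",
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}
IMAGE_EXTENSIONS = ("jpg", "jpeg", "png", "gif")


def classify(name, header):
    """Return 'pdf', 'image' or None for a file, preferring magic bytes over
    the extension (an extension alone is weak evidence on a suspect disk)."""
    for kind, sig in SIGNATURES.items():
        if header.startswith(sig):
            return "pdf" if kind == "pdf" else "image"
    ext = os.path.splitext(name)[1].lower().lstrip(".")
    if ext == "pdf":
        return "pdf"
    if ext in IMAGE_EXTENSIONS:
        return "image"
    return None


def destination(kind, deleted):
    """Output folder for a hit: <Deleted|Overt>/<PDF|images> (assumed layout)."""
    folder = "Deleted" if deleted else "Overt"
    return os.path.join(folder, "PDF" if kind == "pdf" else "images")


def log_line(path, inode, size, deleted, sha256_hex):
    """One tab-separated record per recovered file, including a hash so the
    extracted copy can later be shown to match what was on the image."""
    status = "deleted" if deleted else "overt"
    return "\t".join([path, str(inode), str(size), status, sha256_hex])


def read_entry(entry, size, chunk=1024 * 1024):
    """Read a TSK file object in chunks; a deleted file whose blocks were
    reused may return less than its recorded size, so stop at short reads."""
    data = bytearray()
    offset = 0
    while offset < size:
        buf = entry.read_random(offset, min(chunk, size - offset))
        if not buf:
            break
        data += buf
        offset += len(buf)
    return bytes(data)


def walk(directory, path, visit):
    """Recurse over a TSK directory, calling visit(entry, path, deleted)
    for every regular file, allocated or not."""
    for entry in directory:
        name = entry.info.name.name.decode("utf-8", "replace")
        if name in (".", "..") or entry.info.meta is None:
            continue
        full = path.rstrip("/") + "/" + name
        if entry.info.meta.type == pytsk3.TSK_FS_META_TYPE_DIR:
            try:
                walk(entry.as_directory(), full, visit)
            except IOError:
                continue  # unreadable (often deleted) directory: skip it
        elif entry.info.meta.type == pytsk3.TSK_FS_META_TYPE_REG:
            deleted = bool(int(entry.info.name.flags)
                           & int(pytsk3.TSK_FS_NAME_FLAG_UNALLOC))
            visit(entry, full, deleted)


def extract(image_path, out_dir, offset=0):
    """Carve images and PDFs out of a raw partition image into out_dir and
    write overt.log / deleted.log. Returns the number of files recovered."""
    fs = pytsk3.FS_Info(pytsk3.Img_Info(image_path), offset=offset)
    os.makedirs(out_dir, exist_ok=True)
    logs = {False: open(os.path.join(out_dir, "overt.log"), "a"),
            True: open(os.path.join(out_dir, "deleted.log"), "a")}
    count = [0]

    def visit(entry, full, deleted):
        size = entry.info.meta.size
        try:
            header = entry.read_random(0, min(8, size)) if size > 0 else b""
        except IOError:
            return
        kind = classify(full, header)
        if kind is None:
            return
        data = read_entry(entry, size)
        dest = os.path.join(out_dir, destination(kind, deleted))
        os.makedirs(dest, exist_ok=True)
        # Prefix with the inode so two deleted files with one name do not collide.
        out_name = "%d_%s" % (entry.info.meta.addr, os.path.basename(full))
        with open(os.path.join(dest, out_name), "wb") as fh:
            fh.write(data)
        digest = hashlib.sha256(data).hexdigest()
        logs[deleted].write(log_line(full, entry.info.meta.addr, size,
                                     deleted, digest) + "\n")
        count[0] += 1

    try:
        walk(fs.open_dir(path="/"), "/", visit)
    finally:
        for fh in logs.values():
            fh.close()
    return count[0]


if __name__ == "__main__":
    import sys
    print("%d files recovered" % extract(sys.argv[1], sys.argv[2]))
```

Run it as `python carve.py d1.001 out_d1`; a whole-disk image needs the partition's byte offset (sector offset from `mmls` times the sector size) as a third argument to extract(). Writing the SHA-256 of every recovered file into the log lets the extracted copies be tied back to the image later.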
Attachments:
d1.001 (40.63 MB) - meghancaiazzo, Jun 4 2013, 12:24 AM
d2.001 (123.00 MB) - meghancaiazzo, Jun 4 2013, 12:34 AM
mainScan.py (5.51 KB) - meghancaiazzo, Jun 4 2013, 12:35 AM