Fundamentals of Security Technology
Learning Outcome 1: Analyse weaknesses in a digital storage system by identifying those hardware components of a computer system vulnerable to computer misuse.
Learning Outcome 2: Evaluate the generic characteristics associated with digital evidence recovery from various hardware devices and perform a preliminary investigation for digital evidence.
Learning Outcome 3: Select and deploy appropriate low-level tools to navigate around the contents of digital storage media.
The objective of this coursework is to document the structure of a computer hard disk, showing how the computer uses the information on the disk to locate files on a file system. Using ext4, you will give an overview of how a filesystem works and what actions occur when a file is inserted into and deleted from a filesystem. You will also have to explain the difficulties and challenges that forensic analysts might face when investigating deleted files on an ext4 hard disk.
A USB memory stick, hard disk, or flash memory card with a capacity of at least 16GB
Operating system or application capable of creating ext4 disk partitions
Can use Linux from a virtual machine
Software capable of viewing low-level GPT information
Practical Methodology and Preparation
YOU DO NOT NEED TO DOCUMENT THIS PREPARATION PROCESS IN YOUR REPORT
Create a GPT partition and format it with ext4
Name the partition with your full name
Use sector size of 16K
The size of the partitions must be the last three digits of your student ID in megabytes
E.g. if your student ID is w12345678 the size of the partitions must be 678 Megabytes
The fundamentals of ext4 and its operation.
Compare the ext4 concepts from 2 to your specific implementation (from the practical preparation), identifying the main ext4 data structures and location information.
Create a text file in the ext4 partition which contains your surname as the file name and your first name within the file contents and save it. Trace and identify the location of your file and its contents. Explain how it is reached using the file system information from the GPT and the MFT (Master File Table).
Delete the file and identify and explain the changes in the file system and the data structures that are affected by deleting the file.
Explain, with evidence from your practical scenario, what happens to the contents of your deleted file and the subsequent impact.
Document the challenges that forensic analysts can face when trying to recover deleted files.