Answer the question using the terminal from the file provided.

Nikita23
Task4.docx

Total Points: 100

Answer the following questions using TSK (The Sleuth Kit). Make sure to justify your answers and include the commands you used and the output you got from those commands.

Given 1.E01:

1. What is the type of the file system?

2. What is the volume label?

3. What is the sector size?

4. What is the cluster size?

5. List the first four undeleted files that are stored in the image file. Make sure to indicate the following information: file name, file size, starting sector, ending sector, and whether the file is fragmented or not.

6. What is the command that extracts all the unallocated blocks and saves them in a file called unallocated.dd?

7. List all the allocated metadata (inode) entries using the default TSK layout.

8. List all the unallocated metadata entries using the mactime TSK layout.

9. Using the fls command, list all the files that were deleted in the image file.

10. Using the fls command, list all the directories that are undeleted in the image file.

11. Recover the first four deleted files: the first two using fcat, and the other two using icat. Make sure to display the contents of each recovered file and state whether it was recovered properly or not.

What to hand in

Submit your project electronically through D2L. Please hand in the following:

• Your answers (report) in Word or PDF format.