Disk Forensics

Analysis

Disk forensics involves analyzing file systems to recover deleted files, examine artifacts, and reconstruct user activity. Understanding NTFS, ext4, and other file systems is essential.

File System Analysis

disk-forensics.sh

```bash
# Autopsy / Sleuth Kit - Primary disk forensics tools
# List partitions (note the start sector of the target partition)
mmls disk.raw

# File system info; -o is the partition start sector reported by mmls
fsstat -o 2048 disk.raw

# List files and directories recursively (deleted entries are marked "* ")
fls -r -o 2048 disk.raw

# Extract file by inode (MFT entry number on NTFS)
icat -o 2048 disk.raw 12345 > recovered_file.doc

# Timeline of file system activity: bodyfile first, then mactime (-d for CSV output)
fls -r -m "/" -o 2048 disk.raw > bodyfile.txt
mactime -b bodyfile.txt -d > timeline.csv

# Deleted file recovery with Scalpel (header/footer carving per scalpel.conf)
scalpel -c /etc/scalpel/scalpel.conf -o /output disk.raw

# PhotoRec for file carving (interactive; prompts for partition and output dir)
photorec disk.raw

# Foremost data carving
foremost -t all -i disk.raw -o /carved_files
```
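The timeline step above feeds a bodyfile from `fls -m` into `mactime`. The following is an added example, not part of the original cheat sheet, that reproduces what `mactime` does with that input: it parses the TSK 3.x bodyfile format (`MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime`), flags entries that `fls` marked as deleted, and emits one MACB row per distinct timestamp. The two bodyfile lines are constructed sample data.

```python
"""Build a MACB timeline from a Sleuth Kit bodyfile, the way mactime does.

Added example, not part of the original cheat sheet. SAMPLE_BODYFILE is
constructed sample data in the TSK 3.x format emitted by `fls -m`:
MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime (epoch seconds).
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

SAMPLE_BODYFILE = """\
0|/Users/alice/notes.txt|12345-128-1|r/rrwxrwxrwx|0|0|2048|1700000300|1700000200|1700000200|1700000100
0|/Users/alice/secret.doc (deleted)|12346-128-3|r/rrwxrwxrwx|0|0|65536|1700000500|1700000500|1700000500|1700000400
"""


@dataclass
class BodyRecord:
    name: str
    inode: str   # on NTFS: MFT entry-attribute type-attribute id
    size: int
    atime: int
    mtime: int
    ctime: int
    crtime: int

    @property
    def deleted(self) -> bool:
        # fls appends "(deleted)" to names whose directory entry is unallocated
        return self.name.endswith("(deleted)")


def parse_bodyfile(text: str) -> list[BodyRecord]:
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("|")
        if len(f) != 11:
            raise ValueError(f"malformed bodyfile line: {line!r}")
        records.append(BodyRecord(f[1], f[2], int(f[6]), int(f[7]), int(f[8]), int(f[9]), int(f[10])))
    return records


def build_timeline(records: list[BodyRecord]) -> list[tuple]:
    """Rows of (utc_time, macb_flags, size, inode, name), oldest first.
    As in mactime, timestamps that coincide collapse into one row with combined flags."""
    rows = []
    for r in records:
        letters_at = defaultdict(str)  # timestamp -> letters, kept in canonical "macb" order
        for letter, ts in (("m", r.mtime), ("a", r.atime), ("c", r.ctime), ("b", r.crtime)):
            letters_at[ts] += letter
        for ts, letters in letters_at.items():
            macb = "".join(ch if ch in letters else "." for ch in "macb")
            when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
            rows.append((when, macb, r.size, r.inode, r.name))
    return sorted(rows)
```

A row whose flags read `...b` with a later `mac.` row for the same file, as for the deleted document here, is the usual signature of a file created and then modified in place, which is what the `$MFT` timestamps in the table below record.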

NTFS Artifacts

| Artifact | Location | Evidence Value |
|---|---|---|
| $MFT | Root of NTFS | All file metadata, timestamps, deleted entries |
| $UsnJrnl | $Extend folder | File system change journal |
| $LogFile | Root of NTFS | Transaction log for recovery |