
Lab 3 DF

Uploaded by

nou20200619

nour taher huwio - section 1 - 20200619

File System Identification entails identifying and classifying the file system type and arrangement
on a storage device. This process facilitates efficient and secure data access by recognizing the
specific file system format, such as FAT, NTFS, exFAT, HFS, among others. It involves understanding
the structure, metadata, and organization of files and directories on the storage medium. File
System Identification is vital for tasks like data recovery, forensics, and overall data management,
ensuring software and users can interact with storage devices effectively and compatibly.

The Sleuth Kit was downloaded, and its decompressed folder was saved to the desktop.
Additionally, the compressed file "Forensic_Image.zip" was obtained from eLearning and also
saved to the desktop. These steps ensured that the necessary tools and resources were readily
available for further analysis and examination in the forensic investigation process.

The command prompt was used to carry out the essential tasks in the forensic investigation process.
First, a command was entered to navigate to the "bin" folder within The Sleuth Kit directory:

cd C:\Users\TCC\OneDrive\Desktop\Lab03_sleuthkit-4.12.0-win32\sleuthkit-4.12.0-win32\bin

Next, another command was entered from that folder to analyze the partition table within the
forensic image named drive1.E01:

fsstat -i ewf C:\Users\TCC\OneDrive\Desktop\Forensic_Image\drive1.E01

Following the execution of this command, detailed information regarding the file system was
displayed, aiding in further analysis and understanding of the data within the forensic image.
File System Information

What is the file system of the media captured in drive1.E01?


The captured file system is FAT32.

With which operating system is this file system likely used?


The file system label "MSDOS5.0" suggested that this file system was likely used with a version of
MS-DOS, which was a popular operating system in the early days of personal computing.

7-What is the volume ID or serial number of the media captured in drive1.E01?


The volume ID or serial number is listed as "0x1881387d."

8-What is the volume label or name of the media captured in drive1.E01?


The volume label (Boot Sector) is "NO NAME". The volume label for the root directory is not
provided.

9-What is the sector or Inode size of the media captured in drive1.E01?


The sector size is mentioned as "Sector Size: 512"

10-How large is the cluster or block size of the media captured in drive1.E01?
The cluster size is listed as "Cluster Size: 4096"
Additional Assignment

For drive2.E01, what is:


The file system?
The file system for drive2.E01 is Ext4.

With which operating system is this file system likely used?


The file system is likely used with a Linux operating system. The "Source OS" information in the
data provided is "Linux," which indicates that this file system is commonly used on Linux.

The volume ID or serial number?


The volume ID for this file system is "e018ba1739a539b4a941a806e678b8a2"

The volume label or name?


The provided data does not contain information about the volume label or name.
The field for "Volume Name" is empty.

The sector or inode size?


The inode size is 256 bytes.

The cluster or block size?


The block size is 4096 bytes.
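
The fields fsstat reported above can also be read straight from the on-disk structures. The Python code below is an added example, not part of the original lab report or The Sleuth Kit: it identifies a FAT32 boot sector or an ext superblock and extracts the same fields the questions ask about. The function names are hypothetical and the sample bytes are constructed (the FAT32 sample carries the drive1.E01 values from the report; the ext UUID is made up).

```python
import struct

def identify(img: bytes) -> dict:
    """Identify FAT32 or ext2/3/4 from the first 2 KiB of a volume."""
    sb = img[1024:2048]  # ext superblock; magic 0xEF53 at offset 56 in it
    if len(sb) >= 136 and struct.unpack_from("<H", sb, 56)[0] == 0xEF53:
        compat, incompat = struct.unpack_from("<II", sb, 92)
        # Heuristic: extents flag -> ext4, journal flag -> ext3, else ext2.
        kind = "ext4" if incompat & 0x40 else "ext3" if compat & 0x4 else "ext2"
        return {
            "fs": kind,
            "volume_id": sb[104:120].hex(),  # raw on-disk UUID bytes
            "label": sb[120:136].split(b"\0")[0].decode("latin-1"),
            "inode_size": struct.unpack_from("<H", sb, 88)[0],
            "block_size": 1024 << struct.unpack_from("<I", sb, 24)[0],
        }
    # FAT32 boot sector (simplified test): 0x55AA at 510, type string at 82.
    if img[510:512] == b"\x55\xaa" and img[82:90] == b"FAT32   ":
        bps, spc = struct.unpack_from("<HB", img, 11)
        return {
            "fs": "FAT32",
            "oem": img[3:11].decode("ascii", "replace"),
            "volume_id": f"0x{struct.unpack_from('<I', img, 67)[0]:08x}",
            "label": img[71:82].decode("ascii", "replace").rstrip(),
            "sector_size": bps,
            "cluster_size": bps * spc,
        }
    return {"fs": "unknown"}

def sample_fat32() -> bytes:
    """Constructed boot sector carrying the drive1.E01 values reported above."""
    b = bytearray(512)
    b[3:11] = b"MSDOS5.0"
    struct.pack_into("<HB", b, 11, 512, 8)       # 512 B sectors, 8 per cluster
    struct.pack_into("<I", b, 67, 0x1881387D)
    b[71:82], b[82:90], b[510:512] = b"NO NAME    ", b"FAT32   ", b"\x55\xaa"
    return bytes(b)

def sample_ext4() -> bytes:
    """Constructed superblock: 4096 B blocks, 256 B inodes, no label."""
    b = bytearray(2048)
    struct.pack_into("<I", b, 1024 + 24, 2)      # 1024 << 2 = 4096
    struct.pack_into("<H", b, 1024 + 56, 0xEF53)
    struct.pack_into("<H", b, 1024 + 88, 256)
    struct.pack_into("<I", b, 1024 + 96, 0x40)   # incompat: extents
    b[1024 + 104:1024 + 120] = bytes(range(16))  # constructed UUID
    return bytes(b)
```

To use it on real evidence, pass `identify()` the first 2048 bytes of a raw volume; an E01 container has to be converted or mounted as raw first, since this code does not read the EWF format.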
