File System Forensic Analysis Assignment – 3

1. You will need the "raidtab" files in the archive on Blackboard to answer this question. Parse the given /etc/raidtab files and describe their RAID setup, partitions and configurations. Identify a couple of bootable "live" forensic Linux distributions and list which RAID controller drivers are supported in these distributions. Assuming you were setting up a SQL server or other relational database server, which RAID level would you choose? In particular, would RAID level 10 or level 5 better suit your needs, and why?
2. What is a cluster, and why is a cluster, as opposed to a sector, currently used as the smallest data unit for storing files on a hard disk? Let's say we have a fictitious file system on a storage device with 512 byte sectors. This file system allocates 8 sectors per cluster. Therefore the size of a cluster is _____ bytes. Suppose a file that is 5100 bytes long is saved on this device. There are _____ bytes of slack, which can be broken down into _____ bytes of RAM slack and _____ bytes of file slack, or _____ sectors. In general, the maximum size of RAM slack is _____ bytes, and the maximum size of file slack, assuming a cluster size of 8 sectors, is therefore _____ sectors, or _____ bytes. Using any tool of your choice, try hiding data in the slack space of a file on your file system and document your process. Estimate (roughly) the slack space on your Windows host machine. In short, I am asking you to estimate the storage space that is being wasted due to slack. (I am assuming that your virtual machines are shiny new and therefore may not have had much activity, and consequently not much wasted slack space, and that your host machines are Windows based. If not, adapt the question to your setting.)
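The arithmetic behind question 2, written out as a small calculator. This is an added example, not part of the assignment: it takes a file size, a sector size and a sectors-per-cluster count and splits the allocated-but-unused bytes into RAM slack (tail of the last sector holding data) and file slack (whole unused sectors in the last cluster), using the same definitions the question uses. It generalizes beyond the single 5100-byte case (any file size, including the exact-fit and one-byte-over edge cases) and includes a directory walk for the "estimate wasted slack" part. The function names are my own, and the model is the fictitious file system of the question, not NTFS (which, for instance, keeps very small files resident in the MFT and so has no slack for them).

```python
"""Cluster/slack arithmetic for a simple sector-and-cluster file system.

Added worked example for question 2; not part of the assignment. Function
names and the directory-walk estimate are my own choices (assumptions); the
model is the question's fictitious file system, not any real one.
"""
import math
import os


def slack_breakdown(file_size: int, sector_size: int = 512,
                    sectors_per_cluster: int = 8) -> dict:
    """Return allocation and slack figures for one file of file_size bytes.

    Terminology (as in the assignment):
      * RAM slack  - unused tail of the last *sector* that holds file data
      * file slack - whole sectors in the last cluster that hold no file data
    """
    if file_size < 0 or sector_size <= 0 or sectors_per_cluster <= 0:
        raise ValueError("file size must be >= 0 and unit sizes > 0")

    cluster_size = sector_size * sectors_per_cluster
    clusters = math.ceil(file_size / cluster_size)       # clusters allocated
    sectors_used = math.ceil(file_size / sector_size)    # sectors holding data
    allocated_bytes = clusters * cluster_size

    ram_slack = sectors_used * sector_size - file_size   # 0 .. sector_size-1
    file_slack_sectors = clusters * sectors_per_cluster - sectors_used
    file_slack = file_slack_sectors * sector_size

    return {
        "cluster_size": cluster_size,
        "clusters_allocated": clusters,
        "allocated_bytes": allocated_bytes,
        "total_slack": allocated_bytes - file_size,
        "ram_slack": ram_slack,
        "file_slack_sectors": file_slack_sectors,
        "file_slack": file_slack,
        # Worst cases: one byte into a fresh sector / one byte into a fresh cluster
        "max_ram_slack": sector_size - 1,
        "max_file_slack_sectors": sectors_per_cluster - 1,
        "max_file_slack": (sectors_per_cluster - 1) * sector_size,
    }


def estimate_volume_slack(file_sizes, sector_size: int = 512,
                          sectors_per_cluster: int = 8) -> int:
    """Sum total slack over many files: a rough 'wasted space' figure."""
    return sum(slack_breakdown(s, sector_size, sectors_per_cluster)["total_slack"]
               for s in file_sizes)


def estimate_dir_slack(root: str, sector_size: int = 512,
                       sectors_per_cluster: int = 8) -> int:
    """Walk a directory tree and estimate the slack its regular files waste.

    Uses logical sizes only, so it ignores compression, sparse files and
    resident (in-MFT) files; treat the result as the rough estimate the
    question asks for, not an exact figure.
    """
    sizes = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            try:
                sizes.append(os.stat(os.path.join(dirpath, name)).st_size)
            except OSError:
                continue  # unreadable or vanished file: skip it
    return estimate_volume_slack(sizes, sector_size, sectors_per_cluster)


if __name__ == "__main__":
    for size in (5100, 4096, 4097, 0):
        print(size, slack_breakdown(size))
    # Constructed sample of file sizes standing in for a directory listing
    print("estimated slack:", estimate_volume_slack([5100, 12, 70000, 4096]))
```

Running it against the assignment's parameters, then against a file that exactly fills a cluster and one that is one byte over, shows where the "maximum" figures in the question come from: RAM slack peaks one byte into a fresh sector, file slack peaks one byte into a fresh cluster.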
3. Design a few experiments which authoritatively assert or refute these statements/questions.

1. Does file slack accompany a file when it is emailed?
2. Does file slack accompany a file when it is renamed?
3. Does file slack accompany a file when it is copied from your hard drive to your USB "flash" drive?
4. Does file slack accompany a file when it is copied to a different location on the same file system?
5. As you read in the book, earlier versions of Windows dumped random chunks of RAM content into a particular slack area of a file, creating what we now call "RAM" slack, albeit abusing the terminology a bit. Find out with which version of Windows this behavior changed.
4. Most operating systems do not "wipe" the contents of a file's data units when the file is unallocated. Consequently, there exist some "secure delete" tools that accomplish this task for the user. It turns out that SDelete is a very popular secure delete tool on Windows. It is a part of the Windows Sysinternals advanced system utilities suite by Mark Russinovich: http://technet.microsoft.com/en-us/sysinternals/bb897443.aspx. Use this tool to securely delete a file on your USB device. Interestingly enough, because of the manner in which SDelete operates, it leaves a characteristic "signature" on the disk. I'd like you to identify this characteristic, which may prove that a suspect has in fact used SDelete or a similar wiping tool. Many disk wiping utilities offer multiple passes as they securely delete the contents of a drive. I would assume that overwriting the contents of a drive with random data or zeroes merely once would suffice. This raises the question: why are there multiple passes? How many wipes would suffice? Lastly, "delete" a file and use metadata-based analysis or application-based analysis to recover the file; use any tool to do this and explain how it accomplishes its task.
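The "application-based analysis" named in question 4 usually means file carving: because unallocating a file leaves its data units intact, a tool can scan raw disk bytes for known file-format headers and footers and cut the content back out without any help from file system metadata. The example below is added here to show how that works; it is not the assignment's own code and not the algorithm of any particular recovery tool. It builds a constructed "disk image" in memory (filler bytes around a PNG-like and a JPEG-like blob), then carves both back out by signature. The `SIGNATURES` table, `carve()` and the sample blobs are my own constructions.

```python
"""Signature-based file carving over a raw byte image.

Added example for question 4; not the assignment's code and not any real
tool's implementation. The image, blobs and function names are constructed
for illustration.
"""
import os

# Header/footer pairs for two common formats. footer_extra is the number of
# bytes that still belong to the file after the footer marker: PNG's IEND
# chunk carries a 4-byte CRC after the "IEND" tag, a JPEG ends at FF D9.
SIGNATURES = {
    "png": {"header": b"\x89PNG\r\n\x1a\n", "footer": b"IEND", "footer_extra": 4},
    "jpg": {"header": b"\xff\xd8\xff", "footer": b"\xff\xd9", "footer_extra": 0},
}


def carve(image: bytes, max_size: int = 10 * 1024 * 1024) -> list:
    """Return [(kind, offset, data), ...] for every header/footer pair found.

    Caveats a real carver has to handle too: a footer is taken as the first
    one after the header (an embedded JPEG thumbnail ends a carve early), and
    fragmented files come out wrong because only contiguous bytes are taken.
    """
    found = []
    for kind, sig in SIGNATURES.items():
        start = 0
        while True:
            h = image.find(sig["header"], start)
            if h == -1:
                break
            # Look for the footer within max_size bytes of the header only.
            f = image.find(sig["footer"], h + len(sig["header"]), h + max_size)
            if f == -1:
                start = h + 1          # orphan header: keep scanning
                continue
            end = f + len(sig["footer"]) + sig["footer_extra"]
            found.append((kind, h, image[h:end]))
            start = end
    found.sort(key=lambda item: item[1])  # report in on-disk order
    return found


def carve_file(path: str, max_size: int = 10 * 1024 * 1024) -> list:
    """Carve from a raw image file (e.g. a dd copy of the USB device)."""
    with open(path, "rb") as fh:
        return carve(fh.read(), max_size)


def write_carved(results: list, outdir: str) -> list:
    """Write each carved object as <offset>.<kind>; returns the paths written."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for kind, offset, data in results:
        p = os.path.join(outdir, f"{offset:08x}.{kind}")
        with open(p, "wb") as fh:
            fh.write(data)
        paths.append(p)
    return paths


# Constructed sample blobs: structurally shaped like the formats, not viewable images.
SAMPLE_PNG = (SIGNATURES["png"]["header"] + b"\x00\x00\x00\rIHDR" + bytes(17)
              + b"\x00\x00\x00\x00IEND\xaeB`\x82")
SAMPLE_JPG = b"\xff\xd8\xff\xe0" + b"JFIF\x00" + bytes(40) + b"\xff\xd9"
FILLER = bytes(range(256)) * 4  # deterministic bytes containing no signature


def build_sample_image() -> bytes:
    """Constructed 'disk image': filler, PNG-like blob, filler, JPEG-like blob, filler."""
    return FILLER + SAMPLE_PNG + FILLER + SAMPLE_JPG + FILLER


if __name__ == "__main__":
    for kind, offset, data in carve(build_sample_image()):
        print(f"{kind} at offset {offset}: {len(data)} bytes")
```

`carve_file()` is the entry point you would use on an image of the USB device after the deletion; the carved objects come back even though no directory entry or MFT record points at them any more, which is the contrast with metadata-based recovery that the question asks you to explain.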