File System Forensics forms the root of any digital investigation process. Developing your skills in this area is sure to boost your confidence and propel you to navigate any investigation with ease. This course will make the esoteric nature of this topic coherent to a novice.
18 hours (18 CPE points)
When I began exploring ext4 forensics, it piqued my curiosity. So much intricacy has gone into the development of the file system, leading to a number of forensic impacts. I conjured use cases and observed some interesting behaviour of the file system, which I would love to share with you. A lot of time is spent on processing information in bytes – which is definitely a drive down the road of patience! People usually shy away from data that is not intelligible to the average human. I will help you traverse through the world of bits and bytes in an enjoyable way. (Maybe we can communicate with aliens soon!)
Linux operating System is a ubiquitous one today. From servers, to desktops, to laptops, to tablets, to smartphones – Linux is everywhere. Underlying all that intelligent engineering is a file system that facilitates the handling of files on those devices. A file system is the container in any data storage device that handles file arrangement meaningfully. It is analogous to a well stacked, alphabetically sorted bookshelf. File System Forensics is the study about the existential behaviour of files on a storage device – which may undergo addition, modification or removal. One can think of it as a psychological study of the data storage container. This course primarily deals with forensics on the Fourth Extended File System (ext4), that is commonly used in Linux machines all over the globe. Ext4 file system is also found in a lot of IoT devices and in smart home devices. In the untoward occurrence of a forensic incident involving any such devices, the skills you get from this course would help you process them looking for evidence. File System Forensics is a sought-after skill in many investigative agencies. Here is your chance to become a “Forensics Yoda”!
I can hear you thinking already – should I invest my valuable time to learn file system forensics? Let me break it down for you. At present, in the realm of state-of-the-art technology, fancy entities like Internet of Things, smart homes, self-driving cars, etc., are sprouting like weeds. Despite that, for every “this is a new smart device”, there is a “cyber-attack launched on smart device by anonymous hackers!” As much as a business mollycoddles their customers, there is a perpetual demand for adroit professionals who can ferret out the unfavourable work transacted by hackers. A cyber criminal always thinks he is one step ahead. They are usually skilled people who have spent a long time studying the technology on the attack surface. What if a forensic investigator is two steps ahead? Such a forensic investigator has a myriad of skills and I am offering you a chance to earn one. A new feather to your forensics cap!
- An in-depth understanding of the layout and inner-working of ext4 file system
- How to approach data handling at a byte level
- Various features of the ext4 file system
At the end of the course:
- You will target specific bytes of data in the ext4 file system and interpret them to gain meaningful information
- You will possess the finesse to tackle bytes (zeros and ones) fearlessly
- You will add another badge to your skillset. File System Forensics is a must-know topic for every skilled digital forensic investigator
- The Sleuth Kit Tool Suite
- Linux command line tools like dd, dcfldd, colordiff, hexdump
- wxHex Editor
- A computer with Ubuntu 16.04 LTS installed in it (It is possible to use a VM, but in this course we will be using Ubuntu 16.04 LTS installed directly on the host machine – it would be a better option for the learning process.)
- Good internet connection to download tools on the fly
Your Instructor: Divya Lakshmanan
Divya Lakshmanan is a graduate in Digital Forensics who has been exploring the field for the past three years. She is an independent researcher who enjoys drifting through the intricate realm of bits and bytes. She has made various contributions to journals and blogs. She enjoys teaching and revels in sharing her findings with fellow curious comrades. During her free time, she wonders about the mystique of the universe.
MODULE 1: Understanding the Fourth Extended File System
Only with a deep insight of the conventional behaviour can forensics be done to identify abnormal behaviour. This module progresses into the internals of the Fourth Extended File System, thereby setting the tone to begin forensic procedures.
- Introduction to File Systems
- Versions of the Extended File System
- Layout of the Fourth Extended File System
- Interpreting the data structures
- Super Block
- Group Descriptor Table
- Block Bitmap
- Inode Bitmap
- Inode Table
- Data Area
- Introduction to the tools used in this course
- How to step into the forensic process on ext4
Exercise 1: Given a file system image, you will locate the different data structures.
MODULE 2: Locating files and directories using forensic procedures
We are habituated to looking at files and directories on our storage devices through a file manager on the Linux machine. In this module, we will see how to extract a small file, a large file, a directory – from a storage device, in a forensic manner. This will kickstart your journey into the magical world of bits and bytes. We will also cover extraction of deleted files and directories.
- Locate small file
- Locate directory
- How to extract a deleted small file
- How to extract a deleted directory
- Locate large file – understanding extents
- How to extract a deleted large file
- A primer to file carving
Exercise 2: Given a file system image, you will identify whether a file exists or if it has been deleted. If it has been deleted, is there a way to extract the file?
MODULE 3: Forensically interpreting features of the ext4 file system
Description: Every file system has some unique features incorporated into its storage procedures. In this module, we will see the forensic impact of some features specific to ext4. We will observe these features as they would normally exist and in scenarios when the files/directories using these features undergo deletion.
- Soft links and Hard links
- Extended Attributes
- Large extended attributes
- Access Control Lists
- A Quick Perusal
Exercises 3: Given the file system image, you will interpret information from the features seen in this module.
MODULE 4: Wrapping up forensics on ext4
Journaling is an important feature that was added to ext4 to aid in file recovery. We will see its impact on forensics. This module also teaches about how to use the information seen in this course in a forensic investigation.
- Encrypted File System
- Features of ext4, which may or may not have a forensic impact
- How can the file system forensics aspect of an investigation be approached? – on USB drives, on desktops, on servers, on RAID machines, on corrupted machines
Exercise 4: This exercise will focus on interpreting the journal on the given file system image.
FINAL EXAM: The final exam will be a multiple-choice test, to complement the modules’ practical exercises. However, the exam would be child’s play only if the candidate practices the exercises judiciously.
- The course is self-paced – you can visit the training whenever you want and your content will be there.
- Once you’re in, you keep access forever, even when you finish the course.
- There are no deadlines, except for the ones you set for yourself.
- We designed the course so that a diligent student will need about 18 hours of work to complete the training.
- The course contains video and text materials, accompanied by practical labs and exercises.
Questions? Contact our course coordinator Marta at [email protected]