Run The Sleuth Kit with the Autopsy browser for more in-depth analysis of the filesystem of the main partition. According to the values given by mmls, we can extract partitions with dd. Run foremost or scalpel to quickly extract any interesting files, and have a look at them.
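Carving a partition from the mmls values with dd, as an added example that is not part of the original writeup. The mmls table is constructed for illustration, and the function names (sector_size, part_geometry, carve_partition, carve_slot) are assumptions.

```shell
#!/bin/sh
# Constructed mmls output for illustration; not taken from the challenge image.
SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000000127   0000000128   Unallocated
002:  000:000   0000000128   0000002175   0000002048   NTFS / exFAT (0x07)'

# sector_size: read mmls output on stdin, print the unit size in bytes.
sector_size() {
    awk '/^Units are in/ { sub(/-byte/, "", $4); print $4 }'
}

# part_geometry SLOT: read mmls output on stdin, print "start length" in
# sectors. Adding 0 strips the zero padding, so the values cannot be
# misread as octal by shell arithmetic later on.
part_geometry() {
    awk -v slot="$1:" '$1 == slot { print $3 + 0, $5 + 0 }'
}

# carve_partition IMAGE OUT BS START LENGTH: copy one partition out of the
# image, then confirm the output has exactly LENGTH * BS bytes.
carve_partition() {
    dd if="$1" of="$2" bs="$3" skip="$4" count="$5" 2>/dev/null || return 1
    [ "$(wc -c < "$2")" -eq $(( $3 * $5 )) ]
}

# carve_slot IMAGE OUT SLOT: same, with geometry read from mmls text on stdin.
carve_slot() {
    table=$(cat)
    bs=$(printf '%s\n' "$table" | sector_size)
    set -- "$1" "$2" $(printf '%s\n' "$table" | part_geometry "$3")
    [ $# -eq 4 ] || return 1          # slot not found in the table
    carve_partition "$1" "$2" "$bs" "$3" "$4"
}

# Real use (requires The Sleuth Kit):
#   mmls disk.img | carve_slot disk.img part.dd 002
```

The size check catches a truncated image, where dd would otherwise stop early and still exit successfully.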
![oxygen forensics unallocated space oxygen forensics unallocated space](https://linuxhint.com/wp-content/uploads/2020/07/7-9.png)
![oxygen forensics unallocated space oxygen forensics unallocated space](https://www.thomsonreuters.com/en-us/posts/wp-content/uploads/sites/20/2015/05/Data-numbers.jpg)
![oxygen forensics unallocated space oxygen forensics unallocated space](https://image.slidesharecdn.com/sqliteforensics-freelistswalunallocatedspacecarving-150911100940-lva1-app6891/95/sqlite-forensics-free-lists-unallocated-space-carving-27-638.jpg)
Forensics 100 was simple forensics but still with some traps.

Description: find the key, and they gave us the following file, which turned out to be a gzipped raw disk image.

After extracting, use the file command to recognize a raw disk image:

f100_6db079ca91c4860f.bin: x86 boot sector partition 1: ID=0x7, starthead 0,