ExFAT forensic images for timestamp testing
Description
These forensic images are created in Linux Ubuntu 20.04 (using the exFAT.fuse or the exFAT native driver), MacOS Monterey , and Windows 10. The images for experiment A we utilised 4 different timezones and creating 100 files in a directory for each. In experiment B we mounted and unmounted the images from experiment A on another OS or driver. In experiment C we opened files using a default text editor. In experiment D we overwrite files by appending content using bash or batch. In experiement E we overwrite files using the default text editor (Linux: Gedit, MacOS: TextEdit, Windows: Notepad). The first OS mentioned in the filename is from the base image, then we used the next OS (or driver) to performed the action.
Files
Steps to reproduce
By running the scripts you can reproduce most of the experiements. Instructions on how to run the scripts can be found inside the scripts, which may need to be adjusted based on your USB device. The scripts will wipe your device before creation, so please use with caution. Linux/MacOS ./exfatexperiment.sh [os] [diskdevice] [true|false] [create|write|open] The [os] can be lin or mac, the [diskdevice] is the path to the device that is your storage that should be used for the experiments, the [true|false] is wiping true or false. If true, the device will be wiped before the device is formatted with the exFAT file system. The script requires the libewf package. The [create|open|write] is the action we want to do. Create is Experiment A, open is Experiment C, and wite is Experiment D. Windows exfatexperiment.bat [create|open|write] Only the create (Experiment A) argument will format and wipe the storage device. The script must be changed to reflect the volume GUID, which can be found after attaching the device and running mountvol from an administrator cmd prompt. The open (Experiment C), and the write (Experiment D). Both When it comes to experiment B, no script is used, instead we just restore the OS base image to a USB storage, then we manually mount and unmount without performing actions on the files.. In In Experiment E we restore to the OS base image, and then we connect it to the other OS and open, change, save and close the file manually using the selected graphical application. Then we make a forensic image.