Thanatology part 4: Filesystem Forensics with the Exhume ToolKit.
This blog post is part of the Thanatology blog post series. If you haven't checked it out, I recommend reading the following first:
- Thanatology part 1: Introduction to the Thanatology project
- Thanatology part 2: Multiple disk images formats handling using the Exhume ToolKit
- Thanatology part 3: MBR and GPT forensics with the Exhume ToolKit.
In the previous part, we saw how to perform partition discovery for the MBR and GPT layouts. The next step in the digital forensics examination of a disk image is to identify the type of filesystem present on a given partition and extract relevant data. In this blog post, we will first look at the concept of file systems in general. Next, we will explore how the Exhume toolkit is designed to understand multiple kinds of file systems, and introduce an abstraction module. Finally, we will share some updates on the Thanatology project.