Home‎ > ‎CIS 77‎ > ‎

Linux Forensics: Triage

In this lab you'll build on the skills you acquired last time. You'll use Kali or another Linux forensic tool to do triage on a Windows partition.


Taking forensic images can be very time consuming and somtimes uncecessary if you can find the information you're looking for. In this lab you'll learn how to do offiline image acquisition using Linux. Then you'll use Kali on your own machine to see where how the data on your own disk is arranged.

NetLab+ Lab 04: Forensic Acquisition using Linux Tools

Do Lab 04 in NetLab+. In the lab you'll create forensic images using CAINE. Do all parts. When you're done with parts 2 and 3 take a screenshot of the output of the ls -l command. Submit the screenshots with this assignment.

Examine Disk Usage 

Boot into the Linux forensic tool of your choice. You can use the same one that you used for the last lab or pick a different one. Just like in the previous lab use Linux to mount your hard drive. Be sure to mount it read only! If you get an error about the filesystem being in a bad state it's because Windows is hibernating. You can bypass the error by mounting read only. 

Find the path of your Windows or OSX partition using the command: 


Once you've identified the path where Windows or OSX is mounted run the following command:

baobab /path/to/your_os/here 

The command will open a program that will analyze where your files are. It may take a long time to finish. When it does take a screenshot of the output. 

Turn In
  1. A screenshot of part 2 of the NetLab+ lab
  2. A screenshot of part 3 of the NetLab+ lab
  3. A screenshot showing where space on your computer is used. 
Submit your homework on canvas.


  • 10 points for the NetLab+ screenshots
  • 10 points for the output of baobab