1. Use the mmls command to display the partition table of the DD image provided.

2. What is the starting sector number for the NTFS partitions?

3. Display the partition contents of both NTFS partitions using the DD image provided.

4. Use the fsstat tool to show us information about both of the NTFS partition.

5. Use the ils command to list the inode numbers of all deleted files in each partition.

6. Use the istat command to parse the master file table and show us information about the master file table for each partition: such as creation time, file modification time, MFT modification time, and Accessed time.

7. Use icat to view the contents of the $MFT with inode0 on each partition

8. Use the iFind command to search for the pagefile.sys on each partition. Note the inode number that is returned.

9. Now use istat to find information about the pagefile.sys

10. Use the fls command to get a list of the files under each partition.

11. Use the fls command to browse the Users directory on the second partition.

12. find the metadata address for the ntdll.dll file using the ils tool and grep.

13. Use istat to find the allocated data units to the ntdll.dll.

14. Now use blkcat to view the contents of the data unit in hex.

15. Use blkls to display the unallocated cluster blkls in the 2nd NTFS partition.