pza0045-szc0239-DF-report-2

Page | 1 Fall 2023 COMP-6350 (Digital Forensics) By: Prof. Farah Kandah Done by: Pavan Kalyan Annadevara (pza0045) Satya Sai Teja Charla (szc0239) Date: September 20 th , 2023

Page | 2 Executive Summary A disk image has been provided by the instructor for the analysis of FAT16 and NTFS partitions and how to recover data from each properly by implementing various Digital Forensics technique that we’ve learned during course period. With the addition of SWIFT workstation and Active@ Disk Editor, We’ve manually recovered all files from each disk image. The disk image consists of three partitions of two FAT16 & one NTFS file systems. The type of files that can be found in these partitions are: # File System Contents Partition 1 FAT16 Documents -Email.docx, PDFs - Necklace.pdf & Gems.pdf, Image - Dash.jpg Partition 2 NTFS Files – Mystery.zip & Survile2.zip PDFs – Encoding.pdf Images – Surveil1.jpg Partition 3 FAT16 Files – Plan.gpg, Goal.gpg & Surveil.gpg Some files have also been removed such as Email.docx, Dash.jpg, Mystery.zip, Survile2.zip, Plan.gpg & Goal.gpg. Some security methods i.e., Password protection was implemented for zip file in the NTFS (from above table) and gpg files in partition 3. GPG files have been encrypted by using some encryption tools in Partition 3. Email.docx from partition 1 contains password for the two deleted zip files in the NTFS. Mystery.zip contains a text file which consists of hex-encoded string. When decoded it has passwords for gaining access to those gpg files.

Page | 4 Table of Contents: Summary………………………………………………………………………………………………………………………………………… 2 Collaboration Summary………………………………………………………………………………………………………………….. 3 List of Figures………………………………………………………………………………………………………………………………… 5 List of Tables…………………………………………………………………………………………………………………………………… 6 Introduction: • Partition 1 FAT16………………………………………………………………………………………………………………… • Partition 2 NTFS…………………………………………………………………………………………………………………. • Partition 3 FAT16………………………………………………………………………………………………………………… 7 8 12 16 Problem Statement………………………………………………………………………………………………………………………… 20 Methodology ………………………………………………………………………………………………………………………………… 20 Results & Discussion……………………………………………………………………………………………………………………… 21 Conclusion & Recommendations…………………………………………………………………………………………………… 22

Page | 5 List of Figures: Content Page no Figure i: Disk Information 6 Figure ii: Reserved area 7 Figure iii: Root Directory 7 Figure iv: Partition 1 – FAT16 8 Figure v: Email.docx recovery code 8 Figure vi: Necklace.pdf recovery code 8 Figure vii: Necklace.pdf file 9 Figure viii: Dash.jpg recovery code 9 Figure ix: Dash.jpg file 9 Figure x: Gems.pdf recovery code 10 Figure xi: Gems.pdf file 10 Figure xii: NTFS hexdump command 11 Figure xiii: MFT 11 Figure xiv: User generated file 12 Figure xv: Recovery of NTFS files 13 Figure xvi: Mystery.txt 13 Figure xvii: gpg files password 14 Figure xviii: Surveil.jpg 14 Figure xix: Partition 3 15 Figure xx: Partition 3 root directory 15 Figure xxi: Par3 FAT Recovery 16 Figure xxiii: Plan File 17 Figure xxiv: Goal.jpg 17 Figure xxv: email.docx 18

Page | 7 Project #1 INTRODUCTION : A file allocation table lists data clusters that hold file contents • The FAT only provides data cluster information and does not contain filenames, extensions, • or file sizes, those are provided in the root directory • The clusters in a FAT will provide consecutive values until an end of file (EOF) marker is • found (0xFFFF) • The FAT file system has a redundant FAT for integrity purposes NTFS, the primary file system for recent versions of Windows and Windows Server, provides a full set of features including security descriptors, encryption, disk quotas, and rich metadata. It can be used with Cluster Shared Volumes (CSV) to provide continuously available volumes that can be accessed simultaneously from multiple nodes of a failover cluster. After downloading the provided Disk image, we used the ‘ unzip’ command in the terminal and renamed it to ‘proj1.dd’ for our convenience. Command used: $ unzip Project1.zip $ mv Project1.dd proj1.dd #renaming the file to proj1 By using the fdisk command we can get the basic information related to the files, file system used…etc Figure i: Disk Information From the above image, we can see that • Each 1 sector is equal to 512 bytes • the partition 1 starts at 2048 meaning that the size disk header in the 1 st FAT16 is 2048 (from 0 to 2047). • We can also see that the sectors size is 512000 which actually is FAT area size. Now, we can skip ahead 2048 bytes to get to the reserved area of the partition to know more about the file. We can do that by using ‘ hexdump -C <file_name.dd> -s $((2048*512)) -n $((1*512)) ’ Where, hexdump gives us the contents of binary files in hexadecimal code -C to display the output, -s is a starting offset & -n is number of bytes/records Note: We are multiplying with 512 because we are finding the files in terms of sectors not bytes.

Page | 8 Partition 1: FAT16 Figure ii: Reserved area Therefore, we can extract the relevant information from the hexdump and skip to root directory to see if there are any files in the first partition. Again, we are using hexdump to skip to root directory by looking at the information that we got from above hexdump . Figure iii: Root directory File Extension Status Max File Size (Bytes) Count Max File Size (sectors) Cluster Sector Email docx Deleted 0x2db4 = 11700 11700 512 = 23 ⌈ 23 8 ⌉ ∗ 8 = 24 0x03 = 3 24 Necklace pdf Active 0x15131 = 8631 8631 512 = 169 ⌈ 169 8 ⌉ ∗ 8 = 176 0x06 = 6 48 Dash jpg Deleted 0xb656 = 46678 46678 512 = 92 ⌈ 92 8 ⌉ ∗ 8 = 96 0x1c = 28 224 Gems pdf Active 0xdc037 = 901175 901175 512 = 1761 ⌈ 1761 8 ⌉ ∗ 8 = 1768 0x28 = 40 320

Page | 10 Figure vii: Necklace.pdf file Figure viii: Dash.jpg recovery code Figure ix: Dash.jpg file

Page | 11 Figure x: Gems.pdf recovery code Figure xi: Gems.pdf file

Page | 13 Figure xiv: User generated file File Extension Attribute Status Bytes offset File size Recovery code Mystery .zip $DATA Deleted 263274496 to 263274754 258 sudo dd if=proj1.dd of=Mystery.zip bs=1 skip=263274864 count=258 Surveil1 .jpg (inside txt) $DATA Normal 329170944 to 335111168 11602 sudo dd if=proj1.dd of=Surveil1.jpg bs=512 skip=642912 count = 11602 Surveil2 .zip (inside jpg) $DATA Deleted 345931776 to 351655424 11179 sudo dd if=proj1.dd of=Mystery.zip bs=512 skip=263274864 count=11179 Encoding .pdf $DATA Normal 362708992 to 362813952 104632 sudo dd if=proj1.dd of=Mystery.zip bs=512 skip=708416 count=205 Table 3: Partition 2(i) Attributes Mystery Surveil1 Surveil2 Encoding 0x10 ✔ ✔` ✔ ✔ 0x30 ✔ ✔ ✔ ✔

Page | 14 0x50 ✔ ✔ ✔ ✔ 0x80 ✔ ✔ ✔ ✔ Table 4: Partition 2(ii) Recovery: Figure xv: Recovery of NTFS files Figure xvi: Mystery.txt

Page | 16 Partition 3 – FAT16 • The third partition is a FAT16 File which start from sector 1538048. Using hexdump command we obtained the FAT16 File and by using Boot sector table we made appropriate calculations: a) Bytes/Sectors = 512 b) Sectors/Cluster = 32 c) Reserved Area = 32 d) FAT’s = 2 e) Sectors/FAT = 192 Figure xix: Partition 3 • By skipping Reserved Area(32) + Two FATs (192+ 192) + Root Directory (32) we obtain Root Directory, and by using hexdump command we obtained .GPG files a) PLAN.gpg b) History.gpg c) Goal.gpg d) Surveil.gpg Figure xx: Partition 3 root directory

Page | 17 File Extension Status Max File Size (Bytes) Count Max File Size (sectors) Cluster Sector PLAN .gpg Deleted 0x1da0 = 7584 7584 512 = 15 ⌈ 15 32 ⌉ ∗ 32 = 16 0x03 = 3 96 History .gpg Normal 0x18d75a = 1627994 1627994 512 = 3180 ⌈ 3180 32 ⌉ ∗ 32 = 3200 0x04 = 4 128 Goal .gpg Deleted 0xbe14 = 48660 48660 512 = 96 ⌈ 96 32 ⌉ ∗ 32 = 96 0x0068 = 104 3328 Surveil .gpg Normal 0x1646 = 5702 5702 512 = 12 ⌈ 12 32 ⌉ ∗ 32 = 13 0x06b = 107 3424 Table 5: Partition 3(i) Files Attribute Time Date Plan.docx Archive 23:58:57 08-31-2020 History.pdf Archive 23:58:57 08-31-2020 Goal.jpg Archive 23:58:57 08-31-2020 Surveil.pdf Archive 23:58:57 08-31-2020 Table 6: Partition 3(ii) Recovery: Now that we have knowledge about where the files are residing, we can recover them by using dd command as follows, ‘ dd if=<file_name.dd> of=<extracted_file> bs=512 skip=num count=num ‘ Of = offset, bs= block size, skip = no.of sectors to be skipped & count = file size Figure xxi: Par3 FAT Recovery After recovering the files, when we tried to open up . gpg files it asked us to enter the passphrase in order to see what’s in the file.

Page | 19 Figure xxiv: Goal.jpg

Page | 20 Figure xxv: email.docx PROBLEM STATEMENT Our team was assigned the challenging task of extracting data from a provided disk image suspected to hold evidence related to potential criminal activities. Our mission involved the recovery of files from the disk, with an equal split between deleted files and those encrypted, or password protected. Our goal was to scrutinize the contents of these files, establish whether any incriminating evidence existed, and subsequently present our findings to either implicate or exonerate the individuals under investigation. METHODOLOGY After gathering essential information from the Linux Terminal (as shown in Figure i ), our team observed that the disk image comprised three distinct partitions: one formatted as FAT16, another as NTFS, and a third as FAT16. The initial FAT16 partition's root directory commenced at sector 2,568, and its contents are detailed in Table . Within this root directory, we managed to extract details such as file names (Email, Necklace, Dash, Gems), file extensions (.docx, .pdf, jpg, .pdf), with timestamps (00:20:25, 00:02:03, 00:12:34, 00:12:34) respectively on date (09/02/2020).