Florida Atlantic University, Dec 6, 2023
ISM 4324 Computer Forensics
Lab 8
Project 8-1 Calculating Data Runs
Non-resident attributes are stored in contiguous intervals of clusters called runs. A data run is represented by its starting cluster and its length in clusters. The starting cluster of a run is coded as a signed offset relative to the starting cluster of the previous run (the first run is relative to cluster 0), so a negative offset means the next fragment lies earlier on the disk. Each run begins with a header byte: its low nibble gives the number of bytes used to store the length and its high nibble the number of bytes used to store the offset; a header byte of 0x00 ends the run list.
Hex   Attribute               Description
0x10  $STANDARD_INFORMATION   Timestamps, owner, file flags (read-only, hidden, ...)
0x20  $ATTRIBUTE_LIST         Locations of attribute records that do not fit in this MFT record
0x30  $FILE_NAME              File name (plus a second set of timestamps)
0x40  $OBJECT_ID              Object identifier (not common)
0x50  $SECURITY_DESCRIPTOR    Who owns the file and who can access it
0x80  $DATA                   File data if resident; otherwise the data runs that locate it
1. Download the image file from Canvas and mount it with FTK Imager. Then open the mounted drive with WinHex, using the Run as administrator option.
2. In this project we will browse the MFT and find the cluster information needed to carve the file in the next project. To find the attribute 0x80 field and its data run, first locate the starting and ending positions of attributes 0x10 and 0x30. In this record the next attribute after attribute 0x30 is attribute 0x80 (attributes are stored in ascending type order, so in other records a 0x40 or 0x50 attribute may sit between them).
3. In WinHex, click Search > Find Text and search for the file name Kayak4. Follow the picture below. Copyright © 2023 May not be copied, scanned, or posted, in whole or in part, except for use with the written permission.
4. Multiple search results indicate that the file name appears in more than one MFT record, i.e., the file was written to disk more than once. Take a screenshot of the result and paste it here.
5. Check each result and find one (e.g., at offset 360CF2; the offset can differ) that has the FILE0 header. Every MFT record begins with the 4-byte signature FILE (46 49 4C 45); the 0 that follows is the first byte of the update-sequence offset field (0x0030 on NTFS 3.1, i.e., Windows XP and later). Check one in $MFT.
6. Briefly explain what attributes 0x10, 0x30 and 0x80 are in the MFT of NTFS.
7. To find the starting position of attribute 0x10, go down 0x38 (56) bytes from the FILE signature. This is the offset of the first attribute, which is stored in the 2-byte field at record offset 0x14; read that field rather than assuming 0x38. Check the size shown at the bottom right; it tells you the size of the selection in bytes. (Check that hexadecimal offsets are enabled: Options > General > Hexadecimal offsets.)
8. Go down 0x60 bytes; attribute 0x30 starts next. 0x60 is the usual length of a resident $STANDARD_INFORMATION attribute; the exact length is the 4-byte field at offset 4 of the attribute header.
9. Go down 0x78 bytes; attribute 0x80 starts next. (The length of $FILE_NAME depends on the length of the name, so again read the length field at attribute offset 4.) From the starting position of attribute 0x80, count 0x40 bytes to the beginning of the first data run at offset (e.g., 000BD50). The 0x40 is the value of the 2-byte field at attribute offset 0x20, the offset to the data runs, and it is only meaningful when the non-resident flag (byte 8 of the attribute header) is 1; a resident $DATA attribute has no data runs. Now that you have found the data run's starting position, the next task is to calculate the starting and ending cluster positions of each data run fragment.
10. Click View > Show > Data Interpreter and check the box.
11. Click Options > Data Interpreter and follow the picture below.
12. In the picture above, hex 0B is the number of clusters in the data run (11 clusters). The byte just before it is the run header, whose low nibble says the length field is 1 byte and whose high nibble says the offset field is 2 bytes.
13. In the picture above, hex B3 00 is the starting logical cluster address (little-endian 0x00B3 = 179).
14. How many clusters are used for this file? Use the 8-bit data interpreter.
15. What is the starting logical cluster address? Use the 16-bit data interpreter.
Project 8-2 Carving Data Run Clusters Manually
1. We are using the same setup as in the previous project.
2. Click Navigation > Go To Sector.
3. In the Cluster text box, type 179 (the starting cluster decoded in Project 8-1).
4. In the hexadecimal pane, right-click the first byte at offset 00733184 (179 clusters x 8 sectors x 512 bytes = 733184 in decimal; the offset can differ).
5. Click Beginning of block to mark the data run's starting position.
6. Click Navigation > Go To Sector from the menu. In the Cluster text box, type 189 (179 + 11 - 1, the last cluster of the run), then click OK.
7. Note: 1 cluster = 8 sectors of 512 bytes = 4096 bytes in this image. In WinHex one sector is the span from one horizontal separator line to the next.
8. To mark the ending position for this data run, you need to include all the data in cluster 189. To do this, scroll down seven more sectors to the last byte of cluster 189 (decimal offset 778239 if the run started at 733184) and click End of block to mark the data run's ending position.
9. Click Edit > Copy Block > Into New File.
10. Take a screenshot of the carved picture and paste it here.
Project 8-3 Manual File Carving #2
1. Search for Kayak4 again and this time check the information at offset 3614F2 (i.e., the other hit in $MFT).
2. Carve the file using the technique above (Project 8-2).
3. The data are fragmented into three locations in this case.
4. First data run: 05 = number of clusters, F8 09 = cluster offset (little-endian 0x09F8 = 2552, relative to cluster 0). Clusters 2552 to 2556.
5. Second data run: 05 = number of clusters, BC = cluster offset (signed byte, -68 relative to 2552, giving 2484). Clusters 2484 to 2488 (five clusters starting at 2484).
6. Third data run: 01 = number of clusters, 4A = cluster offset (+74 relative to 2484, giving 2558). Cluster 2558.
7. Using Copy Block, make three data pieces, one per run, in run order.
8. Click Tools > File Tools > Concatenate.
9. Paste the carved image here. If the pieces are concatenated in the wrong order or a range is off by a cluster, the picture can appear as a broken shape.