Computer Science Homework Help

Complete the lab.

Required textbook: Carrier, Brian, File System Forensic Analysis, Addison-Wesley, 2005, 569 pp. (ISBN 0-32-126817-2)

HW 04 NTFS Hands-on

Purpose: The purpose of this assignment is to better understand NTFS file system concepts by seeing and interpreting on-disk data, specifically an MFT entry. This assignment will also give you additional experience with recognizing, interpreting, and following data structures in general.

Turn in: Electronically submit answers to questions via Blackboard. Please just number/list your answers. Do not recreate/include the questions in your answers. Just list your numbered answers… no questions.

Instructions:

Location: This lab can be completed elsewhere with a sufficiently functioning hex editor. The lab was built with WinHex and the lab workstations in mind. You will do all of this within your Forensics virtual machine.

Required Materials: A small thumb drive, since you will be reformatting the thumb drive for this lab. You will also need your course textbook to reference data structure tables therein.

Media Preparation:

- Wipe the thumb drive via WinHex.
  - Insert the thumb drive into the VM.
  - Start WinHex.
  - Tools → Start Center → Open Disk → select the thumb drive under physical media (NOT logical drives). Make sure you select the correct media, or you will wipe the wrong thing!
  - Options → Edit Mode → In-Place Edit Mode
  - Edit → Select All
  - Edit → Fill Block … Fill with x00, 1 pass only
- Reformat the thumb drive with NTFS.
  - Return Edit Mode to “Read-Only” and close WinHex.
  - Format the drive with NTFS.
  - Default allocation size
  - Volume label → enter your last name
  - Select quick format

Use MyFragmenter (part of the MyDefrag command line utility, located on \\Condor\Public Share\Forensics (Beebe)\MyDefrag) to create a 22KB file containing random data, named random.txt.

- You must create a 2-fragment file [-p 2].

Note: if you run MyFragmenter as Administrator, the CMD box will persist, allowing you to take a screen print of the process output, as directed below.

“c:\Program Files\MyDefrag v4.3.1\MyFragmenter.exe” -s 22 -p <<X>> f:\random.txt (of course replacing paths and drive letters as appropriate).

Note: you are advised against cutting/pasting the command; doing so has been known to cause problems with CMD recognizing the command text properly.

Note: an alternative tool you may use is http://www.passmark.com/products/fragger.htm

Locate that file’s MFT entry in the thumb drive’s $MFT. Have WinHex traverse the file system; then you can right-click on the file, select Navigate, and then Go To FILE Record.

Take a screen shot of the command line results from running MyFragmenter. You MUST turn this in (and in a readable size) with your answers.

Take a screen shot of the first sector of the MFT record for random.txt. You MUST turn this in (and in a readable size) with your answers.

Now, analyze your MFT record answering the following questions. Use Ch. 13 data structure tables. If any are not applicable, explain why.

Table 13.1

1. What is the four-byte signature for the MFT entry in hex and ASCII?

2. Is this MFT entry allocated or unallocated? How do you know?

3. Does the MFT entry pertain to a file or a directory? How do you know? File;

4. How many bytes long is the MFT entry header? How do you know?

Tables 13.2 & 11.2

5. What is the TYPE of the first attribute? Give the formal attribute name, properly written, the hex number for that type, and the decimal number for that type.

Table 13.2

6. How long is the first attribute (in bytes)?

7. Is this attribute’s data resident or non-resident? How do you know?

Use Table 13.3 or 13.4, as appropriate

8. How many bytes (decimal) from the start of the attribute header to the attribute content?

Use Tables 13.5 and 13.6, as appropriate

9. When was this file created? (provide string and converted value)

10. When was this file last modified? (provide string and converted value)

11. When was this file last accessed? (provide string and converted value)

12. When was this file’s MFT entry last modified? (provide string and converted value)

13. Is this file a READ-ONLY file? How do you know?

14. Is this file a SYSTEM file? How do you know?

15. Is this file being indexed (for faster searches)? How do you know?

Tables 13.2, 11.2, & 13.7

16. What is the TYPE of the second attribute?

17. How long is the second attribute (in bytes)?

18. Briefly compare/contrast the date/time stamps found in the first and second attribute. Which ones are likely more accurate?

19. What is the name of the file this MFT entry pertains to?

Tables 13.2, 11.2, 13.3, and 13.4, as appropriate

20. What attribute is the $DATA attribute (1st, 2nd, 3rd, etc.)?

21. How long is the $DATA attribute (in bytes)?

22. Is the $DATA attribute’s data resident or non-resident?

Table 13.4

23. How many bytes from the start of the $DATA attribute is this file’s runlist located (“offset to the runlist”)?

24. What is the runlist as a data structure (exact on-disk data string)?

25. What are the starting cluster(s) for this file’s fragment(s) (in hex and decimal)?

26. How long (in clusters, decimal) is/are this file’s fragment(s)?

27. How many end of entry markers does it have? How do you know?

28. How could an MFT entry have more than one end of entry marker?
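As an added worked example (not part of the assignment or the textbook), the following Python decodes the two on-disk structures that questions 9–12 and 23–26 ask you to interpret by hand: an NTFS FILETIME timestamp (Tables 13.5/13.6) and a non-resident $DATA runlist (Table 13.4). The sample bytes are constructed for illustration, not taken from a real drive; the runlist mimics the assignment's 2-fragment file as six 4KB clusters split into two runs, with the second run placed before the first to show the signed relative offset.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(raw: bytes) -> datetime:
    """Decode a $STANDARD_INFORMATION / $FILE_NAME timestamp: an 8-byte
    little-endian count of 100 ns intervals since 1601-01-01 UTC."""
    ticks = int.from_bytes(raw, "little")
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def parse_runlist(data: bytes) -> list:
    """Decode an NTFS runlist into (start_cluster, length_in_clusters) tuples.

    Each run begins with a header byte: low nibble = size of the length
    field, high nibble = size of the offset field. The offset is SIGNED
    and RELATIVE to the previous run's start, so a fragment placed before
    the previous one on disk is encoded as a negative offset. A header of
    0x00 ends the list. A zero-size offset field marks a sparse run.
    """
    runs, pos, prev_start = [], 0, 0
    while pos < len(data) and data[pos] != 0x00:
        len_size, off_size = data[pos] & 0x0F, data[pos] >> 4
        pos += 1
        length = int.from_bytes(data[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            start = None                      # sparse run: no clusters on disk
        else:
            delta = int.from_bytes(data[pos:pos + off_size], "little", signed=True)
            pos += off_size
            start = prev_start + delta
            prev_start = start
        runs.append((start, length))
    return runs


# Constructed sample runlist (not from a real volume): run 1 is 3 clusters
# starting at cluster 0x1234; run 2 is 3 clusters at 0x1230, i.e. 4 clusters
# BEFORE run 1, encoded as the signed byte 0xFC (-4). The final 0x00 terminates.
SAMPLE_RUNLIST = bytes.fromhex("21 03 34 12 11 03 FC 00")
# Constructed FILETIME for 2015-01-01 00:00:00 UTC, stored little-endian.
SAMPLE_FILETIME = (130645440000000000).to_bytes(8, "little")

if __name__ == "__main__":
    for i, (start, length) in enumerate(parse_runlist(SAMPLE_RUNLIST), 1):
        print(f"fragment {i}: start cluster {start:#x} ({start}), {length} clusters")
    print("created:", filetime_to_datetime(SAMPLE_FILETIME))
```

To apply it to your own entry, paste the bytes WinHex shows at the "offset to the runlist" (question 23) into SAMPLE_RUNLIST and the 8-byte timestamp fields into SAMPLE_FILETIME.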

Go to the fragment location(s) on disk that you obtained from parsing the runlist. Verify the data is there.

Annotate the physical sector address of your MFT entry and THEN delete the file from your thumb drive.

29. Return to that physical location and identify what data has and has not changed in the MFT entry.

30. Now go to fragment locations on disk you previously identified. Is the data still there? Why or why not?
