
4-1 Fundamentals of Digital Forensics / Lab 2 NTFS / NTFS Methodology
1. Format the flash drive with the NTFS file system. Choose the cluster size yourself.
2. Write a file (for example, with a jpg extension) of about 100 KB to the flash drive.
3. Open the flash drive in Active@ File Recovery and its built-in Hex Viewer.
4. Perform a boot sector analysis.
Learn how to read hexadecimal information.
We can find the cluster size:
512 (sector size) * 8 (sectors per cluster) = 4096 bytes.
5. Analyze the MFT, attributes
For example, $Bitmap analysis.
In the $DATA attribute (type identifier 80h) we find the information about the data run:
31 3C C2 FF 0B
Decoding:
First nibble
3 - the number of bytes used to indicate the starting cluster: C2 FF 0B (note that the value is stored in reverse byte order, i.e. little-endian)
Second nibble
1 - the number of bytes used to indicate the number of contiguous clusters in the stream: 3C
Number of contiguous clusters in the stream:
3C hex = 60 dec (compare with the first VCN and last VCN in the attribute header; they confirm it)
This is 60 * 4096 = 245 760 bytes.
Offset: when there is only one data run, this value is the starting Logical Cluster Number (LCN).
0B FF C2 hex = 786370 dec
This gives the byte offset of $Bitmap: 786370 * 4096 = 3220971520.
We see which clusters are occupied and which are free.
6. We find the MFT record of our file, analyze the attributes
Think about what we need for the forensic analysis.
In the $DATA attribute (type identifier 80h) we find the information about the data run:
31 1A BD EC 0B
Decoding:
First nibble
3 - the number of bytes used to indicate the starting cluster: BD EC 0B (note that the value is stored in reverse byte order, i.e. little-endian)
Second nibble
1 - the number of bytes used to indicate the number of contiguous clusters in the stream: 1A
Number of contiguous clusters in the stream:
1A hex = 26 dec (compare with the first VCN and last VCN in the attribute header; they confirm it)
This is 26 * 4096 = 106 496 bytes.
Offset: when there is only one data run, this value is the starting Logical Cluster Number (LCN).
0B EC BD hex = 781501 dec
This gives the byte offset of our file: 781501 * 4096 = 3201028096.
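The hand decoding of the run lists in steps 5 and 6, written as a small script (an added example, not part of the lab handout). It generalizes the single-run case above to a full run list with signed relative offsets and sparse runs, and assumes the 4096-byte cluster size found in step 4.

```python
"""Decode an NTFS non-resident $DATA run list into LCNs and byte offsets."""

CLUSTER_SIZE = 512 * 8  # bytes per cluster, from the boot sector analysed in step 4

def decode_data_runs(runs: bytes, cluster_size: int = CLUSTER_SIZE) -> list:
    """Parse a run list: header byte, then cluster-count field, then offset field.

    Low nibble of the header = size of the cluster-count field, high nibble =
    size of the offset field; both are little-endian, which is why the bytes
    look reversed in the hex viewer. The offset of every run after the first
    is a signed delta from the previous run's LCN; offset size 0 = sparse run.
    """
    result, pos, lcn, vcn = [], 0, 0, 0
    while pos < len(runs) and runs[pos] != 0x00:  # 0x00 terminates the list
        header = runs[pos]
        len_size, off_size = header & 0x0F, header >> 4
        pos += 1
        clusters = int.from_bytes(runs[pos:pos + len_size], "little")
        pos += len_size
        if off_size:
            lcn += int.from_bytes(runs[pos:pos + off_size], "little", signed=True)
            pos += off_size
            start = lcn
        else:
            start = None  # sparse run: no clusters allocated on disk
        result.append({
            "vcn": vcn,
            "clusters": clusters,
            "lcn": start,
            "byte_offset": None if start is None else start * cluster_size,
            "byte_length": clusters * cluster_size,
        })
        vcn += clusters
    return result

def run_byte_range(run: dict) -> tuple:
    """Inclusive (first byte, last byte) of one run on the volume."""
    first = run["byte_offset"]
    return first, first + run["byte_length"] - 1

# Run lists copied from the lab above, with the 0x00 terminator appended.
BITMAP_RUNS = bytes.fromhex("31 3C C2 FF 0B 00")
FILE_RUNS = bytes.fromhex("31 1A BD EC 0B 00")

if __name__ == "__main__":
    for name, runs in (("$Bitmap", BITMAP_RUNS), ("our file", FILE_RUNS)):
        for run in decode_data_runs(runs):
            print(name, run, run_byte_range(run))
```

A run always covers whole clusters, so its last byte is start + length - 1; the real end of the file's content comes from the attribute header's real size field, and the rest of the last cluster is slack.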
7. We proceed to the analysis of the DATA area.
The first byte of our file is at offset 3201028096.
The last byte of our file is at offset 3201028096 + 106 496 = 3201134592.
Mark the first byte of our file.
Go to the last byte of our file and mark it.
Copy our file.
Open the hex editor and paste our file. Save it with the jpg extension.
Our file is saved.
Next, we carry out all the previous steps for the following cases:
1. The file is deleted and the analysis is repeated.
2. We carry out a quick format of the flash drive. We repeat the analysis, see what happened, and draw conclusions.
3. We carry out a full format of the flash drive. We repeat the analysis, see what happened, and draw conclusions.