USB INVESTIGATION

This paper involves a file system exercise in which a 1GB, 2 partition USB drive was investigated. In order to
carry out this investigation, the Linux terminal, WinHex and The Sleuth Kit were used. The Sleuth Kit was first
downloaded, but as we did not have the necessary add-on files to run it, we had to install build-essential, which provided us with files such as g++, which is needed to run The Sleuth Kit.

Download and installation of The Sleuth Kit:
mishy@mishy-laptop:~$ sudo apt-get install build-essential
mishy@mishy-laptop:~$ sudo tar -xvzf sleuthkit-3.0.0.tar.gz
mishy@mishy-laptop:~$ cd sleuthkit-3.0.0/
mishy@mishy-laptop:~/sleuthkit-3.0.0$ ./configure
mishy@mishy-laptop:~/sleuthkit-3.0.0$ sudo make
mishy@mishy-laptop:~/sleuthkit-3.0.0$ sudo make install

FAT Boot Sector

Common structure used by all FAT versions [UTECH]:

Bytes     Content
0-2       Jump to bootstrap (e.g. eb 3c 90; on i86: JMP 003E NOP. One finds either eb xx 90, or e9 xx xx. The position of the bootstrap varies.)
3-10      OEM name/version (e.g. "IBM  3.3", "IBM 20.0", "MSDOS5.0", "MSWIN4.0". Various format utilities leave their own name, like "CH-FOR18". Sometimes just garbage. Microsoft recommends "MSWIN4.1".)
          /* BIOS Parameter Block starts here */
11-12     Number of bytes per sector (512). Must be one of 512, 1024, 2048, 4096.
13        Number of sectors per cluster (1). Must be one of 1, 2, 4, 8, 16, 32, 64, 128. A cluster should have at most 32768 bytes. In rare cases 65536 is OK.
14-15     Number of reserved sectors (1). FAT12 and FAT16 use 1. FAT32 uses 32.
16        Number of FAT copies (2)
17-18     Number of root directory entries (224). 0 for FAT32. 512 is recommended for FAT16.
19-20     Total number of sectors in the filesystem (2880) (in case the partition is not FAT32 and smaller than 32 MB)
21        Media descriptor type (f0: 1.4 MB floppy, f8: hard disk; see below)
22-23     Number of sectors per FAT (9). 0 for FAT32.
24-25     Number of sectors per track (12)
26-27     Number of heads (2, for a double-sided diskette)
28-29     Number of hidden sectors (0). Hidden sectors are sectors preceding the partition.
          /* BIOS Parameter Block ends here */
30-509    Bootstrap
510-511   Signature 55 aa

FAT16 uses the above BIOS Parameter Block, with some extensions:

11-27     (as before)
28-31     Number of hidden sectors (0)
32-35     Total number of sectors in the filesystem (in case the total was not given in bytes 19-20)
36        Logical Drive Number (for use with INT 13, e.g. 0 or 0x80)
37        Reserved (earlier: Current Head, the track containing the Boot Record). Used by Windows NT: bit 0: need disk check; bit 1: need surface scan
38        Extended signature (0x29). Indicates that the three following fields are present. Windows NT recognizes either 0x28 or 0x29.
39-42     Serial number of partition
43-53     Volume label or "NO NAME    "
54-61     Filesystem type (e.g. "FAT12   ", "FAT16   ", "FAT     ", or all zero)
62-509    Bootstrap
510-511   Signature 55 aa

FAT32 uses an extended BIOS Parameter Block:

11-27     (as before)
28-31     Number of hidden sectors (0)
32-35     Total number of sectors in the filesystem
36-39     Sectors per FAT
40-41     Mirror flags. Bits 0-3: number of active FAT (if bit 7 is 1); bits 4-6: reserved; bit 7: one: single active FAT, zero: all FATs are updated at runtime; bits 8-15: reserved
42-43     Filesystem version
44-47     First cluster of root directory (usually 2)
48-49     Filesystem information sector number in FAT32 reserved area (usually 1)
50-51     Backup boot sector location, or 0 or 0xffff if none (usually 6)
52-63     Reserved
64        Logical Drive Number (for use with INT 13, e.g. 0 or 0x80)
65        Reserved - used to be Current Head (used by Windows NT)
66        Extended signature (0x29). Indicates that the three following fields are present.
67-70     Serial number of partition
71-81     Volume label
82-89     Filesystem type ("FAT32   ")

Image 1 MASTER BOOT RECORD

Image 1 shows the structure of the master boot record of the USB drive (the image marks the boot code, the partition table addresses in hex and the MBR signature). From here we can see that this USB device has two partitions. As the values are stored little-endian, we need to read them least significant byte first.

The starting LBA address of partition 1 is at hex address 1C6 to 1C9, which holds 801F0000. Least significant byte first this is 00001F80, which converts to 8064 decimal, so the starting address of partition 1 is sector 8064. The size of the first partition is at hex address 1CA to 1CD, which holds 3E130F00. This produces the hex value 000F133E, which converts to 987966 sectors.

The starting LBA address of partition 2 is at hex address 1D6 to 1D9, which holds BE320F00. Least significant byte first this is 000F32BE, which converts to 996030 decimal, so the starting address of partition 2 is sector 996030. The size of the second partition is at hex address 1DA to 1DD, which holds 41AD0E00. This produces the hex value 000EAD41, which converts to 961857 sectors.

The size of the USB device is (reserved sectors + size of Partition 1 + size of Partition 2) * 512 = (34 + 987966 + 961857) * 512 = 998326784 bytes (974929 Kbytes or 952 MBytes).

Image 2
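The little-endian decoding above, as an added Python example that is not part of the original report: it builds a test MBR from the report's LBA values (the partition type bytes are assumed, since the report does not give them), reads the four table entries back, shows the raw bytes at 1C6/1CA/1D6/1DA, and adds the consistency check that partition 2 begins in the sector right after partition 1 ends (8064 + 987966 = 996030).

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 0x1BE   # four 16-byte partition entries; the 55 AA signature follows at 0x1FE


def make_mbr(entries):
    """Constructed MBR for testing: entries are (type, start_lba, size_in_sectors)."""
    mbr = bytearray(SECTOR_SIZE)
    for i, (ptype, start, size) in enumerate(entries):
        # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        struct.pack_into("<B3sB3sII", mbr, TABLE_OFFSET + 16 * i,
                         0x80 if i == 0 else 0x00, b"\0\0\0", ptype, b"\0\0\0", start, size)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


def raw_field(sector, offset, length=4):
    """The bytes exactly as they sit on disk, e.g. '801f0000' at 0x1C6 (little-endian)."""
    return sector[offset:offset + length].hex()


def parse_partition_table(sector):
    """Decode the four MBR entries, little-endian, returning only the ones in use."""
    if len(sector) < SECTOR_SIZE or sector[510:512] != b"\x55\xaa":
        raise ValueError("no 55 AA signature: not an MBR")
    parts = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        status, ptype, start, size = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0 or size == 0:
            continue
        parts.append({"number": i + 1, "status": status, "type": ptype,
                      "lba_offset": off + 8, "size_offset": off + 12,
                      "start_lba": start, "size": size, "end_lba": start + size - 1})
    return parts


def check_layout(parts):
    """Checks worth making before trusting the offsets as dd skip= values:
    partitions must not overlap, and any gap between them is unallocated space."""
    problems = []
    ordered = sorted(parts, key=lambda p: p["start_lba"])
    for a, b in zip(ordered, ordered[1:]):
        if b["start_lba"] <= a["end_lba"]:
            problems.append(f"partitions {a['number']} and {b['number']} overlap")
        elif b["start_lba"] != a["end_lba"] + 1:
            gap = b["start_lba"] - a["end_lba"] - 1
            problems.append(f"{gap} unallocated sectors between partitions {a['number']} and {b['number']}")
    return problems


def device_bytes_spanned(parts):
    """Bytes from sector 0 to the end of the last partition."""
    return (max(p["end_lba"] for p in parts) + 1) * SECTOR_SIZE


# LBA and size values as found in the report's MBR; the partition type bytes
# (0x0C FAT32 LBA, 0x06 FAT16) are assumed, as the report does not give them.
SAMPLE_MBR = make_mbr([(0x0C, 8064, 987966), (0x06, 996030, 961857)])

if __name__ == "__main__":
    parts = parse_partition_table(SAMPLE_MBR)
    for p in parts:
        print(f"partition {p['number']}: start {raw_field(SAMPLE_MBR, p['lba_offset'])} -> {p['start_lba']}, "
              f"size {raw_field(SAMPLE_MBR, p['size_offset'])} -> {p['size']} sectors, end {p['end_lba']}")
    print(check_layout(parts) or "partitions are contiguous")
    print(f"sectors 0..{max(p['end_lba'] for p in parts)} = {device_bytes_spanned(parts)} bytes")
```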

Image 2 shows that the USB drive does in fact have two partitions on a Linux Ubuntu system.

FIRST PARTITION

As mentioned earlier, the LBA of the first partition starts at sector 8064; this is why we skipped those sectors to get to the first partition.

File Output 1
mishy@mishy-laptop:~$ dd if=/dev/sdb count=1 skip=8064 | xxd > First_Partition

File Output 1 shows the first sector (the FAT boot sector) of the first partition. From this output we can view important information about the partition. We can see the OEM Name as being MSDOS5.0. The important information from the partition is the following:

BytesPerSector = 512
SectorsPerCluster = 8
ReservedSectorCount = 34
NumberofFAT = 2
NumberOfRootDirectories = 0 (always 0 for FAT32)
SectorsPerFAT = 963
RootCluster = 237
FSInfo = 1
CopyBootSector = 6
VolumeLabel = Part1
FATType = FAT32
BootSignature = 55AA

File Output 2
mishy@mishy-laptop:~$ sudo dd if=First_Partition count=1 skip=6 | xxd > BackUpBoot

File Output 2 shows the backup copy of the boot sector. This is located at sector 6.

File Output 3
mishy@mishy-laptop:~$ sudo dd if=First_Partition count=1 skip=34 | xxd > FirstFAT

File Output 3 shows a segment of the first copy of the FAT in Partition 1. The first copy of the FAT is located just after the reserved sector count. The highlighted section shows the reserved section at the start of the FAT, followed by the entry for cluster 2.

File Output 4
mishy@mishy-laptop:~$ sudo dd if=First_Partition count=1 skip=997 | xxd > SecondFAT

File Output 4 shows a segment of the second copy of the FAT in Partition 1. This copy is located just after the first FAT + reserved sectors. From above we can see that the size of the first FAT (963 sectors) + 34 reserved sectors = 997, which is where the second FAT is located.

The following output provides all the content of the FAT structure for the first partition of the USB drive. It shows us the OEM name, volume information and how the file system has been laid out, along with other information. It also shows us where file sectors start and end and also the location of the Root Directory. The first data segment is located after the reserved sectors and the 2 FATs, which means that it is located at sector 34 + 963 + 963 = 1960, i.e. cluster 2.

File Output 5
mishy@mishy-laptop:~$ sudo fsstat -f fat FullFirstPartition.dd
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: FAT32

OEM Name: MSDOS5.0
Volume ID: 0x6e586f60
Volume Label (Boot Sector): Part1
Volume Label (Root Directory): Part1
File System Type Label: FAT32
Next Free Sector (FS Info): 2064
Free Sector Count (FS Info): 962120

Sectors before file system: 8064

File System Layout (in sectors)
Total Range: 0 - 987965
* Reserved: 0 - 33
** Boot Sector: 0
** FS Info Sector: 1
** Backup Boot Sector: 6
* FAT 0: 34 - 996
* FAT 1: 997 - 1959
* Data Area: 1960 - 987965
** Cluster Area: 1960 - 987959
*** Root Directory: 3840 - 3847
** Non-clustered: 987960 - 987965

METADATA INFORMATION
--------------------------------------------
Range: 2 - 15776102
Root Directory: 2

CONTENT INFORMATION
--------------------------------------------
Sector Size: 512
Cluster Size: 4096
Total Cluster Range: 2 - 123251

FAT CONTENTS (in sectors)
--------------------------------------------
1960-2023 (64) -> EOF
2032-2039 (8) -> EOF
2040-2047 (8) -> EOF
2048-2055 (8) -> EOF
2056-2063 (8) -> EOF
2064-2071 (8) -> EOF
3840-3847 (8) -> EOF
3856-4407 (552) -> EOF
4408-4639 (232) -> EOF
4640-5199 (560) -> EOF
5200-5287 (88) -> EOF
5288-12031 (6744) -> EOF
12032-12039 (8) -> EOF
12040-27247 (15208) -> EOF
27248-27623 (376) -> EOF

From the boot sector we found out that the root directory is located at cluster 237. The location of this directory was found in the information provided by File Output 1.

File Output 6
mishy@mishy-laptop:~$ sudo dd if=First_Partition count=1 skip=3840 | xxd > Root_Dir

File Output 6 shows the root directory in Partition 1 (the Part1 entry has file attribute 08, which means volume label). Highlighted entries in yellow are the attributes of the various files: entries with file attribute 10 are directories, and entries with file attribute 20 are archive files. Entries with attribute 0F are long file name entries. Highlighted E5 values show files that have been deleted; deleted files are not removed from the drive but only marked with an E5 signature. From this image we can see other directories, files and deleted files.

Files in the root directory appear in the order in which they are clustered, i.e. in the order of their start clusters. From investigation using WinHex the size of the file starting at cluster 2 was 29.8KB, which is 30515 bytes. Because there are 4096 bytes (512 BytesPerSector * 8 SectorsPerCluster) per cluster, it was calculated that this file took up 8 clusters, so the next file would be at cluster 11. From the FAT table this file was located and turned out to be the trash folder with deleted files. When files are deleted in Windows they are sent to the trash folder. From the disk level these files cannot be seen and one would think they have actually been deleted. Even though the files have been deleted they can still be accessed from this folder when using special software. The size of this folder is 4KB, which is the size of one cluster. From the FAT table, clusters 16 to 236 are free. Cluster 238 was also free, and the next file started at cluster 239.

Other files in the root directory in order of clusters include: Chapter9FATExample[1].ppt starts at cluster 239 and takes up 68 clusters, so DriveInvestigation.pdf would occupy the clusters after Chapter9_FAT.ppt. The size of this file was 275KB and took up 68 clusters, so the next file would be located at cluster 308, and so on. These files are: DriveInvestigation.pdf, winhexManual.pdf, EOD.xls and BIRD.jpg.

There is also a directory called NEWFOLDER2 and a deleted directory called NTITL. Values highlighted in blue represent the size of each of those files. Highlighted entries in green are the start clusters of each of the files. For example, the first cluster for Chapter9_FAT.ppt is stored as EF00, i.e. 0X00EF = 239, so the first cluster for that file is cluster 239. The size of Chapter9_FAT.ppt is stored as 004A 0400, i.e. 0X00044A00, which is 281088 bytes and takes up 68 clusters.

File Output 7
mishy@mishy-laptop:~$ sudo dd if=First_Partition count=1 skip=3856 | xxd > First_File

File Output 7 shows the output of cluster 239, which is the file after the root directory. From the root directory we saw that this was the first file in the directory, followed by the deleted file DriveInvestigation.pdf. The file signature of a .ppt file is D0CF 11E0.

Image 3
mishy@mishy-laptop:~$ sudo dd if=First_Partition count=1 skip=4408 | xxd > Second_File

Image 3 shows the output of the second file of the root directory, DriveInvestigation.pdf. From the root directory we could see that this file was actually deleted, but it is retrievable as we can see. The file signature of a .pdf is 2550 4446.

Image 4
mishy@mishy-laptop:~$ sudo dd if=First_Partition count=1 skip=4640 | xxd > Third_File

Image 4 shows the output of the third file of the root directory, winhexManual.pdf. We can see that the file signatures in images 3 and 4 are the same, as they are both .pdf files.

Image 5
mishy@mishy-laptop:~$ sudo dd if=First_Partition count=1 skip=5200 | xxd > Fourth_File

Image 5 shows the output of the fourth file of the root directory, EOD.xls. The file signature for an .xls file is D0CF 11E0.

File Output 8
mishy@mishy-laptop:~$ sudo dd if=First_Partition count=1 skip=5288 | xxd > Fifth_File

File Output 8 shows the output of the fifth file in the root directory, BIRD.JPG. We could prove that this was an image file from the file signature, FFD8 FFE0, followed by the JFIF and Exif markers. This file's extension was changed to .txt at disk level, but when analysed using WinHex the file header did not change and came back as JFIF, as we can see. From the root directory we could see that this file also had been deleted but is still viewable with low level programs.

Image 7
mishy@mishy-laptop:~$ sudo dd if=First_Partition count=1 skip=2032 | xxd > Trash

Image 7 shows the trash folder of partition one. The .Trash-1000 folder is created when a USB or external hard drive is attached to a Linux based system. This folder holds the files that have been deleted from the drive.
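An added Python example (not the report's own code) that decodes 8.3 and long-name directory entries as described above and then compares each file's signature with its extension, the check that exposed the renamed BIRD.JPG. The directory and the first-cluster bytes are constructed to mirror File Output 6; the sizes of the deleted PDF and of the image are made up, and the partition geometry (data area at sector 1960, 8 sectors per cluster) is the report's.

```python
import struct

ATTR_NAMES = {0x01: "read-only", 0x02: "hidden", 0x04: "system",
              0x08: "volume label", 0x10: "directory", 0x20: "archive"}
LFN_ATTR, DELETED = 0x0F, 0xE5
# Geometry of the report's first partition (from its boot sector / fsstat output)
DATA_START, SECTORS_PER_CLUSTER, BYTES_PER_SECTOR = 1960, 8, 512
CLUSTER_BYTES = SECTORS_PER_CLUSTER * BYTES_PER_SECTOR   # 4096
SIGNATURES = [(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2", {"ppt", "xls", "doc"}),
              (b"%PDF", "pdf", {"pdf"}), (b"\xff\xd8\xff", "jpeg", {"jpg", "jpeg"}),
              (b"GIF8", "gif", {"gif"})]


def lfn_checksum(short11):
    """Checksum of the 11-byte short name that every LFN entry must carry."""
    s = 0
    for b in short11:
        s = (((s & 1) << 7) + (s >> 1) + b) & 0xFF
    return s


def make_sfn(name, ext, attr, start_cluster, size, deleted=False):
    """Constructed 32-byte 8.3 entry (timestamps zeroed): name 0-7, ext 8-10, attr 11,
    start cluster high word 20-21, low word 26-27, size 28-31."""
    e = bytearray(32)
    e[0:8], e[8:11], e[11] = name.ljust(8).encode(), ext.ljust(3).encode(), attr
    struct.pack_into("<H", e, 20, start_cluster >> 16)
    struct.pack_into("<HI", e, 26, start_cluster & 0xFFFF, size)
    if deleted:
        e[0] = DELETED                      # first name byte overwritten, rest stays
    return bytes(e)


def make_lfn(long_name, sfn):
    """Constructed LFN entries (attr 0F) for a name: 13 UTF-16 chars per entry, last entry first."""
    units = long_name.encode("utf-16-le") + b"\x00\x00"
    units += b"\xff" * (-len(units) % 26)
    slots = [units[i:i + 26] for i in range(0, len(units), 26)]
    out, chk = b"", lfn_checksum(sfn[0:11])
    for n in range(len(slots), 0, -1):
        seq = n | (0x40 if n == len(slots) else 0)   # 0x40 flags the last (first on disk) entry
        u = slots[n - 1]
        out += bytes([seq]) + u[0:10] + bytes([LFN_ATTR, 0, chk]) + u[10:22] + b"\0\0" + u[22:26]
    return out


def parse_directory(data):
    """Walk 32-byte entries, joining LFN pieces onto the 8.3 entry that follows them."""
    records, pieces = [], {}
    for off in range(0, len(data), 32):
        e = data[off:off + 32]
        if e[0] == 0x00:                          # no entries after this point
            break
        if e[11] == LFN_ATTR:
            if e[0] != DELETED:
                pieces[e[0] & 0x1F] = (e[1:11] + e[14:26] + e[28:32], e[13])
            continue
        long_name = None
        if pieces and all(chk == lfn_checksum(e[0:11]) for _, chk in pieces.values()):
            raw = b"".join(pieces[k][0] for k in sorted(pieces))
            long_name = raw.decode("utf-16-le").split("\x00")[0]
        pieces = {}
        deleted = e[0] == DELETED
        base = ("_" if deleted else e[0:1].decode("latin-1")) + e[1:8].decode("latin-1").rstrip()
        short = (base + "." + e[8:11].decode("latin-1").rstrip()).rstrip(".")
        start = (struct.unpack_from("<H", e, 20)[0] << 16) | struct.unpack_from("<H", e, 26)[0]
        size = struct.unpack_from("<I", e, 28)[0]
        records.append({
            "name": long_name or short, "short": short, "deleted": deleted,
            "attr": [n for bit, n in ATTR_NAMES.items() if e[11] & bit],
            "start_cluster": start, "size": size,
            "first_sector": DATA_START + (start - 2) * SECTORS_PER_CLUSTER if start >= 2 else None,
            "clusters": -(-size // CLUSTER_BYTES)})
    return records


def signature_check(record, header):
    """Compare the magic bytes at the file's first cluster with what its extension claims."""
    ext = record["name"].rsplit(".", 1)[-1].lower() if "." in record["name"] else ""
    for magic, kind, exts in SIGNATURES:
        if header.startswith(magic):
            return kind, ext in exts
    return "unknown", None


def sample_root_dir():
    """Constructed root directory modelled on File Output 6. Sizes of the deleted PDF and the
    image are made up; BIRD is given the .txt name the report says it was renamed to."""
    ppt = make_sfn("CHAPTE~1", "PPT", 0x20, 239, 281088)
    img = make_sfn("BIRD", "TXT", 0x20, 418, 40000)
    return (make_sfn("Part1", "", 0x08, 0, 0) + make_lfn("Chapter_9_FAT_Example[1].ppt", ppt) + ppt
            + make_sfn("DRIVEI~1", "PDF", 0x20, 308, 281600, deleted=True)
            + make_lfn("BIRD.txt", img) + img + make_sfn("TRASH-~1", "", 0x10, 11, 0))


# Constructed first bytes of each file's first cluster (what dd | xxd of that sector begins with)
FIRST_BYTES = {239: b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00", 308: b"%PDF-1.4\n",
               418: b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"}

if __name__ == "__main__":
    for r in parse_directory(sample_root_dir()):
        verdict = signature_check(r, FIRST_BYTES[r["start_cluster"]]) if r["start_cluster"] in FIRST_BYTES else ""
        print(r["name"], r["attr"], "deleted" if r["deleted"] else "", "cluster", r["start_cluster"],
              "sector", r["first_sector"], "size", r["size"], "clusters", r["clusters"], verdict)
```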

mishy@mishy-laptop:~$ sudo fls -f fat FullFirstPartition.dd
r/r 30087: Chapter_9_FAT_Example[1].ppt
r/r * 30090: DriveInvestigation.pdf
r/r 30093: Winhex Manual.pdf
r/r * 30095: EOD.xls
r/r 30096: BIRD.JPG
d/d 30098: .Trash-1000
d/d * 30099: _NTITL~1
d/d 30101: NEWFOLDER2
v/v 15776099: $MBR
v/v 15776100: $FAT1
v/v 15776101: $FAT2
d/d 15776102: $OrphanFiles

Above we can see the output of the fls command, which shows the long file names in the root directory, as also seen in File Output 6. Entries with an asterisk mean that the file has been deleted, as can also be seen in File Output 6 with the E5 hex values.

File Output 9
mishy@mishy-laptop:~$ sudo dd if=First_Partition count=1 skip=12032 | xxd > NEWFOLDER

File Output 9 shows the contents of the directory NEWFOLDER2 in the root directory. Highlighted sections are file attributes, file sizes and file start clusters. NEWFOLDER2 contains: CFProfession.pdf, ReportAid.pdf and scarylaser.gif. We can see that scarylaser.gif is the first file in the entire root directory as it starts at cluster 2 (0X0200).

SECOND PARTITION

File Output 10
mishy@mishy-laptop:~$ dd if=/dev/sdb count=1 skip=996030 | xxd > Second_Partition

File Output 10 shows the first sector of the second partition. From this image we can view important information about the partition. We can see the OEM Name as being PARAGON; this was the program used to create the second partition (the boot code carries the string "(C) Paragon 1997-1999"). We also noticed that we had a backup boot sector for the first partition but none for the second partition. The important information from the partition is the following:

BytesPerSector = 512
SectorsPerCluster = 16
ReservedSectorCount = 1
NumberofFAT = 2
NumberOfRootDirectories = 512
TotalSectors = 961857
SectorsPerFAT = 235
ExtendedBootSig = 29
VolumeLabel = Part2
FATType = FAT16
BootSignature = 55aa

We can see that this is a FAT16 partition, so information is retrieved differently from the first partition. The same investigation was done on the second partition. We can see that the default cluster size of the first partition was 4KB while the default cluster size for FAT16 is 8KB; this shows that FAT16 wastes more space than FAT32.

File Output 11
mishy@mishy-laptop:~$ sudo dd if=Second_Partition count=1 skip=1 | xxd > FAT1

File Output 11 shows the first FAT of partition 2. The first FAT is located after the reserved sector count.

File Output 12
mishy@mishy-laptop:~$ sudo dd if=Second_Partition count=1 skip=236 | xxd > FAT2

File Output 12 shows the second FAT of partition 2, which is located after the reserved sector and the first FAT.

File Output 13
mishy@mishy-laptop:~$ sudo fsstat -f fat FullSecondPartition.dd
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: FAT16

OEM Name: PARAGON#
Volume ID: 0x1cd51cd5
Volume Label (Boot Sector): Part2
Volume Label (Root Directory): Part2
File System Type Label: FAT16

Sectors before file system: 996030

File System Layout (in sectors)
Total Range: 0 - 961856
* Reserved: 0 - 0
** Boot Sector: 0
* FAT 0: 1 - 235
* FAT 1: 236 - 470
* Data Area: 471 - 961856
** Root Directory: 471 - 502
** Cluster Area: 503 - 961846
** Non-clustered: 961847 - 961856

METADATA INFORMATION
--------------------------------------------
Range: 2 - 15382182
Root Directory: 2

CONTENT INFORMATION
--------------------------------------------
Sector Size: 512
Cluster Size: 8192
Total Cluster Range: 2 - 60085

FAT CONTENTS (in sectors)
--------------------------------------------
519-566 (48) -> EOF
567-582 (16) -> EOF
583-4390 (3808) -> EOF
4391-4566 (176) -> EOF
4567-4582 (16) -> EOF
4583-4598 (16) -> EOF
4599-4614 (16) -> EOF
4615-4630 (16) -> EOF

File Output 14
mishy@mishy-laptop:~$ sudo dd if=Second_Partition count=1 skip=471 | xxd > RootDir

File Output 14 shows the root directory of the second partition. The first entry is the volume name, Part2. The root directory is located after the reserved sector and the 2 FATs. From this we can see that the image mish_back.jpg has been deleted along with the directory NTITL.

mishy@mishy-laptop:~$ sudo fls -f fat FullSecondPartition.dd > Files
r/r 6: Technology.odt
r/r * 8: mish_back.JPG
d/d * 9: _NTITL~1
d/d 11: NEWFOLDER
r/r 16: NEW TELLER CASH TRANSFER (final draft).doc
d/d 18: .Trash-1000
v/v 15382179: $MBR
v/v 15382180: $FAT1
v/v 15382181: $FAT2
d/d 15382182: $OrphanFiles

The above file output shows the files contained in Partition 2. We can see that the file mish_back.jpg and the directory NTITL have been deleted.

Image 8 Partition 1
Image 9 Partition 2

Images 8 and 9 above show the free space on Partition 1 and Partition 2. They also show the volume slack where some users may hide information.

File Output 15
mishy@mishy-laptop:~$ sudo dd if=BSNEW.dd of=/dev/sdb count=1
1+0 records in
1+0 records out
512 bytes (512 B) copied, 9.6666e-05 s, 5.3 MB/s

Image 10
Image 11

From images 10 and 11 and File Output 15 above, we can see that partition 2 has been removed. This was done by zeroing out partition two as seen above and saving the result (BSNEW.dd) back to the USB drive. It now looks like the USB drive only has one partition.

This can be reverted by using the original image of the MBR with two partitions and saving it to the USB drive, which was done.

References

[UTECH] University of Technology, Netherlands. FAT File System [Online]. Available at: http://www.win.tue.nl/~aeb/linux/fs/fat/fat-1.html (last accessed 6-01-09).
