
Filesystem exercise

• FTK imager -> Add Evidence item -> Image File

• “dfr-02-fat.dd”
MBR – Physical sector 0, partition 1 (16-byte partition table entry):
00 02 03 00 01 07 06 01 80 00 00 00 00 40 00 00

00 – Not bootable volume (80 for bootable)
02 03 00 – Start of volume written in CHS format
01 – Partition type
07 06 01 – End of volume written in CHS format
80 00 00 00 – Relative start sector of volume in LBA (little-endian: 0x80 = 128)
00 40 00 00 – Total sectors (little-endian: 0x4000 = 16384)

Partition 2:
00 07 07 01 06 1B 16 05 80 40 00 00 00 00 01 00

__ – bootable volume
__ __ __ – Start of volume written in CHS format
__ – Partition type
__ __ __ – End of volume written in CHS format
__ __ __ __ – Relative start sector of volume in LBA
__ __ __ __ – Total sectors
VBR of Partition 2
The VBR of partition 2 resides at physical sector 16512 (the relative start sector 80 40 00 00 from its partition table entry, read little-endian: 0x4080 = 16512).

OEM name = “MSDOS5.0” -> FAT

Bytes per sector = 00 02 (little-endian: 0x0200 = 512)

Sectors per cluster = 02 (so one cluster is 2 x 512 = 1024 bytes)


FAT of the Partition2

F8 FF FF FF 00 00 04 00 FF FF 00 00 00 00 08 00
FF FF 00 00 00 00 0C 00 FF FF 00 00 00 00 00 00

Read as 16-bit entries (byte pairs shown in disk order), one entry per cluster:

Cluster:  0    1    2    3    4    5    6    7
Entry:    F8FF FFFF 0000 0400 FFFF 0000 0000 0800
Cluster:  8    9    10   11   12   13   14   15
Entry:    FFFF 0000 0000 0C00 FFFF 0000 0000 0000

Entry 3 holds 0x0004 (next cluster = 4) and entry 4 holds 0xFFFF (end of chain), so the file using cluster 3 will also use cluster 4.
Root directory of Partition 2 (Directory Entry)

41 4C 43 4F 52 20 20 20 54 58 54 | 20 | 00 | 64 | 66 73 | 99 3F | 21 26 | 00 00 | 20 10 | 21 26 | 03 00 | 00 08 00 00

Offset  Field                   Bytes                Decoded
0-10    8.3 name                41 4C 43 4F 52 ...   ALCOR.TXT
11      attribute               20
12      reserved                00
13      Ctime (in 10 ms)        64                   100 = 1.00 s
14-15   Ctime (h/m/s)           66 73                0x7366 = 01110 011011 00110
                                                     Hour = 14, Minute = 27, Second = 6 x 2 + 1 = 7
16-17   Cday (Y/M/D)            99 3F                0x3F99 = 0011111 1100 11001
                                                     Year = 1980 + 31 = 2011, Month = 12, Day = 25
18-19   Aday                    21 26                0x2621 = 0010011 0001 00001
                                                     Year = 1980 + 19 = 1999, Month = 1, Day = 1
20-21   high byte of cluster    00 00
22-23   Wtime                   20 10                0x1020 = 00010 000001 00000
                                                     Hour = 2, Minute = 1, Second = 0 x 2 = 0
24-25   Wday                    21 26
26-27   low byte of cluster     03 00                3
28-31   size                    00 08 00 00          2048 (byte)

So that means ALCOR.TXT’s file size is 2048 bytes, starting at cluster 3. Combining this with the FAT’s information, we know ALCOR.TXT is using clusters 3 and 4.
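As an added example (not part of the original exercise), the following Python decodes the 32-byte directory entry and follows the FAT16 chain using the bytes shown above, embedded as constructed constants; the function names parse_dir_entry and fat16_chain are my own, and the chain walker also handles the free/bad/loop cases a damaged FAT can present.

```python
import struct
# Constructed from this slide's hex dumps: ALCOR.TXT's entry and the FAT16 bytes.
DIR_ENTRY = bytes.fromhex(
    "41 4C 43 4F 52 20 20 20 54 58 54 20 00 64 66 73 "
    "99 3F 21 26 00 00 20 10 21 26 03 00 00 08 00 00")
FAT16 = bytes.fromhex(
    "F8 FF FF FF 00 00 04 00 FF FF 00 00 00 00 08 00 "
    "FF FF 00 00 00 00 0C 00 FF FF 00 00 00 00 00 00")

def fat_time(raw):
    # 16-bit FAT time: hhhhh mmmmmm sssss, seconds stored in 2 s units
    return raw >> 11, (raw >> 5) & 0x3F, (raw & 0x1F) * 2

def fat_date(raw):
    # 16-bit FAT date: yyyyyyy mmmm ddddd, year counted from 1980
    return 1980 + (raw >> 9), (raw >> 5) & 0x0F, raw & 0x1F

def parse_dir_entry(entry):
    """Decode one 32-byte FAT 8.3 directory entry into its fields."""
    (name, attr, _reserved, tenths, ctime, cdate, adate, hi_cluster,
     wtime, wdate, lo_cluster, size) = struct.unpack("<11sBBBHHHHHHHI", entry)
    deleted = name[0] == 0xE5          # deletion overwrites only byte 0
    text = name.decode("latin-1")
    if deleted:
        text = "?" + text[1:]          # original first character is lost
    base, ext = text[:8].rstrip(), text[8:].rstrip()
    return {
        "name": f"{base}.{ext}" if ext else base,
        "deleted": deleted,
        "attr": attr,                  # 0x20 = archive
        "ctime": fat_time(ctime),      # (hour, minute, second)
        "ctime_10ms": tenths,          # extra 10 ms units added to ctime
        "cdate": fat_date(cdate),      # (year, month, day)
        "adate": fat_date(adate),
        "wtime": fat_time(wtime),
        "wdate": fat_date(wdate),
        "first_cluster": (hi_cluster << 16) | lo_cluster,  # high word is 0 on FAT16
        "size": size,
    }

def fat16_chain(fat, first_cluster):
    """Follow a FAT16 chain; stop at end-of-chain (>= 0xFFF8), a free (0) or
    bad (0xFFF7) entry, the end of the table, or a loop (damaged FAT)."""
    chain, cluster = [], first_cluster
    while (2 <= cluster < 0xFFF7 and cluster not in chain
           and cluster * 2 + 2 <= len(fat)):
        chain.append(cluster)
        cluster = struct.unpack_from("<H", fat, cluster * 2)[0]
    return chain
```

Running fat16_chain on cluster 5 returns only [5], because the deleted file's FAT entries were zeroed: the directory entry still gives the start cluster and size, but the chain itself must be reconstructed.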
Deleted file and data recovery
At offset 00a0 there is a file “?ETELG~1TXT”. The first byte of its name has been changed to 0xE5, denoting that this is a deleted file.

By looking at this directory entry, the file size is 4096 bytes, starting at cluster 5.
Long file name entry
Previously we were looking at the file “ALCOR.TXT”, but its original name is “Alcor.TXT”.

What about the original filename of the deleted “?ETELG~1TXT”?
Practical
• FTK imager -> Image mounting (should be in Read/Write mode)
• Go to the drive letter referring to partition 2 (H:\ in my case)
• Delete Alcor.txt
• Then open another FTK imager instance and add logical drive (H:\)
• Discuss the change of the file entry and disk status (FAT): is it recoverable?
Discussion of Data Recovery
• It seems “?ETELG~1TXT” is recoverable at this moment. What will happen if “Capella.txt” is deleted afterward?
• Which file(s) can be recovered?
NTFS
• FTK Imager -> Add Evidence Item -> Image File

• NTFS_2GB.E01
Go to $MFT, then to offset 58368 (57 x 1024, i.e. MFT record 57).

What is the “Flag” of the file, and what is its status?

What is the file name (or names)?

What attributes do we have here?

Where can we see the file times?

Where is the location of the file data?


Go to $MFT, then to offset 54272 (53 x 1024, i.e. MFT record 53).

What is the “Flag” of the file, and what is its status?

What is the file name (or names)?

What attributes do we have here?

Where can we see the file times?

Where is the location of the file data?


$MFT record divided into parts
Using MFTRCRD on an NTFS volume
