So we'll forensically clean it, writing 00 on every byte.
In your virtual machine, click Start, Run.
In the Run box, type CMD and press Enter to open a Command Prompt.
In the Command Prompt window, type these commands, pressing Enter after each one:
DISKPART
LIST DISK
Read the output to find the new 101 MB disk you want to clean--when I did it, it was Disk 0. You don't want to erase the wrong disk by accident!
In the Command Prompt window, excute these commands, specifying the correct disk in the first command:
SELECT DISK 0
CLEAN ALL
Right-click "Computer" and click Manage.
In the left pane of Server Manager, expand Storage and click "Disk Management".
An "Initialize Disk" box opens, as shown below.
In the "Initialze Disk" box, accept the default choice of "MBR (Master Boot Record)" and click OK.
In the context menu, click "New Simple Volume...", as shown below.
The "New Simple Volume Wizard" opens.
Click Next.
In the "Select Volume Size" screen, accept the default size and click Next.
In the "Assign Drive Letter or Path" screen, accept the default selection and click Next.
In the "Format Partition" screen, set the "Allocation unit size" to 512, as shown below, and click Next.
This size makes each cluster equal to a sector, which is how floppy disks work. It's inefficient for large disks, but OK for this small disk and it simplifies the project.
In the "Completing the New Simple Volume Wizard" screen, click Finish.
In the top left portion of Server Manager, click the top item, "Server Manager".
In the lower right of Server Manager, in the "Security Information" section, click the "Configure IE ESC" link, as shown below.
Click both Off buttons, as shown below. Then click OK.
Right-click the FILE1.TXT link below and save the file on your desktop.
Repeat the process for FILE2.TXT.
FILE1.TXTOn your desktop, double-click FILE1.TXT to open it in Notepad.
FILE2.TXT
As you can see, this file contains 1000 "1" characters on a single line.
Open FILE2.TXT to see what it contains--1000 "2" characters.
Close all Notepad windows.
Double-click the "New Volume" icon.
Using the mouse, hold the button down and draw a rectangle around both FILE1.TXT and FILE2.TXT, as shown below.
Drag the two files FILE1.TXT and FILE2.TXT into the "New Volume" window and drop them there.
The two files should be visible on the new drive, as shown below.
In the center of the page, click WinHex
In the left center portion of the window, click Download. Save the file on your desktop.
On your desktop, right-click the winhex.zip file and click "Extract All...".
In the "Extract Compressed (zipped) Folders" box, click Extract.
A folder with several files opens. Double-click the setup.exe file.
Troubleshooting
If double-clicking the setup.exe file does nothing, open a Command prompt and run it from there.
If a pop-up box, asks whether you want to run the file, click Run.
In the "WinHex" screen, on right side, click the OK button. as shown below.
A pop-up box, asks whether you want to "Install into C:\Program Files\Winhex". Click Yes.
A pop-up box, asks whether you want to "Create program shortcut". Click Yes.
A pop-up box, asks whether you want to "Run program". Click Yes.
WinHex opens, as shown below.
In the "Select Disk" box, click "New Volume", as shown below, and then click the OK button.
The Directory Browser pane should be visible in the upper center of the window, showing files and folders on Drive E:, as shown below.
If it is not visible, from the WinHex menu bar, click View, Show, "Directory Browser".
In the Directory Browser, click FILE1.TXT.
The lower pane shows the raw hex data in the first cluster containing data for FILE1.TXT, as shown below. All the bytes are hexadecial 31, or the numeral "1".
In the figure above, in the center right, find the little icon marked with a green box. (It's a magnifying glass on a folder). This icon toggles the display of Directory Browser.
In your WinHex window, click that icon now.
Directory Browser vanishes, so you can see more of the hex view, as shown below.
Scroll up a few rows in the hex view so you can see where the "1" characters start, as shown below.
Click the first "31" to put the cursor there.
Just to the left you can see the hexadecimal address of that disk location--when I did it, the address was 02F29200.
The right side of WinHex shows a gray bar with further details, including the cluster number. When I did it, FILE1 started at cluster number 96585, as shown below.
Scroll down in the Hex view until you find the end of the "1" characters.
As shown below, they fill one sector completely, and nearly fill the next sector.
Sometimes there is a large gap of zeroes between the two files--if that happens, perhaps you forgot to set the cluster size to 512 bytes on your volume.
If the cluster size is correct, and you still see a large gap, use two images to show both the 1s and 2s.
Press the PrintScrn key in the upper-right portion of the keyboard. That will copy the whole desktop to the clipboard.
YOU MUST SUBMIT A FULL-SCREEN IMAGE TO GET FULL CREDIT!
Open Paint and paste in the image.
Save the image with the filename "Your Name Proj 8a". Use your real name, not the literal text "Your Name".
They should follow the same pattern, filling one sector completely, and nearly filling the next sector, as shown below.
Here's a summary of the data layout:
Sector Contents
------ --------
96585 1s
96586 1s and 0s
96587 2s
96588 2s and 0s
In the upper right corner of the
WinHex window there are two X buttons,
as shown below.
Click the lower X button. This closes the "New Volume" drive.
Click the remaining X button. This closes WinHex.
Double-click the "New Volume" icon to open the volume.
Double-click the FILE1.TXT icon to open the file in Notepad.
Click in the Notepad Window.
Press Ctrl+A, Ctrl+C to copy the text.
Press Ctrl+V five times. This makes the file 5000 bytes long.
Save the file.
If an "Open File -- Security Warning" box pops up, click Run.
From the WinHex menu bar, click Tools, "Open Disk...".
In the "Select Disk" box, click "New Volume", and then click the OK button.
From the WinHex menu bar, click View, Show, "Directory Browser".
A box pops up saying that a snapshot is reused, as shown below. Directory Browser actually works from a copy of the data called a Snapshot, not from the original disk.
We just changed the disk, so an old snapshot won't be accurate.
So click "Take new one".
The Directory Browser pane appears in the upper center of the window.
In the Directory Browser, click FILE1.TXT.
Notice that FILE1 now has a size of 4.9 KB, as shown below.
Click the yellow icon to hide Directory Browser, as you did before.
Scroll down through the two sectors of "1" characters.
Scroll down through the two sectors of "2" characters.
You may find the additional "1" characters here, or far away on the disk. If you can't find them easily, click Search, "Find Text..., and search for the string 11111, as shown below.
I found it hundreds of sectors away when I did it on 10-5-16.
There should be additional sectors of "1" characters below the "2" characters, as shown below.
Here's a summary of the data layout:
Sector Contents
------ --------
96585 1s
96586 1s
96587 2s
96588 2s and 0s
...
Hundreds of skipped sectors
...
1s
1s
... ...
Scroll to the bottom.
Right-click FILE2.TXT.
In the context menu, click Navigation, "Seek FILE Record", as shown below.
This is the Master File Table (MFT) record which contains information about FILE2.TXT.
Each MFT record begins with the ASCII text "FILE0".
Highlight that text, so your screen looks like the image below.
We need to count 56 bytes from this point. That will be a lot easier with only 16 bytes per row.
From the WinHex menu bar, click Options, General.
On the right side, in the center, verify that it is set to 16 in the "bytes per line" box, as shown below.
Click OK.
WinHex now has only 16 bytes per line, labelled 0 though F in the "Offset" line at the top of the display, as shown below.
Click on the first byte, with the value: 46.
Hold down the Shift key and press the down-arrow on the keyboard three times. This selects three lines of 16 bytes for a total of 48 bytes.
Now, holding down the Shift key, press the right-arrow key until you have selected bytes 0 through 7 in that row.
This selects the entire 56 bytes of the MFT record header, as shown below.
Each section of the MFT begins with a four-byte identifier--in this case 10 00 00 00.
Here is a chart of the MFT attribute types, from http://grayscale-research.org/new/pdfs/NTFS%20forensics.pdf
The next four bytes indicate the length of the section, in hexadecimal, with the least significant byte first.
So the eight bytes highlighted below indicate that the Standard Information section is 60 bytes long.
Highlight the entire Standard Information section. It will be six entire rows of 16 bytes, as shown below.
Highlight the section.
Notice the readable file name near the end of this section: FILE2.TXT.
It's in Unicode, so there's a 00 byte after each readable character.
This section indicates where the data is actually stored on the disk.
Highlight the section.
The last eight bytes of this section contain the "Data Run", as highlighted below.
In this case, the Data Run is
31 02 4B 79 01
3: the last 3 bytes contain the starting cluster numberSo there are 2 clusters in a row here, at cluster # 4B 79 01.1: The first 1 byte contains the length of this portion of the file, in clusters.
The cluster # bytes are in "Little Endian" notation, so they must be reversed in order, resulting in Cluster number 01 79 4B.
This means 1x65536 + 7x4096+ 9x256 + 4x16 + 11 = 96587.
Look in the Directory Browser pane in WinHex, and you can see on the right side that FILE2.TXT does indeed start at that cluster number.
In the context menu, click Navigation, "Seek FILE Record".
Walk through the MFT record as you did before, to find the Data section and the File Run, which starts with 31 (or 21), as shown below.
Highlight the Data Run, including eight bytes, as shown below.
Press the PrintScrn key in the upper-right portion of the keyboard. That will copy the whole desktop to the clipboard.
YOU MUST SUBMIT A FULL-SCREEN IMAGE TO GET FULL CREDIT!
Open Paint and paste in the image.
Save the image with the filename "Your Name Proj 8b". Use your real name, not the literal text "Your Name".
Send it to: cnit.121@gmail.com with a subject line of "Proj 8 From Your Name", replacing "Your Name" with your own first and last name.
Send a Cc to yourself.
http://stam.blogs.com/8bits/2009/10/lab-ftk-imager-file-carving-using-the-mft-.html
http://grayscale-research.org/new/pdfs/NTFS%20forensics.pdf
Last modified: 10-5-16 5:30 pm