
Anonymous
Required textbook: Carrier, Brian, File System Forensic Analysis, Addison-Wesley, 2005, pgs 569. (ISBN 0-32-126817-2)
HW 04 NTFS Hands-on
Purpose: The purpose of this assignment is to better understand NTFS file system concepts by seeing and interpreting on-disk data, specifically an MFT entry. This assignment will also give you additional experience with recognizing, interpreting, and following data structures in general.
Turn in: Electronically submit answers to questions via Blackboard. Please just number/list your answers. Do not recreate/include the questions in your answers. Just list your numbered answers… no questions.
Instructions:
Location: This lab can be completed elsewhere with a sufficiently functioning hex editor. The lab was built with WinHex and the lab workstations in mind. You will do all of this within your Forensics virtual machine.
Required Materials: A small thumb drive, since you will be reformatting the thumb drive for this lab. You will also need your course textbook to reference data structure tables therein.
Media Preparation:
- Wipe thumb drive via WinHex.
  - Insert thumb drive into VM
  - Start WinHex
  - Tools → Start Center → Open Disk → select the thumb drive under physical media (NOT logical drives). Make sure you select the correct media, else you wipe the wrong thing!
  - Options → Edit Mode → In-Place Edit Mode
  - Edit → Select All
  - Edit → Fill Block … Fill with x00, 1 pass only
- Reformat the thumb drive with NTFS
  - Return Edit Mode to "Read-Only" and close WinHex
  - Format the drive with NTFS
  - Default allocation size
  - Volume label → enter your last name
  - Select quick format
Use MyFragmenter (part of the MyDefrag command line utility, located on CondorPubic ShareForensics (Beebe)MyDefrag) to create a 22KB file containing random data, named random.txt
- You must create a 2-fragment file [-p 2].
Note, if you run MyFragmenter as Administrator, the CMD box will persist, allowing you to take a screen print of the process output, as directed below.
"c:\Program Files\MyDefrag v4.3.1\MyFragmenter.exe" -s 22 -p <<X>> f:\random.txt (of course replacing paths and drive letters as appropriate).
(Note, you are advised against cutting/pasting the command, which has been known to cause problems with CMD recognizing the command text properly.)
Note, an alternative tool you may use is: http://www.passmark.com/products/fragger.htm
Locate that file's MFT entry in the thumb drive's $MFT. Have WinHex traverse the file system; you can then right-click on the file, select Navigate and then Go To FILE Record.
Take a screen shot of the command line results from running MyFragmenter. You MUST turn this in (and in a readable size) with your answers.
Take a screen shot of the first sector of the MFT record for random.txt. You MUST turn this in (and in a readable size) with your answers.
Now, analyze your MFT record answering the following questions. Use Ch. 13 data structure tables. If any are not applicable, explain why.
Table 13.1
1. What is the four-byte signature for the MFT entry in hex and ASCII?
2. Is this MFT entry allocated or unallocated? How do you know?
3. Does the MFT entry pertain to a file or a directory? How do you know? File;
4. How many bytes long is the MFT entry header? How do you know?
Tables 13.2 & 11.2
5. What is the TYPE of the first attribute? Give the formal attribute name, properly written, the hex number for that type, and the decimal number for that type.
Table 13.2
6. How long is the first attribute (in bytes)?
7. Is this attribute's data resident or non-resident? How do you know?
Use Table 13.3 or 13.4, as appropriate
8. How many bytes (decimal) from the start of the attribute header to the attribute content?
Use Tables 13.5 and 13.6, as appropriate
9. When was this file created? (provide string and converted value)
10. When was this file last modified? (provide string and converted value)
11. When was this file last accessed? (provide string and converted value)
12. When was this file's MFT entry last modified? (provide string and converted value)
13. Is this file a READ-ONLY file? How do you know?
14. Is this file a SYSTEM file? How do you know?
15. Is this file being indexed (for faster searches)? How do you know?
Tables 13.2, 11.2, & 13.7
16. What is the TYPE of the second attribute?
17. How long is the second attribute (in bytes)?
18. Briefly compare/contrast the date/time stamps found in the first and second attribute. Which ones are likely more accurate?
19. What is the name of the file this MFT entry pertains to?
Tables 13.2, 11.2, 13.3, and 13.4, as appropriate
20. What attribute is the $DATA attribute (1st, 2nd, 3rd, etc.)?
21. How long is the $DATA attribute (in bytes)?
22. Is the $DATA attribute's data resident or non-resident?
Table 13.4
23. How many bytes from the start of the $DATA attribute is this file's runlist located ("offset to the runlist")?
24. What is the runlist as a data structure (exact on-disk data string)?
25. What are the starting cluster(s) for this file's fragment(s) (in hex and decimal)?
26. How long (in clusters (decimal)) is/are this file's fragment(s)?
27. How many end of entry markers does it have? How do you know?
28. How could an MFT entry have more than one end of entry marker?
28.How could an MFT entry have more than one end of entry marker?
Go to the fragment location(s) on disk that you obtained from parsing the runlist. Verify the data is there.
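Questions 9-12 and 23-26 come down to two decodings: the 8-byte NTFS timestamps and the runlist. The Python sketch below is an added example, not part of the assignment; it assumes the standard runlist layout (low nibble of each header byte = size of the length field, high nibble = size of the offset field, offsets signed and relative to the previous run), and its sample bytes are constructed, not read from a real volume.

```python
from datetime import datetime, timedelta, timezone

# NTFS timestamps count 100-nanosecond ticks from 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(raw8: bytes) -> datetime:
    """Convert an 8-byte little-endian NTFS timestamp to a UTC datetime."""
    ticks = int.from_bytes(raw8, "little")
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_runlist(data: bytes):
    """Decode a non-resident attribute's runlist.

    Returns [(start_cluster, length_in_clusters), ...]; start_cluster is
    None for a sparse run (offset field size of zero).
    """
    runs, pos, prev = [], 0, 0
    while pos < len(data) and data[pos] != 0x00:   # 0x00 header ends the list
        len_size = data[pos] & 0x0F                # low nibble
        off_size = data[pos] >> 4                  # high nibble
        pos += 1
        if len_size == 0 or pos + len_size + off_size > len(data):
            raise ValueError("malformed or truncated run")
        length = int.from_bytes(data[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            runs.append((None, length))            # sparse: no clusters on disk
            continue
        # Offset is signed and relative to the previous run's start cluster.
        delta = int.from_bytes(data[pos:pos + off_size], "little", signed=True)
        pos += off_size
        prev += delta
        runs.append((prev, length))
    return runs


# Constructed sample: two 3-cluster fragments, the second located 16
# clusters BEFORE the first (negative relative offset 0xF0 = -16).
SAMPLE_RUNLIST = bytes.fromhex("21 03 28 04 11 03 F0 00")
# Constructed sample timestamp: the tick count for 1970-01-01 00:00 UTC.
SAMPLE_TIME = (116444736000000000).to_bytes(8, "little")

if __name__ == "__main__":
    for start, length in parse_runlist(SAMPLE_RUNLIST):
        print(f"start cluster {start} (0x{start:X}), {length} clusters")
    print(filetime_to_utc(SAMPLE_TIME).isoformat())
```

Multiply a start cluster by the volume's cluster size (sectors per cluster times bytes per sector, from the boot sector) to get the byte offset to jump to in the hex editor.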
Annotate the physical sector address of your MFT entry and THEN delete the file from your thumb drive.
29. Return to that physical location and identify what data has and has not changed in the MFT entry
30. Now go to fragment locations on disk you previously identified. Is the data still there? Why or why not?
