Exercise 2

Review the following volume boot record:

1. What are the number sectors per cluster (Decimal) ?

2. What is the number of bytes per sector (Decimal) ? __________

3. What are the number bytes per cluster (Decimal) ?

In this scenario, files are not contiguous, and the file allocation table reflects bad clusters. Using the following directory of files, complete the file allocation table using EOF for the End of File marker.

File Allocation Table – insert pointers (hints are shown in red)

Part II – FAT Cluster Tracking

Open the disk image 4.2-Exercise.001 using FTK Imager.

1. What are the number sectors per cluster (Decimal) ?

2. What is the number of bytes per sector (Decimal) ? __________

3. What are the number bytes per cluster (Decimal) ?

Complete the following table for each directory entry in the disk image. Exclude any folders, but include their contents. Hints are shown in red.

Part III – RAM Slack and Residual Slack

Open the disk image 4.2-Exercise.001 using FTK Imager.

Complete the following table. Hints are shown in red.

Part IV – FAT File Recovery

Exercise 1

Start Active @ Disk Editor. Close the Getting Started screen if it appears. Select Add Disk Image and open the disk image 4.4-Exercise.001.

Select the volume NO NAME and then Open in Disk Editor

Examine the volume boot record.

1. What are the number sectors per cluster (Decimal) ?

2. What are the number of bytes per sector (Decimal) ?

3. What are the number bytes per cluster (Decimal) ?

Select the Navigate menu and then choose Root Directory.

The first directory entry lists a deleted file with the name åNE.TXT

4. What is its file size (Decimal)?

5. What is the first used cluster?

6. How many clusters are needed for the file?

Since the file was deleted, the first byte of the file was changed to å. Right-click on the first byte of the file, E5, and select Allow Edit Content.

In the left pane, double-click the value for the file name, and change the å to an underscore, _. The file name should now be _NE. Click Save and when prompted to confirm the changes, select Yes.

7. After editing the file name, what is the value for the file name in hex?

8. Provide a screen shot of the hex values of changed directory entry.

To “undelete” the file, the file allocation table needs to be updated to link the clusters of the file. Select the Navigate menu and then choose FAT1.

Using the information derived for the file from the directory entry of the file, edit the cluster(s) to reference the file. Navigate to FAT2 and do the same. Save your changes.

9. Provide a screen shot of the hex values of the updated FAT.

Following the same process, recover all other files in the image.

10. Following the same process, recover all other files in the image. Provide a screen shot of the hex values of the all the changed entries in the root directory

11. Provide a screen shot of the hex values of the completed file allocation table .

12. Mount the image in FTK Imager, highlight the root directory, and provide a screen shot of the root directory file list .

Exercise 2 (Two Parts)

Using Active @ Disk Editor, open the disk image 4.5-Exercise.001 and recover the 6 contiguous files. Remember to save your changes.

HINT – the template feature of Active @ Disk Editor will be VERY helpful with this exercise.

There are 3 basic ways to recover the images:

1.  Manually.  A manual recovery would require that you reassemble the Directory and the FAT tables based on available data. You should be able to view the images in FTK Imager afterwards.

2. Semi-Auto.  Many tools and hex editors will allow you to highlight (or otherwise select) the clusters after you have identified them and perform a simple "save as a new file".  You would then click on the new file and your image will appear.   The copy of WinHex on your disk should have this feature available. You can also do this with a source code editor such as NotePad++.

3. Automatic – Many advanced tools will allow you to simply click a button to recover files from unallocated space.  It is that simple. For example, try using Autopsy. Autopsy may be downloaded at: http://www.sleuthkit.org/autopsy/

· Autopsy is free.

· Be sure to select the appropriate version, either the 32-bit (x86) version or the 64-bit (x64) version appropriate for your Windows installation.

· A version of Autopsy compiled for Mac OSX is available from Surmuri on their ISO for the latest release of Paladin.

Two Parts:

Part 1: Manually recover File1.JPG by reassembling the directory and the FAT tables. All that you need to do is: (1) open the existing image 4.5-Exercise.001 (as is) in a hex editor (2) fill in the information for the 4.5-Exercise.001 directory and the FAT directly in the existing image itself (3) save the changes and close the existing image (4) load the image into FTK Imager.

A. Paste a screen capture of the reassembled directory entry here:

a. IMPORTANT: Before you save your directory, type your first name in ACSII on the line below the directory entry. Take the screenshot with your name in the directory. Afterwards, overwrite your name with the values of 0x00 or the correct values. Then save the directory. You will NOT receive credit unless your screen capture contains your first name.

B. Paste a screen capture of the one of the two reassembled FATs here:

a. IMPORTANT: Before you save your first FAT, type your first name in ACSII on the line below the FAT entry. Take the screenshot with your name in the FAT. Afterwards, overwrite your name with the values of 0x00 or the correct values. Then save the directory. You will NOT receive credit unless your screen capture contains your first name.

C. Paste a screen capture of the image as viewed in FTK Imager here. You must include enough of the surrounding Imager window so as to demonstrate that the image is being viewed from within FTK Imager. Your screen capture MUST display the Properties pane with the Starting Cluster and Starting Sector clearly displayed. You will NOT receive credit otherwise.

Part 2: Recover the remaining images and complete the table below. You may use either automated or semi-automated methodologies, or even manual methods if you like.

Please provide all answers in decimal or ASCII.

Complete the following table for each file. Hints are shown in red.

8