One of the important tasks when analyzing a file system is to know how to locate and find a file's true logical location on disk. Which clusters is it occupying and why is extremely important. This lab is designed to understand how to do that manually. You are required to locate a couple of files by analyzing the NTFS attributes and especially the NTFS data-runs used.
\nUse the forensic image named \"Lab12.001\" file [located at C:\\DFP\\Labs\\Module05\\Lab12\\Lab12.001] for this lab.
\nUse your file system analysis skills to manually analyze the forensic image [located at C:\\DFP\\Labs\\Module05\\Lab12\\Lab12.001] and report back answers to the questions given below:
\nUse the data run results you obtained in Task #1 and report the following:\n* What does each part of the data run mean?\n* What is the first cluster for each file?\n* How many clusters are being used for each file?\n* What is the first sector number for each non-resident file?\n* Verify your results with the results automatically given to you by WinHex.
",
"published_date": "2020-10-20T15:32:26Z",
"solutions": "## SOLUTIONS\n### Task 1: Basic NTFS Attribute Analysis\nStart by opening the first disk which is [Lab12.001] [located at C:\\DFP\\Labs\\Module05\\Lab12\\Lab12.001] and loading it using FTK Imager.\n\n\n\nNow, let's start answering the required questions.\n\nWhat is the cluster size used for this disk?\n\nThis can be found by viewing the volume boot record (VBR). Click on the NTFS Partition \"CarveMe2\" and switch your view to hexadecimal. Bytes 11-12 bytes per sector. Byte 13 will tell you the sectors per cluster. Sweep bytes 11-12, and click on Hex Value Interpreter. \n\n\n\nNow sweep byte 13 for sectors per cluster\n\n\n\nThere are 512 bytes per sector and 8 secors in a cluster. That means each cluster is 4096kb.\n\nCheck this by switching from Hex Value Interpreter to Properties.\n\n\n\nHow many user files (pdf, exe, etc.) did you find and what was the size of each one of them.\n\n|Item|\tFile Name\t|Size|\n|----|--------------|----|\n|1|bin2sc.py|373 bytes|\n|2|Document1.pdf|531 Kilobytes|\n|3|File02.exe|7.9 Megabytes|\n|4|Photo05.jpg|1.4 Megabytes|\n\nNow we need to locate the MFT entry for each file and report back the following:\n\ta. Attribute ID for the Standard Information Attribute and its size\n\tb. File Name Attribute and its size\n\tc. Data Attribute and whether the file is resident or not (check residency flag)\n\td. Offset to the data-run, and the data run itself\n\n[Answer for the first file:] bin2sc.py\n\nRight click in the hexadecimal space and select find. Search for: \"bin2sec.py\", leaving the options at default. You will need to press F3 to continue to search. You are looking for the filename to me near the FILE0 entry. You should find this at offset 069946608, with FILE0 being at 069946368. You may need to switch to decimal offsets by right clicking in the hexadecimal space and selecting the option.\n\n\n\nThe File record header is from offset 1-55, The $STANDARD_INFORMATION attribute begins at offset 56 and continues through the next 80 bytes.\n\nNow, based on the NTFS documentation and the course notes, the standard information attribute has a type ID of 0x10.\n\nTherefore at offset 56 we find 10000000 which is the $STANDARD_INFORMATION attribute id 0x10. To locate the next attribute, we need to calculate the length of the $STANDARD_INFORMATION attribute, which is found in the next four bytes after the 4 bytes related to the attribute type ID. So, here we find the value (0x60000000 little endian) which means this attribute is 0x60 bytes long or 96 bytes (decimal).\n\nThis can be seen in the figure below. \n\n\n\nNow, as you can see, we have arrived at the next attribute which is 0x30000000 or 0x30. The attribute that has an ID of 0x30 is the $FILE_NAME attribute. The size is calculated the same way; we take the next four bytes to get the size of the attribute. Here we see 0x70000000 which means 0x70 or 112 in decimal. This can also be seen in the next figure. \n\n\n\nNow we reach the next attribute which starts with 0x80000000 or 0x80. The $DATA attribute is the one that uses an ID of 0x80. Now, if you go back and look at the size of this file, you will find that it is 373 bytes, which is under 700 bytes, and means we have a resident attribute here. This means the file content is going to be found within the MFT File Record entry, or in other words; within the 1024 bytes, allocated for the entry.\n\nIf we calculate the length of the file, we will find that it is 0x90010000 or 0x0190 bytes long, and this leads that our file has been allocated 400 bytes. Don't forget this includes the header. Before we finish the analysis for this file, just remember that at offset 0x8 we can find a single byte that is used to mark the attribute whether resident or not. So, if you go to offset 0x8, we find that it has the value 0x00, which means our file is resident (non-resident = 0x01).\n\nSince this is not a non-resident file, then we don't have a data run for it. Let us move on to the next file.\n\nAnswer for the second file: Document1.pdf\n\nSame as before, we start by right-clicking on the file and then select Navigation -> Seek FILE Record. Again, at offset 0x14 in hexadecimal, we can find a two bytes value which represents the offset to the first attribute for this file. So, if we check offset 0x14 (20 decimal), we find the value 0x3800 (little endian). This means that our first attribute is at offset 0x38 in hex or 56 in decimal. \n\nAgain, at offset 56 we found 10000000 which is the \\$STANDARD_INFORMATION id 0x10. As we did before, to locate the next attribute, we need to calculate the length of the $STANDARD_INFORMATION attribute, which can be found in the next four bytes after the 4 bytes related to the attribute type ID. So, here we find the value (0x60000000 little endian) which means this attribute is 0x60 bytes long or 96 bytes (decimal). This can be seen in the next figure. \n\nNow, as you can see, we have arrived at the next attribute which is 0x30000000 or 0x30. The attribute that has an ID of 0x30 is the $FILE_NAME attribute. The size is calculated the same way; we take the next four bytes to get the size of the attribute. Here we see 0x78000000 which means 0x78 or 120 in decimal. This can be seen in the next figure. \n\nNow we reach the next attribute which starts with 0x80000000 or 0x80. The $DATA attribute is the one that uses an ID of 0x80. Now, if you go to offset 0x8, we find that it has the value 0x01, which means our file is non-resident. Also, the length of this attribute is 0x48000000 or 0x48 (72 decimal) as seen in the next figure. \n\nTo find where this file is stored, we need to locate the data run for the file. This can be done by checking offset 0x20, which is two bytes long. So, by going to offset 0x20 or 32 in decimal, we find that the data run is located at 0x40 or 64 in decimal. Now, by going to that location, we find the following: \n\nSo, the data run is: 0x2285009107. We will come back to this later in Task #2.\n\nBTW, the values 0xFFFFFFFF82794711 are the marker of the end of the MFT File Record.\n\nNow, all you need to do is repeat the same process for the rest of the files (File02.exe and Photo05.jpg).\n\nSummary of findings:\n\n| File Name | SIA (size)| FNA (size)| Data (size)| Resident| Data-run|\n|-----------| ----------| ----------| -----------| --------| --------|\n|Bin2sc.py| 10 (0x60)| 30 (0x70) | 80 (0x190) | Yes | None|\n|Document1.pdf | 10 (0x60) | 30 (0x78) | 80 (0x48) | No | 0x2285009107 |\n|File02.exe | 10 (0x60)| 30 (0x70) | 80 (0x48) | No| 0x22DD071608|\n|Photo05.jpg | 10 (0x60) | 30 (0x70)| 80 (0x48) | No | 0x2264012D06|\n\n### Task 2: Parsing the NTFS Dataruns\nNow, let's use the results we got in Task #1 to answer the questions below:\n\nWhat does each part of the data run mean?\n[Answer:]\n\nThe data run string is defined like this:\n\nThe first byte is actually divided and parsed like this:\n\na. The first nibble represents the number of bytes that represent the first cluster number\n\nb. The second nibble represents the number of bytes that represent the number of clusters this file is occupying\n\n\n|Byte\t|Bytes\t|Bytes|\n|----------|----------|----------|\n|Nibble Nibble |Representing No. of Clusters|Representing No. of the First Cluster|\n\nSo, as you can see, it all goes down to the first byte in the data run.\n\nLet's answer both questions 2 and 3 together.\n\nWhat is the first cluster for each file?\n\nHow many clusters are being used for each file?\n\nAnswer:\n\nSince the first file is resident, we are not going to calculate where the first cluster is.\n\nThe first cluster for the second file Document1.pdf is calculated like this:\n\nData run: 0x2285009107\n\n2: 91 07 -> number of the first cluster (little endian)\n\n= 1937\n\n2: 85 00 -> number of clusters allocated (little endian)\n\n= 133\n\nAnd for the data run for File02.exe = 0x22DD071608\n\n2: 16 08 -> the first cluster\n\n= 2070\n\n2: DD 07 -> no. of clusters\n\n= 2013\n\nFinally, the data run for file Photo05.jpg = 0x2264012D06\n\n2: 2D 06 -> the first cluster\n\n= 1581 2: 64 01 -> no. of clusters = 356\n\nWhat is the first sector number for each non-resident file?\nAnswer:\n\nHere is when the size of the cluster comes in handy! Now, to locate the first sector for each file, we can do that based on the equation found below:\n\nFirst sector = (First cluster no. * cluster size ) / sector size\n\nMeans, for the second file Document1.pdf\n\nFirst sector = 1937 * 4096 / 512 = 15496\n\nFor the third file File02.exe\n\nFirst sector = 2070 * 4096 / 512 = 16560\n\nMeans, for the second file Photo05.jpg\n\nFirst sector = 1581 * 4096 / 512 = 12648\n\nVerify your results with the results automatically given to you by WinHex.\nAnswer:\n\nThis is easily done by right-clicking on the file and then Navigation List Clusters. The proof for each file is below. (Cluster = First cluster and Total = No. of clusters)\n\n**Document1.pdf**\n\n\n\t\n**File02.exe**\n\t\n\n\t\n**Photo05.jpg**\n\n\n\n\t\t\n**Summary of findings:**\n\n|File Name|First Cluster|No. of clusters|First sector|\n|---------|-------------|---------------|------------|\n|Document1.pdf|1937|133|15496|\n|File02.exe|2070|2013|16560|\n|Photo05.jpg|1581|356|12648|",
"solutions_html": "SOLUTIONS
\nTask 1: Basic NTFS Attribute Analysis
\nStart by opening the first disk which is [Lab12.001] [located at C:\\DFP\\Labs\\Module05\\Lab12\\Lab12.001] and loading it using FTK Imager.
\n![\"FTKImager\"](\"https://assets.ine.com/content/labs/cybersecurity-labs/jason/LAB-3524/1.jpg\")
\nNow, let's start answering the required questions.
\nWhat is the cluster size used for this disk?
\nThis can be found by viewing the volume boot record (VBR). Click on the NTFS Partition \"CarveMe2\" and switch your view to hexadecimal. Bytes 11-12 bytes per sector. Byte 13 will tell you the sectors per cluster. Sweep bytes 11-12, and click on Hex Value Interpreter.
\n![\"Bytes](\"https://assets.ine.com/content/labs/cybersecurity-labs/jason/LAB-3524/bytespersector.jpg\")
\nNow sweep byte 13 for sectors per cluster
\n![\"Sectors](\"https://assets.ine.com/content/labs/cybersecurity-labs/jason/LAB-3524/sectorspercluster.jpg\")
\nThere are 512 bytes per sector and 8 secors in a cluster. That means each cluster is 4096kb.
\nCheck this by switching from Hex Value Interpreter to Properties.
\n![\"Cluster](\"https://assets.ine.com/content/labs/cybersecurity-labs/jason/LAB-3524/clustersizeproperties.jpg\")
\nHow many user files (pdf, exe, etc.) did you find and what was the size of each one of them.
\n\n\n\n| Item | \nFile Name | \nSize | \n
\n\n\n\n| 1 | \nbin2sc.py | \n373 bytes | \n
\n\n| 2 | \nDocument1.pdf | \n531 Kilobytes | \n
\n\n| 3 | \nFile02.exe | \n7.9 Megabytes | \n
\n\n| 4 | \nPhoto05.jpg | \n1.4 Megabytes | \n
\n\n
\nNow we need to locate the MFT entry for each file and report back the following:\n a. Attribute ID for the Standard Information Attribute and its size\n b. File Name Attribute and its size\n c. Data Attribute and whether the file is resident or not (check residency flag)\n d. Offset to the data-run, and the data run itself
\n[Answer for the first file:] bin2sc.py
\nRight click in the hexadecimal space and select find. Search for: \"bin2sec.py\", leaving the options at default. You will need to press F3 to continue to search. You are looking for the filename to me near the FILE0 entry. You should find this at offset 069946608, with FILE0 being at 069946368. You may need to switch to decimal offsets by right clicking in the hexadecimal space and selecting the option.
\n![\"bin2sec](\"https://assets.ine.com/content/labs/cybersecurity-labs/jason/LAB-3524/bin2secstdinfo.jpg\")
\nThe File record header is from offset 1-55, The $STANDARD_INFORMATION attribute begins at offset 56 and continues through the next 80 bytes.
\nNow, based on the NTFS documentation and the course notes, the standard information attribute has a type ID of 0x10.
\nTherefore at offset 56 we find 10000000 which is the $STANDARD_INFORMATION attribute id 0x10. To locate the next attribute, we need to calculate the length of the $STANDARD_INFORMATION attribute, which is found in the next four bytes after the 4 bytes related to the attribute type ID. So, here we find the value (0x60000000 little endian) which means this attribute is 0x60 bytes long or 96 bytes (decimal).
\nThis can be seen in the figure below.
\n![\"StdAttribute\"](\"https://assets.ine.com/content/labs/cybersecurity-labs/jason/LAB-3524/stdattributes.jpg\")
\nNow, as you can see, we have arrived at the next attribute which is 0x30000000 or 0x30. The attribute that has an ID of 0x30 is the $FILE_NAME attribute. The size is calculated the same way; we take the next four bytes to get the size of the attribute. Here we see 0x70000000 which means 0x70 or 112 in decimal. This can also be seen in the next figure.
\n![\"File](\"https://assets.ine.com/content/labs/cybersecurity-labs/jason/LAB-3524/filenameattrib.jpg\")
\nNow we reach the next attribute which starts with 0x80000000 or 0x80. The $DATA attribute is the one that uses an ID of 0x80. Now, if you go back and look at the size of this file, you will find that it is 373 bytes, which is under 700 bytes, and means we have a resident attribute here. This means the file content is going to be found within the MFT File Record entry, or in other words; within the 1024 bytes, allocated for the entry.
\nIf we calculate the length of the file, we will find that it is 0x90010000 or 0x0190 bytes long, and this leads that our file has been allocated 400 bytes. Don't forget this includes the header. Before we finish the analysis for this file, just remember that at offset 0x8 we can find a single byte that is used to mark the attribute whether resident or not. So, if you go to offset 0x8, we find that it has the value 0x00, which means our file is resident (non-resident = 0x01).
\nSince this is not a non-resident file, then we don't have a data run for it. Let us move on to the next file.
\nAnswer for the second file: Document1.pdf
\nSame as before, we start by right-clicking on the file and then select Navigation -> Seek FILE Record. Again, at offset 0x14 in hexadecimal, we can find a two bytes value which represents the offset to the first attribute for this file. So, if we check offset 0x14 (20 decimal), we find the value 0x3800 (little endian). This means that our first attribute is at offset 0x38 in hex or 56 in decimal.
\nAgain, at offset 56 we found 10000000 which is the \\$STANDARD_INFORMATION id 0x10. As we did before, to locate the next attribute, we need to calculate the length of the $STANDARD_INFORMATION attribute, which can be found in the next four bytes after the 4 bytes related to the attribute type ID. So, here we find the value (0x60000000 little endian) which means this attribute is 0x60 bytes long or 96 bytes (decimal). This can be seen in the next figure.
\nNow, as you can see, we have arrived at the next attribute which is 0x30000000 or 0x30. The attribute that has an ID of 0x30 is the $FILE_NAME attribute. The size is calculated the same way; we take the next four bytes to get the size of the attribute. Here we see 0x78000000 which means 0x78 or 120 in decimal. This can be seen in the next figure.
\nNow we reach the next attribute which starts with 0x80000000 or 0x80. The $DATA attribute is the one that uses an ID of 0x80. Now, if you go to offset 0x8, we find that it has the value 0x01, which means our file is non-resident. Also, the length of this attribute is 0x48000000 or 0x48 (72 decimal) as seen in the next figure.
\nTo find where this file is stored, we need to locate the data run for the file. This can be done by checking offset 0x20, which is two bytes long. So, by going to offset 0x20 or 32 in decimal, we find that the data run is located at 0x40 or 64 in decimal. Now, by going to that location, we find the following:
\nSo, the data run is: 0x2285009107. We will come back to this later in Task #2.
\nBTW, the values 0xFFFFFFFF82794711 are the marker of the end of the MFT File Record.
\nNow, all you need to do is repeat the same process for the rest of the files (File02.exe and Photo05.jpg).
\nSummary of findings:
\n\n\n\n| File Name | \nSIA (size) | \nFNA (size) | \nData (size) | \nResident | \nData-run | \n
\n\n\n\n| Bin2sc.py | \n10 (0x60) | \n30 (0x70) | \n80 (0x190) | \nYes | \nNone | \n
\n\n| Document1.pdf | \n10 (0x60) | \n30 (0x78) | \n80 (0x48) | \nNo | \n0x2285009107 | \n
\n\n| File02.exe | \n10 (0x60) | \n30 (0x70) | \n80 (0x48) | \nNo | \n0x22DD071608 | \n
\n\n| Photo05.jpg | \n10 (0x60) | \n30 (0x70) | \n80 (0x48) | \nNo | \n0x2264012D06 | \n
\n\n
\nTask 2: Parsing the NTFS Dataruns
\nNow, let's use the results we got in Task #1 to answer the questions below:
\nWhat does each part of the data run mean?\n[Answer:]
\nThe data run string is defined like this:
\nThe first byte is actually divided and parsed like this:
\na. The first nibble represents the number of bytes that represent the first cluster number
\nb. The second nibble represents the number of bytes that represent the number of clusters this file is occupying
\n\n\n\n| Byte | \nBytes | \nBytes | \n
\n\n\n\n| Nibble Nibble | \nRepresenting No. of Clusters | \nRepresenting No. of the First Cluster | \n
\n\n
\nSo, as you can see, it all goes down to the first byte in the data run.
\nLet's answer both questions 2 and 3 together.
\nWhat is the first cluster for each file?
\nHow many clusters are being used for each file?
\nAnswer:
\nSince the first file is resident, we are not going to calculate where the first cluster is.
\nThe first cluster for the second file Document1.pdf is calculated like this:
\nData run: 0x2285009107
\n2: 91 07 -> number of the first cluster (little endian)
\n= 1937
\n2: 85 00 -> number of clusters allocated (little endian)
\n= 133
\nAnd for the data run for File02.exe = 0x22DD071608
\n2: 16 08 -> the first cluster
\n= 2070
\n2: DD 07 -> no. of clusters
\n= 2013
\nFinally, the data run for file Photo05.jpg = 0x2264012D06
\n2: 2D 06 -> the first cluster
\n= 1581 2: 64 01 -> no. of clusters = 356
\nWhat is the first sector number for each non-resident file?\nAnswer:
\nHere is when the size of the cluster comes in handy! Now, to locate the first sector for each file, we can do that based on the equation found below:
\nFirst sector = (First cluster no. * cluster size ) / sector size
\nMeans, for the second file Document1.pdf
\nFirst sector = 1937 * 4096 / 512 = 15496
\nFor the third file File02.exe
\nFirst sector = 2070 * 4096 / 512 = 16560
\nMeans, for the second file Photo05.jpg
\nFirst sector = 1581 * 4096 / 512 = 12648
\nVerify your results with the results automatically given to you by WinHex.\nAnswer:
\nThis is easily done by right-clicking on the file and then Navigation List Clusters. The proof for each file is below. (Cluster = First cluster and Total = No. of clusters)
\nDocument1.pdf
\n![\"Document1Info\"](\"https://assets.ine.com/content/labs/cybersecurity-labs/jason/LAB-3524/Document1Details.jpg\")
\nFile02.exe
\n![\"File02Info\"](\"https://assets.ine.com/content/labs/cybersecurity-labs/jason/LAB-3524/File02Details.jpg\")
\nPhoto05.jpg
\n![\"Photo05Info\"](\"https://assets.ine.com/content/labs/cybersecurity-labs/jason/LAB-3524/Photo05Details.jpg\")
\nSummary of findings:
\n\n\n\n| File Name | \nFirst Cluster | \nNo. of clusters | \nFirst sector | \n
\n\n\n\n| Document1.pdf | \n1937 | \n133 | \n15496 | \n
\n\n| File02.exe | \n2070 | \n2013 | \n16560 | \n
\n\n| Photo05.jpg | \n1581 | \n356 | \n12648 | \n
\n\n
",
"flags": [],
"min_points_to_pass": null,
"access_type": "default",
"user_status": "unstarted",
"user_lab_status": null,
"user_status_modified": null,
"user_flags": [],
"global_running_session": null
}