WEBVTT

0:00:02.920000 --> 0:00:07.380000
Hello, and welcome to the C-Learn Security video on Performing Disk Analysis

0:00:07.380000 --> 0:00:10.560000
Procedures on a Suspect's Disk.

0:00:10.560000 --> 0:00:13.960000
In this video, we will cover three topics.

0:00:13.960000 --> 0:00:17.120000
First, we will cover Disk Management and discuss how disks are attached

0:00:17.120000 --> 0:00:22.180000
to a system. Next, we will go over how to use a tool called WinHex to

0:00:22.180000 --> 0:00:26.600000
analyze disks. And finally, we will cover the manual process of analyzing

0:00:26.600000 --> 0:00:30.340000
the master boot record with WinHex.

0:00:30.340000 --> 0:00:33.040000
It's important in the beginning to understand a little bit about disks

0:00:33.040000 --> 0:00:36.540000
and how they are laid out on the system or attached to the system.

0:00:36.540000 --> 0:00:38.840000
Let's go ahead and get started.

0:00:38.840000 --> 0:00:42.880000
If we go to My Computer and then Manage, the Computer Management Control

0:00:42.880000 --> 0:00:48.860000
Panel appears. On the right, we see the option for Disk Management, which

0:00:48.860000 --> 0:00:52.140000
is a configuration tool that allows you to format and perform additional

0:00:52.140000 --> 0:00:54.020000
disk management tasks.

0:00:54.020000 --> 0:01:00.560000
If we select it, two disks appear, disk 0 and disk number 1.

0:01:00.560000 --> 0:01:04.840000
Disk 0 holds almost 500 GB.

0:01:04.840000 --> 0:01:10.900000
We can see that it is using 124 MB and that it's healthy and is online.

0:01:10.900000 --> 0:01:15.220000
If we click on any one of these partitions, it highlights it in the above

0:01:15.220000 --> 0:01:22.500000
section. This partition here is found on disk number 1.

0:01:22.500000 --> 0:01:26.720000
If we select C and turn our attention to the top middle section, here

0:01:26.720000 --> 0:01:29.000000
we see that it's using a simple layout.

0:01:29.000000 --> 0:01:33.560000
It's a basic disk and uses an NTFS file system.

0:01:33.560000 --> 0:01:36.340000
We also see that its status is healthy.

0:01:36.340000 --> 0:01:41.480000
Further down, we see its capacity, free space and free space in percentage.

0:01:41.480000 --> 0:01:45.960000
The details we see here come from the disk that is currently attached

0:01:45.960000 --> 0:01:49.540000
to the system. It's extremely important to understand the information

0:01:49.540000 --> 0:01:53.280000
presented here, because there may be an instance where you need to take

0:01:53.280000 --> 0:01:57.920000
a digital forensic image of a system and, for example, then focus on a

0:01:57.920000 --> 0:02:00.720000
specific disk, like disk number 1.

0:02:00.720000 --> 0:02:04.800000
You will need to understand which disk is actually disk number 1, or,

0:02:04.800000 --> 0:02:08.440000
instead, your focus could be on a single partition attached to a drive

0:02:08.440000 --> 0:02:12.540000
letter D, meaning that your focus will not be on the physical layer, but

0:02:12.540000 --> 0:02:16.320000
rather, the logical layer.

0:02:16.320000 --> 0:02:19.840000
Again, it's important that you understand all of this, so you know which

0:02:19.840000 --> 0:02:21.880000
partition you're going to acquire.

0:02:21.880000 --> 0:02:26.060000
Let's go ahead and move to the second topic of the video and turn our

0:02:26.060000 --> 0:02:29.520000
attention to a really important tool for digital forensic investigators,

0:02:29.520000 --> 0:02:31.800000
a tool called WinHex.

0:02:31.800000 --> 0:02:37.120000
To obtain a copy of WinHex, you can simply search for WinHex and download

0:02:37.120000 --> 0:02:43.920000
it from X-Ways. You have the option to set it up, or you can run it from

0:02:43.920000 --> 0:02:46.220000
the standard application.

0:02:46.220000 --> 0:02:50.460000
Let's go ahead and right-click WinHex.exe and run as administrator,

0:02:50.460000 --> 0:02:54.380000
as we're going to analyze the current disk that is attached to this system.

0:02:54.380000 --> 0:03:00.620000
Across the top, we see a menu with a variety of options and features.

0:03:00.620000 --> 0:03:03.500000
We will have the opportunity to explore some of these features in this

0:03:03.500000 --> 0:03:07.240000
video. Let's start off by opening a disk.

0:03:07.240000 --> 0:03:10.580000
Let's go to Tools and then select Open Disk.

0:03:10.580000 --> 0:03:12.660000
Here we have two views.

0:03:12.660000 --> 0:03:16.140000
We have a physical view, where we can directly access the hard disk that

0:03:16.140000 --> 0:03:17.980000
is attached to this machine.

0:03:17.980000 --> 0:03:21.400000
We also have a logical view, where we can access the partitions and file

0:03:21.400000 --> 0:03:23.620000
systems that are found in each partition.

0:03:23.620000 --> 0:03:28.580000
What we're going to do is select the first disk, disk 0, and click the

0:03:28.580000 --> 0:03:34.440000
OK button. Here we can see that WinHex has automatically identified

0:03:34.440000 --> 0:03:36.980000
that there are a couple of starting sectors.

0:03:36.980000 --> 0:03:43.740000
Here we have Partition 1, Partition 2, which is attached to C, and Partition

0:03:43.740000 --> 0:03:46.660000
3, which is attached to D.

0:03:46.660000 --> 0:03:56.400000
Let's navigate back to My Computer, select Manage, and then Disk Management.

0:03:56.400000 --> 0:04:01.720000
The first partition was the System Reserved partition, which is this one.

0:04:01.720000 --> 0:04:05.360000
And as we can see here in WinHex, this partition is not attached to

0:04:05.360000 --> 0:04:09.060000
any drive letter, so this is referring to the same one we just looked

0:04:09.060000 --> 0:04:11.140000
at in Disk Management.

0:04:11.140000 --> 0:04:16.200000
WinHex was able to analyze the disk and understand its structure automatically.

0:04:16.200000 --> 0:04:20.640000
If we look towards the bottom of the screen, we can see a line separator.

0:04:20.640000 --> 0:04:25.380000
The line is actually separating sectors, and this here is an entire sector.

0:04:25.380000 --> 0:04:29.300000
This is extremely useful when analyzing disks.

0:04:29.300000 --> 0:04:32.900000
Since we have this whole sector selected, to clear it we can simply press

0:04:32.900000 --> 0:04:34.600000
the Escape button.

0:04:34.600000 --> 0:04:39.720000
To the right we see several details displayed, like the model, which is

0:04:39.720000 --> 0:04:48.800000
the model of the disk, and the bus, which is serial ATA for this disk drive.

0:04:48.800000 --> 0:04:54.320000
Here we see the total capacity of the disk, number of cylinders, number

0:04:54.320000 --> 0:04:57.820000
of heads, tracks, and many more details.

0:04:57.820000 --> 0:05:05.140000
Now, looking back over here at the starting sector, you may recall from

0:05:05.140000 --> 0:05:09.340000
the slides that the MBR, the Master Boot Record, resides in this sector.

0:05:09.340000 --> 0:05:13.340000
We will analyze it soon.

0:05:13.340000 --> 0:05:18.140000
If we select Partition 1, it takes us directly to the first partition.

0:05:18.140000 --> 0:05:21.820000
Selecting Partition 2 will take us to the second partition and, selecting

0:05:21.820000 --> 0:05:25.300000
Partition 3, will take us to the third partition.

0:05:25.300000 --> 0:05:29.160000
If we select a partition, right-click and select Explore, we can see

0:05:29.160000 --> 0:05:31.320000
all the files that are in that partition.

0:05:31.320000 --> 0:05:38.360000
To close this tab we can simply right-click it and close it.

0:05:38.360000 --> 0:05:42.300000
Let's select the start sector again, and now we will begin our analysis

0:05:42.300000 --> 0:05:46.920000
of the Master Boot Record so that we can learn more about the WinHex features.

0:05:46.920000 --> 0:05:52.940000
As you may recall from the slides, the Master Boot Record is 512 bytes,

0:05:52.940000 --> 0:05:58.220000
which is a sector, and it always ends with 55AA, which is usually called

0:05:58.220000 --> 0:06:00.740000
the end of sector marker.

0:06:00.740000 --> 0:06:04.260000
I've created a reference document on the MBR layout, so we can refresh

0:06:04.260000 --> 0:06:07.880000
ourselves on the layout we covered in the slides.

0:06:07.880000 --> 0:06:18.100000
446 bytes represent the boot code.

0:06:18.100000 --> 0:06:29.100000
If we go back to WinHex, let's start selecting the 446 bytes.

0:06:29.100000 --> 0:06:35.840000
446 bytes is actually 1BE in hex, as we can see here at the bottom right.

0:06:35.840000 --> 0:06:41.560000
If we right-click it, we can see that it is 446, so here we've selected

0:06:41.560000 --> 0:06:46.920000
446 bytes, which represent the boot code.

0:06:46.920000 --> 0:06:50.260000
Let's right-click our selection and select Add Position.

0:06:50.260000 --> 0:06:54.200000
This is useful, as it will help us identify this part of the sector, as

0:06:54.200000 --> 0:06:56.860000
we can add some positions and give them a color.

0:06:56.860000 --> 0:07:01.160000
In the description, let's type boot code and select a color for it.

0:07:01.160000 --> 0:07:09.380000
Let's choose this yellow.

0:07:09.380000 --> 0:07:13.620000
Now we can see that the selection color is the yellow we just selected.

0:07:13.620000 --> 0:07:17.400000
When you hover your cursor over it, we can see the description we entered,

0:07:17.400000 --> 0:07:23.120000
boot code. Let's go back to the MBR layout reference document.

0:07:23.120000 --> 0:07:27.480000
Here we have 4 different partition entries, which are 16 bytes each.

0:07:27.480000 --> 0:07:32.220000
Let's go ahead and select the first 16 bytes, which start here.

0:07:32.220000 --> 0:07:38.480000
Here's 2 bytes, and as we keep selecting, we see that it ends here.

0:07:38.480000 --> 0:07:42.320000
Let's right-click this selection and choose Add Position.

0:07:42.320000 --> 0:07:46.480000
Let's type partition entry number 1 for the description.

0:07:46.480000 --> 0:07:51.300000
Let's copy this, as we'll need it for the other entries.

0:07:51.300000 --> 0:07:53.940000
And now, let's select a color for it.

0:07:53.940000 --> 0:07:57.480000
Let's choose red.

0:07:57.480000 --> 0:08:01.220000
If we press the Escape button, we can now see that the color is updated,

0:08:01.220000 --> 0:08:04.560000
and if we hover over it, it says that it's for partition entry number

0:08:04.560000 --> 0:08:10.740000
1. Let's do the same for the next partition and highlight 16 bytes.

0:08:10.740000 --> 0:08:14.460000
Let's add a position to this selection, and in the description, let's

0:08:14.460000 --> 0:08:18.040000
paste the text we copied earlier and update it, so that it says partition

0:08:18.040000 --> 0:08:23.740000
entry number 2. Let's select blue for its color.

0:08:23.740000 --> 0:08:28.760000
Let's press the Escape button, and here we can see partition entry number

0:08:28.760000 --> 0:08:33.880000
2. Let's go ahead and highlight the third and fourth partition the same

0:08:33.880000 --> 0:09:05.720000
way. Add a position, enter the description, and select a color.

0:09:05.720000 --> 0:09:09.860000
Now, we can easily see all four partitions, and if we hover over them,

0:09:09.860000 --> 0:09:11.780000
we can see which one is which.

0:09:11.780000 --> 0:09:13.940000
Let's also give our marker a color.

0:09:13.940000 --> 0:09:15.200000
Let's add a position.

0:09:15.200000 --> 0:09:20.120000
Based on the layout reference document, this selection is the signature.

0:09:20.120000 --> 0:09:22.900000
Let's make sure our description reflects this, and go ahead and give it

0:09:22.900000 --> 0:09:24.340000
a name of signature.

0:09:24.340000 --> 0:09:28.200000
Let's also give it a color.

0:09:28.200000 --> 0:09:37.880000
Something like this one, so it's easier to differentiate from the others.

0:09:37.880000 --> 0:09:41.460000
So now we have our boot code.

0:09:41.460000 --> 0:09:43.600000
All of our partition entries.

0:09:43.600000 --> 0:09:51.840000
As well as our signature.

0:09:51.840000 --> 0:09:55.460000
Also, we can go to Navigation and then Position Manager, and it will show

0:09:55.460000 --> 0:09:57.660000
us where we can find each of these.

0:09:57.660000 --> 0:10:01.080000
And, if you click on one of them, it will take you to the exact offset

0:10:01.080000 --> 0:10:05.120000
of the entry. This is very useful when doing disk analysis.

0:10:05.120000 --> 0:10:10.960000
So, as you can see here, we've created entries for the whole MBR disk

0:10:10.960000 --> 0:10:16.140000
layout. Let's go to the Position Manager and change our layout back to

0:10:16.140000 --> 0:10:21.120000
what it was. Now, let's start analyzing these layouts.

0:10:21.120000 --> 0:10:25.140000
The first thing we did was understand how the structure of this layout

0:10:25.140000 --> 0:10:27.300000
sits within the 512 bytes.

0:10:27.300000 --> 0:10:32.640000
Now, let's analyze the first partition.

0:10:32.640000 --> 0:10:35.240000
We'll need another layout.

0:10:35.240000 --> 0:10:38.600000
I'm going to open a partition layout reference document I've prepared.

0:10:38.600000 --> 0:10:52.800000
Let's also open Notepad so we can add notes.

0:10:52.800000 --> 0:10:57.880000
Let's see how the 16 bytes of the first partition entry are structured.

0:10:57.880000 --> 0:11:00.580000
We have one byte for the bootable flag.

0:11:00.580000 --> 0:11:04.680000
So, if this partition is bootable, we have 80 hexadecimal.

0:11:04.680000 --> 0:11:07.660000
If it is not, then we will have 00.

0:11:07.660000 --> 0:11:17.420000
We then have 3 bytes for the starting cylinder, head, sector.

0:11:17.420000 --> 0:11:21.000000
We have another 1 byte, and it's for the partition type, which defines

0:11:21.000000 --> 0:11:24.500000
what type of partition it is, and usually this is related to the file

0:11:24.500000 --> 0:11:26.600000
system it's holding.

0:11:26.600000 --> 0:11:31.600000
Here's another 3 bytes, which is the ending cylinder, head, sector.

0:11:31.600000 --> 0:11:38.300000
We have 4 bytes for the logical block address, which is what is currently

0:11:38.300000 --> 0:11:42.500000
used to address disks.

0:11:42.500000 --> 0:11:46.340000
And lastly, we have another 4 bytes, which are the number of sectors

0:11:46.340000 --> 0:11:47.820000
in this partition.

0:11:47.820000 --> 0:11:52.440000
Now what we'll do is take the 16 bytes and begin our analysis of each

0:11:52.440000 --> 0:11:55.220000
byte at the byte level.

0:11:55.220000 --> 0:11:59.260000
I've also prepared another reference document for the CHS value.

0:11:59.260000 --> 0:12:09.660000
This is how the CHS is structured.

0:12:09.660000 --> 0:12:11.920000
We have 10 bits for the cylinder.

0:12:11.920000 --> 0:12:13.720000
We have 8 bits for the head.

0:12:13.720000 --> 0:12:16.580000
And we have 6 bits for the sector.

0:12:16.580000 --> 0:12:19.980000
You may be wondering why I read it in that order, rather than from top

0:12:19.980000 --> 0:12:24.440000
to bottom. As we can see here, they are actually stored as HSC instead

0:12:24.440000 --> 0:12:30.340000
of CHS. So they should be read as CHS rather than how they are stored.

0:12:30.340000 --> 0:12:33.780000
Let's go back to WinHex and select the first partition entry from the

0:12:33.780000 --> 0:12:40.280000
beginning to the end point and then right-click, and select Edit.

0:12:40.280000 --> 0:12:45.080000
From here, choose Copy Block and then Hex Values, as we want to copy as

0:12:45.080000 --> 0:12:51.580000
Hex Values. As we've seen earlier, we have reference documents we can

0:12:51.580000 --> 0:12:53.540000
use throughout this process.

0:12:53.540000 --> 0:12:57.760000
This one contains information on the partition entry and how it's structured.

0:12:57.760000 --> 0:13:02.780000
This document contains the structure of the cylinder, head, sector.

0:13:02.780000 --> 0:13:14.300000
For Partition 1, we can copy the hex values we just obtained from WinHex.

0:13:14.300000 --> 0:13:14.820000
This is how we can copy the hex values we just obtained from WinHex.

0:13:14.820000 --> 0:13:18.640000
Based on the layout, the first byte is for bootable or non-bootable.

0:13:18.640000 --> 0:13:23.440000
So, let's take this byte, cut it and add it here.

0:13:23.440000 --> 0:13:24.940000
Is this bootable?

0:13:24.940000 --> 0:13:29.000000
Yes, it is, because it holds the value 80.

0:13:29.000000 --> 0:13:32.880000
Now let's take the starting CHS, which is 3 bytes.

0:13:32.880000 --> 0:13:37.680000
So, let's select 3 bytes.

0:13:37.680000 --> 0:13:41.420000
Cut it and paste it here.

0:13:41.420000 --> 0:13:44.760000
Since this is in little endian, it's read from the least significant byte

0:13:44.760000 --> 0:13:49.300000
first, so it's read as 002120.

0:13:49.300000 --> 0:13:54.600000
Now we need a calculator to start doing calculations.

0:13:54.600000 --> 0:14:00.440000
Make sure that the programmer version is running.

0:14:00.440000 --> 0:14:03.540000
Let's take this value and put it into the calculator.

0:14:03.540000 --> 0:14:06.360000
Make sure it's in hex, as it is a hex value.

0:14:06.360000 --> 0:14:10.960000
Now, we need to convert this value to binary because these entries are

0:14:10.960000 --> 0:14:13.560000
in bits instead of bytes.

0:14:13.560000 --> 0:14:17.720000
So this value represents the bits for the cylinder, head, sector.

0:14:17.720000 --> 0:14:25.940000
Let's copy this value and paste it into our CHS Notepad file.

0:14:25.940000 --> 0:14:30.840000
Let's now move it here so we can start working on it.

0:14:30.840000 --> 0:14:33.920000
First up is the head, which is 8 bytes.

0:14:33.920000 --> 0:14:37.300000
So, let's go ahead and take 8 bits from here.

0:14:37.300000 --> 0:14:42.840000
Let's cut and paste that value here.

0:14:42.840000 --> 0:14:48.580000
Then we have 6 bits for the sector.

0:14:48.580000 --> 0:14:51.140000
Let's cut and paste those values here.

0:14:51.140000 --> 0:14:54.280000
Since we don't have any more bits to fill the rest of the 24 bits, we will just

0:14:54.280000 --> 0:14:56.780000
add 10 zeros here.

0:14:56.780000 --> 0:15:17.580000
If we calculate the head now and convert to decimal, we get 32.

0:15:17.580000 --> 0:15:19.540000
Let's do the same for the sector.

0:15:19.540000 --> 0:15:24.940000
Make sure the calculator is in binary first.

0:15:24.940000 --> 0:15:30.300000
Then, when we convert it to decimal, we get 33.

0:15:30.300000 --> 0:15:32.920000
And the cylinder equals zero.

0:15:32.920000 --> 0:15:38.180000
We know that we have a cylinder that's zero.

0:15:38.180000 --> 0:15:44.080000
We have a head, which is 32, and we have 33 for the sector.

0:15:44.080000 --> 0:15:46.920000
So this is the starting CHS.

0:15:46.920000 --> 0:15:50.600000
Now, let's go to the partition type, which is 1 byte.

0:15:50.600000 --> 0:15:54.220000
So, let's take this 1 byte out and bring it here.

0:15:54.220000 --> 0:15:58.920000
We can actually check to see which partition type this belongs to by going

0:15:58.920000 --> 0:16:00.800000
to this website.

0:16:00.800000 --> 0:16:11.120000
07 is an NTFS file system.

0:16:11.120000 --> 0:16:15.100000
Let's go ahead and calculate the ending CHS, which is 3 bytes.

0:16:15.100000 --> 0:16:17.540000
So, let's take these 3 bytes here.

0:16:17.540000 --> 0:16:24.480000
Let's move them to here.

0:16:24.480000 --> 0:16:29.120000
These are also in little endian.

0:16:29.120000 --> 0:16:34.300000
So it's 2F1282.

0:16:34.300000 --> 0:16:36.400000
So, what does this give us?

0:16:36.400000 --> 0:16:38.840000
Let's go over to the calculator and see.

0:16:38.840000 --> 0:16:42.240000
Make sure that it's in hex and paste the value there.

0:16:42.240000 --> 0:16:46.040000
Let's copy this value and put it in our CHS file.

0:16:46.040000 --> 0:16:49.020000
Now, let's take 8 bits for the head.

0:16:49.020000 --> 0:17:04.660000
Let's take 6 bits for the sector.

0:17:04.660000 --> 0:17:08.960000
And now, let's take 8 for the cylinder.

0:17:08.960000 --> 0:17:17.360000
And, we can pad it with zeros to make it 10 bits.

0:17:17.360000 --> 0:17:21.320000
Now, let's take the head value and see what it equals.

0:17:21.320000 --> 0:17:23.480000
Let's clear this out.

0:17:23.480000 --> 0:17:26.560000
Paste in the new value and convert it to decimal.

0:17:26.560000 --> 0:17:33.020000
So the head equals 130.

0:17:33.020000 --> 0:17:35.440000
Let's do the same for the sector.

0:17:35.440000 --> 0:17:42.280000
Again, make sure that it's in binary first.

0:17:42.280000 --> 0:17:44.960000
So, the sector is 18.

0:17:44.960000 --> 0:17:48.340000
And, now let's see what it is for the cylinder.

0:17:48.340000 --> 0:17:58.900000
So the cylinder is 188.

0:17:58.900000 --> 0:18:05.100000
Here we have the ending CHS, which is located at cylinder 188, sector

0:18:05.100000 --> 0:18:11.320000
18, and head 130.

0:18:11.320000 --> 0:18:17.160000
The partition type is 07, which we can find here and is NTFS.

0:18:17.160000 --> 0:18:23.640000
Okay, so now we want to calculate the LBA, which has 4 bytes, which we

0:18:23.640000 --> 0:18:28.120000
can see here. Let's go ahead and take 4 bytes.

0:18:28.120000 --> 0:18:30.280000
Let's paste it here.

0:18:30.280000 --> 0:18:33.660000
The rest are actually for the number of sectors.

0:18:33.660000 --> 0:18:44.420000
This needs to be converted to little endian, so we have 00000800.

0:18:44.420000 --> 0:18:54.540000
For the number of sectors, we have 000AF000.

0:18:54.540000 --> 0:18:57.100000
Now let's go back to our calculator.

0:18:57.100000 --> 0:19:01.140000
Make sure that it's in hex and convert it to decimal.

0:19:01.140000 --> 0:19:04.380000
So, we have 2048.

0:19:04.380000 --> 0:19:07.180000
Let's copy this value for the LBA.

0:19:07.180000 --> 0:19:13.720000
Next, let's copy the value for the number of sectors and calculate it.

0:19:13.720000 --> 0:19:15.980000
Again, make sure it's in hex.

0:19:15.980000 --> 0:19:20.180000
Let's paste our value and convert it to decimal.

0:19:20.180000 --> 0:19:25.040000
And we have 716,800.

0:19:25.040000 --> 0:19:31.040000
If we multiply this value by 512, we get this value, which is the partition

0:19:31.040000 --> 0:19:37.560000
size in bytes. To convert it to kilobytes, we can simply divide it by

0:19:37.560000 --> 0:19:53.340000
1024. If we divide it again by 1024, we get it in megabytes, which is

0:19:53.340000 --> 0:20:12.520000
350. Let's go to WinHex and check our values.

0:20:12.520000 --> 0:20:17.600000
For partition 1, we have cylinder 0 in WinHex and in our file.

0:20:17.600000 --> 0:20:22.020000
For head number, we have 32 in WinHex and 32 in our file.

0:20:22.020000 --> 0:20:26.200000
Sector number is 33 in WinHex and is the same in our file.

0:20:26.200000 --> 0:20:30.160000
The partition is actually bootable, which we found from the 80.

0:20:30.160000 --> 0:20:39.680000
The number of megabytes is 350, the same in WinHex and our file.

0:20:39.680000 --> 0:20:43.380000
It seems that everything here is correct, so let's move on and calculate

0:20:43.380000 --> 0:20:44.920000
the next partition.

0:20:44.920000 --> 0:20:51.440000
Let's go back to the starting sector and analyze partition number 2.

0:20:51.440000 --> 0:20:54.000000
Let's select the entry for partition number 2.

0:20:54.000000 --> 0:20:55.800000
Right-click it and select Edit.

0:20:55.800000 --> 0:20:59.720000
Select Copy Block and then choose Hex Values.

0:20:59.720000 --> 0:21:05.980000
Let's go back to our CHS file and copy the information from WinHex here

0:21:05.980000 --> 0:21:11.020000
for partition number 2.

0:21:11.020000 --> 0:21:15.640000
One thing to note here is that this partition is more than 4GB, so it

0:21:15.640000 --> 0:21:19.320000
will not be using the starting CHS or ending CHS here.

0:21:19.320000 --> 0:21:23.080000
It will depend completely on the LBA and number of sectors to know

0:21:23.080000 --> 0:21:25.620000
the beginning and end of the partition.

0:21:25.620000 --> 0:21:30.560000
So let's go ahead and analyze partition 2.

0:21:30.560000 --> 0:21:34.660000
The first byte tells us whether it's bootable or not.

0:21:34.660000 --> 0:21:38.060000
Since it's 0, it means that it's non-bootable.

0:21:38.060000 --> 0:21:59.880000
Now, let's take the CHS out, which is 3 bytes, and put them here.

0:21:59.880000 --> 0:22:04.340000
The partition type is 1 byte and based on this website, it is an NTFS

0:22:04.340000 --> 0:22:15.960000
file system. The ending CHS is also 3 bytes.

0:22:15.960000 --> 0:22:19.120000
So let's also take this information and put it in the ending CHS portion

0:22:19.120000 --> 0:22:23.260000
below. The logical block address has 4 bytes.

0:22:23.260000 --> 0:22:31.040000
Let's also grab this information and put it below.

0:22:31.040000 --> 0:22:34.640000
The last 4 bytes are for the number of sectors.

0:22:34.640000 --> 0:22:44.740000
Now, let's convert the LBA value to little endian, 000AF800.

0:22:44.740000 --> 0:22:48.100000
Let's use the calculator to see what this equals.

0:22:48.100000 --> 0:22:55.120000
Make sure that it's in hex so that we can convert it to decimal.

0:22:55.120000 --> 0:23:01.980000
So, the logical block address equals 718848.

0:23:01.980000 --> 0:23:04.220000
We'll verify it shortly.

0:23:04.220000 --> 0:23:09.880000
Let's now convert the number of sectors, 12449000.

0:23:09.880000 --> 0:23:25.100000
So this is the number of sectors we have in this partition.

0:23:25.100000 --> 0:23:28.280000
To get the number of bytes in this partition, we simply need to take this

0:23:28.280000 --> 0:23:31.020000
value and multiply it by 512.

0:23:31.020000 --> 0:23:36.820000
This is the number of bytes in the partition.

0:23:36.820000 --> 0:23:45.600000
And, if we divide it twice by 1024, we now have the partition size in

0:23:45.600000 --> 0:24:03.240000
megabytes. Let's verify this information in WinHex.

0:24:03.240000 --> 0:24:09.100000
If we go to Partition 2, right-click it and select Explore, it will open.

0:24:09.100000 --> 0:24:17.600000
Let's bring our file back up.

0:24:17.600000 --> 0:24:27.120000
The partition type is 07, which we can find here and is NTFS.

0:24:27.120000 --> 0:24:34.160000
The logical block address starts at this address, which is 711848.

0:24:34.160000 --> 0:24:47.600000
If we go back here, the values are exactly the same.

0:24:47.600000 --> 0:24:50.000000
If we go back here, we can see the number of sectors, the sector

0:24:50.000000 --> 0:24:55.360000
count, 306,483,200.

0:24:55.360000 --> 0:25:02.260000
And the size in bytes, starting here with 1569.

0:25:02.260000 --> 0:25:06.480000
If we look at the far right in WinHex, we can also see it here too.

0:25:06.480000 --> 0:25:12.220000
We've managed to analyze the second partition and get the exact same values.

0:25:12.220000 --> 0:25:15.940000
In this video, we were able to analyze and parse the partitions just by going through

0:25:15.940000 --> 0:25:18.860000
the bytes of the master boot record.

0:25:18.860000 --> 0:25:22.620000
The same technique can be applied to the third and fourth partition.

0:25:22.620000 --> 0:25:26.080000
However, looking at the fourth partition, it's already cleared out

0:25:26.080000 --> 0:25:31.040000
and is zero, which means we don't have a fourth partition.

0:25:31.040000 --> 0:25:35.940000
And this concludes our video lesson on Performing Disk Analysis Procedures

0:25:35.940000 --> 0:25:38.320000
on a Suspect's Disk.

0:25:38.320000 --> 0:25:39.320000
Thank you for joining us.
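The byte-level walk the video performs by hand with a calculator, as an added Python example (not from the video, and not X-Ways or WinHex code): it checks the 55AA marker of a 512-byte MBR, splits off the four 16-byte entries after the 446-byte boot code, and decodes the boot flag, the two CHS fields, the type byte, and the little-endian LBA start and sector count. The sample sector is constructed from the hex values read out for partitions 1 and 2; the zero-filled boot code, the FE FF FF CHS bytes of entry 2 and the empty entries 3 and 4 are assumptions.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

SECTOR_SIZE = 512
BOOT_CODE_SIZE = 446            # bytes 0x000-0x1BD hold the boot code
PARTITION_TABLE_OFFSET = 0x1BE  # four 16-byte entries follow the boot code
PARTITION_ENTRY_SIZE = 16
MBR_SIGNATURE = b"\x55\xAA"     # bytes 510-511, the "end of sector" marker

# Constructed subset of partition type ids; 0x07 (NTFS) is the one met in the video.
PARTITION_TYPES = {0x00: "empty", 0x07: "NTFS", 0x0C: "FAT32 (LBA)", 0x83: "Linux", 0xEE: "GPT protective"}


@dataclass
class CHS:
    cylinder: int
    head: int
    sector: int


def decode_chs(raw: bytes) -> CHS:
    """Decode a 3-byte CHS field as stored on disk (head, sector, cylinder). The sector
    byte keeps the 6-bit sector low and bits 8-9 of the 10-bit cylinder in its top two bits."""
    head = raw[0]
    sector = raw[1] & 0x3F
    cylinder = ((raw[1] & 0xC0) << 2) | raw[2]   # high 2 bits, then cylinder bits 0-7
    return CHS(cylinder, head, sector)


@dataclass
class PartitionEntry:
    index: int
    bootable: bool
    start_chs: CHS
    type_id: int
    end_chs: CHS
    lba_start: int
    sector_count: int

    @property
    def type_name(self) -> str:
        return PARTITION_TYPES.get(self.type_id, f"unknown (0x{self.type_id:02X})")

    @property
    def lba_end(self) -> int:
        return self.lba_start + self.sector_count - 1

    @property
    def size_mb(self) -> float:
        # sectors * 512 gives bytes; two divisions by 1024 give megabytes, as in the video
        return self.sector_count * SECTOR_SIZE / 1024 / 1024


def parse_partition_entry(index: int, raw: bytes) -> Optional[PartitionEntry]:
    """Parse one 16-byte entry; an all-zero entry is an unused slot and yields None."""
    if raw == bytes(PARTITION_ENTRY_SIZE):
        return None
    flag = raw[0]
    if flag not in (0x00, 0x80):
        raise ValueError(f"entry {index}: invalid boot flag 0x{flag:02X}")
    # LBA start and sector count are 32-bit little-endian integers at offsets 8 and 12.
    lba_start, sector_count = struct.unpack_from("<II", raw, 8)
    return PartitionEntry(index, flag == 0x80, decode_chs(raw[1:4]), raw[4],
                          decode_chs(raw[5:8]), lba_start, sector_count)


def parse_mbr(sector: bytes) -> List[PartitionEntry]:
    """Parse the partition table of a 512-byte MBR; refuses a sector without 55AA."""
    if len(sector) < SECTOR_SIZE or sector[510:512] != MBR_SIGNATURE:
        raise ValueError("not a full 512-byte sector ending in 55AA")
    entries = []
    for i in range(4):
        offset = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        entry = parse_partition_entry(i + 1, sector[offset:offset + PARTITION_ENTRY_SIZE])
        if entry is not None:
            entries.append(entry)
    return entries


def build_sample_mbr() -> bytes:
    """Constructed sector: entries 1 and 2 use the hex values read out in the video;
    the zero-filled boot code and the empty entries 3 and 4 are assumptions."""
    entry1 = bytes.fromhex("80 20 21 00 07 82 12 2F 00 08 00 00 00 F0 0A 00")
    # FE FF FF is the conventional CHS placeholder for a partition beyond CHS reach (assumed).
    entry2 = bytes.fromhex("00 FE FF FF 07 FE FF FF 00 F8 0A 00 00 90 44 12")
    table = entry1 + entry2 + bytes(PARTITION_ENTRY_SIZE) * 2
    return bytes(BOOT_CODE_SIZE) + table + MBR_SIGNATURE
```

The decoder takes the cylinder's bits 8-9 from the top of the sector byte, which is where the 10-bit cylinder is stored on disk, so the ending cylinder it reports for entry 1 comes from that layout rather than from zero-padding the cylinder byte.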