WEBVTT

0:00:03.080000 --> 0:00:08.040000
In this video, we will do another test on an NTFS file system to see how

0:00:08.040000 --> 0:00:12.100000
the file system interprets data runs, which are used to locate files,

0:00:12.100000 --> 0:00:16.580000
especially files that are stored outside the MFT, in other words, non-resident

0:00:16.580000 --> 0:00:21.900000
files. A small disk with an empty file system was created for

0:00:21.900000 --> 0:00:25.580000
this video. We can see that there are no files currently stored on this

0:00:25.580000 --> 0:00:31.200000
disk. I have also created two files, which are here, on the desktop.

0:00:31.200000 --> 0:00:35.360000
If we open the first file, which is called File AB, it is named as such

0:00:35.360000 --> 0:00:40.880000
because it has 2000 As and 2000 Bs, which total 4000 bytes.

0:00:40.880000 --> 0:00:46.780000
Our second file, File CD, is similar to the first in that it has 2000

0:00:46.780000 --> 0:00:54.180000
Cs and 2000 Ds, totaling 4000 bytes.

0:00:54.180000 --> 0:00:58.300000
If we go to the properties of these files to look at the storage, we can

0:00:58.300000 --> 0:01:02.900000
confirm the file size is 4000 bytes, as each character represents one

0:01:02.900000 --> 0:01:18.520000
byte. Looking at the disk, it has a cluster size of 4096, which we will

0:01:18.520000 --> 0:01:22.520000
also calculate. So, let's go ahead and close this.

0:01:22.520000 --> 0:01:27.120000
Now, let's copy these files to the disk.

0:01:27.120000 --> 0:01:36.220000
We can now open and run FTK Imager as an administrator so that we can

0:01:36.220000 --> 0:01:38.500000
take a forensic copy of this disk.

0:01:38.500000 --> 0:01:45.500000
Let's go to File and select Create Disk Image.

0:01:45.500000 --> 0:01:47.880000
Let's create it for a logical drive.

0:01:47.880000 --> 0:01:51.440000
Select the A drive and click the Finish button.
0:01:51.440000 --> 0:01:55.460000
Now, let's click the Add button so that we can add a destination.

0:01:55.460000 --> 0:01:59.160000
Let's select Raw (dd) and click Next.

0:01:59.160000 --> 0:02:01.660000
We're not going to fill this in right now.

0:02:01.660000 --> 0:02:04.500000
We can always enter this information later.

0:02:04.500000 --> 0:02:07.380000
Next, let's store the file on the desktop.

0:02:07.380000 --> 0:02:15.560000
Let's name the file NTFS test01.

0:02:15.560000 --> 0:02:19.400000
Since we don't want the file split, let's update this value to zero and

0:02:19.400000 --> 0:02:21.320000
then click the Finish button.

0:02:21.320000 --> 0:02:24.580000
Now, we can click the Start button to begin the creation of the forensic

0:02:24.580000 --> 0:02:34.120000
image. Everything is now complete and verified.

0:02:34.120000 --> 0:02:40.140000
We can go ahead and close this.

0:02:40.140000 --> 0:02:43.740000
Now, let's copy this file over so we can open this image using WinHex

0:02:43.740000 --> 0:02:45.580000
on this virtual machine.

0:02:45.580000 --> 0:02:59.140000
Let's go ahead and run WinHex as an administrator.

0:02:59.140000 --> 0:03:10.100000
Once open, let's go to File, then Open, and open the file we created.

0:03:10.100000 --> 0:03:16.360000
Now, let's go to Specialist and select Interpret Image File As Disk.

0:03:16.360000 --> 0:03:21.320000
So now, we have an NTFS disk with an NTFS file system.

0:03:21.320000 --> 0:03:24.760000
Here, we see all of the files we saw in previous videos, which make up the

0:03:24.760000 --> 0:03:27.220000
NTFS file system.

0:03:27.220000 --> 0:03:29.400000
Here's File AB.

0:03:29.400000 --> 0:03:32.680000
As we scroll through its contents, we can see the As as well as where

0:03:32.680000 --> 0:03:40.960000
the Bs start. And, if we scroll down, we can see that there are 96 bytes

0:03:40.960000 --> 0:03:44.820000
of empty space, which is why there are zeros, because the file size is

0:03:44.820000 --> 0:03:46.480000
only 4,000 bytes.

0:03:46.480000 --> 0:03:51.220000
Just below, File CD starts.

0:03:51.220000 --> 0:03:54.340000
And, as we scroll through the entries, we can also see that it's using

0:03:54.340000 --> 0:04:02.700000
one cluster. And like the other file, the rest is filled with zeros.

0:04:02.700000 --> 0:04:07.580000
Our goal, and the goal of this video, is to locate the exact cluster number.

0:04:07.580000 --> 0:04:11.880000
Before we do that, though, there is one more important thing that we need.

0:04:11.880000 --> 0:04:14.920000
We need to go to the boot sector to understand what the exact size of the cluster

0:04:14.920000 --> 0:04:19.760000
is. We should always verify this by checking the boot sector of the disk, as

0:04:19.760000 --> 0:04:23.280000
we cannot depend on what we see here in the video and assume we'll always

0:04:23.280000 --> 0:04:27.400000
have this. In a real case, we need to understand how big this size actually

0:04:27.400000 --> 0:04:32.420000
is. We cannot depend on what we see in the video.

0:04:32.420000 --> 0:04:36.580000
So, let's select the boot sector, go to View, and select Template Manager,

0:04:36.580000 --> 0:04:40.800000
and then, let's apply the Boot Sector NTFS template, as this option allows us to

0:04:40.800000 --> 0:04:44.920000
find the location of the bytes for the sectors per cluster

0:04:44.920000 --> 0:04:46.920000
and bytes per sector.

0:04:46.920000 --> 0:04:52.480000
Let's click the Apply button.

0:04:52.480000 --> 0:04:58.140000
Here, we can see that we have eight sectors per cluster, and each sector is 512 bytes.

0:04:58.140000 --> 0:05:01.480000
So now we know that we have eight sectors, which means we have a cluster

0:05:01.480000 --> 0:05:08.720000
size of 4096. Let's go ahead and close this, and go back to File AB.
0:05:08.720000 --> 0:05:14.080000
This time, though, let's right-click, go to Navigate, and select Seek

0:05:14.080000 --> 0:05:21.540000
File Record. Here we can see the file entry, also called the file record,

0:05:21.540000 --> 0:05:23.740000
in the MFT file table.

0:05:23.740000 --> 0:05:27.460000
What we need to do now is locate the data run.

0:05:27.460000 --> 0:05:41.660000
To do that, let's use a really useful document by Jason Maderos.

0:05:41.660000 --> 0:05:44.640000
Let's go to the Attributes section, as we need to identify the attribute

0:05:44.640000 --> 0:05:52.460000
type and ID. Here, we see the Data attribute, which is the attribute that

0:05:52.460000 --> 0:05:58.580000
will be holding our data, and it has an ID of 80.

0:05:58.580000 --> 0:06:03.180000
So, let's go back to WinHex and, like in a previous video, we'll go

0:06:03.180000 --> 0:06:08.800000
through all of these.

0:06:08.800000 --> 0:06:13.200000
Here, this is an attribute and its size.

0:06:13.200000 --> 0:06:17.040000
We can see that our data attribute starts here, and since we have 48 in hex,

0:06:17.040000 --> 0:06:29.840000
which is 72 bytes in decimal, we need to select 72 bytes.

0:06:29.840000 --> 0:06:32.680000
This selection is all of the data attribute.

0:06:32.680000 --> 0:06:36.840000
It starts with 80, the attribute ID, and then we have 4 bytes for its

0:06:36.840000 --> 0:06:40.660000
size, which says we have 72 bytes in decimal.

0:06:40.660000 --> 0:06:47.440000
At the end of this attribute is where we have our data run.

0:06:47.440000 --> 0:06:52.960000
So, the data run is located here.

0:06:52.960000 --> 0:06:55.400000
How can we interpret this data run?

0:06:55.400000 --> 0:07:00.280000
To answer that question, let's start off by copying it by right-clicking,

0:07:00.280000 --> 0:07:03.560000
selecting Copy Block, and then Hex Values.
0:07:03.560000 --> 0:07:09.180000
On the desktop, I'll open the Notes file we used previously and copy in

0:07:09.180000 --> 0:07:16.140000
the values. So, now we have 1, 1, 0, 1, and 24.

0:07:16.140000 --> 0:07:20.720000
The second number in the Values box, the 1, indicates that we have 1 byte

0:07:20.720000 --> 0:07:24.900000
used for the number of clusters in the run.

0:07:24.900000 --> 0:07:37.980000
So, this particular 1 here represents this.

0:07:37.980000 --> 0:07:41.800000
The first number, this 1, means that we have 1 byte used for the first

0:07:41.800000 --> 0:07:47.140000
cluster number. So, what this means is that this byte will be for the

0:07:47.140000 --> 0:08:12.640000
number of clusters, and this byte for the first cluster number.

0:08:12.640000 --> 0:08:15.420000
Don't forget that this is in little-endian.

0:08:15.420000 --> 0:08:19.360000
If we had more than 1 byte, we would have to swap these bytes.

0:08:19.360000 --> 0:08:30.420000
Now, let's open our calculator.

0:08:30.420000 --> 0:08:34.560000
The 0, 1 is already known, so we don't have to convert it, but let's go

0:08:34.560000 --> 0:08:36.920000
ahead and convert the 24.

0:08:36.920000 --> 0:08:42.120000
We need to convert the 24 from hex to decimal, which is 36 in decimal.

0:08:42.120000 --> 0:08:46.720000
Now, let's go back to WinHex.

0:08:46.720000 --> 0:08:50.540000
The value we just converted is a cluster number, so we need

0:08:50.540000 --> 0:08:56.020000
to multiply it by 8, because each cluster is using 8 sectors.

0:08:56.020000 --> 0:08:58.200000
This gives us 288.

0:08:58.200000 --> 0:09:03.140000
So, if we go here and select File AB, we can see that the file's first

0:09:03.140000 --> 0:09:09.500000
sector is 288, meaning we were able to identify this file's exact location.

0:09:09.500000 --> 0:09:13.600000
Let's do the same with File CD.

0:09:13.600000 --> 0:09:15.740000
Let's select it, and right-click.
0:09:15.740000 --> 0:09:20.620000
Then, choose Navigation, and go to Seek File Record.

0:09:20.620000 --> 0:09:24.460000
We already know that our data attribute starts with 80, so here is our

0:09:24.460000 --> 0:09:29.380000
data attribute, and the size is 72 in decimal and 48 in hex.

0:09:29.380000 --> 0:09:36.980000
Let's start selecting our bytes.

0:09:36.980000 --> 0:09:43.680000
Now, we can see that this here represents the data runs.

0:09:43.680000 --> 0:09:48.680000
Let's go ahead and select them, and then select Copy as Hex Values.

0:09:48.680000 --> 0:09:55.100000
Let's paste these values into Notepad.

0:09:55.100000 --> 0:10:01.960000
Here we have one byte that will be holding our first cluster number.

0:10:01.960000 --> 0:10:08.060000
We have this one byte here, which is the number of clusters used by this

0:10:08.060000 --> 0:10:13.780000
file. It is clear that we have only one cluster, but let's go ahead and

0:10:13.780000 --> 0:10:25.400000
convert it. So, we have 25, and if we convert it to decimal, it's 37.

0:10:25.400000 --> 0:10:30.640000
And, if we multiply it by 8, then we get 296.

0:10:30.640000 --> 0:10:37.920000
Here, we can see that it's also 296.

0:10:37.920000 --> 0:10:40.640000
So, why did we multiply it by 8?

0:10:40.640000 --> 0:10:44.100000
Because, as mentioned earlier, this converts the cluster number to a sector number, as each

0:10:44.100000 --> 0:10:46.280000
cluster is using 8 sectors.

0:10:46.280000 --> 0:10:51.100000
Let's go ahead and calculate another file, the MFT.

0:10:51.100000 --> 0:10:58.540000
So, how can we identify the location of the file?

0:10:58.540000 --> 0:11:00.220000
It's the same as we did earlier.

0:11:00.220000 --> 0:11:04.940000
The MFT is a file, so let's right-click, go to Navigation,

0:11:04.940000 --> 0:11:07.380000
and then select Seek File Record.

0:11:07.380000 --> 0:11:11.700000
We are already here.
0:11:11.700000 --> 0:11:16.840000
Now, let's go to the Data section, which is right here, and select it.

0:11:16.840000 --> 0:11:28.160000
This one is different.

0:11:28.160000 --> 0:11:33.840000
As we can see, we have these bytes, which represent our data run.

0:11:33.840000 --> 0:11:38.380000
So, let's select these bytes, right-click, choose Edit, and select Copy,

0:11:38.380000 --> 0:11:40.360000
and go to Hex Values.

0:11:40.360000 --> 0:11:44.360000
Let's go to our Notepad so we can analyze it.

0:11:44.360000 --> 0:11:48.920000
So, what we have here is the following.

0:11:48.920000 --> 0:11:54.900000
Here, we have two bytes, which represent our first cluster number, and

0:11:54.900000 --> 0:12:01.520000
one byte, which will represent how many clusters we have for this file.

0:12:01.520000 --> 0:12:04.860000
The 2 means that these two bytes here are for the first cluster number,

0:12:04.860000 --> 0:12:08.860000
which we swap, since they are in little-endian.

0:12:08.860000 --> 0:12:13.340000
We have 52 and 55 for the first cluster number.

0:12:13.340000 --> 0:12:19.860000
The 1 means one byte for the number of clusters, which is 40 in hexadecimal.

0:12:19.860000 --> 0:12:22.160000
Now, let's go ahead and convert them.

0:12:22.160000 --> 0:12:27.760000
Making sure the calculator is in hex, 52 55 converted to decimal is

0:12:27.760000 --> 0:12:30.020000
21,077, the first cluster number.

0:12:30.020000 --> 0:12:36.860000
We now need to multiply this by 8, which gives us 168,616.

0:12:36.860000 --> 0:12:42.120000
This is our first sector number.

0:12:42.120000 --> 0:12:49.840000
Now, let's convert 40.

0:12:49.840000 --> 0:12:59.080000
We get 64. So, we have 64 clusters for this file.

0:12:59.080000 --> 0:13:04.040000
Let's check it in WinHex, and verify that our calculations are correct.

0:13:04.040000 --> 0:13:09.580000
We can see in our file in WinHex that 168,616 is where the first sector

0:13:09.580000 --> 0:13:15.200000
for the MFT starts, so our calculation is correct.
0:13:15.200000 --> 0:13:30.960000
If we go ahead and multiply 64 by 4096, this gives us 262,144 bytes.

0:13:30.960000 --> 0:13:36.600000
And, if we divide that by 1024, we get 256 kilobytes, which is the

0:13:36.600000 --> 0:13:40.320000
same size we have here for this MFT file.

0:13:40.320000 --> 0:13:45.860000
As you can see, it's very easy to calculate the clusters and the entries

0:13:45.860000 --> 0:13:49.620000
for the data runs, especially if you know how the data is structured and

0:13:49.620000 --> 0:13:52.760000
how it's actually stored on the disk.

0:13:52.760000 --> 0:13:56.240000
Also, WinHex makes these very easy to calculate, because we don't need

0:13:56.240000 --> 0:13:58.100000
to go through all the headache.

0:13:58.100000 --> 0:14:02.040000
We can just simply select the file, right-click it, go to Navigation,

0:14:02.040000 --> 0:14:04.420000
and select List Clusters.

0:14:04.420000 --> 0:14:08.280000
Here we can see that the location is at cluster 36, and if we multiply

0:14:08.280000 --> 0:14:11.960000
that by 8, it will give us 288.

0:14:11.960000 --> 0:14:16.800000
It also tells us that it is using only one cluster and is holding 4000

0:14:16.800000 --> 0:14:23.480000
bytes. If we go through the same steps for File CD, its location is at

0:14:23.480000 --> 0:14:28.800000
cluster 37, it holds 4000 bytes, and it is using a single cluster.

0:14:28.800000 --> 0:14:36.200000
Let's do the same steps for the MFT as well.

0:14:36.200000 --> 0:14:40.120000
Here's the first cluster number, 21,077.

0:14:40.120000 --> 0:14:44.220000
We also see that the clusters in between were omitted from the list.

0:14:44.220000 --> 0:14:50.980000
This value here is the final cluster number, so we have from 21,077 up

0:14:50.980000 --> 0:14:58.180000
to 21,140, and we have 64 clusters.

0:14:58.180000 --> 0:15:02.700000
In this video, we did the calculation manually, should we not have WinHex

0:15:02.700000 --> 0:15:05.940000
available or need to perform this process manually.
0:15:05.940000 --> 0:15:10.420000
We then used WinHex to verify our calculations, as well as used its features

0:15:10.420000 --> 0:15:13.300000
to do the same calculations automatically.

0:15:13.300000 --> 0:15:16.980000
You can now experiment with these techniques and identify files regardless

0:15:16.980000 --> 0:15:21.080000
of their location, sector, etc.

0:15:21.080000 --> 0:15:26.560000
And this concludes our video lesson on Manually Analyzing File Data Runs.

0:15:26.560000 --> 0:15:27.400000
Thank you for joining us.
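As an added example, not code from the video or from WinHex, here is a Python decoder for the data run format the lesson walks through by hand: it splits the header byte into its two nibbles, reads the run length and the little-endian cluster offset, and multiplies the cluster by the 8 sectors per cluster read from the boot sector. It goes beyond the single-run case in the video by also handling chained runs with signed relative offsets and sparse runs; the run lists below are constructed to match the byte values the video reads out.

```python
# Added example, not the video's own code: decode an NTFS $DATA data run list
# into (LCN, clusters) extents and turn the first LCN into a sector number,
# as the video does by hand. Sample run lists are constructed from the video.
SECTORS_PER_CLUSTER = 8  # read from the boot sector in the video
BYTES_PER_CLUSTER = SECTORS_PER_CLUSTER * 512  # 4096


def parse_data_runs(runs: bytes):
    """Return [(lcn, length), ...]; lcn is None for a sparse run.
    Header byte: low nibble = size of the length field, high nibble = size of
    the LCN offset field (little-endian, signed, relative to the previous
    run's LCN; size 0 means sparse). A 0x00 header byte ends the list.
    """
    extents, pos, prev_lcn = [], 0, 0
    while pos < len(runs) and runs[pos] != 0x00:
        header = runs[pos]
        len_size, off_size = header & 0x0F, header >> 4
        pos += 1
        if len_size == 0 or pos + len_size + off_size > len(runs):
            raise ValueError("truncated or malformed data run list")
        length = int.from_bytes(runs[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:                # sparse run: no clusters on disk
            extents.append((None, length))
            continue
        delta = int.from_bytes(runs[pos:pos + off_size], "little", signed=True)
        pos += off_size
        prev_lcn += delta                # each offset chains from the previous run
        extents.append((prev_lcn, length))
    return extents


def first_sector(runs: bytes) -> int:
    """Sector of the first allocated cluster: LCN * sectors per cluster."""
    for lcn, _ in parse_data_runs(runs):
        if lcn is not None:
            return lcn * SECTORS_PER_CLUSTER
    raise ValueError("file has no allocated clusters")


def allocated_bytes(runs: bytes) -> int:
    """Space reserved by all runs, sparse ones included."""
    return sum(n for _, n in parse_data_runs(runs)) * BYTES_PER_CLUSTER


# Constructed inputs matching the values read out in the video.
FILE_AB = bytes.fromhex("11 01 24 00")   # 1 cluster at LCN 0x24 = 36  -> sector 288
FILE_CD = bytes.fromhex("11 01 25 00")   # 1 cluster at LCN 0x25 = 37  -> sector 296
MFT = bytes.fromhex("21 40 55 52 00")    # 0x40 = 64 clusters at LCN 0x5255 = 21077
```

Calling `first_sector(MFT)` reproduces the 168,616 the video reaches with the calculator, and `allocated_bytes(MFT)` gives the 262,144 bytes (256 KB) it checks against the MFT size.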