Filesystem structure and metadata - Part 1


Filesystem Structure and Metadata


Objectives

This lab deals with searching for data at the different layers (categories) of a file system. It introduces additional tools and functionality within the Autopsy analysis suite, as well as command line search tools.

The Sleuth Kit tools (the command line suite that Autopsy is built on) are named in a logical manner that indicates the file system layer they operate on and the type of output to expect from them. The command prefixes are as follows:

  mm*  : tools that operate on volumes (media management)
  fs*  : tools that operate on file system structures
  blk* : tools that operate at the data unit layer
  i*   : tools that operate at the metadata layer (inode)
  f*   : tools that operate at the file name layer

Question 1: Structure Analysis

Using the mmls command, analyse /images/diskimg1.dd. Extract the sector offset information for the three partitions shown.

  Metadata slot   Start sector offset
  00:00
  00:01
  01:00

Question 2: FAT

The fsstat command displays file system information. Data of particular interest in the output of this command vary depending on the file system being examined but may include volume names, data unit sizes, and statistical information about the state of the file system.

From the terminal, use the fsstat command to analyse the first partition of diskimg1.dd. Use the offset information shown above, i.e.

$ fsstat -o 63 /images/diskimg1.dd

What are the three main types of information stored in the MFT file? List them in the order they appear in the fsstat command.
1.
2.
3.


What is the file system type label of the first partition? Match is CASE SENSITIVE!


What are the start and end sectors of the FAT tables FAT 0 and FAT 1? Remember to make these relative to the start of the disk, not the start of the partition.

  FAT table   Start sector   End sector
  FAT 0
  FAT 1

Where, in disk sectors, does the root directory lie?
Start:
End:


What is the cluster size in bytes?
Size in bytes:


What is the size, in clusters, of the first file in the FAT table?
Size in clusters:

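Questions 1 and 2 both come down to reading sector numbers out of mmls and fsstat output and then adding the partition's start sector to anything fsstat reports, because fsstat numbers sectors from the start of the file system, not the disk. The following Python script is an added example (not part of the lab, and not Sleuth Kit code): it parses a constructed mmls listing and a constructed fsstat layout section, modelled on the tools' output format, and rebases the FAT and root directory ranges to disk sectors. All sector values in the sample text are invented for the example and are not the answers for diskimg1.dd.

```python
import re

# Constructed sample, laid out like `mmls /images/diskimg1.dd` (invented values, not the lab image).
MMLS_OUTPUT = """\
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000000062   0000000063   Unallocated
002:  00:00     0000000063   0000208844   0000208782   DOS FAT16 (0x06)
003:  00:01     0000208845   0000417689   0000208845   DOS FAT16 (0x06)
004:  Meta      0000417690   0000835379   0000417690   DOS Extended (0x05)
005:  Meta      0000417690   0000417690   0000000001   Extended Table (#1)
006:  01:00     0000417753   0000835379   0000417627   DOS FAT16 (0x06)
"""

# Constructed sample, modelled on the layout section of `fsstat -o 63 /images/diskimg1.dd`.
# Sector numbers here are relative to the start of the file system (partition), not the disk.
FSSTAT_OUTPUT = """\
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: FAT16

File System Layout (in sectors)
Total Range: 0 - 208781
* Reserved: 0 - 0
** Boot Sector: 0
* FAT 0: 1 - 204
* FAT 1: 205 - 408
* Data Area: 409 - 208781
** Root Directory: 409 - 440
** Cluster Area: 441 - 208780
** Non-clustered: 208781 - 208781

CONTENT INFORMATION
--------------------------------------------
Sector Size: 512
Cluster Size: 2048
Total Cluster Range: 2 - 52086
"""

# Only rows with a real slot (e.g. "00:00") describe partitions; "Meta" and "-------" rows are skipped.
SLOT_RE = re.compile(r"^\d+:\s+(\d\d:\d\d)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+)$", re.M)
# Layout lines look like "* FAT 0: 1 - 204"; single-sector lines such as "** Boot Sector: 0" have no range.
LAYOUT_RE = re.compile(r"^\*+ (.+?): (\d+) - (\d+)$", re.M)


def partition_offsets(mmls_text):
    """Map metadata slot -> start sector on disk (the value to pass to fsstat/fls/icat as -o)."""
    return {m.group(1): int(m.group(2)) for m in SLOT_RE.finditer(mmls_text)}


def layout_ranges(fsstat_text):
    """Map layout region name -> (start, end) sectors relative to the file system."""
    return {m.group(1): (int(m.group(2)), int(m.group(3))) for m in LAYOUT_RE.finditer(fsstat_text)}


def cluster_size_bytes(fsstat_text):
    return int(re.search(r"^Cluster Size: (\d+)$", fsstat_text, re.M).group(1))


def absolute_layout(mmls_text, fsstat_text, slot):
    """Rebase every fsstat layout range to disk sectors by adding the partition's start sector."""
    start = partition_offsets(mmls_text)[slot]
    return {name: (lo + start, hi + start) for name, (lo, hi) in layout_ranges(fsstat_text).items()}


if __name__ == "__main__":
    for slot, start in partition_offsets(MMLS_OUTPUT).items():
        print(f"partition {slot} starts at disk sector {start}")
    for name, (lo, hi) in absolute_layout(MMLS_OUTPUT, FSSTAT_OUTPUT, "00:00").items():
        print(f"{name:15s} disk sectors {lo} - {hi}")
    print("cluster size:", cluster_size_bytes(FSSTAT_OUTPUT), "bytes")
```

The rebasing step is the one students most often miss: a FAT 0 range of 1 - 204 in fsstat output is really disk sectors 64 - 267 when the partition starts at sector 63, and any dd or blkcat command aimed at the raw disk needs the rebased numbers.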

Question 3: Files and Metadata

In this question we will look at files and their associated metadata. This uses the fls, icat and istat commands. fls lists file and directory entries from an image, along with their inode (metadata address) numbers; icat reads the contents of a file given its inode; istat displays the metadata held in an inode.

Using fls on partition 1 of diskimg1.dd, identify the inode number for the file 'Tomas.jpg'.
Inode:


Use the istat command to examine the inode for Tomas.jpg. Identify and calculate the following information:
File Size:
Created: Format as an ISO date with timezone, e.g. 2000-05-20 15:57:45 (GMT).
File Data First Sector:
Last Sector ALLOCATED:

Remember that there are four sectors to a cluster, so unneeded sectors left in a partially used cluster are still counted when calculating the last sector allocated.


What are the first two bytes of the file Tomas.jpg? Write them in lower case using the format 0xffff.
Signature:


What are the last two bytes of the file Tomas.jpg? Write them in lower case using the format 0xffff.
Tail Signature:


What does it mean? (Hint - Google it!)


How many bytes of slackspace does this file have?
Bytes of slackspace:


Examine the slackspace of the file Tomas.jpg. Find a hidden message and complete the sentence below:
Sentence: This is a ______ in slackspace

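The slack space, last sector and signature questions above are all arithmetic on the file size and the cluster size, plus a look at the raw bytes. The Python below is an added example (not part of the lab, and not Sleuth Kit code) that performs those calculations with the lab's stated geometry of four 512-byte sectors per cluster, and scans the slack region of a constructed cluster for printable text. The sample file content and the message planted in its slack are invented for the example; they are not the bytes of Tomas.jpg.

```python
SECTOR_SIZE = 512
SECTORS_PER_CLUSTER = 4            # the lab states four sectors per cluster on partition 1
CLUSTER_SIZE = SECTOR_SIZE * SECTORS_PER_CLUSTER


def allocated_bytes(file_size, cluster_size=CLUSTER_SIZE):
    """Space reserved for the file: its size rounded up to whole clusters (0 for an empty file)."""
    clusters = -(-file_size // cluster_size)           # ceiling division
    return clusters * cluster_size


def slack_bytes(file_size, cluster_size=CLUSTER_SIZE):
    """Bytes between the end of the file's content and the end of its last cluster."""
    return allocated_bytes(file_size, cluster_size) - file_size


def last_allocated_sector(first_sector, file_size, cluster_size=CLUSTER_SIZE):
    """Last sector the file owns, counting the unused tail of its final cluster (what the lab asks for)."""
    return first_sector + allocated_bytes(file_size, cluster_size) // SECTOR_SIZE - 1


def signatures(content):
    """First and last two bytes of the content in the lab's lower-case 0xffff format."""
    head = int.from_bytes(content[:2], "big")
    tail = int.from_bytes(content[-2:], "big")
    return "0x%04x" % head, "0x%04x" % tail


def split_slack(allocated, file_size):
    """Split the raw bytes of every allocated cluster (as `icat -s` outputs) into content and slack."""
    return allocated[:file_size], allocated[file_size:]


def printable_strings(data, min_len=4):
    """Crude strings(1)-style scan: runs of at least min_len printable ASCII bytes."""
    runs, current = [], bytearray()
    for b in data:
        if 32 <= b < 127:
            current.append(b)
            continue
        if len(current) >= min_len:
            runs.append(current.decode("ascii"))
        current = bytearray()
    if len(current) >= min_len:
        runs.append(current.decode("ascii"))
    return runs


# Constructed sample: a 104-byte file whose single allocated cluster still holds a left-over
# message after the file's content (invented data, not Tomas.jpg or anything from diskimg1.dd).
SAMPLE_CONTENT = b"\xca\xfe" + b"\x00" * 100 + b"\xba\xbe"
SAMPLE_ALLOCATED = (SAMPLE_CONTENT + b"\x00" * 20
                    + b"example message in slackspace").ljust(CLUSTER_SIZE, b"\x00")

if __name__ == "__main__":
    size = len(SAMPLE_CONTENT)
    print("file size:", size, "bytes; allocated:", allocated_bytes(size), "bytes")
    print("slack:", slack_bytes(size), "bytes")
    print("last allocated sector if the file starts at sector 1000:", last_allocated_sector(1000, size))
    print("head/tail signature:", signatures(SAMPLE_CONTENT))
    _, slack = split_slack(SAMPLE_ALLOCATED, size)
    print("strings in slack:", printable_strings(slack))
```

In the lab itself the raw bytes come from the image rather than a constructed buffer: icat with the -s option outputs the file's content followed by its slack, so piping `icat -o 63 -s /images/diskimg1.dd <inode>` through xxd or strings shows the same region that split_slack isolates here. Note that a file whose size is an exact multiple of the cluster size has no slack at all, and a file one byte over gains a whole extra cluster of it.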

Question 4: Manual Verification of Metadata

Most forensic tools can read and present metadata about files and directories. In the case of file system corruption, or simply to verify the data, it is essential that you can manually verify the metadata stored in the file system.

For the purpose of this exercise you will open a record in the root directory of the FAT file system in partition 1, and then verify the metadata for the associated file.

To complete the task you need to recall the FAT directory structure, shown below.

  Starting byte   Byte length   Contents
  0               8             Filename
  8               3             Extension
  11              1             File attribute
  12              1             Case
  13              1             Creation time (ms)
  14              2             Creation time (hrs+mins)
  16              2             Creation date
  18              2             Last accessed date
  20              2             Reserved
  22              2             Last modification time
  24              2             Last modification date
  26              2             Starting cluster
  28              4             File size

The file attribute byte is a bitwise OR of the following flags:

  Flag                Description
  0000 0001 (0x01)    Read-only
  0000 0010 (0x02)    Hidden file
  0000 0100 (0x04)    System file
  0000 1000 (0x08)    Volume label
  0000 1111 (0x0f)    Long file name
  0001 0000 (0x10)    Directory
  0010 0000 (0x20)    Archive

If the first byte of a directory entry is 0xe5, this indicates that the entry has been deleted.

Recall from earlier where, in disk sectors, the root directory lies.
Start:
End:


Using dd and xxd, scan the first root directory sector and discover the offset of the directory entry for the file SECRETS.TXT. Format it as three hex digits, e.g. 0x000.
Offset:


The creation time held in the FAT record for SECRETS.TXT starts at offset 13. The first byte is the millisecond part of the time, so for simplicity focus on the two bytes starting at offset 14 (which hold the hours, minutes and seconds). For example, if the two native (on-disk) bytes at offset 14 were 0x9140:

  Big endian is 0x4091.
  In binary this is 0100000010010001.
  Bits 0-4 are seconds/2: 10001 = 17, then *2 gives 34 seconds.
  Bits 5-10 are minutes: 000100 = 4 minutes.
  Bits 11-15 are hours: 01000 = 8 hours.

So the creation time is 08:04:34.

What is the hex native endian creation time (at offset 14) of SECRETS.TXT? Format as 0x0000.
Native endian:


What is the hex big endian creation time of SECRETS.TXT? Format as 0x0000.
Big endian:


What is the binary big endian creation time of SECRETS.TXT? Format as 10000000000 with no leading zeros.
Big endian binary:


What is the creation time in hr:mn:sc?
Creation Time:


Dates are converted by a similar procedure, except that:

  Day is bits 0-4
  Month is bits 5-8
  Year is bits 9-15, plus 1980

What is the creation day of SECRETS.TXT in the format 1 JAN 2012.
Creation Date:


What is the last access date of SECRETS.TXT in the format 1 JAN 2012.
Accessed Date:


In decimal, what is the starting cluster shown in this directory entry?

Just for information... this cluster number, if you wish to convert it into a partition sector number, is first added to the Total Cluster Range low boundary as reported by fsstat. It is then multiplied by the blocks per cluster (e.g. 4), then the Cluster Area low boundary is added.
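The manual verification procedure above (locate the entry in the root directory sector, then decode the attribute byte, the time and date words, the starting cluster and the size from the table) can be checked against a small decoder. The Python below is an added example for this section; it is not part of the lab and not Sleuth Kit code. It builds a constructed 512-byte root directory sector containing a volume label, a deleted entry and a file NOTES.TXT (all values invented, none taken from diskimg1.dd), finds the entry's offset in the lab's 0x000 format, and decodes the fields. The time decoder is checked against the lab's own worked example, 0x9140 on disk giving 08:04:34. cluster_to_sector follows the standard FAT layout, in which data cluster numbering starts at 2 (the low boundary of fsstat's Total Cluster Range) so that cluster 2 maps to the first sector of the Cluster Area; the Cluster Area boundary passed to it is a constructed value.

```python
import struct

# 32-byte FAT directory entry, field by field as in the lab's table (little-endian, no padding):
# name(8) ext(3) attr(1) case(1) ctime-ms(1) ctime(2) cdate(2) adate(2) reserved(2) mtime(2) mdate(2) cluster(2) size(4)
ENTRY_FORMAT = "<8s3sBBBHHHHHHHI"
ENTRY_SIZE = struct.calcsize(ENTRY_FORMAT)      # 32

ATTR_FLAGS = [(0x01, "Read-only"), (0x02, "Hidden file"), (0x04, "System file"),
              (0x08, "Volume label"), (0x10, "Directory"), (0x20, "Archive")]
MONTHS = ["JAN", "FEB", "MAR", "APR", "MAY", "JUN", "JUL", "AUG", "SEP", "OCT", "NOV", "DEC"]


def decode_attributes(attr):
    """0x0f is the long-file-name marker; any other value is a bitwise OR of the flags."""
    if attr == 0x0F:
        return ["Long file name"]
    return [name for bit, name in ATTR_FLAGS if attr & bit]


def decode_time(word):
    """16-bit time word: bits 0-4 seconds/2, bits 5-10 minutes, bits 11-15 hours."""
    return "%02d:%02d:%02d" % (word >> 11, (word >> 5) & 0x3F, (word & 0x1F) * 2)


def decode_date(word):
    """16-bit date word: bits 0-4 day, bits 5-8 month, bits 9-15 years since 1980."""
    day, month, year = word & 0x1F, (word >> 5) & 0x0F, (word >> 9) + 1980
    name = MONTHS[month - 1] if 1 <= month <= 12 else "???"
    return "%d %s %d" % (day, name, year)


def time_views(native_bytes):
    """The representations the lab asks for, starting from the two bytes exactly as they sit on disk."""
    word = struct.unpack("<H", native_bytes)[0]          # little-endian on disk -> integer value
    return {"native": "0x%04x" % int.from_bytes(native_bytes, "big"),
            "big_endian": "0x%04x" % word,
            "binary": bin(word)[2:],                      # no leading zeros, as the lab requires
            "time": decode_time(word)}


def parse_entry(raw):
    """Decode one 32-byte directory entry into the fields the lab asks you to verify by hand."""
    (name, ext, attr, _case, _ms, ctime, cdate, adate, _res,
     mtime, mdate, cluster, size) = struct.unpack(ENTRY_FORMAT, raw)
    base, extension = name.decode("latin-1").rstrip(), ext.decode("latin-1").rstrip()
    return {"deleted": raw[0] == 0xE5,
            "name": base + ("." + extension if extension else ""),
            "attributes": decode_attributes(attr),
            "created": decode_time(ctime), "created_date": decode_date(cdate),
            "accessed_date": decode_date(adate),
            "modified": decode_time(mtime), "modified_date": decode_date(mdate),
            "cluster": cluster, "size": size}


def cluster_to_sector(cluster, cluster_area_low, sectors_per_cluster=4, first_cluster=2):
    """Standard FAT mapping to a file-system-relative sector; add the partition start for a disk sector."""
    return (cluster - first_cluster) * sectors_per_cluster + cluster_area_low


def find_entry_offset(sector, short_name):
    """Offset (formatted 0x000) of the live entry for an 8.3 name such as 'SECRETS.TXT', or None."""
    base, _, ext = short_name.partition(".")
    key = base.ljust(8).encode("ascii") + ext.ljust(3).encode("ascii")
    for off in range(0, len(sector), ENTRY_SIZE):
        entry = sector[off:off + ENTRY_SIZE]
        if entry[0] == 0x00:                # unused entry: end of the directory listing
            return None
        if entry[0] != 0xE5 and entry[:11] == key:
            return "0x%03x" % off
    return None


def make_entry(name, ext, attr, ctime, cdate, adate, mtime, mdate, cluster, size):
    return struct.pack(ENTRY_FORMAT, name.ljust(8).encode("ascii"), ext.ljust(3).encode("ascii"),
                       attr, 0, 0, ctime, cdate, adate, 0, mtime, mdate, cluster, size)


# Constructed root directory sector (invented data): volume label, a deleted entry, then NOTES.TXT.
SAMPLE_SECTOR = (
    make_entry("EVIDENCE", "", 0x08, 0, 0, 0, 0, 0, 0, 0)
    + b"\xE5" + make_entry("OLDFILE", "DAT", 0x20, 0x4091, 0x4021, 0x4021, 0x4091, 0x4021, 9, 10)[1:]
    + make_entry("NOTES", "TXT", 0x21, 0x4091, 0x4021, 0x426F, 0x5800, 0x426F, 5, 1234)
).ljust(512, b"\x00")

if __name__ == "__main__":
    off = find_entry_offset(SAMPLE_SECTOR, "NOTES.TXT")
    print("entry offset:", off)
    raw = SAMPLE_SECTOR[int(off, 16):int(off, 16) + ENTRY_SIZE]
    print("time words:", time_views(raw[14:16]))
    for k, v in parse_entry(raw).items():
        print("%-14s %s" % (k, v))
    print("file-system sector of first cluster:", cluster_to_sector(5, cluster_area_low=441))
```

In the lab the sector bytes come from the disk image instead of SAMPLE_SECTOR, for example by dd'ing the root directory's first disk sector into a file and reading it with xxd; the decoding steps are the same, and the decoded fields should agree with what istat reports for the same file.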


What is the file size in bytes?


Verify your findings by using fls to locate the inode number of SECRETS.TXT, then using istat to access the inode information. Prove you have done this by entering the inode number and the Written time (in the format "00:00:00").
Inode number:
Written time:




Copyright @ 2004-2017 Gordon Russell. All rights reserved.