
Filesystem structure and metadata - NTFS



Objectives

This lab deals specifically with NTFS, examining data at different layers of the file system categories.

Question 1: NTFS

Use /images/diskimg1.dd, and focus on partition 2 of this image file. In this NTFS partition, what is the cluster size in bytes?
Size:


The NTFS file system views each file (or directory) as a set of file attributes. Elements such as the file's name, its security information, and even its data, are all file attributes. Each attribute is identified by an attribute type code and, optionally, an attribute name.

What is the attribute type code of the $FILE_NAME attribute?


What is the first disk block (not partition block) of the MFT and of the MFT Mirror?
MFT:
MFT Mirror:
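
The cluster size and the MFT locations asked about above are all recorded in the NTFS boot sector. The following is an added example, not part of the original lab: it parses a boot sector built inline from constructed values (not the contents of diskimg1.dd) and converts the MFT cluster numbers into disk sectors, assuming a partition start of sector 2048 and a disk sector size equal to the volume's bytes-per-sector value.

```python
import struct

def build_sample_boot_sector():
    """Constructed NTFS boot sector; values are not from the lab image."""
    bs = bytearray(512)
    bs[3:11] = b"NTFS    "                      # OEM ID
    struct.pack_into("<H", bs, 0x0B, 512)       # bytes per sector
    bs[0x0D] = 8                                # sectors per cluster
    struct.pack_into("<Q", bs, 0x28, 204799)    # total sectors in volume
    struct.pack_into("<Q", bs, 0x30, 8533)      # $MFT starting cluster
    struct.pack_into("<Q", bs, 0x38, 2)         # $MFTMirr starting cluster
    bs[0x40] = 0xF6                             # signed -10: record = 2**10 bytes
    bs[510:512] = b"\x55\xaa"                   # boot signature
    return bytes(bs)

def parse_ntfs_boot(bs, partition_start_sector):
    """Return cluster size and $MFT/$MFTMirr locations as disk sectors."""
    if len(bs) < 512 or bs[3:11] != b"NTFS    " or bs[510:512] != b"\x55\xaa":
        raise ValueError("not an NTFS boot sector")
    (bps,) = struct.unpack_from("<H", bs, 0x0B)
    raw_spc = bs[0x0D]
    # Values above 0x80 are a signed exponent: 2**(-n) sectors per cluster.
    spc = raw_spc if raw_spc <= 0x80 else 1 << (256 - raw_spc)
    if bps == 0 or spc == 0:
        raise ValueError("corrupt geometry fields")
    mft_cl, mirr_cl = struct.unpack_from("<QQ", bs, 0x30)
    cluster_size = bps * spc
    raw_rec = bs[0x40]
    # Positive: clusters per MFT record. Negative (signed): 2**(-n) bytes.
    rec = raw_rec * cluster_size if raw_rec < 0x80 else 1 << (256 - raw_rec)
    return {
        "cluster_size": cluster_size,
        "mft_record_size": rec,
        # Cluster numbers are relative to the partition; add its start
        # sector to get a disk block rather than a partition block.
        "mft_disk_sector": partition_start_sector + mft_cl * spc,
        "mftmirr_disk_sector": partition_start_sector + mirr_cl * spc,
    }

if __name__ == "__main__":
    # 2048 is a constructed partition start sector for this sample.
    for key, value in parse_ntfs_boot(build_sample_boot_sector(), 2048).items():
        print(f"{key}: {value}")
```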


Use fls to see the files in the NTFS partition, and obtain the inode number for $Boot. Then use that in the istat command to discover the allocated size in bytes of the $Boot file.
Size:


What are the first and last cluster numbers allocated to this file? This information is often found on the last line of the istat output as a list of numbers.
First:
Last:


What is so special about the $Boot file?


In the NTFS partition there are a number of directories. In the docs directory there is a file called fatcat.jpg. What is its inode number in the format 00-000-0?
Inode id:


What is the size in bytes of the space allocated to store the file fatcat.jpg?
Size:


How many clusters are allocated to this file?
Total:


What are the first and last cluster numbers allocated to this file?
First:
Last:




Copyright @ 2004-2017 Gordon Russell. All rights reserved.