Data Acquisition and Verification


Filesystem structure (NTFS) and data searching

This lab deals with searching for data at the different layers (categories) of the file system. It will introduce you to additional tools and functionality within the Autopsy analysis suite, as well as command line searching tools.

The Sleuth Kit tools (Autopsy) are named in a logical manner that indicates the file system layer they operate upon and the type of output to be expected from them. The command prefixes are as follows:

  mm*  : tools that operate on volumes (media management)
  fs*  : tools that operate on file system structures
  blk* : tools that operate at the data unit layer
  i*   : tools that operate at the metadata layer (inode)
  f*   : tools that operate at the file name layer

Question 1: NTFS - file system structure

The fsstat command displays file system information. Data of particular interest in the output of this command vary depending on the file system being examined but may include volume names, data unit sizes, and statistical information about the state of the file system.

From the terminal, use the fsstat command to analyse the CBarrow.dd disk image.

What are the three main types of information stored in the MFT file? List them in the order they appear in the output of the fsstat command.
1.
2.
3.


The NTFS file system views each file (or directory) as a set of file attributes. Elements such as the file's name, its security information, and even its data, are all file attributes. Each attribute is identified by an attribute type code and, optionally, an attribute name.

What is the attribute type code of the $FILE_NAME attribute?


What is the size of a cluster?


Based on the output of the fsstat command, how many files and directories (MFT entries) are stored in the MFT file?


Question 2: Metadata Layer Tools

The istat command displays information about a specific metadata structure. In general, any of the information listed as being contained in a metadata structure (ownership, time information, block allocations, etc.) will be displayed.

Each entry in the MFT has an assigned MFT record number. To view a file's metadata, specify its MFT record number at the end of the istat command.

Refer to the following website for more information regarding metadata stored in the Master File Table.

Use the istat command to view the metadata of the $Boot file (MFT record nr. 7).

What is the size of the $BOOT file?


How many clusters are allocated to the $Boot file?


Which cluster(s) are assigned to the $BOOT file? (Provide your answer as a range, e.g. x-y.)
-


What is special about the $BOOT file?


Use the istat command to view the metadata structure of MFT record nr. 14197.

What is the name of the file?


What is the size of the file?


How many clusters are assigned to the file?


What is the number of the first cluster and the last cluster?
First:
Last:


The icat command streams the data units referenced by the specified metadata address. In other words, it opens the named image(s) and copies the file with the specified inode number to standard output.

Use the icat command to view inode 14197 (hint: use a hex editor to view the output).

Why was the output from the icat command so big?


What is the hex value of the first two bytes of the file? Use the format 0xABCD.
Hex:


What does it mean? (Hint - Google it!)


The icat command can also be used to view the individual attributes of a file.

Refer to the output of the istat command for inode 14197.

What is the attribute code for the $FILE_NAME attribute?
Code:


Execute the following commands:

  icat -o 63 /images/CBarrow.dd 14197-48-2 | xxd
  icat -o 63 /images/CBarrow.dd 14197-48-3 | xxd

where 14197 is the inode and 48-2 and 48-3 identify the two $FILE_NAME attributes (attribute type 48, attribute ids 2 and 3).

Why are there two $FILE_NAME attributes?

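To make the istat/icat attribute notation used above concrete (48-2 and 48-3 are type code 48 = 0x30, $FILE_NAME, with attribute ids 2 and 3), here is an added example, not part of the lab and not Sleuth Kit code, that builds a constructed 1024-byte MFT record for record number 14197 and walks its attribute list the way istat does. The record contents, file names and sizes are invented for the demonstration; the header layout and attribute type codes are those of NTFS.

```python
import struct

# istat labels attributes "record-type-id": 14197-48-2 is a $FILE_NAME (0x30 = 48), id 2.
ATTR_NAMES = {0x10: "$STANDARD_INFORMATION", 0x30: "$FILE_NAME", 0x80: "$DATA"}
NAMESPACES = {0: "POSIX", 1: "Win32", 2: "DOS", 3: "Win32&DOS"}

def attr(atype, attr_id, content=b"", nonres_size=None):
    """Build one attribute (constructed test data, not bytes taken from CBarrow.dd)."""
    if nonres_size is None:  # resident: 0x18-byte header, content follows inside the record
        length = (0x18 + len(content) + 7) & ~7
        hdr = struct.pack("<IIBBHHHIHBB", atype, length, 0, 0, 0x18, 0, attr_id, len(content), 0x18, 0, 0)
        return (hdr + content).ljust(length, b"\0")
    # non-resident: 0x40-byte header with VCN range and sizes; the cluster run list is omitted
    hdr = struct.pack("<IIBBHHHQQHHIQQQ", atype, 0x48, 1, 0, 0x40, 0, attr_id, 0, 0, 0x40, 0, 0,
                      nonres_size, nonres_size, nonres_size)
    return hdr.ljust(0x48, b"\0")

def file_name(name, namespace, parent=5):
    """$FILE_NAME content: parent reference, 4 timestamps, sizes, flags, then length/namespace/name."""
    return (struct.pack("<QQQQQQQII", parent, 0, 0, 0, 0, 0, 0, 0x20, 0)
            + bytes([len(name), namespace]) + name.encode("utf-16-le"))

def mft_record(record_no, attrs):
    """1024-byte FILE record: fixed header, update sequence array, attributes, 0xFFFFFFFF end marker."""
    body = b"".join(attrs) + b"\xff\xff\xff\xff"
    hdr = b"FILE" + struct.pack("<HHQHHHHIIQHHI", 0x30, 3, 0, 1, 1, 0x38, 1, 0x38 + len(body),
                                1024, 0, len(attrs) + 1, 0, record_no)
    return (hdr + b"\0" * 8 + body).ljust(1024, b"\0")

def list_attributes(rec):
    """Walk a record's attribute list like istat; returns (label, type name, detail) per attribute."""
    assert rec[:4] == b"FILE", "not an MFT record"
    recno, off = struct.unpack_from("<I", rec, 0x2C)[0], struct.unpack_from("<H", rec, 0x14)[0]
    out = []
    while (atype := struct.unpack_from("<I", rec, off)[0]) != 0xFFFFFFFF:
        length, nonres, _, _, _, attr_id = struct.unpack_from("<IBBHHH", rec, off + 4)
        if nonres:  # real size lives at 0x30 of a non-resident header
            detail = f"non-resident, {struct.unpack_from('<Q', rec, off + 0x30)[0]} bytes"
        else:
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            content, detail = rec[off + coff:off + coff + clen], f"resident, {clen} bytes"
            if atype == 0x30:  # decode the stored name and which namespace it belongs to
                nlen, ns = content[0x40], content[0x41]
                detail += f", {NAMESPACES[ns]} name {content[0x42:0x42 + 2 * nlen].decode('utf-16-le')!r}"
        out.append((f"{recno}-{atype}-{attr_id}", ATTR_NAMES.get(atype, hex(atype)), detail))
        off += length
    return out

# Constructed record with the lab's record number: a long Win32 name plus its DOS 8.3 alias.
SAMPLE = mft_record(14197, [attr(0x10, 0, b"\0" * 48),
                            attr(0x30, 2, file_name("long file name.doc", 1)),
                            attr(0x30, 3, file_name("LONGFI~1.DOC", 2)),
                            attr(0x80, 1, nonres_size=1_234_567)])
```

Running `for row in list_attributes(SAMPLE): print(*row)` lists 14197-16-0, 14197-48-2, 14197-48-3 and 14197-128-1 with their decoded contents, mirroring the identifiers istat prints.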

The ifind command finds the metadata structure referenced by the provided file name or the metadata structure that references the provided data unit address.

  -d data_unit : finds the metadata structure that has allocated the given data unit (block, cluster, etc.)

Execute the ifind command with "-d 397185" argument.

Does the inode number match the file in MFT?


Question 3: File Name Layer Tools

The fls command lists file names (deleted and allocated). By default it does not traverse the entire file system, so you will only see the root directory of the volume being examined. This is one of the commands we can use to generate a bodyfile for timeline generation using the mactime command. A simple "fls image" will produce a terse directory listing of the root directory of the file system.

Use the fls command to list directories in CBarrow.dd image.

What is the inode number of the Documents and Settings directory?
Inode:


The ffind command finds file names that reference the provided metadata number.

Execute the ffind command for inode 14510.

What is the file name of inode 14510?
Filename:


Question 4: String Search

Search through the CBarrow.dd file and look for all occurrences of the word "bomb".

To do this, use the blkls command and pipe the output to grep. This command takes a long time, so for experimentation purposes save the output to a file. Try:

/usr/local/bin/blkls -e -f ntfs -o 63 -i raw /images/CBarrow.dd |  grep -ba bomb | cut -d: -f1 > /home/caine/bsearch

Remember the partition offset (-o 63). You need to use "-a" to allow grep to search binary data and "-b" to print the byte offset of each match into the blkls output. Note that all byte offsets saved to this file need to have 63 added to them.

Look at the offset in the last line of /home/caine/bsearch (remember to add 63). Now use ifind with this offset. What are the inode and the data attribute code for this offset?
--


Use this answer in the ffind command to find the file name.


Use the istat command to find the metadata for this file. Save the output of istat for this file in /home/caine/bmeta.

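The string-search procedure above turns a "grep -ba" byte offset in the blkls -e stream into a data unit address for ifind -d. The following added example (not from the lab or from The Sleuth Kit) emulates that pipeline offline on a constructed three-cluster stand-in for the blkls output, so the offset arithmetic can be checked without the image. It assumes a 4096-byte cluster (read the real value from fsstat), that the lab's "-o 63" is 63 sectors of 512 bytes, and that blkls -e emits the file system's clusters consecutively from cluster 0.

```python
SECTOR = 512
PART_OFFSET_SECTORS = 63  # the lab's "-o 63": the NTFS volume starts 63 sectors into CBarrow.dd
CLUSTER_SIZE = 4096       # assumed here; take the real value from the fsstat "Cluster Size" line

# Constructed stand-in for "blkls -e" output: three clusters, the keyword in clusters 0 and 2.
BLOCKS = (b"\x00" * 100 + b"\n" + b"\x00" * 20 + b"plans for a bomb" + b"\x00" * 3958 + b"\n"
          + b"\xee" * 4095 + b"\n"
          + b"\x00" * 4000 + b"bombastic\n" + b"\x00" * 86)
assert len(BLOCKS) == 3 * CLUSTER_SIZE

def grep_ba(data, word):
    """Emulate `grep -ba word | cut -d: -f1`: -a treats the binary stream as text, and -b prints
    the byte offset of the START of each matching newline-delimited line, not of the word itself."""
    offsets, start = [], 0
    for line in data.split(b"\n"):
        if word in line:
            offsets.append(start)
        start += len(line) + 1  # account for the newline that split() removed
    return offsets

def locate(byte_offset, cluster_size=CLUSTER_SIZE, part_offset=PART_OFFSET_SECTORS):
    """Map one blkls-stream byte offset to the data unit that ifind -d expects, the position
    inside that cluster, and the absolute byte offset in the image (sector offset * 512 added)."""
    return {"cluster": byte_offset // cluster_size,
            "offset_in_cluster": byte_offset % cluster_size,
            "image_byte_offset": part_offset * SECTOR + byte_offset}

def keyword_hits(data, word):
    """Every keyword hit in a blkls -e stream, resolved to ifind arguments; this is the lab's
    bsearch file plus the conversion step that has to happen before ifind is run."""
    return [dict(byte_offset=off, **locate(off)) for off in grep_ba(data, word)]

if __name__ == "__main__":
    for hit in keyword_hits(BLOCKS, b"bomb"):
        print(f"grep -b offset {hit['byte_offset']:>6} -> ifind -o {PART_OFFSET_SECTORS} -d "
              f"{hit['cluster']}   (absolute image byte {hit['image_byte_offset']})")
```

Because -b reports the line start, a hit inside a long run of non-newline bytes can be reported at an offset well before the word; dividing by the cluster size still identifies the cluster to pass to ifind, which is what ffind and istat then take you from.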



Copyright @ 2004-2012 Gordon Russell. All rights reserved.