DCOM 150

Digital Forensics I

Lab Package # 3

Understanding File Systems - FAT

Part II

DCOM150 1 Fall2016
Objective:

1. To examine unallocated and slack space in the FAT file system.

Materials Needed:

Computer Forensics System


USB Disk

Procedures:

Note: You will be examining files of the same size as those you used in a
previous project, Lab2B. The USB drive provided to you was
prepared with different cluster sizes for files and directory entries. You
will compare how the files are stored with different cluster sizes,
and will examine unallocated space and slack space.

Part I Examining Unallocated Space in FAT File Structure


1. Obtain a USB drive from your instructor and insert it into the computer.

2. On your desktop, open the My Computer icon to view the drive letter of your USB
drive. The drive letter will be under Devices with Removable Storage.

3. Note down the drive letter of the USB drive. _____________

4. Run the WinHex program as an administrator.

5. The screen will look similar to the diagram shown below.
6. On the main menu, go to Tools > Open Disk and choose the correct drive
(Logical drives).

7. When WinHex displays "Take a new snapshot", choose OK.

8. USB drive content will display as shown.

In the bottom view, the Sectors view is shown. To view the boot record
information, press the white arrow button and choose Boot Sector
(Template).

9. The Boot Record (template) displays the physical structure or
geometry of the disk. Examine the information and answer the
following questions.

How many bytes per sector? 212
How many sectors per track? 63
What is the volume label? No name
What is the file system ID? FAT16
In which sector is the boot record information stored? (hint: reserved sectors) E
Sectors per cluster: 4
Reserved sectors: 6
Number of FATs? 2
How many sectors are reserved for FAT? 61

10. Finding the Metadata of directories and files:

Examining the File Allocation Table (FAT) Structure:

11. Examine and analyze the File Allocation Table (FAT) structure and
cluster chains by viewing different files in the disk directory.

Examine the hello.txt file and analyze the file information: Use Table 6
to get data.

Write down the cluster size: -----2048--------

What is the size of the file? 52 bytes
What is the starting cluster number? (ID column) 2
How many clusters does this file occupy? 1

Highlight Hello.txt, right-click, and select Navigation > List clusters.

A window will pop up as shown below in the diagram.

Write down the cluster number listed in the popup window.

12. Highlight Hello.txt and view the cluster number occupied as shown in
the diagram below.

13. Move your cursor, or go to Navigation and select 161 or cluster 2. Sector
160 is occupied by Hello.txt.

Note that sector 161 is allocated to the hello.txt file. Move to sector 162 and 162
and you will see that these sectors are also allocated to the hello.txt file.

Explain why sectors 160, 161, 162 and 163 are allocated to the hello.txt file
when its size is only 52 bytes.
Single cluster

14. Highlight file1.txt, right-click, and select Navigation > List clusters.

Write down all the cluster numbers occupied by the file1.txt file
beginning with the starting cluster number.
3

15. Go to Navigation and choose Seek FAT Entry.

In the previous lab, Lab2B, file1.txt occupied three clusters. What is the difference?
Explain your reason.
Size of the cluster in lab 3 is bigger

16. Close WinHex program.

Note: This part explains how a file system handles a deleted file.
You will delete a file and examine the characteristics
of the file system with forensic software.

17. Open a command prompt.

18. Type the drive letter of the USB disk and delete the file1.txt file.

19. Close command prompt window.

20. Run the WinHex program as an administrator.

21. The screen will look similar to the diagram shown below.

22. On the main menu, go to Tools > Open Disk and choose the correct drive
(Logical drives).

23. When WinHex displays "Take a new snapshot", choose OK.

24. USB drive content will display as shown.

25. Examine the directory entry of the file1.txt file as shown in WinHex.
Did anything change? Write your observation.

File1.txt has a question mark

26. What hexadecimal value replaces the first character of the deleted file? E

27. Highlight file1.txt, right-click, and select Navigation > List clusters.

28. Write down all the cluster numbers occupied by the file1.txt file
beginning with the starting cluster number.
3

29. What is the difference between the listed clusters from procedure 24 after
the file was deleted and before the file was deleted?
The deleted file has an E, and a question mark.

30. Go to the Navigation menu, choose Seek FAT Entry, and enter the starting
cluster number of file1.txt to view the FAT table.

Write your observation.

Free

31. Examining unallocated space

Highlight the file1.txt file (cluster 3 and sector 164) and view its
contents. Even though the FAT file system no longer allocates a cluster to this
file (no cluster is allocated in the File Allocation Table), you will still be
able to view the contents of the file1.txt file.

Go to sectors 165, 166 and 166 and write your observation.

Part II Examining Slack Space (Drive Slack)

In this part of the lab, you will examine slack space.

1. Close the WinHex program.

Go to the command prompt and copy the Test.txt file to the USB drive.

2. DIRE

4. Write down the file size

Examine the Test.txt file and analyze the file information:

Write down the cluster size: -----2048--------

What is the size of the file? 13 B
What is the starting cluster number? (ID column) 3
How many clusters does this file occupy? 1

Highlight Test.txt, right-click, and select Navigation > List clusters.

5. Highlight Test.txt file and view the content.

5. Go to sectors 164, 165 and 166, view the content, and write your
observations.

Sector 164 has the new entry and sector 165 and 166 still have the old
entry.

7. Sectors 165, 166 and 167 have remnants of file1.txt. What is this space
called?

Slack space
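
The deleted-file behaviour examined in Part I (steps 25-31) and the drive slack examined in Part II, as an added example that is not part of the original lab handout: a constructed in-memory FAT16 model using the lab's 2048-byte clusters, 4 sectors per cluster, and sector 160 as the start of cluster 2. The 512-byte sector size (2048 / 4), the file contents, the names `ToyFat16`, `short_name` and `lab_walkthrough`, and the zero-filling of the last written sector are assumptions made for the example.

```python
import struct

SECTOR, SPC, FIRST_DATA_SECTOR = 512, 4, 160    # lab volume: cluster 2 begins at sector 160
CLUSTER = SECTOR * SPC                           # 2048-byte clusters, as recorded in the lab
FREE, EOC, DELETED = 0x0000, 0xFFFF, 0xE5        # FAT16 free / end-of-chain, deleted-name marker
ENTRY = struct.Struct("<11sB10xHHHI")            # name, attr, time, date, start cluster, size

def short_name(name):                            # "file1.txt" -> b"FILE1   TXT"
    base, ext = name.upper().split(".")
    return (base.ljust(8) + ext.ljust(3)).encode()

class ToyFat16:
    """Constructed in-memory model of a directory, a FAT and a data area."""
    def __init__(self, clusters=8):
        self.fat = [FREE] * (clusters + 2)       # FAT entries 0 and 1 are reserved
        self.data = bytearray(clusters * CLUSTER)
        self.dir = []                            # 32-byte directory entries

    def sector(self, n):                         # read one sector by absolute number
        off = (n - FIRST_DATA_SECTOR) * SECTOR
        return bytes(self.data[off:off + SECTOR])

    def write(self, name, content, cluster):     # single-cluster files only
        padded = -(-len(content) // SECTOR) * SECTOR
        off = (cluster - 2) * CLUSTER
        # Assumed OS behaviour: the last written sector is zero-filled,
        # while the remaining sectors of the cluster are not touched.
        self.data[off:off + padded] = content.ljust(padded, b"\0")
        self.fat[cluster] = EOC
        self.dir.append(bytearray(
            ENTRY.pack(short_name(name), 0x20, 0, 0, cluster, len(content))))

    def delete(self, name):
        for e in self.dir:
            if bytes(e[:11]) == short_name(name):
                e[0] = DELETED                        # only the first name byte changes
                self.fat[ENTRY.unpack(e)[4]] = FREE   # FAT entry released, data left alone

def lab_walkthrough():
    vol = ToyFat16()
    vol.write("hello.txt", b"h" * 52, 2)
    vol.write("file1.txt", (b"file1 evidence " * 140)[:2000], 3)   # constructed content
    vol.delete("file1.txt")
    deleted = (vol.dir[1][0], vol.fat[3], vol.sector(164)[:14])     # unallocated but readable
    vol.write("Test.txt", b"new test data", 3)                      # 13 bytes reuse cluster 3
    return deleted, vol.sector(164), vol.sector(165)                # 165 is drive slack

if __name__ == "__main__":
    deleted, s164, s165 = lab_walkthrough()
    print(hex(deleted[0]), deleted[1], deleted[2], s164[:13], s165[:20])
```
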

PART III Clean up

1. Power down the system.

2. Ensure your area is returned to normal conditions for the next class.

3. Return any materials to the instructor.

Obtain your instructor's signature: ____________________

Vocabulary Terms:

1. Clusters

2. Hex value for a deleted file

3. Drive Slack

4. Unallocated space

5. exFAT
