Scribd Logo
Загрузить

Добро пожаловать в Scribd!

  • cfr105 Lnguyen Assignment10

    Загружено:

    api-374125044
    82 просмотров16 страниц
    This document analyzes the NTFS file structure of three files - Arcturus.txt, Duhr.txt, and Grumium.txt - stored on an NTFS partition. It examines the file record header, standard information attribute, filename attribute, data attribute, and run list of each file. The document then manually carves and merges the fragments of each file based on their run lists to reconstruct the original files and verifies that the merged file sizes match those listed in the $MFT.

    Исходное описание:

    Оригинальное название

    cfr105 lnguyen assignment10

    Авторское право

    © © All Rights Reserved

    Доступные форматы

    PDF, TXT или читайте онлайн в Scribd

    Этот документ был вам полезен?

    Это неприемлемый материал?

    Пожаловаться на этот документ
    This document analyzes the NTFS file structure of three files - Arcturus.txt, Duhr.txt, and Grumium.txt - stored on an NTFS partition. It examines the file record header, standard information attribute, filename attribute, data attribute, and run list of each file. The document then manually carves and merges the fragments of each file based on their run lists to reconstruct the original files and verifies that the merged file sizes match those listed in the $MFT.

    Авторское право:

    © All Rights Reserved
    Скачайте в формате PDF, TXT или читайте онлайн в Scribd
    Отметить как неприемлемый контент
    82 просмотров16 страниц

    cfr105 Lnguyen Assignment10

    Загружено:

    api-374125044
    This document analyzes the NTFS file structure of three files - Arcturus.txt, Duhr.txt, and Grumium.txt - stored on an NTFS partition. It examines the file record header, standard information attribute, filename attribute, data attribute, and run list of each file. The document then manually carves and merges the fragments of each file based on their run lists to reconstruct the original files and verifies that the merged file sizes match those listed in the $MFT.

    Авторское право:

    © All Rights Reserved
    Скачайте в формате PDF, TXT или читайте онлайн в Scribd
    Отметить как неприемлемый контент
    из 16

    Running head: NTFS FILE STRUCTURE 1

    Assignment 10: NTFS File Structure

    Livia Nguyen

    CFR105

    Professor: Frank Griffits

    July 14, 2017


    NTFS FILE STRUCTURE 2

    User created files on this partition.


    Arcturus.txt, Duhr.txt, Grumium.txt
    Arcturus.txt
    File Record Header

    Decimal Offset: 35884


    Byte: 2
    MFT Record: 23 00 = 0023 Hex = 35 Dec

    Standard Information Attribute

    Decimal Offset: 35920


    Byte: 8
    Hex: 93 0B 3C 6D 3B E1 CC 01 = 1CCE13B6D6C0B93
    Dec: 129,726,134,638,873,491
    NTFS FILE STRUCTURE 3

    Date Created:
    UTC: 2/1/2012 11:44:23 PM
    Local: 2/1/2012 4:44:23 PM
    Filename Attribute

    Decimal Offset: 36082


    Byte: 23
    Name: Arcturus.txt
    Data Attribute

    Decimal Offset: 36160


    Byte: File size = 8 Physical Size = 8 (Total=16)
    File Size: 0010000000000000 = 1000 hex = 4,096 bytes
    Physical Size: 0010000000000000 = 1000 hex =4,096 bytes

    Decimal Offset: 36176


    Byte: 3
    Start Cluster:
    Hex: FE 1F 03 = 31FFE
    Dec: 204,798
    NTFS FILE STRUCTURE 4

    Duhr.txt
    File Record Header

    Decimal Offset: 38956


    Byte: 2
    MFT Record Number: 26 00 = 0026 = 38

    Standard Information Attribute

    Decimal Offset: 28992


    Byte: 8
    Hex: F3 77 51 6D 3B E1 CC 01 = 1CCE13B6D5177F3
    Dec: 129,726,134,640,277,491
    NTFS FILE STRUCTURE 5

    Date Created:
    UTC: 2/1/2012 11:44:24 PM
    Local: 2/1/2012 4:44:24 PM
    Filename Attribute

    Decimal Offset: 39154


    Byte: 15
    Name: Duhr.txt
    Data Attribute

    Decimal Offset: 39224


    Byte: File size = 8 Physical Size = 8 (Total=16)
    File Size: 0020000000000000 = 2000 hex = 8,192 bytes
    Physical Size: 0020000000000000 = 2000 hex = 8,192 bytes

    Start Cluster:
    Hex: 26 B0 04 = 4B026
    Dec: 307,238
    NTFS FILE STRUCTURE 6

    Grumium.txt
    File Record Header

    Decimal Offset: 42028


    Byte: 2
    MFT Record Number: 29 00 = 0029 Hex = 41 Dec

    Standard Information Attribute

    Decimal Offset: 42064


    Byte: 8
    Hex: 73 36 47 70 40 E1 CC 01 = 1CCE14070473673
    Dec: 129,726,156,164,773,491
    NTFS FILE STRUCTURE 7

    Date Created:
    UTC: 2/2/2012 12:20:16 AM
    Local: 2/1/2012 5:20:16 PM
    Filename Attribute

    Decimal Offset: 42226


    Byte: 21
    Name: Grumium.txt
    Data Attribute

    Decimal Offset: 42296


    Byte: File size = 8 Physical Size = 8 (Total=16)
    File Size: 0010000000000000 = 1000 hex =4,096 bytes
    Physical Size: 0010000000000000 = 1000 hex =4,096 bytes

    Start Cluster:
    Hex: 81 96 04 = 49681
    Dec: 300,673
    NTFS FILE STRUCTURE 8

    Run List and Manual Data Carving


    Arcturus.txt
    Fragment 1

    31 3 represent the starting offset number and 1 represent the number of contiguous clusters in
    the run list.

    01 1 contiguous cluster = 512 bytes

    FE 1F 03 031FFE hex = 204,798 decimals or starting offset of the run list.

    Click Save Selection and save it as Arcturus-frag1.txt


    NTFS FILE STRUCTURE 9

    Fragment 2

    31 3 represent the starting offset number and 1 represent the number of contiguous clusters in
    the run list.

    07 7 contiguous clusters = 7 * 512 = 3584

    11 90 01 19011 hex = 102,417 decimals or starting offset of the run list.


    207,798+102,417=310,215

    Click Save Selection and save it as Arcturus-frag2.txt

    Duhr.txt
    Fragment 1

    31 3 represent the starting offset number and 1 represent the number of contiguous clusters in
    the run list.
    NTFS FILE STRUCTURE 10

    08 8 contiguous cluster = 8 * 512 = 4096 bytes

    26 B0 04 4B026 hex = 307,238 decimals or starting offset of the run list.

    Click Save Selection and save it as Duhr-frag1.txt

    Fragment 2

    11 1 represent the starting offset number and 1 represent the number of contiguous clusters in
    the run list.

    08 8 contiguous cluster = 8 * 512 = 4096 bytes


    NTFS FILE STRUCTURE 11

    10 16 decimals or starting offset of the run list. 307,238+16= 307,254

    Click Save Selection and save it as Duhr-frag2.txt

    Grumium.txt

    31 3 represent the starting offset number and 1 represent the number of contiguous clusters in
    the run list.

    08 8 contiguous cluster = 8 * 512 = 4096 bytes


    NTFS FILE STRUCTURE 12

    81 96 04 49681 hex = 300,673 decimals or starting offset of the run list.

    Click Save Selection and save it as Grumium.txt because there are no other fragment and this is
    the whole file.
    Result:
    Merged file fragment into one file using command prompt copy/b command.
    NTFS FILE STRUCTURE 13
    NTFS FILE STRUCTURE 14

    Verified File:
    After merging the file fragment into one, I verified the file size to make sure that it is exact same
    size as the file size number appear in the $MFT file.
    NTFS FILE STRUCTURE 15
    NTFS FILE STRUCTURE 16

    Reference
    Carrier, B. (2011). File System Forensic Analysis. Upper Saddle River, NJ: Addison-Wesley.

    NTFS - Attributes. (n.d.). Retrieved July 07, 2017, from https://flatcap.org/linux-

    ntfs/ntfs/attributes/index.html

    Вам также может понравиться