Usb Investigation 1

This document summarizes a file system investigation of a 1GB, 2 partition USB drive using Linux, WinHex and The Sleuth kit. The Sleuth kit was installed after determining additional files were needed. The master boot record showed the first partition starting at sector 8064 and being 987966 sectors in size, while the second started at sector 996030 and was 961857 sectors in size. Examination of the first partition boot sector revealed it used the FAT32 file system.

Uploaded by

Philemon Mapfumo
Copyright
© Attribution Non-Commercial (BY-NC)

USB INVESTIGATION

This paper is a file system exercise in which a 1 GB, two-partition USB drive was investigated. The investigation
was carried out with the Linux terminal, WinHex and The Sleuth Kit. The Sleuth Kit was downloaded as source, but
the system lacked the toolchain needed to build it, so the build-essential package, which provides g++ and the
other compiler tools the build needs, was installed first.

Download and Installation of the SleuthKit.


mishy@mishy-laptop:~$ sudo apt-get install build-essential

mishy@mishy-laptop:~$ tar -xvzf sleuthkit-3.0.0.tar.gz

mishy@mishy-laptop:~$ cd sleuthkit-3.0.0/

mishy@mishy-laptop:~/sleuthkit-3.0.0$ ./configure

mishy@mishy-laptop:~/sleuthkit-3.0.0$ make

mishy@mishy-laptop:~/sleuthkit-3.0.0$ sudo make install

FAT Boot Sector


Common structure used by all FAT versions [UTECH, n.d.]:

Bytes     Content
0-2       Jump to bootstrap (e.g. eb 3c 90; on x86: JMP 003E, NOP). One finds either
          eb xx 90 or e9 xx xx; the position of the bootstrap varies.
3-10      OEM name/version (e.g. "IBM  3.3", "IBM 20.0", "MSDOS5.0", "MSWIN4.0").
          Various format utilities leave their own name, like "CH-FOR18"; sometimes
          just garbage. Microsoft recommends "MSWIN4.1".
          /* BIOS Parameter Block starts here */
11-12     Number of bytes per sector (512). Must be one of 512, 1024, 2048, 4096.
13        Number of sectors per cluster (1). Must be one of 1, 2, 4, 8, 16, 32, 64, 128.
          A cluster should have at most 32768 bytes; in rare cases 65536 is OK.
14-15     Number of reserved sectors (1). FAT12 and FAT16 use 1; FAT32 normally uses 32
          (the FAT32 volume examined below uses 34).
16        Number of FAT copies (2)
17-18     Number of root directory entries (224). 0 for FAT32; 512 is recommended for FAT16.
19-20     Total number of sectors in the filesystem (2880). Used only when the count fits in
          16 bits (FAT12/FAT16 volumes under 32 MB); otherwise 0, and the 32-bit field at
          bytes 32-35 holds the count.
21        Media descriptor type (f0: 1.4 MB floppy, f8: hard disk)
22-23     Number of sectors per FAT (9). 0 for FAT32, which uses bytes 36-39 instead.
24-25     Number of sectors per track (12)
26-27     Number of heads (2, for a double-sided diskette)
28-29     Number of hidden sectors (0). Hidden sectors are sectors preceding the partition;
          for a primary partition this should equal its starting LBA in the MBR (8064 and
          996030 for the two partitions examined here).
          /* BIOS Parameter Block ends here */
30-509    Bootstrap
510-511   Signature 55 aa

FAT16

FAT16 uses the above BIOS Parameter Block, with some extensions:

11-27     (as before)
28-31     Number of hidden sectors (0)
32-35     Total number of sectors in the filesystem (in case the total was not given in bytes 19-20)
36        Logical drive number (for use with INT 13, e.g. 0 or 0x80)
37        Reserved (earlier: current head, the track containing the boot record).
          Used by Windows NT: bit 0: need disk check; bit 1: need surface scan
38        Extended signature (0x29). Indicates that the three following fields are present.
          Windows NT recognizes either 0x28 or 0x29.
39-42     Serial number of partition
43-53     Volume label or "NO NAME    "
54-61     Filesystem type (e.g. "FAT12   ", "FAT16   ", "FAT     ", or all zero)
62-509    Bootstrap
510-511   Signature 55 aa

FAT32

FAT32 uses an extended BIOS Parameter Block:

11-27     (as before)
28-31     Number of hidden sectors (0)
32-35     Total number of sectors in the filesystem
36-39     Sectors per FAT
40-41     Mirror flags
          Bits 0-3: number of active FAT (if bit 7 is 1)
          Bits 4-6: reserved
          Bit 7: one: single active FAT; zero: all FATs are updated at runtime
          Bits 8-15: reserved
42-43     Filesystem version
44-47     First cluster of root directory (usually 2)
48-49     Filesystem information sector number in FAT32 reserved area (usually 1)
50-51     Backup boot sector location, or 0 or 0xffff if none (usually 6)
52-63     Reserved
64        Logical drive number (for use with INT 13, e.g. 0 or 0x80)
65        Reserved - used to be current head (used by Windows NT)
66        Extended signature (0x29). Indicates that the three following fields are present.
67-70     Serial number of partition
71-81     Volume label
82-89     Filesystem type ("FAT32   ")
90-509    Bootstrap
510-511   Signature 55 aa

Image 1 MASTER BOOT RECORD

(Image 1: hex dump of the master boot record, with the boot code, the two partition table entries and the
MBR signature annotated by hex address.)
Image 1 shows the master boot record of the USB drive. The partition table occupies bytes 1BE to 1FD, one
16-byte entry per partition, and two of the four entries are in use, so this device has two partitions. Within
each entry the starting LBA is at entry offset 8-11 and the size in sectors at offset 12-15; both are stored
little-endian, so the bytes must be reversed (least significant byte first) before conversion. The size of the
first partition is at hex address 1CA to 1CD, 3E 13 0F 00, which reads as 0x000F133E = 987966 sectors. The
starting LBA of the first partition is at 1C6 to 1C9, 80 1F 00 00, which reads as 0x00001F80 = 8064, so
partition 1 starts at sector 8064. The size of the second partition is at 1DA to 1DD, 41 AD 0E 00, which reads as
0x000EAD41 = 961857 sectors. The starting LBA of the second partition is at 1D6 to 1D9, BE 32 0F 00, which reads
as 0x000F32BE = 996030, so partition 2 starts at sector 996030. As a consistency check, 8064 + 987966 = 996030:
the second partition begins exactly where the first ends, with neither gap nor overlap. The last sector claimed by
the partition table is 996030 + 961857 - 1 = 1957886, so the partitioned area (including the 8064 sectors before
partition 1) spans 1957887 sectors * 512 bytes = 1002438144 bytes (978944 KiB, about 956 MiB) on a drive sold as
1 GB. This is the space the partition table claims, not necessarily the capacity of the device: the MBR cannot
tell us whether sectors exist after the end of partition 2.
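The decoding above can be automated. The following Python script is an added example, not code from the original paper: it builds a 512-byte MBR carrying the two entries decoded from Image 1, parses the partition table, and runs the checks a practitioner wants before trusting it (boot signature, overlap between entries, and the span the table claims). The LBA and size values come from the text; the status byte, the CHS fields and the type codes 0x0B and 0x06 are assumptions, because Image 1 itself is not reproduced on the page.

```python
import struct

SECTOR = 512
PART_TABLE_OFF = 0x1BE
# Well-known MBR partition type codes (only the ones relevant here).
PART_TYPES = {0x01: "FAT12", 0x04: "FAT16 <32M", 0x06: "FAT16", 0x07: "NTFS/exFAT",
              0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)", 0x0E: "FAT16 (LBA)",
              0x05: "Extended", 0x0F: "Extended (LBA)", 0x83: "Linux"}


def build_sample_mbr() -> bytes:
    """Constructed 512-byte MBR with the two entries decoded in the text.
    Start LBA and size are the page's values; status byte, CHS fields and the
    type codes (0x0B FAT32, 0x06 FAT16) are assumed, as Image 1 is not shown."""
    chs_lba_only = b"\xfe\xff\xff"  # conventional filler when only LBA is meaningful
    entries = b"".join(
        struct.pack("<B3sB3sII", 0x00, chs_lba_only, ptype, chs_lba_only, lba, size)
        for ptype, lba, size in ((0x0B, 8064, 987966), (0x06, 996030, 961857))
    )
    table = entries + b"\x00" * 32  # two unused slots
    return b"\x00" * PART_TABLE_OFF + table + b"\x55\xaa"


def parse_mbr(sector: bytes) -> list:
    """Decode the four primary partition entries (little-endian LBA and size)."""
    if len(sector) < SECTOR or sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 55 AA boot signature")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs_s, ptype, _chs_e, lba, size = struct.unpack_from("<B3sB3sII", sector, off)
        if ptype == 0 and size == 0:
            continue  # empty slot
        parts.append({"index": i + 1, "offset": off, "bootable": status == 0x80,
                      "type": ptype, "type_name": PART_TYPES.get(ptype, "unknown"),
                      "start_lba": lba, "sectors": size, "end_lba": lba + size - 1,
                      "bytes": size * SECTOR})
    return parts


def overlaps(parts: list) -> list:
    """Pairs of partition indexes whose sector ranges intersect (should be empty)."""
    bad = []
    for a in parts:
        for b in parts:
            if a["index"] < b["index"] and a["start_lba"] <= b["end_lba"] and b["start_lba"] <= a["end_lba"]:
                bad.append((a["index"], b["index"]))
    return bad


def partitioned_bytes(parts: list) -> int:
    """Bytes from sector 0 to the last sector any partition claims: a lower bound
    on device size, since the MBR says nothing about sectors beyond it."""
    return (max(p["end_lba"] for p in parts) + 1) * SECTOR


if __name__ == "__main__":
    parts = parse_mbr(build_sample_mbr())
    for p in parts:
        print(f"p{p['index']} @0x{p['offset']:X}: type 0x{p['type']:02X} {p['type_name']}, "
              f"start {p['start_lba']}, {p['sectors']} sectors, end {p['end_lba']}")
    print("overlaps:", overlaps(parts), "partitioned bytes:", partitioned_bytes(parts))
```

The offsets it reports (0x1BE and 0x1CE) are the entry starts; the LBA and size fields the text quotes at 1C6/1CA and 1D6/1DA are those entries plus 8 and plus 12.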

Image 2
Image 2 shows the same USB drive on an Ubuntu Linux system, confirming that it carries two partitions.

FIRST PARTITION

File Output 1
mishy@mishy-laptop:~$ sudo dd if=/dev/sdb of=First_Partition skip=8064 count=987966
mishy@mishy-laptop:~$ dd if=First_Partition count=1 | xxd
0000000: eb58 904d 5344 4f53 352e 3000 0208 2200 .X.MSDOS5.0...".
0000010: 0200 0000 00f8 0000 3f00 ff00 801f 0000 ........?.......
0000020: 3e13 0f00 c303 0000 0000 0000 ed00 0000 >...............
0000030: 0100 0600 0000 0000 0000 0000 0000 0000 ................
0000040: 8000 2960 6f58 6e50 6172 7431 0000 0000 ..)`oXnPart1....
0000050: 0000 4641 5433 3220 2020 33c9 8ed1 bcf4 ..FAT32 3.....
0000060: 7b8e c18e d9bd 007c 884e 028a 5640 b408 {......|.N..V@..
0000070: cd13 7305 b9ff ff8a f166 0fb6 c640 660f ..s......f...@f.
0000080: b6d1 80e2 3ff7 e286 cdc0 ed06 4166 0fb7 ....?.......Af..
0000090: c966 f7e1 6689 46f8 837e 1600 7538 837e .f..f.F..~..u8.~
00000a0: 2a00 7732 668b 461c 6683 c00c bb00 80b9 *.w2f.F.f.......
00000b0: 0100 e82b 00e9 4803 a0fa 7db4 7d8b f0ac ...+..H...}.}...
00000c0: 84c0 7417 3cff 7409 b40e bb07 00cd 10eb ..t.<.t.........
00000d0: eea0 fb7d ebe5 a0f9 7deb e098 cd16 cd19 ...}....}.......
00000e0: 6660 663b 46f8 0f82 4a00 666a 0066 5006 f`f;F...J.fj.fP.
00000f0: 5366 6810 0001 0080 7e02 000f 8520 00b4 Sfh.....~.... ..
0000100: 41bb aa55 8a56 40cd 130f 821c 0081 fb55 [email protected]
0000110: aa0f 8514 00f6 c101 0f84 0d00 fe46 02b4 .............F..
0000120: 428a 5640 8bf4 cd13 b0f9 6658 6658 6658 [email protected]
0000130: 6658 eb2a 6633 d266 0fb7 4e18 66f7 f1fe fX.*f3.f..N.f...
0000140: c28a ca66 8bd0 66c1 ea10 f776 1a86 d68a ...f..f....v....
0000150: 5640 8ae8 c0e4 060a ccb8 0102 cd13 6661 [email protected]
0000160: 0f82 54ff 81c3 0002 6640 490f 8571 ffc3 [email protected]..
0000170: 4e54 4c44 5220 2020 2020 2000 0000 0000 NTLDR .....
0000180: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000190: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00001a0: 0000 0000 0000 0000 0000 0000 0d0a 5265 ..............Re
00001b0: 6d6f 7665 2064 6973 6b73 206f 7220 6f74 move disks or ot
00001c0: 6865 7220 6d65 6469 612e ff0d 0a44 6973 her media....Dis
00001d0: 6b20 6572 726f 72ff 0d0a 5072 6573 7320 k error...Press
00001e0: 616e 7920 6b65 7920 746f 2072 6573 7461 any key to resta
00001f0: 7274 0d0a 0000 0000 00ac cbd8 0000 55aa rt............U.
File Output 1 shows the first sector (the boot sector) of the first partition, read from First_Partition, the raw
image of that partition. As mentioned earlier, the first partition starts at LBA 8064, which is why those sectors
were skipped to reach it. The dump gives the OEM name, MSDOS5.0, and the BIOS Parameter Block fields that locate
the rest of the file system:

BytesPerSector = 512 (bytes 11-12: 00 02)
SectorsPerCluster = 8 (byte 13)
ReservedSectorCount = 34 (bytes 14-15: 22 00)
NumberOfFATs = 2 (byte 16)
NumberOfRootDirEntries = 0 (bytes 17-18; always 0 for FAT32)
HiddenSectors = 8064 (bytes 28-31: 80 1F 00 00, matching the partition start in the MBR)
TotalSectors = 987966 (bytes 32-35: 3E 13 0F 00, matching the partition size in the MBR)
SectorsPerFAT = 963 (bytes 36-39: C3 03 00 00)
RootCluster = 237 (bytes 44-47: ED 00 00 00)
FSInfo = 1 (bytes 48-49)
BackupBootSector = 6 (bytes 50-51)
ExtendedBootSignature = 0x29 (byte 66)
VolumeID = 0x6E586F60 (bytes 67-70: 60 6F 58 6E)
VolumeLabel = Part1 (bytes 71-81)
FATType label = FAT32 (bytes 82-89)
BootSignature = 55 AA (bytes 510-511)

From these the layout follows directly: FAT 0 starts at sector 34, FAT 1 at 34 + 963 = 997, the data area at
34 + 2 * 963 = 1960, and cluster N is at sector 1960 + (N - 2) * 8, so the root directory (cluster 237) is at
sector 3840.
File output 2
mishy@mishy-laptop:~$sudo dd if=First_Partition count=1 skip=6 | xxd > BackUpBoot
0000000: eb58 904d 5344 4f53 352e 3000 0208 2200 .X.MSDOS5.0...".
0000010: 0200 0000 00f8 0000 3f00 ff00 801f 0000 ........?.......
0000020: 3e13 0f00 c303 0000 0000 0000 ed00 0000 >...............
0000030: 0100 0600 0000 0000 0000 0000 0000 0000 ................
0000040: 8000 2960 6f58 6e55 5342 4452 4956 4520 ..)`oXnUSBDRIVE
0000050: 2020 4641 5433 3220 2020 33c9 8ed1 bcf4 FAT32 3.....
0000060: 7b8e c18e d9bd 007c 884e 028a 5640 b408 {......|.N..V@..
0000070: cd13 7305 b9ff ff8a f166 0fb6 c640 660f ..s......f...@f.
0000080: b6d1 80e2 3ff7 e286 cdc0 ed06 4166 0fb7 ....?.......Af..
0000090: c966 f7e1 6689 46f8 837e 1600 7538 837e .f..f.F..~..u8.~
00000a0: 2a00 7732 668b 461c 6683 c00c bb00 80b9 *.w2f.F.f.......
00000b0: 0100 e82b 00e9 4803 a0fa 7db4 7d8b f0ac ...+..H...}.}...
00000c0: 84c0 7417 3cff 7409 b40e bb07 00cd 10eb ..t.<.t.........
00000d0: eea0 fb7d ebe5 a0f9 7deb e098 cd16 cd19 ...}....}.......
00000e0: 6660 663b 46f8 0f82 4a00 666a 0066 5006 f`f;F...J.fj.fP.
00000f0: 5366 6810 0001 0080 7e02 000f 8520 00b4 Sfh.....~.... ..
0000100: 41bb aa55 8a56 40cd 130f 821c 0081 fb55 [email protected]
0000110: aa0f 8514 00f6 c101 0f84 0d00 fe46 02b4 .............F..
0000120: 428a 5640 8bf4 cd13 b0f9 6658 6658 6658 [email protected]
0000130: 6658 eb2a 6633 d266 0fb7 4e18 66f7 f1fe fX.*f3.f..N.f...
0000140: c28a ca66 8bd0 66c1 ea10 f776 1a86 d68a ...f..f....v....
0000150: 5640 8ae8 c0e4 060a ccb8 0102 cd13 6661 [email protected]
0000160: 0f82 54ff 81c3 0002 6640 490f 8571 ffc3 [email protected]..
0000170: 4e54 4c44 5220 2020 2020 2000 0000 0000 NTLDR .....
0000180: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000190: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00001a0: 0000 0000 0000 0000 0000 0000 0d0a 5265 ..............Re
00001b0: 6d6f 7665 2064 6973 6b73 206f 7220 6f74 move disks or ot
00001c0: 6865 7220 6d65 6469 612e ff0d 0a44 6973 her media....Dis
00001d0: 6b20 6572 726f 72ff 0d0a 5072 6573 7320 k error...Press
00001e0: 616e 7920 6b65 7920 746f 2072 6573 7461 any key to resta
00001f0: 7274 0d0a 0000 0000 00ac cbd8 0000 55aa rt............U.
File Output 2 shows the backup copy of the boot sector, located at sector 6 of the partition as the
BackupBootSector field says. It is byte-for-byte identical to the primary except for the volume label field at
bytes 71-81, which reads USBDRIVE here but Part1 in the primary. This suggests the volume was relabelled after
formatting and only the primary boot sector was rewritten; when the two copies differ, the primary is what the
running system used, and the backup preserves the state at format time.

File Output 3
mishy@mishy-laptop:~$sudo dd if=First_Partition count=1 skip=34 | xxd > FirstFAT
0000000: f8ff ff0f ffff ffff 0300 0000 0400 0000 ................
0000010: 0500 0000 0600 0000 0700 0000 0800 0000 ................
0000020: 0900 0000 ffff ff0f 0000 0000 ffff ff0f ................
0000030: ffff ff0f ffff ff0f ffff ff0f ffff ff0f ................
0000040: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000050: 0000 0000 0000 0000 0000 0000 0000 0000 ................
[Removed]
File Output 3 shows the first sector of the first copy of the FAT in partition 1, located immediately after the
34 reserved sectors. FAT32 entries are 4 bytes, little-endian, with only the low 28 bits significant. The first
two entries (F8 FF FF 0F and FF FF FF FF) are reserved: entry 0 repeats the media descriptor F8 and entry 1
holds the end-of-chain marker. Entry 2 onwards describes the data clusters: cluster 2 points to 3, 3 to 4, and
so on up to cluster 9, whose value 0F FF FF FF (end of chain) closes the chain; cluster 10 holds 0 (free), and
clusters 11 to 15 each hold 0F FF FF FF, i.e. five single-cluster chains.

File Output 4
mishy@mishy-laptop:~$sudo dd if=First_Partition count=1 skip=997 | xxd > SecondFAT
0000000: f8ff ff0f ffff ffff 0300 0000 0400 0000 ................
0000010: 0500 0000 0600 0000 0700 0000 0800 0000 ................
0000020: 0900 0000 ffff ff0f 0000 0000 ffff ff0f ................
0000030: ffff ff0f ffff ff0f ffff ff0f ffff ff0f ................
0000040: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000050: 0000 0000 0000 0000 0000 0000 0000 0000 ................
[Removed]
File Output 4 shows the same segment of the second copy of the FAT in partition 1. This copy starts right after
the first FAT: reserved sectors + sectors per FAT = 34 + 963 = 997, which is where the second FAT is located. The
two copies should be identical, and here they are; a mismatch between them is a sign of an interrupted write or
of tampering, and is worth diffing in full rather than just in the first sector.

File Output 5
The following fsstat output gives the full picture of the FAT structure of the first partition, read from
FullFirstPartition.dd, the raw image of the whole partition. It reports the OEM name and volume information,
the layout of the file system in sectors (reserved area, boot sector copies, the two FATs, the data area and
the root directory), the allocated cluster chains as runs of sectors under FAT CONTENTS, and other information.
It is the check against which the hand decoding of File Outputs 1 to 4 can be compared.
mishy@mishy-laptop:~$ sudo fsstat -f fat FullFirstPartition.dd
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: FAT32

OEM Name: MSDOS5.0


Volume ID: 0x6e586f60
Volume Label (Boot Sector): Part1
Volume Label (Root Directory): Part1
File System Type Label: FAT32
Next Free Sector (FS Info): 2064
Free Sector Count (FS Info): 962120

Sectors before file system: 8064

File System Layout (in sectors)


Total Range: 0 - 987965
* Reserved: 0 - 33
** Boot Sector: 0
** FS Info Sector: 1
** Backup Boot Sector: 6
* FAT 0: 34 - 996
* FAT 1: 997 - 1959
* Data Area: 1960 - 987965
** Cluster Area: 1960 - 987959
*** Root Directory: 3840 - 3847
** Non-clustered: 987960 - 987965

METADATA INFORMATION
--------------------------------------------
Range: 2 - 15776102
Root Directory: 2

CONTENT INFORMATION
--------------------------------------------
Sector Size: 512
Cluster Size: 4096
Total Cluster Range: 2 - 123251

FAT CONTENTS (in sectors)


--------------------------------------------
1960-2023 (64) -> EOF
2032-2039 (8) -> EOF
2040-2047 (8) -> EOF
2048-2055 (8) -> EOF
2056-2063 (8) -> EOF
2064-2071 (8) -> EOF
3840-3847 (8) -> EOF
3856-4407 (552) -> EOF
4408-4639 (232) -> EOF
4640-5199 (560) -> EOF
5200-5287 (88) -> EOF
5288-12031 (6744) -> EOF
12032-12039 (8) -> EOF
12040-27247 (15208) -> EOF
27248-27623 (376) -> EOF

The first data cluster is located after the reserved sectors and the two FATs, at 34 + 963 + 963 = 1960: sector
1960 is cluster 2 (FAT numbers data clusters from 2). The chain that starts at cluster 2 runs through clusters 3
to 9 and ends there, eight clusters in all. Its directory entry (File Output 9) gives a size of 0x7748 = 30536
bytes (29.8 KB); because there are 4096 bytes per cluster (512 bytes per sector * 8 sectors per cluster), that
file needs exactly 8 clusters, which agrees with the FAT. Cluster 10 is free, so the next allocated cluster is 11,
a single-cluster chain; following it in the FAT led to the .Trash-1000 folder that holds files deleted through the
desktop. Files deleted that way are moved into this folder rather than unlinked, so they can still be opened from
there until the trash is emptied. Clusters 16 to 236 are free according to the FAT.

From the boot sector we found that the root directory is at cluster 237. Its size is 4 KB, one cluster. The FAT
shows cluster 238 free and the next chain starting at cluster 239. That file is 281088 bytes (275 KB) and needs
69 clusters (fsstat's run 3856-4407 is 552 sectors, i.e. 69 clusters of 8), so it occupies clusters 239 to 307
and the next file starts at cluster 308, and so on.

File Output 6
mishy@mishy-laptop:~$sudo dd if=First_Partition count=1 skip=3840 | xxd >Root_Dir
0000000: 5061 7274 3100 0000 0000 0008 0000 0000 Part1...........
0000010: 0000 0000 0000 0000 2100 0000 0000 0000 ........!.......
0000020: 4370 0074 0000 00ff ffff ff0f 0057 ffff Cp.t.........W..
0000030: ffff ffff ffff ffff ffff 0000 ffff ffff ................
0000040: 025f 0045 0078 0061 006d 000f 0057 7000 ._.E.x.a.m...Wp.
0000050: 6c00 6500 5b00 3100 5d00 0000 2e00 7000 l.e.[.1.].....p.
0000060: 0143 0068 0061 0070 0074 000f 0057 6500 .C.h.a.p.t...We.
0000070: 7200 5f00 3900 5f00 4600 0000 4100 5400 r._.9._.F...A.T.
0000080: 4348 4150 5445 7e31 5050 5420 0000 7a9e CHAPTE~1PPT ..z.
0000090: 9e39 9e39 0000 217f 7c39 ef00 004a 0400 .9.9..!.|9...J..
00000a0: e561 0074 0069 006f 006e 000f 0007 2e00 .a.t.i.o.n......
00000b0: 7000 6400 6600 0000 ffff 0000 ffff ffff p.d.f...........
00000c0: e544 0072 0069 0076 0065 000f 0007 4900 .D.r.i.v.e....I.
00000d0: 6e00 7600 6500 7300 7400 0000 6900 6700 n.v.e.s.t...i.g.
00000e0: e552 4956 4549 7e31 5044 4620 0000 7c9e .RIVEI~1PDF ..|.
00000f0: 9e39 9e39 0000 8581 7c39 3401 11c5 0100 .9.9....|94.....
0000100: 422e 0070 0064 0066 0000 000f 00a3 ffff B..p.d.f........
0000110: ffff ffff ffff ffff ffff 0000 ffff ffff ................
0000120: 0157 0069 006e 0068 0065 000f 00a3 7800 .W.i.n.h.e....x.
0000130: 2000 4d00 6100 6e00 7500 0000 6100 6c00 .M.a.n.u...a.l.
0000140: 5749 4e48 4558 7e31 5044 4620 0064 7d9e WINHEX~1PDF .d}.
0000150: 9e39 9e39 0000 da82 7c39 5101 b550 0400 .9.9....|9Q..P..
0000160: e545 004f 0044 002e 0078 000f 00f2 6c00 .E.O.D...x....l.
0000170: 7300 0000 ffff ffff ffff 0000 ffff ffff s...............
0000180: e54f 4420 2020 2020 584c 5320 0064 9c9e .OD XLS .d..
0000190: 9e39 9e39 0000 1367 4639 9701 00a2 0000 .9.9...gF9......
00001a0: 4249 5244 2020 2020 4a50 4720 0064 bb9e BIRD JPG .d..
00001b0: 9e39 9e39 0000 6d6f 2339 a201 0da0 3400 .9.9..mo#9....4.
00001c0: 412e 0054 0072 0061 0073 000f 00e4 6800 A..T.r.a.s....h.
00001d0: 2d00 3100 3000 3000 3000 0000 0000 ffff -.1.0.0.0.......
00001e0: 5452 4153 482d 7e31 2020 2010 0064 f758 TRASH-~1 ..d.X
00001f0: 9f39 9f39 0000 f758 9f39 0b00 0000 0000 .9.9...X.9......
0000200: e54e 5449 544c 7e31 2020 2010 0000 d79e .NTITL~1 .....
0000210: 9e39 9e39 0000 d79e 9e39 ed04 0000 0000 .9.9.....9......
0000220: 414e 0045 0057 0046 004f 000f 00dd 4c00 AN.E.W.F.O....L.
0000230: 4400 4500 5200 3200 0000 0000 ffff ffff D.E.R.2.........
0000240: 4e45 5746 4f4c 7e31 2020 2010 0000 e49e NEWFOL~1 .....
0000250: 9e39 9e39 0000 e49e 9e39 ed04 0000 0000 .9.9.....9......

File Output 6 shows the root directory of partition 1, found at the sector derived from the boot sector fields in
File Output 1. Each entry is 32 bytes and byte 11 of an entry is its attribute byte; the first entry, Part1, has
attribute 0x08, which marks the volume label. From this dump we can see directories, files and deleted files.
Entries whose first byte is E5 have been deleted: deleting a file does not wipe it from the drive, it only
overwrites the first byte of the directory entry with E5 (and releases the file's clusters in the FAT). The
deleted files here are DriveInvestigation.pdf and EOD.xls; through the mounted file system they are invisible, and
one would assume they were really gone. Attribute 0x0F marks a long file name (LFN) entry; one or more of these
precede the 8.3 short entry they belong to and carry, in their byte 13, a checksum of that short name. Attribute
0x10 marks a directory and 0x20 a regular file with the archive bit set. The other files in the root directory,
in cluster order, are Chapter_9_FAT_Example[1].ppt, Winhex Manual.pdf and BIRD.JPG. In this directory the
entries happen to appear in the order in which their clusters were allocated: Chapter_9_FAT_Example[1].ppt
starts at cluster 239 and takes up 69 clusters, so DriveInvestigation.pdf occupies the clusters after it. There
is also a directory called NEWFOLDER2 and a deleted directory entry _NTITL~1. Both carry the same first cluster,
0x04ED = 1261, and the "." entry inside that directory (File Output 9) carries the creation time of the deleted
entry (D7 9E), not that of NEWFOL~1 (E4 9E), so this is the trace of a rename rather than of a deleted directory:
FAT renames by writing a new entry and marking the old one E5. Bytes 26-27 of a short entry hold the low word of
its start cluster (bytes 20-21 hold the high word on FAT32): for Chapter_9_FAT_Example[1].ppt they read EF 00,
i.e. 0x00EF = 239, so the file's first cluster is 239. Bytes 28-31 hold the file size: for the same file they
read 00 4A 04 00, i.e. 0x00044A00 = 281088 bytes, which at 4096 bytes per cluster takes up 69 clusters.
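The following Python script is an added example, not code from the original paper, that parses a FAT directory the way it was read by hand above: 32-byte entries, attribute bits, long-name (LFN) chains assembled in reverse on-disk order and checked against the short-name checksum, first cluster and size, and the E5 deletion marker. Its sample input is constructed from three stretches of the File Output 6 dump (the Chapter_9_FAT_Example[1].ppt entries, the deleted DriveInvestigation.pdf entries, and the _NTITL~1 / NEWFOLDER2 pair). Two things it does that the manual reading does not: it recovers the first character of a deleted short name from the LFN and confirms it with the checksum, and it reports deleted entries that share a start cluster with a live entry, the footprint of a rename. The data-area start (1960) and sectors per cluster (8) are the values from File Output 5; the dictionary keys are this example's own.

```python
from __future__ import annotations
import struct

# Constructed sample: 32-byte entries copied from the root directory dump in
# File Output 6 (offsets 0x20-0x9F, 0xA0-0xFF and 0x200-0x25F).
ROOT_DIR_SAMPLE = bytes.fromhex(
    "43700074000000ffffffff0f0057ffff" "ffffffffffffffffffff0000ffffffff"
    "025f004500780061006d000f00577000" "6c0065005b0031005d0000002e007000"
    "01430068006100700074000f00576500" "72005f0039005f004600000041005400"
    "4348415054457e315050542000007a9e" "9e399e390000217f7c39ef00004a0400"
    "e56100740069006f006e000f00072e00" "7000640066000000ffff0000ffffffff"
    "e5440072006900760065000f00074900" "6e007600650073007400000069006700"
    "e552495645497e315044462000007c9e" "9e399e39000085817c39340111c50100"
    "e54e5449544c7e31202020100000d79e" "9e399e390000d79e9e39ed0400000000"
    "414e004500570046004f000f00dd4c00" "440045005200320000000000ffffffff"
    "4e4557464f4c7e31202020100000e49e" "9e399e390000e49e9e39ed0400000000"
)
DATA_START, SPC = 1960, 8          # partition 1 layout, from fsstat (File Output 5)
ATTR_LFN = 0x0F
ATTR_BITS = ((0x01, "R"), (0x02, "H"), (0x04, "S"), (0x08, "V"), (0x10, "D"), (0x20, "A"))


def sfn_checksum(short: bytes) -> int:
    """Checksum of the 11-byte 8.3 name that every LFN entry stores in byte 13."""
    s = 0
    for b in short:
        s = (((s & 1) << 7) + (s >> 1) + b) & 0xFF
    return s


def lfn_text(entry: bytes) -> str:
    """The 13 UTF-16LE characters of one LFN entry, minus terminator and 0xFFFF padding."""
    raw = entry[1:11] + entry[14:26] + entry[28:32]
    return raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0].rstrip("\uffff")


def parse_directory(data: bytes) -> list[dict]:
    entries, pending = [], []
    for off in range(0, len(data) - 31, 32):
        e = data[off:off + 32]
        if e[0] == 0x00:
            break                                   # no entries beyond this point
        if e[11] == ATTR_LFN:
            pending.append(e)                       # stored last chunk first
            continue
        deleted = e[0] == 0xE5
        short = bytearray(e[:11])
        long_name = "".join(lfn_text(p) for p in reversed(pending))
        expected = pending[0][13] if pending else None
        recovered = None
        if deleted and long_name:
            # E5 overwrote the first byte; the LFN's first character is the
            # candidate, and the LFN checksum confirms or rejects it.
            cand = long_name[0].upper().encode("ascii", "replace")
            if sfn_checksum(cand + short[1:]) == expected:
                short[0] = cand[0]
                recovered = cand.decode()
        base = short[:8].decode("latin-1").rstrip()
        ext = short[8:].decode("latin-1").rstrip()
        if deleted and recovered is None:
            base = "_" + base[1:]                   # same convention as fls
        short_name = f"{base}.{ext}" if ext else base
        hi, = struct.unpack_from("<H", e, 20)
        lo, = struct.unpack_from("<H", e, 26)
        size, = struct.unpack_from("<I", e, 28)
        fc = (hi << 16) | lo
        entries.append({
            "name": long_name or short_name, "short": short_name, "deleted": deleted,
            "attr": "".join(tag for bit, tag in ATTR_BITS if e[11] & bit),
            "first_cluster": fc,
            "first_sector": DATA_START + (fc - 2) * SPC if fc >= 2 else None,
            "size": size,
            "lfn_ok": expected is None or sfn_checksum(bytes(short)) == expected,
            "recovered_first": recovered,
        })
        pending = []
    return entries


def shared_first_cluster(entries: list[dict]) -> list[tuple[str, str, int]]:
    """Deleted entries whose start cluster a live entry still owns: on FAT this
    is the footprint of a rename (new entry written, old one marked E5)."""
    live = {x["first_cluster"]: x["name"] for x in entries if not x["deleted"] and x["first_cluster"]}
    return [(x["name"], live[x["first_cluster"]], x["first_cluster"])
            for x in entries if x["deleted"] and x["first_cluster"] in live]


if __name__ == "__main__":
    ents = parse_directory(ROOT_DIR_SAMPLE)
    for x in ents:
        flag = "*" if x["deleted"] else " "
        print(f"{flag} {x['attr']:2} {x['name']:30} {x['short']:13} cl={x['first_cluster']:5} "
              f"sec={x['first_sector']} size={x['size']} lfn_ok={x['lfn_ok']}")
    print("renames:", shared_first_cluster(ents))
```

Note that the checksum trick only works while the LFN entries survive; _NTITL~1 has none left in the dump (the .Trash-1000 entries were written over them), so its first character stays unknown and it is printed with the fls underscore.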

File Output 7
mishy@mishy-laptop:~$sudo dd if=First_Partition count=1 skip=3856 | xxd >First_File
0000000: d0cf 11e0 a1b1 1ae1 0000 0000 0000 0000 ................
0000010: 0000 0000 0000 0000 3e00 0300 feff 0900 ........>.......
0000020: 0600 0000 0000 0000 0000 0000 0500 0000 ................
0000030: 2002 0000 0000 0000 0010 0000 2202 0000 ..........."...
0000040: 0100 0000 feff ffff 0000 0000 1902 0000 ................
0000050: 1a02 0000 1b02 0000 1c02 0000 2102 0000 ............!...
0000060: ffff ffff ffff ffff ffff ffff ffff ffff ................
0000070: ffff ffff ffff ffff ffff ffff ffff ffff ................
0000080: ffff ffff ffff ffff ffff ffff ffff ffff ................
0000090: ffff ffff ffff ffff ffff ffff ffff ffff ................
File Output 7 shows the first sector of cluster 239 (sector 3856), the first file after the root directory,
Chapter_9_FAT_Example[1].ppt. From the root directory we saw that this is the first file in the directory,
followed by the deleted DriveInvestigation.pdf. The signature D0 CF 11 E0 A1 B1 1A E1 is the header of an OLE2
compound document, the container used by legacy Office formats (.ppt, .doc and .xls alike), so the signature
identifies the family rather than the specific extension.

Image 3
mishy@mishy-laptop:~$sudo dd if=First_Partition count=1 skip=4408 | xxd >Second_File

Image 3 shows the first sector of the second file of the root directory, DriveInvestigation.pdf, at cluster 308
(sector 4408). The root directory marks this file as deleted, but its clusters have not been reused, so the content
is still there and retrievable. The file signature of a PDF is 25 50 44 46, the ASCII string %PDF.

Image 4
mishy@mishy-laptop:~$sudo dd if=First_Partition count=1 skip=4640 | xxd >Third_File

Image 4 shows the first sector of the third file of the root directory, Winhex Manual.pdf, at cluster 337 (sector
4640). The signatures in Images 3 and 4 are the same because both are PDF files.

Image 5
mishy@mishy-laptop:~$sudo dd if=First_Partition count=1 skip=5200 | xxd >Fourth_File
Image 5 shows the first sector of the fourth file of the root directory, EOD.xls, at cluster 407 (sector 5200).
The root directory marks this file as deleted too, but it is still readable with low-level tools. The signature
D0 CF 11 E0 is the same OLE2 compound document header seen for the .ppt file in File Output 7, so the header
identifies the Office container, and the extension or the internal stream names are needed to tell .xls from .ppt.

File Output 8
mishy@mishy-laptop:~$sudo dd if=First_Partition count=1 skip=5288 | xxd >Fifth_File
0000000: ffd8 ffe0 0010 4a46 4946 0001 0101 0060 ......JFIF.....`
0000010: 0060 0000 ffe1 49b8 4578 6966 0000 4949 .`....I.Exif..II
0000020: 2a00 0800 0000 1300 0f01 0200 1600 0000 *...............
0000030: f200 0000 1001 0200 2400 0000 0801 0000 ........$.......
0000040: 1201 0300 0100 0000 0100 4f4c 1a01 0500 ..........OL....
0000050: 0100 0000 2c01 0000 1b01 0500 0100 0000 ....,...........
0000060: 3401 0000 2801 0300 0100 0000 0200 2321 4...(.........#!
File Output 8 shows the first sector of the fifth file in the root directory, BIRD.JPG (cluster 418, sector 5288).
The signature FF D8 FF E0 followed by the JFIF marker proves that this is a JPEG image; the embedded Exif block is
also visible. The file's extension was changed to .txt on the mounted drive, but a rename only rewrites the
directory entry, not the file content, so when analysed with WinHex the header was unchanged and the file still
came back as JFIF.

Image 7
mishy@mishy-laptop:~$sudo dd if=First_Partition count=1 skip=2032 | xxd >Trash

Image 7 shows the trash folder of partition 1 (cluster 11, sector 2032). The .Trash-1000 directory is not part of
FAT; it is created by the Linux desktop (following the freedesktop.org trash specification) the first time a user,
here uid 1000, moves a file on that volume to the wastebasket, and it holds the files "deleted" from the drive
through the desktop until the trash is emptied. Its presence is itself evidence that the drive was used on a Linux
system.

File Output 8
This file output shows the result of the fls command, which lists the root directory with the long file names
reassembled. Entries marked with an asterisk are deleted, matching the E5 entries in File Output 6. The number
before each name is the Sleuth Kit metadata address of the directory entry, and the $MBR, $FAT1, $FAT2 and
$OrphanFiles entries are virtual files that The Sleuth Kit adds for the boot sector, the two FATs, and deleted
entries whose parent directory can no longer be determined.
mishy@mishy-laptop:~$ sudo fls -f fat FullFirstPartition.dd
r/r 30087: Chapter_9_FAT_Example[1].ppt
r/r * 30090: DriveInvestigation.pdf
r/r 30093: Winhex Manual.pdf
r/r * 30095: EOD.xls
r/r 30096: BIRD.JPG
d/d 30098: .Trash-1000
d/d * 30099: _NTITL~1
d/d 30101: NEWFOLDER2
v/v 15776099: $MBR
v/v 15776100: $FAT1
v/v 15776101: $FAT2
d/d 15776102: $OrphanFiles

File Output 9
mishy@mishy-laptop:~$sudo dd if=First_Partition count=1 skip=12032 | xxd >NEWFOLDER
0000000: 2e20 2020 2020 2020 2020 2010 0000 d79e . .....
0000010: 9e39 9e39 0000 d79e 9e39 ed04 0000 0000 .9.9.....9......
0000020: 2e2e 2020 2020 2020 2020 2010 0000 d79e .. .....
0000030: 9e39 9e39 0000 d79e 9e39 0000 0000 0000 .9.9.....9......
0000040: 4270 0064 0066 0000 00ff ff0f 00bd ffff Bp.d.f..........
0000050: ffff ffff ffff ffff ffff 0000 ffff ffff ................
0000060: 0143 0046 0050 0072 006f 000f 00bd 6600 .C.F.P.r.o....f.
0000070: 6500 7300 7300 6900 6f00 0000 6e00 2e00 e.s.s.i.o...n...
0000080: 4346 5052 4f46 7e31 5044 4620 0000 e19e CFPROF~1PDF ....
0000090: 9e39 9e39 0000 a0a2 6d39 ee04 aacc 7600 .9.9....m9....v.
00000a0: 4172 0065 0070 006f 0072 000f 0092 7400 Ar.e.p.o.r....t.
00000b0: 4100 6900 6400 2e00 7000 0000 6400 6600 A.i.d...p...d.f.
00000c0: 5245 504f 5254 7e31 5044 4620 0000 e49e REPORT~1PDF ....
00000d0: 9e39 9e39 0000 8aa2 6d39 5b0c 56ee 0200 .9.9....m9[.V...
00000e0: e566 0000 00ff ffff ffff ff0f 0054 ffff .f...........T..
00000f0: ffff ffff ffff ffff ffff 0000 ffff ffff ................
0000100: e573 0063 0061 0072 0079 000f 0054 6c00 .s.c.a.r.y...Tl.
0000110: 6100 7300 6500 7200 2e00 0000 6700 6900 a.s.e.r.....g.i.
0000120: e543 4152 594c 7e31 4749 4620 005c 0ca0 .CARYL~1GIF .\..
0000130: 9e39 9e39 0000 0da0 9e39 0000 0000 0000 .9.9.....9......
0000140: 4266 0000 00ff ffff ffff ff0f 0054 ffff Bf...........T..
0000150: ffff ffff ffff ffff ffff 0000 ffff ffff ................
0000160: 0173 0063 0061 0072 0079 000f 0054 6c00 .s.c.a.r.y...Tl.
0000170: 6100 7300 6500 7200 2e00 0000 6700 6900 a.s.e.r.....g.i.
0000180: 5343 4152 594c 7e31 4749 4620 005c 0ca0 SCARYL~1GIF .\..
0000190: 9e39 9e39 0000 749f 9e39 0200 4877 0000 .9.9..t..9..Hw..
00001a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00001b0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00001c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
File Output 9 shows the first sector of the directory NEWFOLDER2 (cluster 1261, sector 12032). It begins with the
"." and ".." entries, then CFProfession.pdf (start cluster 0x04EE = 1262, 7785642 bytes), ReportAid.pdf (start
cluster 0x0C5B = 3163, 192086 bytes) and scarylaser.gif (start cluster 0x0002, 0x7748 = 30536 bytes), each
preceded by its LFN entries; a deleted, zero-length E5 entry for scarylaser.gif precedes the live one. The
attribute, start-cluster and size fields sit at the same offsets as in File Output 6. scarylaser.gif starts at
cluster 2, so its data sits at the very start of the data area (it is the 2 -> 9 chain seen in File Output 3)
even though the file lives in NEWFOLDER2 rather than in the root directory.
The same investigation was done on the second partition.

SECOND PARTITION
File Output 10
mishy@mishy-laptop:~$ sudo dd if=/dev/sdb of=Second_Partition skip=996030 count=961857
mishy@mishy-laptop:~$ dd if=Second_Partition count=1 | xxd
0000000: eb58 9050 4152 4147 4f4e 2300 0210 0100 .X.PARAGON#.....
0000010: 0200 0200 00f8 eb00 3f00 ff00 be32 0f00 ........?....2..
0000020: 41ad 0e00 8000 29d5 1cd5 1c50 6172 7432 A.....)....Part2
0000030: 0000 0000 0000 4641 5431 3620 2020 0000 ......FAT16 ..
0000040: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000050: 0000 0000 0000 0000 0000 8cc8 8ed0 bcff ................
0000060: 7bfb 8ed8 8ec0 fcbf 2000 33c0 b915 00af {....... .3.....
0000070: 7505 af75 04e2 f847 4781 7dfe 00c0 720a u..u...GG.}...r.
0000080: e2ed 813e 0201 00c0 730f be88 7de8 3f00 ...>....s...}.?.
0000090: 33c0 cd16 3d00 3b75 f7be a77c bfa7 7eb9 3...=.;u...|..~.
00000a0: 7100 f3a5 e900 02bb 007c b901 00be e17e q........|.....~
00000b0: e81c 0033 c0cd 16b8 0102 33d2 50cd 1358 ...3......3.P..X
00000c0: cd13 72e3 813e fe7d 55aa 75db e931 fd50 ..r..>.}U.u..1.P
00000d0: 5351 ac3c 0075 0459 5b58 c3b4 0ecd 10eb SQ.<.u.Y[X......
00000e0: f10a 0d4e 6f6e 2d73 7973 7465 6d20 6469 ...Non-system di
00000f0: 736b 206f 7220 6469 736b 2065 7272 6f72 sk or disk error
0000100: 0a0d 496e 7365 7274 2044 4f53 2064 6973 ..Insert DOS dis
0000110: 6b65 7474 6520 616e 6420 7072 6573 7320 kette and press
0000120: 616e 7920 6b65 7920 2e2e 2e0a 0d00 0000 any key ........
0000130: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000140: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000150: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000160: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000170: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000180: 0000 0000 0000 0000 0a0d 506f 7373 6962 ..........Possib
0000190: 6c65 2062 6f6f 7420 5649 5255 5320 6465 le boot VIRUS de
00001a0: 7465 6374 6564 210a 0d50 7265 7373 203c tected!..Press <
00001b0: 4631 3e20 746f 2063 6f6e 7469 6e75 6500 F1> to continue.
00001c0: 0d0a 5057 2f44 4220 6279 204b 4952 2056 ..PW/DB by KIR V
00001d0: 2e20 2843 2920 5061 7261 676f 6e20 3139 . (C) Paragon 19
00001e0: 3937 2d31 3939 3900 0000 0000 0000 0000 97-1999.........
00001f0: 0000 0000 0000 0000 0000 0000 0000 55aa ..............U.

File Output 10 shows the first sector of the second partition. From this dump we can read the OEM name, PARAGON#,
which identifies the program used to create the second partition (Paragon's boot code and copyright string are
visible at the end of the sector). The important fields are:

BytesPerSector = 512 (bytes 11-12: 00 02)
SectorsPerCluster = 16 (byte 13: 10)
ReservedSectorCount = 1 (bytes 14-15)
NumberOfFATs = 2 (byte 16)
NumberOfRootDirEntries = 512 (bytes 17-18: 00 02)
SectorsPerFAT = 235 (bytes 22-23: EB 00)
HiddenSectors = 996030 (bytes 28-31: BE 32 0F 00, matching the partition start in the MBR)
TotalSectors = 961857 (bytes 32-35: 41 AD 0E 00, matching the partition size in the MBR)
ExtendedBootSignature = 0x29 (byte 38)
VolumeID = 0x1CD51CD5 (bytes 39-42: D5 1C D5 1C)
VolumeLabel = Part2 (bytes 43-53)
FATType label = FAT16 (bytes 54-61)
BootSignature = 55 AA (bytes 510-511)

So FAT 0 occupies sectors 1-235, FAT 1 sectors 236-470, the root directory (512 entries * 32 bytes = 16384 bytes =
32 sectors) sectors 471-502, and the data area starts at sector 503 with cluster 2.

This is a FAT16 partition, so some information is retrieved differently from the first partition: the root
directory is a fixed-size area right after the FATs rather than a cluster chain, the FAT entries are 16 bits wide,
and the extended boot signature, serial number and labels sit at bytes 38-61 rather than 66-89. The cluster size
of the first partition was 4 KB while this one uses 8 KB. That is not simply waste by choice: FAT16 can address at
most 65524 data clusters, and 961857 sectors at 8 sectors per cluster would need about 120000, so the formatter
had to pick 16 sectors per cluster (60084 clusters); FAT32 has no such limit at this volume size, which is why it
can use the smaller cluster. The larger cluster does mean more slack space per file on FAT16. We also noted that
the first partition has a backup boot sector while the second does not: the FAT16 boot sector has no backup boot
sector field, and its reserved area is the single boot sector.
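As an added example, not part of the original paper, the following Python script parses both boot sectors shown on this page (the first 96 bytes of File Output 1 and the first 64 bytes of File Output 10, copied from the dumps), derives the layout the same way fsstat does, and decides the FAT type from the cluster count rather than from the type label, which is what the specification requires and what a tampered label would otherwise fool. The helpers for cluster-to-sector conversion and for the number of clusters a file needs reproduce the arithmetic used throughout the first-partition analysis. Only the BPB bytes are taken from the page; the dictionary keys and warning strings are this example's own.

```python
from __future__ import annotations
import struct

# Constructed samples: the first 96 and 64 bytes of the boot sectors shown in
# File Output 1 (partition 1) and File Output 10 (partition 2), copied from the dumps.
BOOT_P1 = bytes.fromhex(
    "eb58904d53444f53352e300002082200"
    "0200000000f800003f00ff00801f0000"
    "3e130f00c303000000000000ed000000"
    "01000600000000000000000000000000"
    "800029606f586e506172743100000000"
    "0000464154333220202033c98ed1bcf4"
)
BOOT_P2 = bytes.fromhex(
    "eb589050415241474f4e230002100100"
    "0200020000f8eb003f00ff00be320f00"
    "41ad0e00800029d51cd51c5061727432"
    "00000000000046415431362020200000"
)


def parse_boot_sector(sec: bytes) -> dict:
    """Decode the common BPB, derive the layout, and decide the FAT type the way
    the specification does: from the cluster count, not from the type label."""
    (_jmp, oem, bps, spc, rsvd, nfats, root_ents, tot16, _media,
     spf16, _spt, _heads, hidden, tot32) = struct.unpack_from("<3s8sHBHBHHBHHHII", sec, 0)
    if bps not in (512, 1024, 2048, 4096) or not spc or spc & (spc - 1) or not nfats:
        raise ValueError("not a FAT BIOS Parameter Block")
    total = tot16 or tot32
    spf = spf16 or struct.unpack_from("<I", sec, 36)[0]   # 32-bit field for FAT32
    root_dir_sectors = (root_ents * 32 + bps - 1) // bps   # 0 on FAT32
    data_start = rsvd + nfats * spf + root_dir_sectors
    clusters = (total - data_start) // spc
    fat_type = 12 if clusters < 4085 else 16 if clusters < 65525 else 32
    ext = 66 if fat_type == 32 else 38                      # extended boot signature offset
    fs = {
        "oem": oem.decode("latin-1"), "bytes_per_sector": bps, "sectors_per_cluster": spc,
        "reserved": rsvd, "fats": nfats, "sectors_per_fat": spf, "hidden": hidden,
        "total_sectors": total, "fat_type": fat_type, "clusters": clusters,
        "fat_start": [rsvd + i * spf for i in range(nfats)], "data_start": data_start,
        "ext_sig": sec[ext], "volume_id": struct.unpack_from("<I", sec, ext + 1)[0],
        "label": sec[ext + 5:ext + 16].decode("latin-1").rstrip(" \x00"),
        "type_label": sec[ext + 16:ext + 24].decode("latin-1").strip(),
        "warnings": [],
    }
    if fat_type == 32:
        fs["root_cluster"], fs["fsinfo_sector"], fs["backup_boot_sector"] = struct.unpack_from("<IHH", sec, 44)
        fs["root_dir_sector"] = cluster_to_sector(fs, fs["root_cluster"])
    else:
        fs["root_dir_sector"] = rsvd + nfats * spf        # fixed area before the data
    if fs["ext_sig"] not in (0x28, 0x29):
        fs["warnings"].append(f"unexpected extended boot signature 0x{fs['ext_sig']:02x}")
    if fs["type_label"] and fs["type_label"] != f"FAT{fat_type}":
        fs["warnings"].append(f"type label {fs['type_label']!r} disagrees with cluster count")
    if len(sec) >= 512 and sec[510:512] != b"\x55\xaa":
        fs["warnings"].append("missing 55 AA signature")
    return fs


def cluster_to_sector(fs: dict, cluster: int) -> int:
    """Cluster numbering starts at 2 at the first sector of the data area."""
    return fs["data_start"] + (cluster - 2) * fs["sectors_per_cluster"]


def clusters_needed(fs: dict, size: int) -> int:
    cluster_bytes = fs["bytes_per_sector"] * fs["sectors_per_cluster"]
    return (size + cluster_bytes - 1) // cluster_bytes


if __name__ == "__main__":
    for name, sec in (("partition 1", BOOT_P1), ("partition 2", BOOT_P2)):
        fs = parse_boot_sector(sec)
        print(name, f"FAT{fs['fat_type']}", fs["oem"], fs["label"], f"0x{fs['volume_id']:08x}")
        print("  FATs at", fs["fat_start"], "data area", fs["data_start"], "root dir sector",
              fs["root_dir_sector"], "clusters", fs["clusters"], fs["warnings"])
```

The hidden-sectors field it returns (8064 and 996030) should be compared with the start LBA from the MBR; a disagreement means the boot sector was copied in from elsewhere or the partition table was edited.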
File Output 11
mishy@mishy-laptop:~$ sudo dd if=Second_Partition count=1 skip=1 | xxd > FAT1
0000000: f8ff ffff 0000 0400 0500 ffff ffff 0800 ................
0000010: 0900 0a00 0b00 0c00 0d00 0e00 0f00 1000 ................
0000020: 1100 1200 1300 1400 1500 1600 1700 1800 ................
0000030: 1900 1a00 1b00 1c00 1d00 1e00 1f00 2000 .............. .
0000040: 2100 2200 2300 2400 2500 2600 2700 2800 !.".#.$.%.&.'.(.
0000050: 2900 2a00 2b00 2c00 2d00 2e00 2f00 3000 ).*.+.,.-.../.0.
0000060: 3100 3200 3300 3400 3500 3600 3700 3800 1.2.3.4.5.6.7.8.
0000070: 3900 3a00 3b00 3c00 3d00 3e00 3f00 4000 9.:.;.<.=.>.?.@.
0000080: 4100 4200 4300 4400 4500 4600 4700 4800 A.B.C.D.E.F.G.H.
0000090: 4900 4a00 4b00 4c00 4d00 4e00 4f00 5000 I.J.K.L.M.N.O.P.
00000a0: 5100 5200 5300 5400 5500 5600 5700 5800 Q.R.S.T.U.V.W.X.
00000b0: 5900 5a00 5b00 5c00 5d00 5e00 5f00 6000 Y.Z.[.\.].^._.`.
00000c0: 6100 6200 6300 6400 6500 6600 6700 6800 a.b.c.d.e.f.g.h.
00000d0: 6900 6a00 6b00 6c00 6d00 6e00 6f00 7000 i.j.k.l.m.n.o.p.
00000e0: 7100 7200 7300 7400 7500 7600 7700 7800 q.r.s.t.u.v.w.x.
00000f0: 7900 7a00 7b00 7c00 7d00 7e00 7f00 8000 y.z.{.|.}.~.....
0000100: 8100 8200 8300 8400 8500 8600 8700 8800 ................
File Output 11 shows the first sector of the first FAT of partition 2, located right after the single reserved
sector. FAT16 entries are 2 bytes each: entries 0 and 1 are reserved (F8 FF, FF FF), cluster 2 is free (00 00),
cluster 3 points to 4 and 4 to 5, clusters 5 and 6 are each end of chain (FF FF), and from cluster 7 onwards the
entries form one long ascending chain (7 -> 8 -> 9 ...), a file stored contiguously.

File Output 12
mishy@mishy-laptop:~$ sudo dd if=Second_Partition count=1 skip=236 | xxd > FAT2
0000000: f8ff ffff 0000 0400 0500 ffff ffff 0800 ................
0000010: 0900 0a00 0b00 0c00 0d00 0e00 0f00 1000 ................
0000020: 1100 1200 1300 1400 1500 1600 1700 1800 ................
0000030: 1900 1a00 1b00 1c00 1d00 1e00 1f00 2000 .............. .
0000040: 2100 2200 2300 2400 2500 2600 2700 2800 !.".#.$.%.&.'.(.
0000050: 2900 2a00 2b00 2c00 2d00 2e00 2f00 3000 ).*.+.,.-.../.0.
0000060: 3100 3200 3300 3400 3500 3600 3700 3800 1.2.3.4.5.6.7.8.
0000070: 3900 3a00 3b00 3c00 3d00 3e00 3f00 4000 9.:.;.<.=.>.?.@.
0000080: 4100 4200 4300 4400 4500 4600 4700 4800 A.B.C.D.E.F.G.H.
0000090: 4900 4a00 4b00 4c00 4d00 4e00 4f00 5000 I.J.K.L.M.N.O.P.
00000a0: 5100 5200 5300 5400 5500 5600 5700 5800 Q.R.S.T.U.V.W.X.
00000b0: 5900 5a00 5b00 5c00 5d00 5e00 5f00 6000 Y.Z.[.\.].^._.`.
00000c0: 6100 6200 6300 6400 6500 6600 6700 6800 a.b.c.d.e.f.g.h.
00000d0: 6900 6a00 6b00 6c00 6d00 6e00 6f00 7000 i.j.k.l.m.n.o.p.
00000e0: 7100 7200 7300 7400 7500 7600 7700 7800 q.r.s.t.u.v.w.x.
00000f0: 7900 7a00 7b00 7c00 7d00 7e00 7f00 8000 y.z.{.|.}.~.....
0000100: 8100 8200 8300 8400 8500 8600 8700 8800 ................
File Output 12 shows the second FAT of partition 2, which is located after the reserved sector and the first FAT. It is a backup copy of the first FAT, and the two dumps are identical.

File Output 13
mishy@mishy-laptop:~$ sudo fsstat -f fat FullSecondPartition.dd
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: FAT16

OEM Name: PARAGON#


Volume ID: 0x1cd51cd5
Volume Label (Boot Sector): Part2
Volume Label (Root Directory): Part2
File System Type Label: FAT16

Sectors before file system: 996030

File System Layout (in sectors)


Total Range: 0 - 961856
* Reserved: 0 - 0
** Boot Sector: 0
* FAT 0: 1 - 235
* FAT 1: 236 - 470
* Data Area: 471 - 961856
** Root Directory: 471 - 502
** Cluster Area: 503 - 961846
** Non-clustered: 961847 - 961856

METADATA INFORMATION
--------------------------------------------
Range: 2 - 15382182
Root Directory: 2

CONTENT INFORMATION
--------------------------------------------
Sector Size: 512
Cluster Size: 8192
Total Cluster Range: 2 - 60085

FAT CONTENTS (in sectors)


--------------------------------------------
519-566 (48) -> EOF
567-582 (16) -> EOF
583-4390 (3808) -> EOF
4391-4566 (176) -> EOF
4567-4582 (16) -> EOF
4583-4598 (16) -> EOF
4599-4614 (16) -> EOF
4615-4630 (16) -> EOF

mishy@mishy-laptop:~$ sudo fls -f fat FullSecondPartition.dd > Files


r/r 6: Technology.odt
r/r * 8: mish_back.JPG
d/d * 9: _NTITL~1
d/d 11: NEWFOLDER
r/r 16: NEW TELLER CASH TRANSFER (final draft).doc
d/d 18: .Trash-1000
v/v 15382179: $MBR
v/v 15382180: $FAT1
v/v 15382181: $FAT2
d/d 15382182: $OrphanFiles
The above file output lists the files contained in partition 2. The entries that fls marks with *, the file mish_back.JPG and the directory _NTITL~1, have been deleted.

File Output 14
mishy@mishy-laptop:~$ sudo dd if=Seond_Partition count=1 skip=471 | xxd > RootDir
0000000: 5061 7274 3200 0000 0000 0008 0000 0000 Part2...........
0000010: 0000 0000 0000 0000 2100 0000 0000 0000 ........!.......
0000020: 4274 0000 00ff ffff ffff ff0f 0042 ffff Bt...........B..
0000030: ffff ffff ffff ffff ffff 0000 ffff ffff ................
0000040: 0154 0065 0063 0068 006e 000f 0042 6f00 .T.e.c.h.n...Bo.
0000050: 6c00 6f00 6700 7900 2e00 0000 6f00 6400 l.o.g.y.....o.d.
0000060: 5445 4348 4e4f 7e31 4f44 5420 0000 499e TECHNO~1ODT ..I.
0000070: 9e39 9e39 0000 ebb3 7e39 0300 fe44 0000 .9.9....~9...D..
0000080: e56d 0069 0073 0068 005f 000f 0035 6200 .m.i.s.h._...5b.
0000090: 6100 6300 6b00 2e00 4a00 0000 5000 4700 a.c.k...J...P.G.
00000a0: e549 5348 5f42 7e31 4a50 4720 0000 8a9e .ISH_B~1JPG ....
00000b0: 9e39 9e39 0000 ef5b 4d39 0700 64bb 1d00 .9.9...[M9..d...
00000c0: e54e 5449 544c 7e31 2020 2010 0000 4c9e .NTITL~1 ...L.
00000d0: 9e39 9e39 0000 4c9e 9e39 0600 0000 0000 .9.9..L..9......
00000e0: 414e 0045 0057 0046 004f 000f 00dd 4c00 AN.E.W.F.O....L.
00000f0: 4400 4500 5200 0000 ffff 0000 ffff ffff D.E.R...........
0000100: 4e45 5746 4f4c 7e31 2020 2010 0064 4c9e NEWFOL~1 ..dL.
0000110: 9e39 9e39 0000 4c9e 9e39 0600 0000 0000 .9.9..L..9......
0000120: 4464 006f 0063 0000 00ff ff0f 00a5 ffff Dd.o.c..........
0000130: ffff ffff ffff ffff ffff 0000 ffff ffff ................
0000140: 0366 0069 006e 0061 006c 000f 00a5 2000 .f.i.n.a.l.... .
0000150: 6400 7200 6100 6600 7400 0000 2900 2e00 d.r.a.f.t...)...
0000160: 0253 0048 0020 0054 0052 000f 00a5 4100 .S.H. .T.R....A.
0000170: 4e00 5300 4600 4500 5200 0000 2000 2800 N.S.F.E.R... .(.
0000180: 014e 0045 0057 0020 0054 000f 00a5 4500 .N.E.W. .T....E.
0000190: 4c00 4c00 4500 5200 2000 0000 4300 4100 L.L.E.R. ...C.A.
00001a0: 4e45 5754 454c 7e31 444f 4320 0000 9a9e NEWTEL~1DOC ....
00001b0: 9e39 9e39 0000 c862 cf32 f500 004c 0100 .9.9...b.2...L..
00001c0: 412e 0054 0072 0061 0073 000f 00e4 6800 A..T.r.a.s....h.
00001d0: 2d00 3100 3000 3000 3000 0000 0000 ffff -.1.0.0.0.......
00001e0: 5452 4153 482d 7e31 2020 2010 0064 0a59 TRASH-~1 ..d.Y
00001f0: 9f39 9f39 0000 0a59 9f39 0001 0000 0000 .9.9...Y.9......

File Output 14 shows the root directory of the second partition. The root directory is located after the reserved sector and the two FATs. The first entry is the volume label, Part2. The directory entries for mish_back.JPG begin with the byte 0xE5, which FAT uses to mark a deleted entry; this is how we can see that the image has been deleted.
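The dumps above can be decoded programmatically. The following Python is an added example, not code from the original report: it parses five 32-byte short-name entries copied from File Output 14, flags the 0xE5 deleted marker (shown as "_" the way fls prints it) and walks the FAT16 chain through the first eight entries of File Output 11 using the cluster size and cluster-area start that fsstat reported, which reproduces the 519-566 sector span for Technology.odt.

```python
import struct
# Layout of partition 2 as fsstat reports it in File Output 13
SECTORS_PER_CLUSTER = 16   # 8192-byte clusters / 512-byte sectors
CLUSTER_AREA_START = 503   # first sector of cluster 2
# First eight FAT16 entries of FAT 1 (File Output 11); later entries are not embedded
FAT = list(struct.unpack("<8H", bytes.fromhex("f8ffffff000004000500ffffffff0800")))
# Five 32-byte short-name entries copied from the root directory dump (File Output 14)
ROOT_ENTRIES = bytes.fromhex(
    "50617274320000000000000800000000" "00000000000000002100000000000000"   # volume label
    "544543484e4f7e314f4454200000499e" "9e399e390000ebb37e390300fe440000"   # TECHNO~1.ODT
    "e54953485f427e314a50472000008a9e" "9e399e390000ef5b4d39070064bb1d00"   # deleted JPG
    "e54e5449544c7e312020201000004c9e" "9e399e3900004c9e9e39060000000000"   # deleted dir
    "4e4557464f4c7e312020201000644c9e" "9e399e3900004c9e9e39060000000000")  # NEWFOL~1

def fat_date(word):  # packed FAT date word -> (year, month, day)
    return 1980 + (word >> 9), (word >> 5) & 0xF, word & 0x1F

def parse_entry(raw):
    """Decode one 8.3 entry; a first byte of 0xE5 marks it deleted and is shown as '_' like fls does."""
    name, ext, attr, _, _, _, _, _, hi, _, wdate, lo, size = struct.unpack("<8s3sBBBHHHHHHHI", raw)
    base = (b"_" + name[1:] if name[0] == 0xE5 else name).decode("latin-1").strip(" \0")
    suffix = ext.decode("latin-1").strip(" \0")
    return {"name": base + ("." + suffix if suffix else ""), "deleted": name[0] == 0xE5,
            "is_dir": bool(attr & 0x10), "is_label": bool(attr & 0x08),
            "cluster": (hi << 16) | lo, "size": size, "modified": fat_date(wdate)}

def read_root_dir(blob):
    """Yield parsed entries in directory order, skipping long-file-name fragments."""
    for off in range(0, len(blob), 32):
        raw = blob[off:off + 32]
        if raw[0] == 0x00:        # never-used entry: end of the directory
            break
        if raw[11] != 0x0F:       # attribute 0x0F is an LFN fragment, not an 8.3 entry
            yield parse_entry(raw)

def cluster_chain(first, fat=FAT):
    """Follow FAT16 links from `first` until EOF (>= 0xFFF8), a loop, or the end of the embedded FAT."""
    chain, c = [], first
    while 2 <= c < len(fat) and c not in chain:
        chain.append(c)
        c = fat[c]
    return chain

def cluster_sectors(clusters):  # (first, last) sector of each cluster, as fsstat's FAT CONTENTS lists them
    return [(CLUSTER_AREA_START + (c - 2) * SECTORS_PER_CLUSTER,
             CLUSTER_AREA_START + (c - 1) * SECTORS_PER_CLUSTER - 1) for c in clusters]

if __name__ == "__main__":
    for e in read_root_dir(ROOT_ENTRIES):
        print(e, cluster_sectors(cluster_chain(e["cluster"])))
```

Both the deleted _NTITL~1 entry and NEWFOL~1 carry first cluster 6, which is consistent with the directory having been renamed rather than removed.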

Image 8 Partition 1

Image 9 Partition 2
Images 8 and 9 above show the free space on Partition 1 and Partition 2. They also show the volume slack, where some users may hide information.

File Output 15
mishy@mishy-laptop:~$ sudo dd if=BSNEW.dd of=/dev/sdb count=1
1+0 records in
1+0 records out
512 bytes (512 B) copied, 9.6666e-05 s, 5.3 MB/s

Image 10

Image 11

From Images 10 and 11 and File Output 15 above, we can see that partition 2 has been removed. This was done by zeroing out the second partition's entry in the MBR partition table and writing the modified 512-byte sector (BSNEW.dd) back to the USB drive. Only the partition table changed, so the drive now appears to have a single partition although the contents of partition 2 are still on the disk. This can be reverted by writing the original MBR image with two partitions back to the USB drive, which was done.
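The following Python is an added example, not the report's own procedure: it builds a constructed 512-byte MBR, clears the second partition entry the way the write of BSNEW.dd did, and then reports which sector ranges no table entry covers, which is the check an examiner would run to notice that a partition's data is still on the drive. Partition 2 uses the start and size fsstat printed above; partition 1, the partition type bytes and the total disk size are assumed values.

```python
import struct

TABLE_OFFSET, ENTRY_SIZE = 446, 16   # the four 16-byte entries sit at 0x1BE

def build_mbr(parts):
    """Constructed 512-byte MBR holding (type, start_lba, size) entries; CHS fields left zero."""
    sector = bytearray(512)
    for i, (ptype, start, size) in enumerate(parts):
        struct.pack_into("<B3xB3xII", sector, TABLE_OFFSET + ENTRY_SIZE * i, 0x00, ptype, start, size)
    sector[510:512] = b"\x55\xAA"                 # boot signature
    return bytes(sector)

def parse_mbr(sector):
    """List the non-empty partition entries of a 512-byte MBR."""
    if len(sector) != 512 or sector[510:512] != b"\x55\xAA":
        raise ValueError("not a valid MBR sector")
    parts = []
    for i in range(4):
        _, ptype, start, size = struct.unpack_from("<B3xB3xII", sector, TABLE_OFFSET + ENTRY_SIZE * i)
        if ptype and size:
            parts.append({"entry": i + 1, "type": ptype, "start": start, "end": start + size - 1})
    return parts

def zero_entry(sector, entry):
    """Copy of the MBR with one table entry (1-4) overwritten with zeros, as BSNEW.dd did."""
    off = TABLE_OFFSET + ENTRY_SIZE * (entry - 1)
    return sector[:off] + bytes(ENTRY_SIZE) + sector[off + ENTRY_SIZE:]

def unallocated_ranges(parts, total_sectors):
    """Sector ranges no table entry covers; a large gap after the last entry is where a removed
    partition's data still lives, so it is worth re-reading as a FAT boot sector or carving."""
    gaps, cursor = [], 1                          # sector 0 is the MBR itself
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] > cursor:
            gaps.append((cursor, p["start"] - 1))
        cursor = max(cursor, p["end"] + 1)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps

# Partition 2 uses the values fsstat printed on the page (start 996030, 961857 sectors);
# partition 1, the type bytes (0x0B FAT32, 0x06 FAT16) and the disk size are constructed.
PARTITIONS = [(0x0B, 63, 995967), (0x06, 996030, 961857)]
TOTAL_SECTORS = 996030 + 961857                 # assumed disk size: ends with partition 2

if __name__ == "__main__":
    mbr = build_mbr(PARTITIONS)
    hidden = zero_entry(mbr, 2)
    print(parse_mbr(hidden), unallocated_ranges(parse_mbr(hidden), TOTAL_SECTORS))
```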
