Lab6onmbrv1 2

This document provides instructions for a lab activity on recovering deleted files from disk images created using FTK Imager. The document outlines the following steps: 1. Create partitions on a USB storage drive with different file systems (FAT, FAT32, NTFS) and copy files to each partition. 2. Create disk images of the partitions before and after deleting files using FTK Imager. 3. Open the deleted file images in FTK Imager to view deleted file properties like start cluster and sector to calculate the offset locations of deleted files. 4. Use the offset locations to recover the deleted files.


LAB 1: Recovery of deleted file from Image created using FTK Imager

In this lab, students are required to create partitions in USB storage with different filesystems (e.g.
FAT, FAT32, NTFS). Copy files (e.g. PDF and JPG files) into these partitions. Then, create an image
before and after file deletion in each of these partitions using FTK Imager.
Open the after-deletion image in FTK Imager in order to get information on any of the deleted files
(i.e. PDF or JPG). Using this information, use the code in the appendix and then recover the deleted
file.

LAB 1 ACTIVITIES

1. [MANAGE PARTITION] You are to create at least THREE (3) partitions in your USB storage,
each with a minimum size of 40MB.
2. [MANAGE PARTITION] Format the partitions with FAT, FAT32 and NTFS respectively.
3. [WINDOWS EXPLORER] Copy PDF and JPG files into these 3 partitions.
4. [FTK Imager] Image each partition twice: once BEFORE deletion (e.g. named
"B4-40MB-FAT-DEL" for the FAT image) and once AFTER deletion (e.g. named
"AFTER-40MB-FAT-DEL" for the FAT image), using FTK Imager.
5. [FTK Imager] Add Evidence Item in FTK Imager
a. File -> Add Evidence Item -> "Please select source evidence type" -> Image file ->
Choose image file (refer to FIGURE 1 to FIGURE 6).
b. Choose one of the deleted files (in the Root) and get the properties of a few
deleted files, e.g. Start cluster, Start sector, File size. (NOTE: in this lab's
example, 1 sector = 512 bytes and 1 cluster = 2 sectors = 1,024 bytes; the actual
values for your own image are stored in its BPB, see Lab 2.)

Assume that this information is obtained:

File Size = 33,808
Start Cluster = 10
Start Sector = 16,444

Calculating the offset of the beginning position of the deleted JPG using Start Sector:
If the Start Sector = 16,444, the starting position (offset) of the deleted image is
16,444 x 512 (bytes per sector) = 8,419,328.

Calculating the offset of the end position of the deleted JPG using the starting offset
from the calculation above (8,419,328):

  8,419,328   Offset of the starting position of deleted JPG
+    33,808   File Size
-----------
  8,453,136   Offset of the end position of deleted JPG
===========

The end offset is one past the last byte of the file: the last byte is at offset 8,453,135, and
the bytes from there to the end of the last cluster are slack, not part of the file.
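The offset arithmetic above, carried through in C as an added example (it is not part of this handout and not FTK Imager's code): it computes the start and end offsets from Start Sector, File Size and the sector size, counts the clusters and slack for a given cluster size, copies the bytes out of a raw (dd) image, and checks the carved data for the JPEG SOI/EOI markers. The 512-byte sector and 1,024-byte cluster are the handout's example values; for a real image they come from its BPB (Lab 2). The image used in main() is constructed in a temporary file so the program runs without a real image; to use it on your own AFTER-...-DEL image, pass a handle from fopen(..., "rb") to carve_by_sector instead.

```c
#include <stdio.h>

/* Byte offsets of a deleted file, from the values FTK Imager shows in its properties. */
typedef struct {
    long start;   /* first byte: Start Sector x bytes per sector */
    long end;     /* one past the last byte: start + File Size */
} file_span;

file_span span_from_start_sector(long start_sector, long bytes_per_sector, long file_size)
{
    file_span s;
    s.start = start_sector * bytes_per_sector;
    s.end   = s.start + file_size;
    return s;
}

/* Clusters a file occupies (rounded up) and the slack left in its last cluster. */
long clusters_used(long file_size, long bytes_per_cluster)
{
    return (file_size + bytes_per_cluster - 1) / bytes_per_cluster;
}

long slack_bytes(long file_size, long bytes_per_cluster)
{
    return clusters_used(file_size, bytes_per_cluster) * bytes_per_cluster - file_size;
}

/* Copy file_size bytes starting at start_sector from a raw (dd) image to out.
 * Returns bytes written, or -1 if the image ends early or I/O fails. Valid only
 * while the file's clusters are contiguous and not yet reused after deletion. */
long carve_by_sector(FILE *image, long start_sector, long bytes_per_sector,
                     long file_size, FILE *out)
{
    file_span s = span_from_start_sector(start_sector, bytes_per_sector, file_size);
    unsigned char buf[4096];
    long remaining = file_size, written = 0;

    if (fseek(image, s.start, SEEK_SET) != 0)
        return -1;
    while (remaining > 0) {
        size_t want = remaining < (long)sizeof buf ? (size_t)remaining : sizeof buf;
        size_t got = fread(buf, 1, want, image);
        if (got == 0 || fwrite(buf, 1, got, out) != got)
            return -1;                 /* image shorter than the computed end offset */
        remaining -= (long)got;
        written   += (long)got;
    }
    fflush(out);
    return written;
}

/* Plausibility check: a JPEG starts with FF D8 FF (SOI) and ends with FF D9 (EOI).
 * A mismatch points to a wrong sector size, fragmentation, or reused clusters. */
int looks_like_jpeg(FILE *f, long size)
{
    unsigned char head[3], tail[2];
    if (size < 5 || fseek(f, 0, SEEK_SET) != 0 || fread(head, 1, 3, f) != 3)
        return 0;
    if (fseek(f, size - 2, SEEK_SET) != 0 || fread(tail, 1, 2, f) != 2)
        return 0;
    return head[0] == 0xFF && head[1] == 0xD8 && head[2] == 0xFF &&
           tail[0] == 0xFF && tail[1] == 0xD9;
}

/* Constructed stand-in for an image: zeros up to start_sector, then a fake JPEG of
 * file_size bytes (real SOI/EOI markers, filler between). Not a real FTK image. */
FILE *make_sample_image(long start_sector, long bytes_per_sector, long file_size)
{
    FILE *img = tmpfile();
    long i, off = start_sector * bytes_per_sector;
    if (img == NULL || file_size < 5)
        return NULL;
    for (i = 0; i < off; i++)
        fputc(0x00, img);
    fputc(0xFF, img); fputc(0xD8, img); fputc(0xFF, img);
    for (i = 3; i < file_size - 2; i++)
        fputc((int)(i & 0xFF), img);
    fputc(0xFF, img); fputc(0xD9, img);
    fflush(img);
    return img;
}

int main(void)
{
    /* The handout's example: Start Sector 16,444, File Size 33,808, 512-byte sectors, 1,024-byte clusters. */
    file_span s = span_from_start_sector(16444L, 512L, 33808L);
    FILE *img, *out;
    long n;
    printf("start offset %ld, end offset %ld (last byte at %ld)\n", s.start, s.end, s.end - 1);
    printf("clusters used %ld, slack %ld bytes\n", clusters_used(33808L, 1024L), slack_bytes(33808L, 1024L));

    /* Carve from a small constructed image; start sector 16 keeps it tiny. */
    img = make_sample_image(16L, 512L, 300L);
    out = tmpfile();
    if (img == NULL || out == NULL)
        return 1;
    n = carve_by_sector(img, 16L, 512L, 300L, out);
    printf("carved %ld bytes, JPEG markers %s\n", n, looks_like_jpeg(out, n) ? "present" : "missing");
    fclose(img);
    fclose(out);
    return 0;
}
```

The carve returns -1 rather than a short file when the image ends before the computed end offset, which is the symptom of multiplying by the wrong sector size; checking the markers afterwards catches the other common failure, a file that was fragmented or whose clusters were overwritten after deletion.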

NOTE: When an image is created using FTK Imager, you can change the default fragment size of 1500MB
(1.5GB) to any size. If the default is used and the storage being imaged is larger than that, multiple
image files of 1.5GB each will be created. These fragments can be combined into a single image file
with the ForensicImager tool, which can also convert .E01 (EnCase format) to RAW (dd) format.

QUESTIONS FOR THE LAB 1


1. If the deleted file has this information:

File Size = 2050 bytes

Start Cluster = 3

Start Sector = 12

a) Assuming that 1 cluster has 4 sectors, how many clusters are used?
b) How many sectors are used?
c) How much slack space is available?

2. Discuss the pros and cons of SMALLER CLUSTERS (e.g. FAT) vs. BIGGER CLUSTERS (e.g. NTFS).

FIGURE 1: "Add Evidence Item" in FTK Imager

FIGURE 2: Select source from Image File.

FIGURE 3: Browse for a raw (dd) image e.g. 60MB-FAT.001

FIGURE 4: Raw (dd) image is selected e.g. 60MB-FAT.001

FIGURE 5: The image is opened as evidence item in FTK Imager

FIGURE 6: One of the deleted JPG files in the image, which can be viewed using FTK Imager

LAB 2: Lab activities on Master Boot Record (MBR)
Here is some information that can help you in this week's lab activity.

The MBR is used during the boot process: it contains the bootstrap code and information
needed by the BIOS.

The basic structure of a hard disk is shown in FIGURE 1. Normally there are 2 copies of the File
Allocation Table (FAT). FAT1 is used during normal operation and FAT2 is the backup if FAT1 is
corrupted.

TABLE 1 contains the offsets of useful data in the MBR. Information such as Bytes per sector and
Sectors per cluster is stored in the BIOS Parameter Block (BPB). Strictly speaking, the BPB lives in
the boot sector of the volume (the partition boot record), not in the MBR of the whole disk; because
the images in this lab are of a single partition, that boot sector is sector 0 of the image, and this
handout refers to it as the MBR. On a whole-disk image, sector 0 is the MBR proper (bootstrap code
plus the partition table) and the BPB is found in the first sector of each partition. The MBR is
located at sector 0 and uses only 1 sector (512 bytes). It ends with the two bytes 0x55 0xAA at
offsets 510 and 511, the boot signature that is also used to recognise an MBR or boot sector.

The BIOS Parameter Block (BPB) is 25 bytes long, starting at offset 11 (0x0B). Its detailed
structure is shown in TABLE 2.

LAB 2 ACTIVITIES

1. Find the structure of the MBR (refer to FIGURE 1, TABLE 1 and TABLE 2).
2. Find the information in the BIOS Parameter Block (BPB).
3. Write C code to view the metadata in the MBR, e.g. OEM name, bytes per sector, sectors
per cluster etc. (refer to APPENDIX 1).

Sample information for BPB:

OEM Name: MSDOS5.0
Bytes per sector: 0x00 0x02 (2 bytes, Little-Endian)
Sectors per cluster: 0x02 (1 byte, so byte order does not apply)

0x00 0x02 in Little-Endian = 0x0200 = (0 x 16^3) + (2 x 16^2) + (0 x 16^1) + (0 x 16^0)
                                     = 2 x 256 = 512

If, for comparison, the same two bytes were read as Big-Endian:

0x0002 = (0 x 16^3) + (0 x 16^2) + (0 x 16^1) + (2 x 16^0) = 2 x 1 = 2

The on-disk value is Little-Endian (low-order byte first), so 512 is the correct reading.

4. Download and install Active@Disk Editor (refer to Figure 2). Explore on the usage of
Active@Disk Editor to view MBR structure easily by using its template.
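An added example (not from this handout) that decodes the whole BPB of TABLE 2 from a 512-byte boot sector. Its le16/be16 helpers show why the bytes 00 02 read as 512 little-endian but 2 big-endian, and it then derives from the BPB where FAT1, the root directory and the data area start, which is the information asked for in questions 6 to 8 below and also explains how a directory entry's Start Cluster (e.g. 10 in Lab 1) maps to the Start Sector that FTK Imager shows. The boot sector produced by build_sample_boot_sector() is constructed with assumed, self-consistent values for a FAT16 volume and is not read from any real device; pass the path of a raw image as the first argument to decode your own boot sector instead. The layout formulas are the FAT12/FAT16 ones: FAT32 keeps Sectors Per FAT at offset 36 and has no fixed root directory, so they do not apply to a FAT32 partition.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define SECTOR_SIZE 512

/* Fields of the BIOS Parameter Block at the offsets in TABLE 2, plus the OEM
 * name (offset 3) and the boot signature (offset 510). */
typedef struct {
    char     oem_name[9];         /* offset 3, 8 bytes, e.g. "MSDOS5.0" */
    uint16_t bytes_per_sector;    /* offset 11 */
    uint8_t  sectors_per_cluster; /* offset 13 */
    uint16_t reserved_sectors;    /* offset 14: sectors before FAT1 */
    uint8_t  fats;                /* offset 16: number of FAT copies */
    uint16_t root_entries;        /* offset 17: 32-byte root directory entries */
    uint16_t small_sectors;       /* offset 19: total sectors if < 65,536, else 0 */
    uint8_t  media_descriptor;    /* offset 21 */
    uint16_t sectors_per_fat;     /* offset 22 (FAT12/16; FAT32 uses offset 36) */
    uint16_t sectors_per_track;   /* offset 24 */
    uint16_t heads;               /* offset 26 */
    uint32_t hidden_sectors;      /* offset 28 */
    uint32_t large_sectors;       /* offset 32: total sectors when small_sectors is 0 */
    uint16_t signature;           /* offset 510: bytes 55 AA = 0xAA55 read little-endian */
} bpb_t;

/* On disk the low byte comes first (little-endian): 00 02 -> 0x0200 = 512. */
uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
uint32_t le32(const uint8_t *p) { return le16(p) | ((uint32_t)le16(p + 2) << 16); }
/* The same bytes read big-endian, as in the handout's comparison: 00 02 -> 2. */
uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Decode sector 0. Returns 1 if the signature and the size fields are sane. */
int parse_bpb(const uint8_t sector[SECTOR_SIZE], bpb_t *b)
{
    memcpy(b->oem_name, sector + 3, 8);
    b->oem_name[8] = '\0';
    b->bytes_per_sector    = le16(sector + 11);
    b->sectors_per_cluster = sector[13];
    b->reserved_sectors    = le16(sector + 14);
    b->fats                = sector[16];
    b->root_entries        = le16(sector + 17);
    b->small_sectors       = le16(sector + 19);
    b->media_descriptor    = sector[21];
    b->sectors_per_fat     = le16(sector + 22);
    b->sectors_per_track   = le16(sector + 24);
    b->heads               = le16(sector + 26);
    b->hidden_sectors      = le32(sector + 28);
    b->large_sectors       = le32(sector + 32);
    b->signature           = le16(sector + 510);
    return b->signature == 0xAA55 && b->bytes_per_sector != 0 &&
           b->sectors_per_cluster != 0 && b->fats != 0;
}

/* Volume layout in sectors from the start of the partition image (FAT12/FAT16). */
uint32_t fat1_start_sector(const bpb_t *b) { return b->reserved_sectors; }
uint32_t root_dir_start_sector(const bpb_t *b) { return b->reserved_sectors + (uint32_t)b->fats * b->sectors_per_fat; }
uint32_t root_dir_sectors(const bpb_t *b) { return ((uint32_t)b->root_entries * 32 + b->bytes_per_sector - 1) / b->bytes_per_sector; }
uint32_t first_data_sector(const bpb_t *b) { return root_dir_start_sector(b) + root_dir_sectors(b); }
uint32_t total_sectors(const bpb_t *b) { return b->small_sectors ? b->small_sectors : b->large_sectors; }
/* Data clusters are numbered from 2: cluster 2 begins at the first data sector. This turns
 * a directory entry's Start Cluster into the Start Sector that FTK Imager displays. */
uint32_t cluster_to_sector(const bpb_t *b, uint32_t cluster) { return first_data_sector(b) + (cluster - 2) * b->sectors_per_cluster; }

/* Read sector 0 of a raw (dd) image. Returns 1 on success. */
int read_boot_sector(const char *path, uint8_t sector[SECTOR_SIZE])
{
    FILE *f = fopen(path, "rb");
    size_t got = 0;
    if (f == NULL) return 0;
    got = fread(sector, 1, SECTOR_SIZE, f);
    fclose(f);
    return got == SECTOR_SIZE;
}

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v & 0xFF); p[1] = (uint8_t)(v >> 8); }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)(v & 0xFFFF)); put16(p + 2, (uint16_t)(v >> 16)); }

/* Constructed boot sector for a FAT16 volume of 81,920 sectors (40MB). The values
 * are assumptions chosen to be self-consistent, not read from a real device. */
void build_sample_boot_sector(uint8_t s[SECTOR_SIZE])
{
    memset(s, 0, SECTOR_SIZE);
    memcpy(s + 3, "MSDOS5.0", 8);
    put16(s + 11, 512);  s[13] = 2;          put16(s + 14, 8);   s[16] = 2;
    put16(s + 17, 512);  put16(s + 19, 0);   s[21] = 0xF8;       put16(s + 22, 160);
    put16(s + 24, 63);   put16(s + 26, 255); put32(s + 28, 0);   put32(s + 32, 81920);
    s[510] = 0x55; s[511] = 0xAA;            /* signature as the bytes appear on disk */
}

int main(int argc, char **argv)
{
    uint8_t sector[SECTOR_SIZE];
    bpb_t b;
    if (argc < 2) build_sample_boot_sector(sector);     /* no image given: use the constructed one */
    else if (!read_boot_sector(argv[1], sector)) { perror(argv[1]); return 1; }
    if (!parse_bpb(sector, &b)) { fprintf(stderr, "no valid boot sector signature\n"); return 1; }
    printf("OEM %s, %u bytes/sector, %u sectors/cluster, %u FATs, %u sectors/FAT, signature %02X %02X\n",
           b.oem_name, b.bytes_per_sector, b.sectors_per_cluster, b.fats, b.sectors_per_fat,
           sector[510], sector[511]);
    printf("offset 11 bytes %02X %02X: little-endian %u, big-endian %u\n",
           sector[11], sector[12], le16(sector + 11), be16(sector + 11));
    printf("FAT1 at sector %u, root dir at %u, data area from %u, total %u sectors; cluster 10 -> sector %u\n",
           fat1_start_sector(&b), root_dir_start_sector(&b), first_data_sector(&b),
           total_sectors(&b), cluster_to_sector(&b, 10));
    return 0;
}
```

Run it as `./bpb 60MB-FAT.001` against one of the Lab 1 images: the FAT1 sector it prints is the answer to question 8 for that volume, and comparing cluster_to_sector() of a deleted file's Start Cluster against the Start Sector FTK Imager shows is a quick check that the BPB was decoded correctly.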

QUESTIONS FOR THE LAB ACTIVITIES

1. What is the signature of the MBR and at what offset?
2. What is the size of the MBR?
3. What is the use of the MBR?
4. What is the filesystem (i.e. FAT type) of your USB storage?
5. How many copies of the FAT are in your USB storage?
6. How many bytes per sector?
7. How many sectors per cluster?
8. In which sector is the FAT located?
9. What is the decimal value of 0x00 0x02 in Little-Endian?
10. What is the decimal value of 0x00 0x02 in Big-Endian?

FIGURE 1: The basic structure of hard disk

TABLE 1: The structure of MBR

TABLE 2: Field in BIOS Parameter Block in MBR

FIELD                 OFFSET (Hex)   OFFSET (Decimal)   LENGTH (bytes)
Bytes Per Sector      0x0B           11                 2
Sectors Per Cluster   0x0D           13                 1
Reserved Sectors      0x0E           14                 2
FATs                  0x10           16                 1
Root Entries          0x11           17                 2
Small Sectors         0x13           19                 2
Media Descriptor      0x15           21                 1
Sectors Per FAT       0x16           22                 2
Sectors Per Track     0x18           24                 2
Heads                 0x1A           26                 2
Hidden Sectors        0x1C           28                 4
Large Sectors         0x20           32                 4

NOTE: Byte offset 0x0B in TABLE 1 is equal to decimal 11 in TABLE 2, which is the starting
offset for the BPB. The hex and decimal columns give the same offset in two notations
(0x18 = 24, 0x1A = 26, 0x1C = 28).

FIGURE 2: Active@Disk Editor interface

APPENDIX 1
#include <stdio.h>
#include <string.h>
#include <stdlib.h> // to use exit()

// NOTE: to print HEX values, better read using INT (integer) and print as %X
/*
Field               Offset  Length
-----               ------  ------
Bytes Per Sector    11      2
Sectors Per Cluster 13      1
Reserved Sectors    14      2
FATs                16      1
Root Entries        17      2
Small Sectors       19      2
Media Descriptor    21      1
Sectors Per FAT     22      2
Sectors Per Track   24      2
Heads               26      2
Hidden Sectors      28      4
Large Sectors       32      4
*/

int main(void)
{
    FILE* image;
    FILE* MBR;
    char filename1[100], filename2[100];
    char mbr_oem1[9];
    int mbr_signature2[2];        // to display as HEX
    int mbr_bytesPerSector[2];
    int bytesPerSector;           // the two bytes combined as one Little-Endian value
    int mbr_sectorPerCluster;
    long offset1_oem=3L, offset2_MBRsignature=510L, offset3_BytesPerSector=11L;
    long offset4_SectorPerCluster=13L; // Long integer for big offset values

    strcpy(filename1,"d:\\TESTDF\\FAT-B4.001"); // image before deletion
    strcpy(filename2,"d:\\TESTDF\\2-MBR.txt");  // output will be stored into this file

    image=fopen(filename1, "rb"); // open for reading binary
    if (image==NULL)              // if file NOT FOUND
    {
        printf("FAILED to open IMAGE %s\n", filename1);
        exit(1);
    }

    MBR=fopen(filename2, "w");    // open for writing text
    if (MBR==NULL)
    {
        printf("FAILED to open OUTPUT file %s\n", filename2);
        fclose(image);
        exit(1);
    }

    // OEM - offset 3 for 8 bytes (e.g. MSDOS5.0, NTFS)
    fseek(image,offset1_oem,SEEK_SET);   // jump to offset1 from BEGINNING of FILE
                                         // (SEEK_END would be from end of file)
    fread(mbr_oem1,1,8,image);           // fread, not fgets: the bytes are binary, not a text line
    mbr_oem1[8]='\0';                    // terminate so it can be printed with %s
    printf("\n(at offset 3 for 8 bytes) OEM Name = %s",mbr_oem1);
    fprintf(MBR, "(at offset 3 for 8 bytes) OEM Name = %s\n",mbr_oem1);

    // Bytes per Sector - offset 11 for 2 bytes, Little-Endian (low byte first)
    fseek(image,offset3_BytesPerSector,SEEK_SET);
    mbr_bytesPerSector[0]=fgetc(image);
    mbr_bytesPerSector[1]=fgetc(image);
    bytesPerSector = mbr_bytesPerSector[0] | (mbr_bytesPerSector[1] << 8); // e.g. 0x00 0x02 -> 0x0200
    printf("\n(at offset 11 for 2 bytes) Bytes Per Sector = 0x%02X 0x%02X ",
           mbr_bytesPerSector[0], mbr_bytesPerSector[1]);
    printf("\n >> LITTLE ENDIAN 0x%02X 0x%02X is 0x%04X = decimal %d bytes",
           mbr_bytesPerSector[0], mbr_bytesPerSector[1], bytesPerSector, bytesPerSector);
    fprintf(MBR,"(at offset 11 for 2 bytes) Bytes Per Sector = 0x%02X 0x%02X\n",
            mbr_bytesPerSector[0], mbr_bytesPerSector[1]);
    fprintf(MBR," >> LITTLE ENDIAN is 0x%04X = decimal %d bytes\n", bytesPerSector, bytesPerSector);

    // Sectors per Cluster - offset 13 for 1 byte
    fseek(image,offset4_SectorPerCluster,SEEK_SET);
    mbr_sectorPerCluster=fgetc(image);
    printf("\n(at offset 13 for 1 byte) Sector per Cluster = 0x%X ", mbr_sectorPerCluster);
    printf("\n >> %d x Sector = %d x %d = %d bytes per cluster",
           mbr_sectorPerCluster, mbr_sectorPerCluster, bytesPerSector,
           mbr_sectorPerCluster * bytesPerSector);
    fprintf(MBR,"(at offset 13 for 1 byte) Sector per Cluster = 0x%X\n", mbr_sectorPerCluster);
    fprintf(MBR," >> %d x Sector = %d x %d = %d bytes per cluster\n",
            mbr_sectorPerCluster, mbr_sectorPerCluster, bytesPerSector,
            mbr_sectorPerCluster * bytesPerSector);

    // Boot signature - offset 510-511: the bytes 55 AA (0xAA55 when read as a Little-Endian word)
    fseek(image,offset2_MBRsignature,SEEK_SET);
    mbr_signature2[0]=fgetc(image);
    mbr_signature2[1]=fgetc(image);
    printf("\n(at offset 510 for 2 bytes) MBR signature = %02X %02X\n", mbr_signature2[0],
           mbr_signature2[1]);
    fprintf(MBR,"(at offset 510 for 2 bytes) MBR signature = %02X %02X\n", mbr_signature2[0],
            mbr_signature2[1]);

    fclose(image);
    fclose(MBR);
    return 0;
}
