CST 2580 – DIGITAL INCIDENT SCENE INVESTIGATION

CST 2580 Coursework 1 Report


Disk Acquisition & Analysis

Aditya Rayan - M00910825

ADITYA RAYAN – M00910825



TABLE OF CONTENTS
1. Drive Imaging
2. Master Boot Record
3. Volume Boot Record
4. FAT Data Structures
5. Directory Entries
6. File Content & Extraction


DRIVE IMAGING
a) Provide a detailed list of the steps you took to ensure that the image was
acquired correctly and follows best practice.
- Source Evidence Type:
Choose Physical Drive so that the whole device is imaged, rather than a single
logical volume.


- Source Drive Selection:

From the list of physical drives that is now shown, select the entry that
corresponds to the flash drive.

- Create Image:
This is where the destination of the image to be created is specified.


- Select Image Type:

This sets the kind of image file that will be produced. Raw is an exact,
uncompressed bit-by-bit replica of the original; the other three options are
formats intended for a particular forensic program. Typically we work with
either Raw or the EnCase forensic image file format, E01. In this instance, Raw
is being used.


- Evidence Item Information:

To help document the evidence item being imaged, the important details (case
and evidence numbers, examiner, description, notes) are entered here. When the
image is finished, this data is saved as part of the image summary information.


- Select Image Destination:

We navigate to the folder created on the C: drive and give the image a file name.
The image fragment size is the size of each piece when a larger image file is
split into smaller portions. Compression sets the degree of compression of the
image file, from 0 (no compression) to 9 (maximum compression, which makes image
creation slower); for raw images compression is always 0. Clicking Finish starts
the image creation process, and a progress dialog remains visible until it
completes. Because the image is a bit-by-bit copy of the device, it takes the
same amount of time regardless of how many files are currently stored on it.


- Drive/Image Verify Results:

When the image is finished, this popup window shows the image file name, the
number of sectors, the MD5 and SHA1 hash values that were computed (from the
source, before the image was created) and reported (from the image file, after it
was created), along with a list of any bad sectors. Whatever kind of image is
created, the two sets of hash values must match; this hash verification is the
crucial step that establishes the image is a valid copy of the source.
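A way to repeat that verify step independently of the imaging tool, as an added example that is not part of this report or of FTK Imager: it hashes a raw image with MD5 and SHA1 in a single pass and compares the result, together with the sector count, against the values recorded in the acquisition summary. The image data and hash values used below are constructed; `hash_image_file` assumes a raw (dd-style) image path.

```python
import hashlib

SECTOR = 512  # bytes per sector, as reported for this device

def hash_stream(chunks) -> dict:
    """One pass over the image data computing MD5 and SHA1 together (FTK Imager
    reports both) and counting bytes, so a large image is not read twice."""
    md5, sha1, total = hashlib.md5(), hashlib.sha1(), 0
    for block in chunks:
        md5.update(block)
        sha1.update(block)
        total += len(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(),
            "sectors": total // SECTOR, "trailing_bytes": total % SECTOR}

def hash_image(data: bytes, chunk: int = 1 << 20) -> dict:
    """Hash an in-memory image (used here with constructed sample data)."""
    return hash_stream(data[i:i + chunk] for i in range(0, len(data), chunk))

def hash_image_file(path: str, chunk: int = 1 << 20) -> dict:
    """Hash a raw image on disk without loading it all into memory."""
    with open(path, "rb") as fh:
        return hash_stream(iter(lambda: fh.read(chunk), b""))

def verify_image(data: bytes, reported_md5: str, reported_sha1: str,
                 reported_sectors=None) -> list:
    """Compare computed values with those recorded in the acquisition summary.
    Returns the list of discrepancies; an empty list means the image verified."""
    got = hash_image(data)
    problems = []
    if got["md5"] != reported_md5.strip().lower():
        problems.append(f"MD5 mismatch: computed {got['md5']}, reported {reported_md5}")
    if got["sha1"] != reported_sha1.strip().lower():
        problems.append(f"SHA1 mismatch: computed {got['sha1']}, reported {reported_sha1}")
    if got["trailing_bytes"]:
        problems.append(f"image length is not a whole number of sectors "
                        f"({got['trailing_bytes']} extra bytes)")
    if reported_sectors is not None and got["sectors"] != reported_sectors:
        problems.append(f"sector count {got['sectors']} differs from reported "
                        f"{reported_sectors}")
    return problems
```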


b) Insert a scanned copy of the acquisition form that was used and ensure it is
accurate and complete.


c) Using the image summary that was produced by FTK Imager, verify that
the image has been created correctly.
- Image Summary:
When the image is finished, click the Image Summary button to view an overview
of the created image that includes the information you entered about the evidence
item, the drive, the hash verification information, and so on. A text file containing
this data is also saved.


d) Explain why imaging is such an important process in a digital incident
scene investigation.
Imaging is a critical process in digital forensics and cybersecurity. An "image",
or forensic duplicate, of digital storage media is created so that the digital
evidence is preserved in its original form. This technique is essential for
retrieving and examining information from electronic devices, supporting the
understanding of cyber events from complex attacks to information leaks. By
imaging a system to capture its current state, investigators can establish a
clear chain of custody for legal purposes, reconstruct timelines of events, and
carry out comprehensive digital forensic analyses. Imaging also helps incident
response by enabling quick assessment of the incident's extent and efficient
implementation of prevention measures. The careful application of imaging in
digital investigations further contributes to stronger cybersecurity defences,
compliance with regulatory standards, and the generation of threat intelligence.


MASTER BOOT RECORD


a) Locate the Master Boot Record (MBR) and determine how many
partitions are stored on the device?

We have located the Master Boot Record (MBR) and we have only 1 active
partition.
b) Locate the Master Boot Record (MBR) and determine how many
partitions are stored on the device?

Bytes 12–15 of the partition entry: 00 B0 03 00
Reverse Endian = 0x3B0
Decimal = 944
Size in bytes = Size in sectors × Bytes per sector
944 × 512 = 483,328 bytes
c) What is the offset address for the start of this partition?

Bytes 8–11 of the partition entry: 80 00 00 00
Reverse Endian = 0x80
Decimal = 128
Offset address calculation: Start LBA × bytes per sector


128 × 512 = 65,536 bytes

Hex conversion = 0x10000
VOLUME BOOT RECORD
a) Determine the number of bytes per sector
Finding and identifying the VBR and VBR signature:

Search for the file system signature at the start of the partition. For FAT file
systems the signature is usually found in the first few bytes of the VBR. In this
instance the signature is "EB 3C 90" in hexadecimal, indicating a FAT16 file
system.


Identifying Bytes Per Sector Information:

Inspect Bytes 11–12 in the VBR; these are listed as "00 02".
Reverse Endian = 0x0200
Decimal = 512 bytes per sector
b) Determine the number of sectors per cluster

Inspect Byte 13 within the Hex Editor window. The value was found to be 0x04.
Decimal = 4 sectors per cluster
c) Determine the number of reserved sectors

Inspect Bytes 14–15 in the VBR; these are listed as "08 00".
Reverse Endian = 0x0008
Decimal = 8 reserved sectors


d) Determine the number of FATs

Inspect Byte 16; the value is listed as 0x02.
Decimal = 2 FATs
e) Determine the maximum number of entries allowed in the root directory

Inspect Bytes 17–18 in the VBR; these are listed as "00 02".
Reverse Endian = 0x0200
Decimal = 512 entries
f) Determine the number of sectors per FAT

Inspect Bytes 22–23 in the VBR; these are listed as "EC 00".
Reverse Endian = 0x00EC
Decimal = 236 sectors per FAT


FAT DATA STRUCTURES

a) FAT 1:
Starting Byte Offset = Reserved Sectors × Bytes per Sector
= 8 × 512 = 4096 bytes
So, the starting byte offset of FAT 1 is 4096 bytes.
Hexadecimal Value: 0x1000
b) FAT 2:
Since there are two FATs, the starting byte offset of FAT 2 can be calculated by
adding the size of FAT 1.
Starting Byte Offset = Starting Byte Offset of FAT 1 + (Sectors per FAT × Bytes
per Sector)
= 4096 + (2 × 236 × 512)
= 4096 + 241664 = 245760 bytes
So, the starting byte offset of FAT 2 is 245760 bytes.
Hexadecimal Value: 0x3C000
c) Root Directory:
The root directory follows the FATs, so we need to add the size of both FATs.
Starting Byte Offset = Starting Byte Offset of FAT 2 + (Root Directory Entries ×
Bytes per Directory Entry)
= 245760 + (512 × 32)
= 245760 + 16384 = 262144 bytes
So, the starting byte offset of the root directory is 262144 bytes.
Hexadecimal Value: 0x40000


d) Cluster 2:
Starting Byte Offset = (Cluster Number − 2) × (Sectors per Cluster × Bytes per
Sector) + (Reserved Sectors + FAT Copies × Sectors per FAT × Bytes per Sector)
= (2 − 2) × (4 × 512) + (8 + 2 × 236 × 512)
= 0 + (8 + 241664) = 241672 bytes
So, the starting byte offset of cluster 2 would be 241,672 bytes.
Hexadecimal Value: 0x3AC28
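The MBR and VBR values read above, run through the standard FAT16 layout equations (FAT 2 immediately follows FAT 1, the root directory follows the last FAT copy, and the data area, which begins at cluster 2, follows the root directory). This is an added example and not the report's own working; the partition entry and the VBR are constructed from the reported values, and the partition type byte 0x06 is an assumption. Its results can be compared against the region offsets worked out in this section.

```python
import struct

SECTOR = 512  # bytes per sector, as read from the VBR

# Constructed 16-byte MBR partition entry carrying the values read above
# (status 0x80, start LBA 128, size 944 sectors); type 0x06 is assumed.
PART_ENTRY = struct.pack("<B3xB3xII", 0x80, 0x06, 128, 944)

def parse_partition_entry(entry: bytes) -> dict:
    """Decode one MBR partition table entry; LBA fields are little-endian."""
    status, ptype, start_lba, size = struct.unpack("<B3xB3xII", entry)
    return {"bootable": status == 0x80, "type": ptype,
            "start_offset": start_lba * SECTOR, "size_bytes": size * SECTOR}

# Constructed FAT16 VBR holding only the BPB fields inspected in the report.
VBR = bytearray(SECTOR)
VBR[0:3] = b"\xEB\x3C\x90"
struct.pack_into("<HBHBHHBH", VBR, 11, 512, 4, 8, 2, 512, 0, 0xF8, 236)
VBR[510:512] = b"\x55\xAA"

def parse_bpb(vbr: bytes) -> dict:
    """Read the BPB fields at bytes 11-23 of a FAT12/16 volume boot record."""
    if vbr[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot sector signature")
    bps, spc, reserved, nfats, root_entries, _tot16, _media, spf = \
        struct.unpack_from("<HBHBHHBH", vbr, 11)
    return {"bytes_per_sector": bps, "sectors_per_cluster": spc,
            "reserved_sectors": reserved, "fat_copies": nfats,
            "root_entries": root_entries, "sectors_per_fat": spf}

def fat16_layout(bpb: dict) -> dict:
    """Byte offsets of FAT 1, FAT 2, the root directory and cluster 2."""
    bps = bpb["bytes_per_sector"]
    fat_size = bpb["sectors_per_fat"] * bps
    fat1 = bpb["reserved_sectors"] * bps
    fat2 = fat1 + fat_size                           # FAT 2 directly follows FAT 1
    root_dir = fat1 + bpb["fat_copies"] * fat_size   # root follows all FAT copies
    cluster2 = root_dir + bpb["root_entries"] * 32   # 32-byte directory entries
    return {"fat1": fat1, "fat2": fat2, "root_dir": root_dir, "cluster2": cluster2,
            "cluster_size": bpb["sectors_per_cluster"] * bps}

def cluster_offset(layout: dict, cluster: int) -> int:
    """Absolute byte offset of a data cluster (numbering starts at 2)."""
    if cluster < 2:
        raise ValueError("clusters 0 and 1 are not data clusters")
    return layout["cluster2"] + (cluster - 2) * layout["cluster_size"]
```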


DIRECTORY ENTRIES
a) Select one directory entry that is an allocated file and larger than one
cluster. Provide a screenshot of the hexadecimal output.

b) What is the filename of the entry?


CHART.PNG
c) On what date and time was this file created?
Time:

Extracted bytes: 0x894C
Reversed Endian: 0x4C89
Convert 0x4C89 to binary: 0100110010001001

HH      MM      SS
01001   100010  01
09      36      19
So, the creation time would be 09:34:01 in HH:MM:SS format.


Date:

Extracted Bytes: 0x6D57
Reverse Endian: 0x576D
Convert 0x576D to binary: 0101011101101101

YY        MM     DD
101011    1011   01101
43+1980   11     13
2023      11     13
So, the creation date would be 2023:11:13 (13th November 2023) in
YY:MM:DD format.
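The creation-stamp decoding above as a function, added here and not part of the report. The standard FAT packing keeps hours in bits 15-11, minutes in bits 10-5 and seconds divided by two in bits 4-0 of the time word (so the decoder doubles the low field), and years since 1980, month and day in bits 15-9, 8-5 and 4-0 of the date word. The directory entry is constructed around the bytes read for CHART.PNG; its write stamp, first cluster (3) and size (5000 bytes) are sample values.

```python
import struct
from datetime import datetime

def decode_fat_time(raw: int) -> tuple:
    """16-bit FAT time: bits 15-11 hours, 10-5 minutes, 4-0 seconds/2."""
    return (raw >> 11) & 0x1F, (raw >> 5) & 0x3F, (raw & 0x1F) * 2

def decode_fat_date(raw: int) -> tuple:
    """16-bit FAT date: bits 15-9 years since 1980, 8-5 month, 4-0 day."""
    return ((raw >> 9) & 0x7F) + 1980, (raw >> 5) & 0x0F, raw & 0x1F

def fat_datetime(date_raw: int, time_raw: int) -> datetime:
    """Combine the two words; datetime() rejects out-of-range fields, which
    flags a corrupt or tampered directory entry instead of hiding it."""
    y, mo, d = decode_fat_date(date_raw)
    h, mi, s = decode_fat_time(time_raw)
    return datetime(y, mo, d, h, mi, s)

def parse_dir_entry(entry: bytes) -> dict:
    """Decode a 32-byte FAT16 short-name directory entry (little-endian)."""
    if len(entry) != 32:
        raise ValueError("directory entry must be exactly 32 bytes")
    if entry[0] in (0x00, 0xE5):
        raise ValueError("entry is unused or deleted")
    if entry[11] == 0x0F:
        raise ValueError("long-filename entry; decode the short entry after it")
    base = entry[0:8].decode("ascii").rstrip()
    ext = entry[8:11].decode("ascii").rstrip()
    (attr, _nt, _tenths, ctime, cdate, adate, _hi, wtime, wdate,
     first_cluster, size) = struct.unpack_from("<BBBHHHHHHHI", entry, 11)
    return {"name": f"{base}.{ext}" if ext else base, "attr": attr,
            "created": fat_datetime(cdate, ctime),
            "written": fat_datetime(wdate, wtime),
            "accessed": decode_fat_date(adate),
            "first_cluster": first_cluster, "size": size}

# Constructed entry for CHART.PNG: the creation time and date words are the
# bytes read above (89 4C and 57 6D on disk, i.e. 0x4C89 and 0x576D); the write
# stamp, first cluster and size are sample values, not taken from the report.
ENTRY = bytearray(32)
ENTRY[0:11] = b"CHART   PNG"
struct.pack_into("<BBBHHHHHHHI", ENTRY, 11,
                 0x20, 0, 0, 0x4C89, 0x576D, 0x576D, 0, 0x4C89, 0x576D, 3, 5000)
```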


Verification:


FILE CONTENT & EXTRACTION


a) Calculate the absolute offset address for the start of and the end of the file
content, verify your answers.
4496 + 208 – 1 = 4703 absolute offset address


b) Verify the allocated clusters for the file in the FAT and show all of the
cluster chains related to the file.
The clusters that make up the chain are marked as allocated in the FAT; the
corresponding entries in FAT 1 and FAT 2, located at 0x1000 and 0x3C000
respectively, are set, showing that these clusters hold the file's data within
the file system's layout.
c) Use two methods that can be used to extract the file content. Verify that
both of the files are exactly the same.
The File Copy/Export method and the Disk Imaging/Forensic Imaging method are
two ways to extract file content.
In the File Copy/Export method, the file is opened with the appropriate program
or file viewer and its contents are copied to a new location using the
application's "Save" or "Export" feature. This simple, user-friendly method
preserves the original file structure and metadata. It is not the best option,
though, for low-level operations or for extracting particular sections of a
file.
The Disk Imaging/Forensic Imaging method, on the other hand, involves creating
an image, a bit-by-bit copy of the whole storage medium, including unallocated
space, file system structures, and file content. Once the image has been
created, specialised tools or scripts are used to analyse it and extract the
desired file content. Because this method captures the entire state of the
storage medium, it is especially useful for forensic analysis and data recovery.
For straightforward file extraction it may be more than is needed, and it
requires additional storage space for the image.


