Need help with my Assignment!

Computer forensics training and education issues. If you are looking for topic suggestions for your project, thesis or dissertation please post here rather than the general discussion forum.

Re: Need help with my Assignment!

Posted: Sun Jan 21, 2018 9:58 am

- Nephalem

because I tried it again and I got roughly the same size again, this 8.14gb this time.
am I doing something wrong here?

No, now you are seemingly fine.

8.14 GB is not roughly the same size as the 7.19 GB you had before, it seems a lot like the "whole thing".

As always happens there is possibly the usual confusion between GB (gigabytes) and GiB (gibibytes), traditionally a GB was made out of 1024 MB and one MB was made out of 1024 KB, and one KB was made out of 1024 bytes.
With the new SI standards those are called GiB, MiB and KiB, whilst a GB is made out of 1000 MB, a MB is made out of 1000 KB and a KB is made out of 1000 bytes.
Microsoft software still (IMHO more correctly from a historical/philosophical point of view) uses the 1024 multiplier.

So, you had before:
41*200 MB + (check the size of the .ad42 file) = 8,200+135=8,335 MB

And now you have:
8.14*1024= 8,335 MB

Give or take a few KB (you have 512 bytes more in each post .ad1 file for the header) the result makes sense, you can check the actual size in bytes, the sum of the set of files .ad1-.ad42 should be 41*512=20,992 bytes larger than the size of the "monolithic" .ad1.

In any case, if you now add to the evidence tree both the previous set of files and the newly created one, you should see exactly the same items in them.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: Need help with my Assignment!

Posted: Sun Jan 21, 2018 10:19 am

Oh cause for the monolithic_test.ad1 it stated the file is 8.5gb, but when I right click properties it says 8.14gb.

erm for the task, I don't quite get it, you mean adding which both files to the evidence tree? the "monolithic_test.ad1" and which one? the original ad1 and ad2 of disk image that provided for this assignment? and after I did that what should I do next?



Nephalem
Member
 
 
  

Re: Need help with my Assignment!

Posted: Sun Jan 21, 2018 10:58 am

- Nephalem
Oh cause for the monolithic_test.ad1 it stated the file is 8.5gb, but when I right click properties it says 8.14gb.

erm for the task, I don't quite get it, you mean adding which both files to the evidence tree? the "monolithic_test.ad1" and which one? the original ad1 and ad2 of disk image that provided for this assignment? and after I did that what should I do next?



No, I meant the "monolithic" and the set of files .ad1 to .ad42 you had before, to check that they contain exactly the same things (i.e. that when you created the monolithic image you selected the "right thing").

If you "right click" in Properties you should also see the exact size of a file in bytes, actually two of them, one being the actual size, and one the actual size on disk.

If you sum the size (in bytes) of each of the files in the .ad1 to .ad42 you should obtain a total the same size of the "monolithic" .ad1 file + 29992 bytes.

Now you should be able to make a new "monolithic" image out of the two (.ad1 and .ad2) files you had as assignment, which is one among the requests you made:
- Nephalem
... I was told that need to decrypt and combined the 2 files in order to get the original disk image file.


The decryption is not needed as the files are not encrypted.
The "combining" is what you asked next and that you have (or should have) now enough knowledge/experience to do.

From that to get the "original disk image file" there is a looong way still (provided that recreating the "original disk image" is actually required/was actually asked, which I doubt).

jaclaz

jaclaz
Senior Member
 
 
  

Re: Need help with my Assignment!

Posted: Sun Jan 21, 2018 12:27 pm

Okay for now, I have checked the Monolithic (8.14gb) file and I summed up the ad1 to ad41 to check, it's the same.

Sorry but I'm still kinda confused on the second part you said, so now do I need to do the same thing for what I did previously on ad1 to the same to ad2? like create another monolithic file, and try to combine them together? and if it's so, how to merge/combine the 2 monolithic files together?





Nephalem
Member
 
 
  

Re: Need help with my Assignment!

Posted: Mon Jan 22, 2018 2:47 am

- Nephalem
Okay for now, I have checked the Monolithic (8.14gb) file and I summed up the ad1 to ad41 to check, it's the same.

Sorry but I'm still kinda confused on the second part you said, so now do I need to do the same thing for what I did previously on ad1 to the same to ad2? like create another monolithic file, and try to combine them together? and if it's so, how to merge/combine the 2 monolithic files together?


You have tested that you can create a "monolithic" file out of a set of .ad files,
what you did till now is making a single .ad1 file with the same exact contents of the 42 files you generated earlier, the test has ended successfully.

You can do the same with the set of .ad files (.ad1 and .ad2) that came with the assignment.

You asked for that:
- Nephalem

I was given a disk image and asked to decrypt it to see what's inside, once I open the folder there's 2 files ad1 and ad2. and was given a few softwares to work with it, like OSforensics, Prodiscover, Winhex. I was told that need to decrypt and combined the 2 files in order to get the original disk image file.


jaclaz

jaclaz
Senior Member
 
 
  

Re: Need help with my Assignment!

Posted: Mon Jan 22, 2018 10:27 am

Okay, thanks a lot for your help throughout, really appreciate it. I'll try to work on it and get back to you again. And sorry I might be asking some very easy questions or even things that I should already know, as it's really my first time working on something like this and using this software, hope you are able to bear with me lol.

So technically I have already made the ad1 into the "monolithic-test file" so I just need to proceed to do the same thing to ad2 right?
I tried to repeat the same steps again for ad2. Add evidence > jo-2009-11-19.ad2 > plug in thumbdrive > Add physical drive > select FAT32, but at this point it still shows "Export Disk Image AD1" instead of AD2.
so do I still proceed with everything as per normal? or by default it will show AD1?

Update: I did continue and I realised that all the 42 ad files add up to be the same as the ad1 that I did previously (8.14gb), so the result:
the original AD1 file I made into monolithic is 8,514,961 kb
the original AD2 file I made into monolithic is 8,514,985 kb




Nephalem
Member
 
 
  

Re: Need help with my Assignment!

Posted: Tue Jan 23, 2018 6:05 am

To further clear any possible remaining doubt, let's say that you have two files:
myniceimage.ad1
myniceimage.ad2
created by FTK Imager.

When you click add to the evidence tree and select the myniceimage.ad1 file three things happen:
1) in the evidence tree a "new item" named myniceimage.ad1 appears
2) in the background all files named "myniceimage" are "virtually stitched together" (in this case only two, myniceimage.ad1 and myniceimage.ad2, in the order given by the number in the file extension)
3) the WHOLE contents of ALL the images with the name "myniceimage" are available as children of the evidence item

When you click add to the evidence tree and select the myniceimage.ad2 file three things happen:
1) in the evidence tree a "new item" named myniceimage.ad2 appears
2) in the background all files named "myniceimage" are "virtually stitched together" (in this case only two, myniceimage.ad1 and myniceimage.ad2, in the order given by the number in the file extension)
3) the WHOLE contents of ALL the images with the name "myniceimage" are available as children of the evidence item

So to all practical purposes there is NO ACTUAL DIFFERENCE - as long as all files belonging to a "set" are available - between selecting the .ad1, the .ad2 or the .adn file.

jaclaz

jaclaz
Senior Member
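
The two checks discussed in this thread (summing the exact byte sizes of a segmented set and comparing them with the monolithic image, and treating every same-named .adN file as one set ordered by its number) can be scripted. This is an added example, not part of the original posts and not FTK Imager code; the function names are hypothetical, the sample sizes are constructed, and the 512-byte allowance per additional segment is the figure quoted earlier in the thread, kept as an adjustable assumption.

```python
import re
from collections import defaultdict
from pathlib import Path

SEGMENT_RE = re.compile(r"^(?P<base>.+)\.ad(?P<n>\d+)$", re.IGNORECASE)
MIB = 1024 ** 2

def scan_directory(path):
    """Map file name -> exact size in bytes for every file in a folder."""
    return {p.name: p.stat().st_size for p in Path(path).iterdir() if p.is_file()}

def group_segments(sizes):
    """Group name.adN files by base name, ordered by the number N (not as text)."""
    sets = defaultdict(list)
    for name, size in sizes.items():
        m = SEGMENT_RE.match(name)
        if m:
            sets[m["base"].lower()].append((int(m["n"]), name, size))
    return {base: sorted(segs) for base, segs in sets.items()}

def missing_segments(segs):
    """Segment numbers absent between 1 and the highest number present."""
    present = {n for n, _, _ in segs}
    return [n for n in range(1, max(present) + 1) if n not in present]

def reconcile(segs, monolithic_size, header_bytes=512):
    """Bytes left unexplained after allowing header_bytes per segment after the first.
    512 is the figure quoted in the thread, treated here as an assumption."""
    total = sum(size for _, _, size in segs)
    return total - monolithic_size - (len(segs) - 1) * header_bytes

def human(n):
    """Show one byte count in both decimal (GB) and binary (GiB) units."""
    return f"{n / 1000**3:.2f} GB / {n / 1024**3:.2f} GiB"

def constructed_sample():
    """Constructed sizes: 41 segments of 200 MiB plus one of 135 MiB."""
    sizes = {f"test.ad{n}": 200 * MIB for n in range(1, 42)}
    sizes["test.ad42"] = 135 * MIB
    sizes["notes.txt"] = 1234  # unrelated file, ignored by the grouping
    monolithic = sum(v for k, v in sizes.items() if k != "notes.txt") - 41 * 512
    return sizes, monolithic

if __name__ == "__main__":
    sizes, mono = constructed_sample()  # or: sizes = scan_directory(<folder>)
    for base, segs in group_segments(sizes).items():
        print(base, len(segs), "segments,", human(sum(s for _, _, s in segs)))
        print("  missing:", missing_segments(segs),
              "unexplained bytes:", reconcile(segs, mono))
```

A non-empty missing list means the set is incomplete, and a non-zero unexplained byte count means the two images should be compared item by item in the evidence tree before either is relied on.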
 
 
