Need help with my Assignment!

Computer forensics training and education issues. If you are looking for topic suggestions for your project, thesis or dissertation please post here rather than the general discussion forum.

Re: Need help with my Assignment!

Post Posted: Thu Jan 18, 2018 12:02 pm

- Nephalem
https://imgur.com/a/tc3PI
Hi, this is what happened when I used it on FTK Imager, I'm not sure what to do next


So, the file opened normally (there is no encryption), i.e. you can see the files inside the filesystem.

Now what is the problem?

What happens when you select "boot.ini" in the upper part of that view?

Does the bottom part look suddenly *like*?:
Code:
[boot loader]
Timeout=20
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

If Yes, good, you have just viewed the contents of a human readable (plain text) file.

Now, what do you have in your hands?
Two files:
jo-2009-11-19.ad1
jo-2009-11-19.ad2

How could they have been generated?

Maybe - just maybe - they were created by FTK Imager (since at least the .ad1 file opens just fine with it).

Now, how could FTK Imager have been used?

Try this test with a small device, let's say a 4 GB USB stick.
File->Add Evidence Item
Choose a Physical Drive, then select the corresponding device (let's say \\.\PhysicalDrive3).
The item will be added to the tree on the left.
Now, expand it.
Try selecting \\.\PhysicalDrive3, and right click on it, among the choices you will see "Export Disk Image".
Now select the first child of \\.\PhysicalDrive3, this can be either an item named "Partition n" or the name/drive letter of the volume on the USB stick.
If the item is "Partition n", when you right click you still have "Export Disk Image".
If the item is the volume, when you right click you will have INSTEAD "Export Logical Image AD1".
Choose that, and you will be prompted to add a destination; click on Add, and you will be prompted to input case number, etc., just type some values in the fields and go forward.
You are now prompted for a folder (on your local hard disk) to store the image and for a name to be given to the image.
Choose a suitable folder and filename (without extension).
If you look just below it there is a default setting "Image Fragment size (MB)" set to 1500.
Press Finish.
In a few minutes the image will have been created.
If you go with Explorer in the folder you chose as destination, you will find a file:
<name>.ad1 with size 1.572.864.000 bytes
and one or more files with increasing numbers in the extension, like:
<name>.ad2
<name>.ad3

Now you can remove from FTK Imager evidence tree the USB stick/PhysicalDrive and add to it the <name>.ad1 file.
Its contents will be very similar to those of the USB stick/PhysicalDrive seen before.
Now, remove from the evidence tree the <name>.ad1 file and add the <name>.ad2 file.

What has changed?

Now what can we learn from this experiment?

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member

Re: Need help with my Assignment!

Post Posted: Thu Jan 18, 2018 10:42 pm

Thanks!

For the first part, yes, the boot.ini looks exactly like what you showed.

For the second part, I plugged in a thumbdrive of mine and it only showed Partition 1; there doesn't seem to be a child on Partition 1 after I expand it, just a FAT32 file. When I right click it I can only find "Export Disk Image", there's no "Exporting Logical Drive AD1".

Please take a look at the screenshot and advise me. Thanks for the guides.
imgur.com/a/erseH

I have also generated a download link for the AD files, hope you are able to download it and guide me along.
dropmefiles.com/y1ywM

Nephalem
Member

Re: Need help with my Assignment!

Post Posted: Fri Jan 19, 2018 7:32 am

- Nephalem

For the second part, I plugged in a thumbdrive of mine and it only showed Partition 1; there doesn't seem to be a child on Partition 1 after I expand it, just a FAT32 file. When I right click it I can only find "Export Disk Image", there's no "Exporting Logical Drive AD1".

Naah, the screenshot you posted was made at a time when "Partition 1" was selected.
As you can see in the "pop-up" window, the image source is set to "Partition 1 [3827MB]".

If you select and right click "\\.\PhysicalDrive1", you will have "Export Disk Image", the top right pane will be empty and the bottom right one will be a hex view (usually beginning with 33 C0 FA ...).

If you select "Partition 1" and right click, you will have "Export Disk Image" as well, the top right pane will be empty and the bottom right one will be a hex view starting with EB 58 90 ... (as in your screenshot).

But if you select "NEPHALEM (FAT32)" and right click, you will have "Export Logical Image (AD1)".

When you select the "NEPHALEM (FAT32)" on the left, on the right top pane you will have:
Code:
[root]
[unallocated space]
FAT1
FAT2
file system slack
reserved sector
VBR

And the bottom pane will be a hex view, most probably starting with 4E 45 50 48 41 4C 45 4D (aka "NEPHALEM", that is the label of that stick volume).

The \\.\PhysicalDrive is the actual "disk" (the whole thing).
The Partition 1 is the partition that is "inside" the disk.
The NEPHALEM [FAT32] is the volume (or file system inside the partition).

You will need to become familiar with the concepts of disks (or physical drives), partitions (primary and extended), (logical) volumes, and file systems.

The concepts are not difficult; the issue is that there is a lot of confusion with the terminology used: the word "drive" is often used instead of disk (drive), and what gets a drive letter in Windows is actually the volume, which may (or may not) be the same as the partition.

Cannot say if it helps or confuses you, but this is how my "mental map" of a disk-like device is made:
reboot.pro/topic/13676.../?p=123056

jaclaz

jaclaz
Senior Member
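To make the three layers concrete, here is an added Python example (not from this thread, and not FTK Imager's own code) that builds a small constructed disk image with one FAT32 partition and walks it the way the evidence tree does: the MBR of the physical drive, the partition entry inside it, and the FAT32 volume boot record with its label. The byte values and the "NEPHALEM" label are constructed to match the description above; the MBR and FAT32 BPB offsets are the standard on-disk layout.

```python
import struct

SECTOR = 512

def build_sample_disk():
    """Constructed sample: a 4 MiB 'physical drive' holding one FAT32 partition."""
    img = bytearray(8192 * SECTOR)
    img[0:3] = b"\x33\xC0\xFA"            # typical MBR boot code start (xor ax,ax / cli)
    # Partition entry 1 at offset 446: bootable, type 0x0C (FAT32 LBA), start LBA 2048, 6144 sectors.
    img[446:462] = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x0C, b"\0\0\0", 2048, 6144)
    img[510:512] = b"\x55\xAA"            # MBR signature
    vbr = bytearray(SECTOR)               # FAT32 volume boot record at the partition start
    vbr[0:3] = b"\xEB\x58\x90"            # jump instruction that opens every FAT32 VBR
    vbr[3:11] = b"MSWIN4.1"               # OEM name
    struct.pack_into("<HBHB", vbr, 11, 512, 8, 32, 2)  # bytes/sector, sectors/cluster, reserved, FATs
    struct.pack_into("<I", vbr, 36, 8)    # sectors per FAT (FAT32-specific field)
    vbr[71:82] = b"NEPHALEM   "           # 11-byte, space-padded volume label
    vbr[82:90] = b"FAT32   "              # file system type string
    vbr[510:512] = b"\x55\xAA"
    img[2048 * SECTOR:2049 * SECTOR] = vbr
    return bytes(img)

def parse_mbr(img):
    """Return the non-empty MBR partition entries as (type, lba_start, sector_count)."""
    if img[510:512] != b"\x55\xAA":
        raise ValueError("no MBR signature at offset 510")
    parts = []
    for i in range(4):
        entry = img[446 + 16 * i:462 + 16 * i]
        ptype = entry[4]
        lba, count = struct.unpack_from("<II", entry, 8)
        if ptype:
            parts.append((ptype, lba, count))
    return parts

def parse_fat32_vbr(img, lba):
    """Read the BPB of the FAT32 volume that starts at sector `lba` of the disk."""
    off = lba * SECTOR
    vbr = img[off:off + SECTOR]
    if vbr[0] != 0xEB or vbr[82:87] != b"FAT32":
        raise ValueError("sector %d is not a FAT32 VBR" % lba)
    bps, spc, reserved, nfats = struct.unpack_from("<HBHB", vbr, 11)
    spf = struct.unpack_from("<I", vbr, 36)[0]
    return {"label": vbr[71:82].decode("ascii").rstrip(), "bytes_per_sector": bps,
            "sectors_per_cluster": spc, "reserved_sectors": reserved,
            "fat1_lba": lba + reserved, "fat2_lba": lba + reserved + spf * (nfats - 1)}

def describe_layers(img):
    """Map the objects FTK Imager shows: disk -> partition -> volume, with their first bytes."""
    ptype, lba, count = parse_mbr(img)[0]
    return {"disk_first_bytes": img[:3].hex(" ").upper(),
            "partition": {"type": ptype, "lba_start": lba, "sectors": count,
                          "first_bytes": img[lba * SECTOR:lba * SECTOR + 3].hex(" ").upper()},
            "volume": parse_fat32_vbr(img, lba)}

if __name__ == "__main__":
    print(describe_layers(build_sample_disk()))
```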

Re: Need help with my Assignment!

Post Posted: Fri Jan 19, 2018 9:02 am

Yes, you are right, sorry, I'm too new to this haha.

Okay, I have followed your steps, but it seems like something is not right here. Please check out the image, I think there's something wrong with my ad1 file, because after I export it, the file became way smaller.

Let me know if there's something wrong or I'm on the right track, or else I'll get a new copy of it from my classmate, because I seem to have had issues transferring the ad1 file earlier too.
imgur.com/a/XCmht

And how do I export ad2 to the folder also? Because when I right click on "Nephalem[FAT32]" it still says "Export logical drive image ad1".

Sorry, as I'm still very foreign to this software, it's literally my first time using it, and our lecturer didn't quite tell us what to do yet, he just told us to use FTK Imager for these ad1 and ad2 files and all of us have no clue what to do. And can we discuss this somewhere else if possible? Maybe you can pass me your email or something so we can discuss through email? Would really appreciate it. Thanks!

Nephalem
Member

Re: Need help with my Assignment!

Post Posted: Fri Jan 19, 2018 9:43 am

- Nephalem
Yes, you are right, sorry, I'm too new to this haha.

Okay, I have followed your steps, but it seems like something is not right here. Please check out the image, I think there's something wrong with my ad1 file, because after I export it, the file became way smaller.

Let me know if there's something wrong or I'm on the right track, or else I'll get a new copy of it from my classmate, because I seem to have had issues transferring the ad1 file earlier too.

Naah, you are on the right track, but you need some time to become familiar with the way things work; don't worry, everyone needs to start somewhere.

The AD format is not a "clone" of the source, it contains (hopefully) only the relevant parts.

So, the size depends on how much info is in the source.

Try again, make a new AD1 image of your USB stick, this time putting in the field "Image Fragment Size (MB)" a smaller number than 1500, let's say 200 (or fill up the stick a bit more).

As a side-side note, it seems like the USB stick is not particularly "healthy" given the amount of issues reported in the log.

The problem with going on to non-public correspondence is twofold:
1) that way what I suggest becomes "for your eyes only" and thus of no use to anyone else who may have your same (or similar) problems
2) there is still the issue about doing someone else's homework or the possible "cheating"; this way the help or assistance I am giving you is "in the open" (though I wouldn't anyway do your homework privately) and what additional hints/suggestions I provide can be accessed by - among others - your teacher/professor and verified

jaclaz

jaclaz
Senior Member

Re: Need help with my Assignment!

Post Posted: Fri Jan 19, 2018 10:48 am

Ok, I have now tried with another flashdrive that I have, and I filled the "image fragment size" with 200, and it took longer to create the image this time. When it's done I check the folder and there are lots of 'ad' files, from ad1 all the way to ad42, and the total size of everything is 8.14 GB.
Here's the image:
imgur.com/a/3wXxg
What should I do next?

And yes, I understand, let's just work here then! haha

Nephalem
Member

Re: Need help with my Assignment!

Post Posted: Fri Jan 19, 2018 11:34 am

- Nephalem

What should I do next?


Open the file part1.ad1 with a hex editor.
What do you see? (check the first two sectors)

Open the file part1.ad2 with a hex editor.
What do you see? (check the first two sectors)

Now remove everything from the evidence tree in FTK Imager.

Add (File->Add Evidence Item->Image File) the part1.ad1 in FTK.
Make a screenshot of what you see.

Remove everything from the evidence tree again.
Add only the part1.ad2.
Make a screenshot of what you see.

Remove everything from the evidence tree in FTK Imager again.

Rename the file part1.ad1 to part1.adx.
Add in FTK the part1.ad2 as evidence item.
What happens?

Now the questions you need to answer:
1) What could be a good (logical, not necessarily technical) explanation of what you saw in the hex editor? (also in the light of the change in the field from 1500 to 200 and the generation of files up to ad42)
2) In what do the two FTK screenshots differ?
3) How would you describe the behaviour of FTK Imager when the evidence item "part1.ad1" is loaded compared to when the evidence item "part1.ad2" is loaded?
4) How would you explain the behaviour happening when part1.ad1 is renamed to part1.adx and you add part1.ad2 as an evidence item? (also in the light of what you saw in the hex editor)

jaclaz

jaclaz
Senior Member

Page 2 of 4