Posted: January 31st, 2022

Digital Forensics essay

Name: Student Number: U

Part I – File Tracking in FAT
Exercise 1
Review the following volume boot record:

Who Writes College Essays, Research Papers, and Dissertations For Students?

We handpick every writer with care, ensuring they bring the perfect mix of academic qualifications and writing skills for top-notch results in essays, research papers, and dissertation help. Each one has a university degree, more than a third with Masters certification; they’ve tackled tough tests and training to excel in thesis writing and research paper assignments at any time. They’ll team up with you diligently, keeping things easy and stress-free as they relate to being immediate students. That’s what makes us the best assignment help website for "help me write my essay, research paper, or dissertation" for college coursework. Trust our team—professional research essay writers and editors—to deliver your dissertation or thesis writing within your grading criteria and deadline.

1. What are the number sectors per cluster (Decimal) ? __________
2. What is the number of bytes per sector (Decimal) ? _________
3. What are the number bytes per cluster (Decimal) ? _________

Using the following directory of files, complete the file allocation table using EOF for the End of File marker.

File Name Size Starting Cluster
MYFILE1.PDF 8534 3
MYFILE2.MP3 2876 12
MYFILE3.XLS 764 15
MYFILE4.DOC 19754 16

File Allocation Table – insert pointers (hints are shown in red)

Do You Offer Thesis Writing and Dissertation Help In Any Citation Style?

No matter what citation style you need for your research paper or dissertation, our skilled writers have you covered! We provide thesis writing and dissertation help in formats like APA, AMA, MLA, Turabian, Harvard, IEEE, and more. We’re dedicated to customizing your order to the exact guidelines of your chosen style, ensuring it fits your unique academic needs—whether it’s a dissertation, research paper, or essay for a specific course. We’ve got the flexibility to make it work for you!

2 3 4 5 6 7 8 9
4 8
10 11 12 13 14 15 16 17
EOF
18 19 20 21 22 23 24 25
20 26
26 27 28 29 30 31 32 33
31
34 35 36 37 38 39 40 41
0

Exercise 2
Review the following volume boot record:

Can I Change Instructions for Dissertation Help or Thesis Writing After Ordering?

You can absolutely reach out to your academic writer using our simple, user-friendly chat feature. It’s there so you can add details, clarify instructions, or tweak adjustments for editing your research paper or dissertation according to your grading rubric—even after you’ve submitted "help me with thesis writing or dissertation help" and they’ve started working on your project.

1. What are the number sectors per cluster (Decimal) ?
2. What is the number of bytes per sector (Decimal) ? __________
3. What are the number bytes per cluster (Decimal) ?

In this scenario, files are not contiguous, and the file allocation table reflects bad clusters. Using the following directory of files, complete the file allocation table using EOF for the End of File marker.

File Name Size Starting Cluster
TEXT1.DOC 5478 3
TEXT2.DOC 4178 13
TEXT3.DOC 14846 8
TEXT4.DOC 15047 17
TEXT5.DOC 47 5
TEXT6.DOC 4097 22

File Allocation Table – insert pointers (hints are shown in red)

2 3 4 5 6 7 8 9
BAD 9
10 11 12 13 14 15 16 17
BAD BAD BAD 19
18 19 20 21 22 23 24 25
BAD 21

Part II – FAT Cluster Tracking

Open the disk image 4.2-Exercise.001 using FTK Imager.

1. What are the number sectors per cluster (Decimal) ?
2. What is the number of bytes per sector (Decimal) ? __________
3. What are the number bytes per cluster (Decimal) ?

Complete the following table for each directory entry in the disk image. Exclude any folders, but include their contents. Hints are shown in red.

Filename Actual File Size
(Bytes) Starting
Cluster
List the clusters
Employer_Status.pdf 4 - 14
15

algae.html 2249 25

30
2370
32
1706
sigmet.pdf
37

Part III – RAM Slack and Residual Slack

Open the disk image 4.2-Exercise.001 using FTK Imager.
Complete the following table. Hints are shown in red.

Filename Actual File Size
(Bytes) File Slack RAM Slack
Residual Slack
Employer_Status.pdf 129

311

hybrid_email.txt 3584

190

sigmet.pdf 41
512

Part IV – FAT File Recovery
Exercise 1

Start Active @ Disk Editor. Close the Getting Started screen if it appears. Select Add Disk Image and open the disk image 4.4-Exercise.001.

Select the volume NO NAME and then Open in Disk Editor

Examine the volume boot record.

1. What are the number sectors per cluster (Decimal) ?
2. What are the number of bytes per sector (Decimal) ?
3. What are the number bytes per cluster (Decimal) ?

Select the Navigate menu and then choose Root Directory.

The first directory entry lists a deleted file with the name åNE.TXT

4. What is its file size (Decimal)?
5. What is the first used cluster?
6. How many clusters are needed for the file?

Since the file was deleted, the first byte of the file was changed to å. Right-click on the first byte of the file, E5, and select Allow Edit Content.

In the left pane, double-click the value for the file name, and change the å to an underscore, _. The file name should now be _NE. Click Save and when prompted to confirm the changes, select Yes.

7. After editing the file name, what is the value for the file name in hex?

8. Provide a screen shot of the hex values of changed directory entry.

To “undelete” the file, the file allocation table needs to be updated to link the clusters of the file. Select the Navigate menu and then choose FAT1.

Using the information derived for the file from the directory entry of the file, edit the cluster(s) to reference the file. Navigate to FAT2 and do the same. Save your changes.

9. Provide a screen shot of the hex values of the updated FAT.

Following the same process, recover all other files in the image.

10. Following the same process, recover all other files in the image. Provide a screen shot of the hex values of the all the changed entries in the root directory

11. Provide a screen shot of the hex values of the completed file allocation table.

12. Mount the image in FTK Imager, highlight the root directory, and provide a screen shot of the root directory file list.

Exercise 2 (Two Parts)

Using Active @ Disk Editor, open the disk image 4.5-Exercise.001 and recover the 6 contiguous files. Remember to save your changes.

HINT – the template feature of Active @ Disk Editor will be VERY helpful with this exercise.

There are 3 basic ways to recover the images:
1. Manually. A manual recovery would require that you reassemble the Directory and the FAT tables based on available data. You should be able to view the images in FTK Imager afterwards.
2. Semi-Auto. Many tools and hex editors will allow you to highlight (or otherwise select) the clusters after you have identified them and perform a simple "save as a new file". You would then click on the new file and your image will appear. The copy of WinHex on your disk should have this feature available. You can also do this with a source code editor such as NotePad++.
3. Automatic - Many advanced tools will allow you to simply click a button to recover files from unallocated space. It is that simple. For example, try using Autopsy. Autopsy may be downloaded at:

http://www.sleuthkit.org/autopsy/

• Autopsy is free.
• Be sure to select the appropriate version, either the 32-bit (x86) version or the 64-bit (x64) version appropriate for your Windows installation.
• A version of Autopsy compiled for Mac OSX is available from Surmuri on their ISO for the latest release of Paladin.

Two Parts:

Part 1: Manually recover File1.JPG by reassembling the directory and the FAT tables.

All that you need to do is:

(1) open the existing image 4.5-Exercise.001 (as is) in a hex editor
(2) fill in the information for the 4.5-Exercise.001 directory and the FAT directly in the existing image itself
(3) save the changes and close the existing image
(4) load the image into FTK Imager.

A. Paste a screen capture of the reassembled directory entry here:

a. IMPORTANT: Before you save your directory, type your first name in ACSII on the line below the directory entry. Take the screenshot with your name in the directory. Afterwards, overwrite your name with the values of 0x00 or the correct values. Then save the directory. You will NOT receive credit unless your screen capture contains your first name.

B. Paste a screen capture of the one of the two reassembled FATs here:

a. IMPORTANT: Before you save your first FAT, type your first name in ACSII on the line below the FAT entry. Take the screenshot with your name in the FAT. Afterwards, overwrite your name with the values of 0x00 or the correct values. Then save the directory. You will NOT receive credit unless your screen capture contains your first name.

C. Paste a screen capture of the image as viewed in FTK Imager here. You must include enough of the surrounding Imager window so as to demonstrate that the image is being viewed from within FTK Imager. Your screen capture MUST display the Properties pane with the Starting Cluster and Starting Sector clearly displayed. You will NOT receive credit otherwise.

Part 2: Recover the remaining images and complete the table below. You may use either automated or semi-automated methodologies, or even manual methods if you like.

Please provide all answers in decimal or ASCII.

Complete the following table for each file. Hints are shown in red.

Filename and Extension Clusters Used File Size Description
FILE1.JPG 3-4 Sunset
Paste a copy of this photo below this table.
FILE2.BMP 93690 Paste a copy of this photo below this table.
FILE3.JPG Paste a copy of this photo below this table.
FILE4.GIF 29-37 Grapes
Paste a copy of this photo below this table.
FILE5.PNG 30581 Paste a copy of this photo below this table.
FILE6.JPG Sailboat
Paste a copy of this photo below this table.