INFR 4690: Lab 8

Examining NTFS File System


Objectives:

-   Extract Partition

-   Analyze Partition

-   Reading MFT Entries

This lab makes use of an image file different from the one used in Labs 3 and 6. Download it from the following URL: https://www.dropbox.com/s/3v2ynqwy9ymt9tf/thumbimage_ntfs.dd?dl=0


Deliverable:

-   You need to submit these lab activities/tasks through Canvas.

-   Submit a lab report (as pdf) for all tasks of this lab. Make sure that your report for each task includes:

o  Answers to specific sub-questions, if any.

o  Descriptions on how you accomplished the task (if needed).

o  The instructions/commands/code that you have used or written for doing the tasks.

o  Screenshot of executions.


Tasks:

1. Task 1: Extract Partition (0.5 pts)

Extract the partition(s) from the thumbimage_ntfs.dd disk image. Remember that you need to know the starting point and the length of the partition (both in sectors); the TSK tool “mmls” prints the partition table with both values.

Write the command(s) used to extract the partition.


What is the file system type of the extracted partition?
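The following Python script is an added worked example for this task (it is not part of the lab handout or of TSK). It shows what mmls and dd do for you: parse the MBR partition table, carve the partition out by start sector and length, and read the OEM ID of the carved partition's first sector to identify the file system. The in-memory image, its partition layout (one NTFS partition at sector 128, 64 sectors long), the 512-byte sector size and the dd command string are constructed assumptions for the example, not values taken from thumbimage_ntfs.dd.

```python
import struct

SECTOR = 512  # assumed sector size; mmls reports offsets in these units for a 512-byte-sector image

# MBR partition type bytes worth recognising here (assumed-typical values, not read from the lab image)
PART_TYPES = {0x07: "NTFS/HPFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
              0x83: "Linux", 0xEE: "GPT protective"}


def parse_mbr(image):
    """Return the non-empty entries of the MBR partition table (the rows mmls prints)."""
    if len(image) < SECTOR or image[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature at offset 510: not an MBR image")
    parts = []
    for i in range(4):
        entry = image[446 + 16 * i:446 + 16 * (i + 1)]
        ptype = entry[4]
        if ptype == 0x00:
            continue  # unused slot
        if ptype == 0xEE:
            raise ValueError("protective MBR: this is a GPT disk, parse the GPT header instead")
        start, length = struct.unpack_from("<II", entry, 8)  # LBA start sector and sector count
        parts.append({"slot": i, "type": ptype, "desc": PART_TYPES.get(ptype, hex(ptype)),
                      "start": start, "length": length})
    return parts


def dd_command(src, dst, part, sector=SECTOR):
    """The dd invocation that carves this partition: skip = start sector, count = length in sectors."""
    return f"dd if={src} of={dst} bs={sector} skip={part['start']} count={part['length']}"


def extract_partition(image, part, sector=SECTOR):
    """Carve the partition bytes out of the image (what the dd command above does on disk)."""
    begin = part["start"] * sector
    end = begin + part["length"] * sector
    if end > len(image):
        raise ValueError("partition table points past the end of the image (truncated image?)")
    return image[begin:end]


def identify_fs(volume):
    """Identify the file system from the first sector of the carved partition."""
    if volume[3:11] == b"NTFS    ":  # NTFS OEM ID at offset 3
        return "NTFS"
    if volume[0x52:0x5A] == b"FAT32   " or volume[0x36:0x39] == b"FAT":  # FAT32 / FAT12-16 type strings
        return "FAT"
    return "unknown"


def build_sample_image():
    """Constructed image: MBR with one NTFS partition at sector 128, 64 sectors long (not the lab image)."""
    mbr = bytearray(SECTOR)
    # entry 0: status 0x80, CHS start (unused), type 0x07, CHS end (unused), LBA start, sector count
    struct.pack_into("<B3sB3sII", mbr, 446, 0x80, b"\0\0\0", 0x07, b"\0\0\0", 128, 64)
    mbr[510:512] = b"\x55\xaa"
    vbr = bytearray(SECTOR)  # minimal NTFS volume boot record: jump, OEM ID, signature
    vbr[0:3] = b"\xeb\x52\x90"
    vbr[3:11] = b"NTFS    "
    vbr[510:512] = b"\x55\xaa"
    return bytes(mbr) + bytes(SECTOR * 127) + bytes(vbr) + bytes(SECTOR * 63)


if __name__ == "__main__":
    img = build_sample_image()
    for p in parse_mbr(img):
        print(f"slot {p['slot']}: start {p['start']} length {p['length']} type {p['desc']}")
        print("   ", dd_command("thumbimage_ntfs.dd", "part.dd", p))
        print("    file system:", identify_fs(extract_partition(img, p)))
```

On the real image, `mmls thumbimage_ntfs.dd` gives the same start and length columns that `parse_mbr` returns, and the printed dd line is the command to carve the partition; check that mmls reports 512-byte units before reusing those numbers as `skip` and `count`.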


2. Task 2: Analyze Partition (1 pt)

Now that we’ve extracted the partition, let’s collect some information about the partition.

Hint: To retrieve the details associated with a file system, you can use the “fsstat” command in TSK; to display the contents of a data unit (i.e., cluster), you can use the TSK tool “blkcat”.

What is the first cluster of the Master File Table?


What is the size of a cluster for this partition?


What is the size of each Master File Table entry in bytes?


What is this partition’s Volume Serial Number?
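The following Python script is an added worked example for this task (not part of the lab or of TSK). It parses the fields of the NTFS boot sector that fsstat reports, namely bytes per sector, sectors per cluster, the first cluster of $MFT, the MFT entry size and the volume serial number, and reads a cluster by number the way blkcat does. The volume it parses is constructed in memory with made-up geometry (512-byte sectors, 8 sectors per cluster, $MFT at cluster 4, serial 0x1234ABCD5678EF90); none of these are the values of the lab image.

```python
import struct


def parse_ntfs_boot(sector):
    """Parse the NTFS boot sector (BIOS parameter block) into the fields fsstat reports."""
    if sector[3:11] != b"NTFS    ":
        raise ValueError("OEM ID is not 'NTFS    ': not an NTFS boot sector")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("boot sector signature 0x55AA missing")
    bytes_per_sector, spc = struct.unpack_from("<HB", sector, 0x0B)
    if spc > 0x80:
        # Large-cluster encoding (clusters above 64 KiB): byte holds 256 - log2(sectors per cluster)
        spc = 1 << (256 - spc)
    cluster_size = bytes_per_sector * spc
    total_sectors, mft_cluster, mftmirr_cluster = struct.unpack_from("<QQQ", sector, 0x28)
    rec_raw = struct.unpack_from("<b", sector, 0x40)[0]  # clusters per MFT record (signed)
    idx_raw = struct.unpack_from("<b", sector, 0x44)[0]  # clusters per index record (signed)
    serial = struct.unpack_from("<Q", sector, 0x48)[0]

    def record_size(raw):
        # Negative means 2^|raw| bytes (e.g. -10 -> 1024), otherwise the value is a cluster count
        return (1 << -raw) if raw < 0 else raw * cluster_size

    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": spc,
        "cluster_size": cluster_size,
        "total_sectors": total_sectors,
        "mft_cluster": mft_cluster,
        "mft_offset": mft_cluster * cluster_size,  # byte offset of $MFT inside the volume
        "mftmirr_cluster": mftmirr_cluster,
        "mft_record_size": record_size(rec_raw),
        "index_record_size": record_size(idx_raw),
        "volume_serial": serial,
    }


def read_cluster(volume, n, geom):
    """Return cluster n of the volume, the data unit `blkcat volume.dd n` would dump."""
    cs = geom["cluster_size"]
    if (n + 1) * cs > len(volume):
        raise ValueError(f"cluster {n} is past the end of the volume")
    return volume[n * cs:(n + 1) * cs]


def summary(geom):
    """The Task 2 answers for a parsed volume, phrased in fsstat's vocabulary."""
    return [
        f"First Cluster of MFT: {geom['mft_cluster']}",
        f"Cluster Size: {geom['cluster_size']}",
        f"Size of MFT Entries: {geom['mft_record_size']} bytes",
        f"Volume Serial Number: {geom['volume_serial']:016X}",
    ]


def build_sample_volume():
    """Constructed NTFS volume (not the lab image): 64 sectors of 512 bytes, 8 sectors per cluster,
    $MFT at cluster 4, 1024-byte MFT records, one-cluster index records, a made-up serial number."""
    boot = bytearray(512)
    boot[0:3] = b"\xeb\x52\x90"
    boot[3:11] = b"NTFS    "
    struct.pack_into("<HB", boot, 0x0B, 512, 8)       # bytes per sector, sectors per cluster
    boot[0x15] = 0xF8                                  # media descriptor: fixed disk
    struct.pack_into("<HH", boot, 0x18, 63, 255)       # sectors per track, heads
    struct.pack_into("<QQQ", boot, 0x28, 63, 4, 8)     # total sectors, $MFT cluster, $MFTMirr cluster
    struct.pack_into("<b", boot, 0x40, -10)            # MFT record size = 2^10 = 1024 bytes
    struct.pack_into("<b", boot, 0x44, 1)              # index record size = 1 cluster
    struct.pack_into("<Q", boot, 0x48, 0x1234ABCD5678EF90)
    boot[510:512] = b"\x55\xaa"
    volume = bytearray(64 * 512)
    volume[:512] = boot
    mft = 4 * 4096
    volume[mft:mft + 8] = b"FILE\x30\x00\x03\x00"      # start of MFT record 0 ($MFT itself)
    return bytes(volume)


if __name__ == "__main__":
    vol = build_sample_volume()
    geom = parse_ntfs_boot(vol[:512])
    print("\n".join(summary(geom)))
    print("first bytes of the MFT cluster:", read_cluster(vol, geom["mft_cluster"], geom)[:8])
```

When you run fsstat on the whole disk image rather than the carved partition, pass the partition's start sector with `-o`; blkcat cluster numbers are relative to the start of the file system, not to the start of the image, which is why `mft_offset` above is computed inside the volume.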


3. Task 3: Metadata and File Content Analysis (3.5 pts)

Locate the MFT entry that represents a file named “canada.txt” and answer the following questions.

Hint: To answer the following questions, you might need to know how the TSK tools ifind, istat, icat and blkcat work.

Write down the command used to view the contents of the MFT entry that represents a file called “canada.txt”.

How many attributes are contained in this entry?


How many bytes are used by the second attribute?


What is the attribute type for the second attribute?


What is the size of content in the second attribute?


One of the attributes in this MFT entry is $FILE_NAME. What is the length of the file name?


What is the attribute type for the last attribute?


Is the last attribute a resident one?


Bonus Opportunities. If you conduct this lab with Python, you will get up to 1% bonus marks to boost your grade.