Analysis of hidden data in the NTFS file system

Page: 3/8

Analysis techniques

Figure 3 shows the flow to analyse hidden data in volume slack.

Figure 3: Flow to analyse hidden data in volume slack

Analysis should start with the chkdsk command in Windows to check the file system. If suspects manipulate the file system manually and omit any of the necessary steps, chkdsk may report errors that hint at hidden data. For example, if suspects simply change the number of sectors allocated to the file system in the $Boot file without making the corresponding change in the $Bitmap file, chkdsk reports the message "Correcting errors in the Volume Bitmap".

Check the number of sectors allocated to the partition with the mmls command. In this example, mmls returns 6136830 as the total number of sectors in /case1/wholeimage.
./mmls /case1/wholeimage -t dos

Check the number of sectors allocated to the NTFS file system in that partition with the fsstat command. In this example, fsstat shows that 6136782 sectors are allocated to the file system.
./fsstat /case1/image1 -f ntfs

Create MD5 checksums of the boot sector and the backup boot sector:

dd if=/case1/image1 bs=512 count=1 skip=6136829 of=/case1/backupbootsector
dd if=/case1/image1 bs=512 count=1 of=/case1/bootsector
md5sum /case1/backupbootsector
md5sum /case1/bootsector

For Windows NT 4.0, 2000 and XP, if there are A sectors in the partition, A-1 sectors are allocated to NTFS and the last sector is used to store the backup boot sector (Carrier, 2005). As a result, it is uncommon to have more than one sector of volume slack, or a boot sector that is not identical to the backup boot sector. If either situation occurs, further analysis must be carried out on the volume slack.

Because volume slack has no cluster address, dcat cannot be used to view its content. dd can be used to extract the volume slack and a hex editor to view its content. The volume slack is then analysed with foremost and comeforth, in the same way as the faked bad sectors. A keyword search can also be performed.

dd if=/case1/image1 bs=512 count=48 skip=6136782 of=/case1/volumeslack
hexedit /case1/volumeslack
foremost -c /etc/foremost.conf -v -o /forensic/recover2 /case1/volumeslack

Figure 4 shows the flow to analyse hidden data in file system slack.

Figure 4: Flow to analyse hidden data in file system slack

Check the number of sectors allocated to the NTFS file system (A) and the number of sectors per cluster (B):
./fsstat /case1/image1 -f ntfs

Calculate A/B. If the remainder is 0, there is no file system slack. Otherwise, analyse the file system slack in the same way as the volume slack.
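The volume slack and file system slack checks above can be replayed offline against an in-memory partition image. The following Python is an added example, not code from the original article or from The Sleuth Kit: it builds a constructed NTFS boot sector (only the bytes/sector, sectors/cluster and total-sectors fields are populated), derives the mmls and fsstat figures from the image, compares the MD5 of the boot sector with the backup boot sector, and carves the volume slack so that non-zero content can be flagged. Sector size 512 and the field offsets of the NTFS $Boot record are assumed.

```python
import hashlib
import struct

SECTOR = 512  # assumed sector size of the constructed images


def build_boot_sector(volume_sectors, sectors_per_cluster):
    """Constructed NTFS $Boot record carrying only the fields this check reads:
    0x0B bytes/sector (u16), 0x0D sectors/cluster (u8), 0x28 total sectors (u64)."""
    bs = bytearray(SECTOR)
    bs[0:11] = b"\xeb\x52\x90NTFS    "
    struct.pack_into("<HB", bs, 0x0B, SECTOR, sectors_per_cluster)
    struct.pack_into("<Q", bs, 0x28, volume_sectors)
    bs[510:512] = b"\x55\xaa"
    return bytes(bs)


def build_image(partition_sectors, volume_sectors, sectors_per_cluster,
                backup_volume_sectors=None, slack_payload=b""):
    """Constructed partition image: primary boot sector, empty volume body,
    optional payload in the volume slack, backup boot sector in the last sector.
    A different backup_volume_sectors models a suspect who shrank the volume
    in $Boot without touching the backup copy."""
    img = bytearray(partition_sectors * SECTOR)
    img[0:SECTOR] = build_boot_sector(volume_sectors, sectors_per_cluster)
    start = volume_sectors * SECTOR
    img[start:start + len(slack_payload)] = slack_payload
    img[-SECTOR:] = build_boot_sector(backup_volume_sectors or volume_sectors,
                                      sectors_per_cluster)
    return bytes(img)


def analyse_slack(image):
    """Replays the mmls / fsstat / dd / md5sum steps against an in-memory image."""
    partition_sectors = len(image) // SECTOR                 # mmls: partition length
    bytes_per_sector, spc = struct.unpack_from("<HB", image, 0x0B)
    volume_sectors, = struct.unpack_from("<Q", image, 0x28)  # fsstat: sectors in NTFS
    if bytes_per_sector != SECTOR:
        raise ValueError("unexpected sector size %d" % bytes_per_sector)
    boot, backup = image[:SECTOR], image[-SECTOR:]
    # Volume slack lies between the end of the volume and the backup boot sector
    slack = image[volume_sectors * SECTOR:(partition_sectors - 1) * SECTOR]
    return {
        "volume_slack_sectors": partition_sectors - volume_sectors,
        "fs_slack_sectors": volume_sectors % spc,
        "boot_sectors_match": hashlib.md5(boot).hexdigest() == hashlib.md5(backup).hexdigest(),
        "volume_slack_has_data": any(slack),
        "volume_slack": slack,
    }
```

A healthy NT4/2000/XP volume yields one sector of volume slack, a zero remainder for A/B and matching boot sector hashes; a $Boot edited to shrink the volume produces a larger slack count, a hash mismatch, and carved slack bytes to hand to foremost or a keyword search.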
