Need help with my Assignment!

(@nephalem)
Active Member
Joined: 8 years ago
Posts: 14
Topic starter  

Yes, you are right. Sorry, I'm too new to this, haha.

Okay, I have followed your steps, but it seems like something is not right here. Please check out the image; I think there's something wrong with my ad1 file, because after I export it, the file becomes way smaller.

Let me know if there's something wrong or if I'm on the right track, or else I'll get a new copy of it from my classmate, because I seem to have had issues transferring the ad1 file earlier too.
https://imgur.com/a/XCmht

And how do I export ad2 on the folder also? Because when I right click on "Nephalem[FAT32]" it still says "Export logical drive image ad1".

Sorry, as I'm still very foreign to this software; it's literally my first time using it, and our lecturer didn't quite tell us what to do yet. He just told us to use FTK Imager for these ad1 and ad2 files, and none of us have a clue what to do. And can we discuss this somewhere else if possible? Maybe you can pass me your email or something so we can discuss through email? I would really appreciate it. Thanks!

For the second part, I plugged in a thumbdrive of mine and it only showed Partition 1; there doesn't seem to be any child of Partition 1 after I expand it, just a FAT32 file. And when I right click it I can only find "Export Disk Image"; there's no "Export Logical Drive AD1".

Naah, the screenshot you posted was made at a time when "Partition 1" was selected.
As you can see in the "pop-up" window, the image source is set to "Partition 1 [3827MB]".

If you select and right click "\\.\Physicaldrive1", you will have "Export Disk Image", the top right pane will be empty and the bottom right entry will be a hex view (usually beginning with 33 C0 FA …).

If you select "Partition 1" and right click, you will have "Export Disk Image" as well, the top right pane will be empty and the bottom right one will be a hex view starting with EB 58 90 … (as in your screenshot).

But if you select "NEPHALEM (FAT32)" and right click, you will have "Export Logical Image (AD1)".

When you select the "NEPHALEM (FAT32)" on the left, on the right top pane you will have
[root]
[unallocated space]
FAT1
FAT2
file system slack
reserved sector
VBR

And the bottom pane will be a hex view, most probably starting with 4E 45 50 48 41 4C 45 4D (aka "NEPHALEM", that is the label of that stick volume).

The \\.\PhysicalDrive is the actual "disk" (the whole thing)
The Partition1 is the partition that is "inside" the disk.
The NEPHALEM [FAT32] is the volume (or file system inside the partition).

You will need to become familiar with the concepts of disks (or physical drives), partitions (primary and extended), (logical) volumes, and file systems.

The concepts are not difficult; the issue is that there is a lot of confusion in the terminology used. The word "drive" is often used instead of disk (drive), and what gets a drive letter in Windows is actually the volume, which may (or may not) be the same as the partition.

Cannot say if it helps or confuses you, but this is how my "mental map" of a disk-like device is made:
http://reboot.pro/topic/13676-the-boot-process-a-step-by-step-approach-to-booting/?p=123056

jaclaz

jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

Yes, you are right. Sorry, I'm too new to this, haha.

Okay, I have followed your steps, but it seems like something is not right here. Please check out the image; I think there's something wrong with my ad1 file, because after I export it, the file becomes way smaller.

Let me know if there's something wrong or if I'm on the right track, or else I'll get a new copy of it from my classmate, because I seem to have had issues transferring the ad1 file earlier too.

Naah, you are on the right track, but you need some time to become familiar with the way things work. Don't worry, everyone needs to start somewhere.

The AD format is not a "clone" of the source; it contains (hopefully) only the relevant parts.

So, the size depends on how much info is in the source.

Try again: make a new AD1 image of your USB stick, this time putting in the field "Image Fragment Size (MB)" a smaller number than 1500, let's say 200 (or fill up the stick a bit more).

As a side note, it seems like the USB stick is not particularly "healthy", given the amount of issues reported in the log.

The problem with going on to non-public correspondence is twofold:
1) that way what I suggest becomes "for your eyes only" and thus of no use to anyone else who may have your same (or similar) problems;
2) there is still the issue about doing someone else's homework or the possible "cheating"; this way the help or assistance I am giving you is "in the open" (though I wouldn't do your homework privately anyway) and whatever additional hints/suggestions I provide can be accessed by - among others - your teacher/professor and verified.

jaclaz

(@nephalem)
Active Member
Joined: 8 years ago
Posts: 14
Topic starter  

Ok, I have now tried with another flash drive that I have, and I filled the "image fragment size" field with 200. It took longer to create the image this time, and when it was done I checked the folder: there are lots of 'ad' files, from ad1 all the way to ad42, and the total size of everything is 8.14 GB.
Here's the image:
https://imgur.com/a/3wXxg
What should I do next?

And yes, I understand, let's just work here then! haha


jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

What should I do next?

Open the file part1.ad1 with a hex editor.
What do you see? (check the first two sectors)

Open the file part1.ad2 with a hex editor.
What do you see? (check the first two sectors)

Now remove everything from the evidence tree in FTK Imager.

Add (File->Add Evidence Item>Image file) the part1.ad1 in FTK.
Make a screenshot of what you see.

Remove again from the evidence tree everything.
Add only the part1.ad2.
Make a screenshot of what you see.

Remove everything from the evidence tree in FTK Imager again.

Rename the file part1.ad1 to part1.adx.
Add in FTK the part1.ad2 as evidence item.
What happens?

Now the questions you need to answer:
1) What could be a good (logical, not necessarily technical) explanation of what you saw in the hex editor? (also in the light of the change in the field from 1500 to 200 and the generation of files up to ad42)
2) In what do the two FTK screenshots differ?
3) How would you describe the behaviour of FTK Imager when the evidence item "part1.ad1" is loaded compared to when the evidence item "part1.ad2" is loaded?
4) How would you explain the behaviour happening when part1.ad1 is renamed to part1.adx and you add part1.ad2 as an evidence item? (also in the light of what you saw in the hex editor)

jaclaz

(@nephalem)
Active Member
Joined: 8 years ago
Posts: 14
Topic starter  

Okay, I have followed what you tasked me with, and here are the results when I use WinHex:
https://imgur.com/a/xIFga
It showed ADSEGMENTEDFILE at the right.

For the Image Fragment Size, maybe what you are trying to do is to get the smaller bits of the image file so that we are able to see what's inside? Or to decrypt and get the main size of the file, which is 8.14 GB?

I'm really not sure what the numbers and values that I saw in WinHex are. Do they mean something? Like ASCII characters? I tried comparing them using an ASCII table but it doesn't add up or mean anything. Please advise me.

what should i do next? roll


jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

Okay, I have followed what you tasked me with, and here are the results when I use WinHex:
https://imgur.com/a/xIFga
It showed ADSEGMENTEDFILE at the right.

Good.
Now, what might that mean (in plain English)?

What is in the second sector (starting at offset 0x200) of the .ad1 file?
And what is in the second sector (starting at offset 0x200) of the .ad2 file?

What about the other tests?

Now remove everything from the evidence tree in FTK Imager.

Add (File->Add Evidence Item>Image file) the part1.ad1 in FTK.
Make a screenshot of what you see.

Remove again from the evidence tree everything.
Add only the part1.ad2.
Make a screenshot of what you see.

Remove everything from the evidence tree in FTK Imager again.

Rename the file part1.ad1 to part1.adx.
Add in FTK the part1.ad2 as evidence item.
What happens?

Once you have completed the above, you should be able to answer the given questions.

Now the questions you need to answer:
1) What could be a good (logical, not necessarily technical) explanation of what you saw in the hex editor? (also in the light of the change in the field from 1500 to 200 and the generation of files up to ad42)
2) In what do the two FTK screenshots differ?
3) How would you describe the behaviour of FTK Imager when the evidence item "part1.ad1" is loaded compared to when the evidence item "part1.ad2" is loaded?
4) How would you explain the behaviour happening when part1.ad1 is renamed to part1.adx and you add part1.ad2 as an evidence item? (also in the light of what you saw in the hex editor)

jaclaz

(@nephalem)
Active Member
Joined: 8 years ago
Posts: 14
Topic starter  

The "second sector (starting at offset 0x200)", is it this?
https://imgur.com/a/VAEZ4
The screenshot I highlighted in red.

The other tests I have tried: renaming ad1 to adx and also adding ad2 as an evidence item.
It's in the screenshot here:
https://imgur.com/a/xIFga

Q1 - I think changing the field from 1500 to 200 is to divide the ad1 file into segments, but I'm not sure what the purpose is.

Q2 - If what I highlighted in red in the first imgur link I showed is correct, ad1 is the logical image of the main image file while ad2 is the segmented file? So does it mean that all the other files up to ad42 are segmented?

Q3 - Both of them seem to be the same in the way they are loaded.

Q4 - Before I changed "part1.ad1" to "part1.adx", "part2.ad2" was shown as "ADATA UFD",
but after I changed it, "part2.ad2" became ADSEGMENTEDFILE as shown on FTK.
Screenshot here: https://imgur.com/a/Wjs1o


jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

The "second sector (starting at offset 0x200)", is it this?
https://imgur.com/a/VAEZ4
The screenshot I highlighted in red.

Yep, that's it, and it is telling you that it is a "logical image" (though we already knew that, as the .ad1 format is for logical images), and since you checked the .ad1 file of the original image of the assignment you can also see that the source for the image was a file:
D\FORENSIC-IMAGES\jo19dd\jo19
So, this might be a meaningful difference: the .ad1 files have at offset 0x200 "ADLOGICALIMAGE" followed by something that is human readable and is evidently a path, whilst the .ad2 file at the same offset shows only some apparently random binary data.

Q1 - I think changing the field from 1500 to 200 is to divide the ad1 file into segments, but I'm not sure what the purpose is.

Very good.
The purpose - just for the record - is (was) to be able to copy the files onto limited-size media (think of CD-R or DVD-R).
The idea is that the whole image is saved in segments (or parts) so that it is easier to copy/store (or send/download).
Another possible target, as an example, would be storage on a FAT32 filesystem, where a single file's size cannot exceed 2^32-1 bytes, i.e. roughly 4 GB.

Q2 - If what I highlighted in red in the first imgur link I showed is correct, ad1 is the logical image of the main image file while ad2 is the segmented file? So does it mean that all the other files up to ad42 are segmented?

Almost, but not quite.
More simply, the .ad1 is the first file in a set of files, with extension .ad followed by a number indicating the sequence of the file in the set.

Q3 - Both of them seem to be the same in the way they are loaded.

Good.

Q4 - Before I changed "part1.ad1" to "part1.adx", "part2.ad2" was shown as "ADATA UFD",
but after I changed it, "part2.ad2" became ADSEGMENTEDFILE as shown on FTK.
Screenshot here: https://imgur.com/a/Wjs1o

Not only that: you also got a pop-up message to the effect of "Image Detection Failed" when you tried to open the .ad2 file at the time the .ad1 was renamed to .adx.

Let's sum up together the results of tests #3 and #4:
When the .ad1 file exists, the .ad2 file looks exactly like the .ad1 file in FTK Imager.
When the .ad1 file does not exist (as it is renamed to .adx), the .ad2 file throws an error and looks completely different in FTK Imager. So, next question.

5) How could this happen?
Again a "logical", "plain" explanation, rather than a "technical one", is welcome.

And time for the next experiment.
Remove everything from the FTK evidence tree.
Rename the .adx back to .ad1.
Add the .ad42 (or the .ad31 or the .ad17) image to the evidence tree.
Select the "child item" (you remember, you will see on the top right pane [root], [unallocated space], etc.), right click and "Export Logical Image (AD1)".
Press the Add button, put *something* in the Evidence Item Information window, then go on, input a suitable destination path and a filename, I suggest "monolithic_test", and replace the 1500 in the "Image Fragment Size (MB)" field with a value higher than the sum of the sizes of all the 42 files you have now, let's say 20000.

Now ask yourself, before pressing the Finish button, what would you expect to happen?
Press the "Finish" button and let FTK Imager do its thing; it will take a few minutes.
What actually happened?

jaclaz

(@nephalem)
Active Member
Joined: 8 years ago
Posts: 14
Topic starter  

Q5 - I think it's because of the extension? To check if the file is able to load in another extension form; so apparently FTK is only able to read the ad extension, but not adx, as it becomes "Detection fail".

For the experiment I followed your task and selected unallocated space > Export logical image.
Since when we tried the image fragment size the value was set at 200, the file was fragmented and became smaller, so if it's set to 20000 I assumed that it would become huge, but I didn't know that it would become a main file.
Here is the screenshot of the result: https://imgur.com/a/RXR9R
It became a main file which is 7.19 GB.


jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

I will provide you with an alternate explanation.

If the size in the field "Image Fragment Size" is big enough to contain all the data, only one file with extension .ad1 is created, i.e. there is only one fragment.

If the size in the field "Image Fragment Size" is not big enough to contain all the data, as many files as needed are created, every one but the last being the size specified in "Image Fragment Size" (the last one will normally be smaller than that).

How could this happen?

How could the good guys at Access Data have implemented that?

Maybe they wrote a "descriptive" header for the first file.
Then they started writing the actual data until the target file was exactly the given image fragment size.
Then they created a "next" file, incrementing the number in the extension, wrote a different "continuation" header and continued writing the data from the point where they stopped writing it in the "previous" file, up to when they reached the set size in this file, and created a new "next" file, etc., until all data had been written.

The actual "descriptive" header (and the beginning of the data) is only in the first file of the set, the .ad1, so FTK Imager, no matter if you choose to add the file .ad2 (or .ad42) to the evidence tree, will always look for a file with the same name in the same folder with extension .ad1.

When this file (same name, in the same folder as the selected one, but with extension .ad1) is not found, FTK Imager cannot recognize the file anymore (simply because one file of the set, actually the first and main one, is missing).

Does this sound like a logical explanation of the behaviours observed?

However, WHY did you select to make a logical image of just the "unallocated space"?
(that is one of the "nephews", not the "child" of the .ad file opened in FTK Imager)

If you had chosen the actual first child, you would have obtained a "monolithic" file containing all the data.

Maybe you want to try again: delete the monolithic-test.ad1 file and make it anew, this time selecting the right item. The result should be (roughly) 42*200 = 8,400 MB, or slightly less.

jaclaz
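A small Python model of the segment-set behaviour worked out in this thread (added here as an illustration; it is not FTK Imager's code and not the real AD1 layout, whose headers carry more fields than the two signatures seen in WinHex). It assumes a descriptive header of two sectors in the .ad1 (ADSEGMENTEDFILE at 0, ADLOGICALIMAGE plus the source path at 0x200), a one-sector continuation header in every later segment, and the rule that every fragment but the last is exactly "Image Fragment Size" bytes; the names `build_segment_set`, `open_segment_set` and `ImageDetectionFailed` are hypothetical.

```python
import re

SEGMENT_SIG = b"ADSEGMENTEDFILE"   # what WinHex showed at offset 0
LOGICAL_SIG = b"ADLOGICALIMAGE"    # what the .ad1 showed at offset 0x200
SECTOR = 0x200
SEG_RE = re.compile(r"^(.+)\.ad(\d+)$", re.IGNORECASE)


class ImageDetectionFailed(Exception):
    """Stands in for FTK Imager's "Image Detection Failed" pop-up."""


def build_segment_set(stem, source_path, payload, fragment_size):
    """Constructed stand-in for an FTK Imager segment set (assumed layout, not
    the real one): segment 1 = 2-sector descriptive header + data, every later
    segment = 1-sector continuation header + data, all but the last exactly
    fragment_size bytes. Returns {filename: bytes}."""
    first_hdr = SEGMENT_SIG.ljust(SECTOR, b"\0")
    first_hdr += (LOGICAL_SIG + b"\0" + source_path.encode()).ljust(SECTOR, b"\0")
    cont_hdr = SEGMENT_SIG.ljust(SECTOR, b"\0")
    files, pos, n = {}, 0, 1
    while True:
        hdr = first_hdr if n == 1 else cont_hdr
        room = fragment_size - len(hdr)          # data that fits in this file
        files[f"{stem}.ad{n}"] = hdr + payload[pos:pos + room]
        pos += room
        if pos >= len(payload):                  # last (possibly smaller) file
            return files
        n += 1


def open_segment_set(files, chosen):
    """Mimic what the tests showed: whichever .adN is added, the .ad1 with the
    same stem must be present, otherwise detection fails."""
    m = SEG_RE.match(chosen)
    if not m:
        raise ImageDetectionFailed(f"{chosen}: not an .adN segment name")
    stem = m.group(1)
    first = files.get(f"{stem}.ad1")
    if first is None:
        raise ImageDetectionFailed(f"{stem}.ad1 missing (renamed to .adx?)")
    if not first.startswith(SEGMENT_SIG) or first[SECTOR:SECTOR + len(LOGICAL_SIG)] != LOGICAL_SIG:
        raise ImageDetectionFailed("first segment lacks the expected headers")
    # the source path follows ADLOGICALIMAGE in the second sector
    path_field = first[SECTOR + len(LOGICAL_SIG) + 1:2 * SECTOR]
    source_path = path_field.split(b"\0", 1)[0].decode()
    # collect stem.ad1 .. stem.adN and require an unbroken sequence
    numbered = {int(mm.group(2)): name for name in files
                if (mm := SEG_RE.match(name)) and mm.group(1) == stem}
    order = sorted(numbered)
    if order != list(range(1, len(order) + 1)):
        raise ImageDetectionFailed(f"segment numbering gap: {order}")
    sizes = [len(files[numbered[i]]) for i in order]
    if len(set(sizes[:-1])) > 1:                 # all but the last are equal
        raise ImageDetectionFailed("fragments of unequal size before the last")
    payload = first[2 * SECTOR:]
    for i in order[1:]:
        seg = files[numbered[i]]
        if not seg.startswith(SEGMENT_SIG):
            raise ImageDetectionFailed(f"{numbered[i]}: bad continuation header")
        payload += seg[SECTOR:]
    return {"source_path": source_path, "segments": len(order),
            "fragment_size": sizes[0] if len(order) > 1 else None,
            "total_size": sum(sizes), "payload": payload}
```

Renaming the `.ad1` key to `.adx` in the returned dict and opening `.ad2` reproduces the error from test #4, while a fragment size larger than the payload reproduces the single "monolithic" file.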

Page 2 / 3