antiforensics on MFT. NTFS partition

(@anelkaos)
New Member
Joined: 14 years ago
Posts: 2
Topic starter  

I'm looking for ways to recover an overwritten MFT. To summarize, I have one image of 2 disks:
/dev/sda
/dev/sda1 ext3 1TB Debian
/dev/sdb iso9660? 1TB ?

I can see sdb as iso9660, which is weird.

I found the last command of the root user in the Debian system:
$ sudo dd if=debian-9.4.0-amd64-netinst.iso of=/dev/sdb

Looks like sdb was overwritten for a few seconds by the *.iso. So, now I know why I saw iso9660. The timeline indicates this command was executed 10 seconds before the power was disconnected.

I also found sdb1 was mounted as NTFS.
chkdsk cannot see the MFT.
MFTCarver cannot recover the MFT.

I read the following discouraging message, but it is very old:
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=6425

My questions are:
1. Do you know any open source tool to recover an overwritten MFT and the file names?
(I already tried MFTExtractor, Analyze-MFT and List-mft with no luck)

2. Can I correlate the data in sdb because I can fetch the same *.iso from the Debian servers?

jaclaz
(@jaclaz)
Illustrious Member
Joined: 17 years ago
Posts: 5133
 

An overwritten $MFT (like *any* overwritten data) is gone forever and cannot be retrieved.

BUT "normally" the $MFT is NOT at the beginning of a NTFS volume.

If the volume is anything bigger than around 5-6 Gb, the $MFT by default is placed on cluster 0xC0000, i.e. 786,432. Thus, since (again "normally") the cluster size is 8 sectors and the device has 512-byte sectors, this means that the $MFT starts at offset (relative to the beginning of the partition/volume) 786432*4096=3,221,225,472.

You can easily check where the $MFT was before by analyzing the backup bootsector, which shouldn't have been overwritten.
(An NTFS file system on a hard disk creates a backup bootsector as the last sector of the partition - outside the volume but inside the partition.)

The dd command that was executed should have altered the partition table [1] entry (00-ing it), so you should not be able to find it easily and confirm the offset, but you can carve for an NTFS bootsector.

Now the question is, was the time the dd ran enough to overwrite roughly 3 Gb of hard disk?

If yes, then the $MFT is gone.

If not, then the $MFT is still there.

Depending on a number of factors, if only a part of the $MFT has been overwritten, whatever remaining parts of the $MFT could be recoverable, but that would be a lot of work.

You can try using DMDE (although there is a Linux version, I never used it; the Windows GUI version works fine):
http://dmde.com/

Besides that, there are a number of tools by our friend Joachim Schicht dedicated to analyzing the $MFT and other NTFS file system structures that may be useful:
https://github.com/jschicht

jaclaz

[1] but still, if you see /sdb1 as NTFS, that didn't happen?

JaredDM
(@jareddm)
Estimable Member
Joined: 8 years ago
Posts: 118
 

The beginning part of the MFT is typically around the 6-7 million sector range on most computers, so roughly 3Gb in on the disk. Assuming a write speed of 150Mb/s (probably it was even slower), it's likely that only the first 1.5Gb was overwritten in 10 seconds. So it's unlikely that the MFT had much overwritten at all in that amount of time. Also, later parts of the MFT (which is prone to fragmentation) are often found later in the disk, sometimes around the 50% mark.

Just as a test, I know it's not forensically sound, but perhaps you could try some good data recovery software like R-Studio or Recovery Explorer to do a scan of the data and see if it's able to piece together a usable filesystem. It might not be data you can use in court, but at least you'll know if you're just spinning your wheels or if the filesystem can be reconstructed.

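Putting jaclaz's offset arithmetic and JaredDM's write-speed estimate into code, as an added example that is not from either poster: it carves a constructed partition image for the backup NTFS boot sector (last sector of the partition, just past the volume), reads the $MFT start cluster from it, and checks whether a sequential dd running for the stated time at an assumed write rate could have reached that offset. The boot-sector field offsets are the standard NTFS BPB layout; the 10 s runtime and the 150 MB/s rate are taken from the thread as sample values, and the image itself is constructed.

```python
import struct

NTFS_OEM = b"NTFS    "

def build_ntfs_boot_sector(bytes_per_sector=512, sectors_per_cluster=8,
                           total_sectors=63, mft_cluster=0xC0000):
    """Construct a minimal NTFS boot sector (sample data, not from a real disk)."""
    bs = bytearray(512)
    bs[0:3] = b"\xEB\x52\x90"                      # jump instruction
    bs[3:11] = NTFS_OEM                            # OEM ID
    struct.pack_into("<H", bs, 11, bytes_per_sector)
    bs[13] = sectors_per_cluster
    bs[21] = 0xF8                                  # media descriptor (fixed disk)
    struct.pack_into("<Q", bs, 40, total_sectors)  # volume size in sectors
    struct.pack_into("<Q", bs, 48, mft_cluster)    # $MFT start cluster
    struct.pack_into("<Q", bs, 56, 2)              # $MFTMirr start cluster
    bs[510:512] = b"\x55\xAA"                      # boot signature
    return bytes(bs)

def parse_ntfs_boot_sector(bs):
    """Return geometry and the byte offset of $MFT relative to the volume start."""
    if bs[3:11] != NTFS_OEM or bs[510:512] != b"\x55\xAA":
        raise ValueError("not an NTFS boot sector")
    bps = struct.unpack_from("<H", bs, 11)[0]
    spc = bs[13]
    mft_cluster = struct.unpack_from("<Q", bs, 48)[0]
    return {"bytes_per_sector": bps, "sectors_per_cluster": spc,
            "total_sectors": struct.unpack_from("<Q", bs, 40)[0],
            "mft_cluster": mft_cluster, "mft_offset": mft_cluster * spc * bps}

def carve_ntfs_boot_sectors(image, sector_size=512):
    """Offsets of every sector in the image carrying an NTFS boot sector signature."""
    return [off for off in range(0, len(image) - sector_size + 1, sector_size)
            if image[off + 3:off + 11] == NTFS_OEM
            and image[off + 510:off + 512] == b"\x55\xAA"]

def dd_reach_bytes(seconds, mb_per_second):
    """Upper bound on how far a sequential dd wrote in the given time (MB = 10**6 bytes)."""
    return int(seconds * mb_per_second * 1_000_000)

def mft_survives(mft_offset, seconds, mb_per_second):
    """True if the estimated dd write front never reached the $MFT start."""
    return dd_reach_bytes(seconds, mb_per_second) <= mft_offset

# Constructed partition image: 64 sectors, primary boot sector wiped (as after dd),
# backup boot sector intact as the last sector of the partition (just past the volume).
PARTITION = bytearray(64 * 512)
PARTITION[63 * 512:64 * 512] = build_ntfs_boot_sector(total_sectors=63)

if __name__ == "__main__":
    hit = carve_ntfs_boot_sectors(PARTITION)[0]
    geo = parse_ntfs_boot_sector(bytes(PARTITION[hit:hit + 512]))
    print(f"backup boot sector at {hit}, $MFT at byte offset {geo['mft_offset']:,}")
    print("MFT survives 10 s at 150 MB/s:", mft_survives(geo["mft_offset"], 10, 150))
```

On a real image the same scan is run over the whole partition (the backup sector sits at total_sectors * bytes_per_sector), and the resulting $MFT offset is what you compare against the estimated dd write front.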