Digital Forensics s...
 
Notifications
Clear all

Digital Forensics student homework - Not asking for the answer.

5 Posts
3 Users
2 Likes
840 Views
DFsStudent
(@dfsstudent)
Posts: 3
New Member
Topic starter
 

Greetings.

Thank you for your time.

I've began studying forensics and I'm taking my first courses.

My teacher is using the book "Guide to Computer Forensics and Investigations" fifth edition.

I'm trying to see if there is something I'm missing because I've been trying to figure this out for about two weeks now.

Please don't provide steps to an answer, only a "Yes it can be done" will help me not feel like I'm trying something that is not possible.

Although I feel like...if someone says "Yes, it can be done" I'll feel like I cheated?...ugh...

But I've been reading from the book and from the web and have not figured it out.

I know at least a classmate is experiencing the same issue as me.

 

Our first homework involves this:

1. Using the OS Formatting a USB drive as FAT

2. Create a TXT file with random content

3. Delete the file

4. Using [email protected] Disk Editor - Edit the sector of the deleted file where the value E5 is by replacing the first letter of the filename with a valid ASCII character.

 

After step 4 the file is not usable at all. I cannot open it or copy it.

Inside [email protected] Disk Editor the values stored in the Root of the volume are exactly the same as they were before deleting the file. I can also follow the low word and high word links inside ADE and see the sectors with contents of the file.

The information about FAT in the book is only descriptive.

The exercises in the book use file recovery tools but the professor told us to learn how to recover files manually. I wrote an email to the professor but I'm awaiting for a response.

Things I've tried:

Reading from the book and the web

Tried different USB drives

I'm using VirtualBox, USB is working well from what I can tell, I don't see any errors connecting devices to the virtual machine.

I can use other forensic tools to extract the file to another device. If I do it that way I can actually use it normally with the OS.

Thanks for your time.

 

 
Posted : 04/04/2022 4:20 am
Topic Tags
C.R.S.
(@c-r-s)
Posts: 169
Estimable Member
 

Yes, it can be done. I remeber ADE being a bit sluggish, which could lead to mistakes. Maybe try a different editor and always unmount the volume.

 
Posted : 04/04/2022 5:55 pm
DFsStudent reacted
athulin
(@athulin)
Posts: 1141
Noble Member
 

Yes, it is possible to do that assignment. 

Guessing is poor practice ... but as to what goes wrong, it seems there's nothing actually wrong in step 1 - 3, or with the USB, or the OS as you tried it out with other tools without problems.  So it's step 4 you need to focus on.  And assuming that you have tried and tried again, without success, it's probably something you do that shouldn't be done, or something you didn't do that should be done.

I assume you have read the Help info that comes with Active Disk Editor?

 
Posted : 04/04/2022 6:50 pm
DFsStudent reacted
DFsStudent
(@dfsstudent)
Posts: 3
New Member
Topic starter
 

@c-r-s 

Thank you very much for your help.

I will find another option to work with.

 
Posted : 04/04/2022 9:02 pm
DFsStudent
(@dfsstudent)
Posts: 3
New Member
Topic starter
 

@athulin Thanks for your message. Yes, I did read the Help from ADE and also read the walkthrough PowerPoint presentation they have on their website.

I am basically following the same steps. I use the navigate button to go to the Root of the volume, use the FAT Directory Template Entry and look for the TXT file I deleted. Then I change the E5 entry for the first byte to the same value it was before the file was deleted.

I decided to boot a Parrot OS VM and I connected the USB drive to it and I opened the TXT file without issues.

At least now I know there is a problem with Windows.

So, I can tell the professor now that the file can be recovered in Linux at least.

Thanks all for your help.

 
Posted : 04/04/2022 9:19 pm
Share:
Share to...