Urgent Help - Assignment Assistance

5 Posts
5 Users
0 Reactions
484 Views
(@druwade)
New Member
Joined: 15 years ago
Posts: 1
Topic starter  

Help me Obi-Wan Kenobi, you are my only help.

On a more serious note, I am onto my final assignment for one of my first introductory units into Computer Forensics.

Task: We are given an image (Assignment2.dd); we are to analyse it and see what evidence we can find.
Scope: Corporate - it is believed that a user has been storing and transferring images of Meerkats (yep…that's right); you have been contacted by the company to analyse the hard drive image and provide the necessary evidence.

So, saying I am a noob at this is completely true. I have been going over notes and forums to see where I am going wrong, or not understanding. The lecturer has advised that for this assignment we are to use the CAINE live CD as the forensic PC and use any tools or skills to obtain the evidence.

So, with hashes in place (and yes, correct), I have done a hex dump of the .dd to see what OS and partitions are available; this is what I got:

Now this is where I don't really understand how to read the hex and apply it to getting the partition info.

Nonetheless, through countless hours of playing and troubleshooting I can't get any further... so an sfdisk lookup returns this…

and now I am completely lost.

Any assistance would be wonderful and I am smashing the F5 waiting for your infinite wisdom…

Many thanks and beers in advance.

Andrew Chapman
Student, Perth. Western Australia


kiashi
(@kiashi)
Trusted Member
Joined: 19 years ago
Posts: 99
 

Andrew,

If this hex dump is showing the first sector in your dd image then you have an image of an individual NTFS partition, because this is not the Master Boot Record; it is instead the Volume Boot Record for a single partition. I am assuming then that you are not going to find any other partitions.

You might want to do some keyword searches in Unicode such as 'meerkat' or '.jpg' to find MFT entries for picture files relating to Meerkats. Other than that I'm not sure because I don't know the tools available on that boot disk. I'm not sure whether you have The Sleuth Kit or other tools on there for more graphical analysis.

Good Luck!


jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

Since the first sector of "assignment2.dd" is a bootsector, it is evident that the image is that of a partition or volume.
The F8 at offset 0x15 confirms that it is a volume on hard disk media.
The 3F00 at offset 0x18 means that it is a 63 sectors media.
The FF00 at offset 0x1A means that it's 255 heads.
All of the above is a good hint that it is a hard disk partition.
The 3F000000 at 0x1C tells you that this is the first partition on a "normal" hard disk (63 sectors before).
Data at 0x28
89B67F0000 means that it is 8369801 sectors in size
8369801 x 512 = 4285338112 bytes, i.e. about 4 GB
The size seems like matching cylinder boundary in CHS address.
8369801+1+63=8369865
8369865/63=132855
132855/255=521
i.e. 521/255/63
The $MFT at sector 04 at offset 0x030 is "abnormal". 😯
The $MFTmirror at 68FB07 (523112) at offset 0x38 seems more "plausible".

If I were you, I would append that image to a 63 (blank) sectors file, then run TESTDISK on it.

Or write the correct PT data to the PT of the first sector of the newly created file (starting from offset 0x1BE):
8001010007FEBF083F0000008AB67F
and the magic bytes 55AA at offset 0x01FE,

and only THEN run sfdisk on it.

jaclaz
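Added example (not from the thread, and not jaclaz's code): a small Python script that does the boot-sector reading above programmatically and then builds the 63-sector prefix with the partition table entry jaclaz describes. The real assignment2.dd dump is not reproduced in the thread, so the sample boot sector is constructed from the values quoted in the post; the OEM ID, bytes per sector (512) and sectors per cluster (16) are not quoted and are assumptions.

```python
import struct


def build_sample_boot_sector() -> bytes:
    """Constructed NTFS boot sector carrying the values jaclaz reads from the dump.
    OEM ID, bytes per sector and sectors per cluster are not quoted in the thread
    and are filled with common NTFS defaults (assumptions)."""
    bs = bytearray(512)
    bs[0:3] = b"\xEB\x52\x90"                    # jump instruction
    bs[3:11] = b"NTFS    "                       # OEM ID
    struct.pack_into("<H", bs, 0x0B, 512)        # bytes per sector (assumed)
    bs[0x0D] = 16                                # sectors per cluster (assumed)
    bs[0x15] = 0xF8                              # media descriptor: fixed disk
    struct.pack_into("<H", bs, 0x18, 63)         # sectors per track
    struct.pack_into("<H", bs, 0x1A, 255)        # heads
    struct.pack_into("<I", bs, 0x1C, 63)         # hidden sectors before the volume
    struct.pack_into("<Q", bs, 0x28, 0x7FB689)   # total sectors = 8369801
    struct.pack_into("<Q", bs, 0x30, 4)          # $MFT start cluster (the "abnormal" 4)
    struct.pack_into("<Q", bs, 0x38, 0x07FB68)   # $MFTMirr start cluster = 523112
    bs[0x1FE:0x200] = b"\x55\xAA"                # boot signature
    return bytes(bs)


def parse_ntfs_boot_sector(bs: bytes) -> dict:
    """Decode the BPB fields jaclaz reads by hand (all little-endian)."""
    if bs[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("missing 55AA boot signature")
    if bs[3:7] != b"NTFS":
        raise ValueError("OEM ID is not NTFS; this is not an NTFS volume boot record")
    bps = struct.unpack_from("<H", bs, 0x0B)[0]
    total = struct.unpack_from("<Q", bs, 0x28)[0]
    return {
        "bytes_per_sector": bps,
        "sectors_per_cluster": bs[0x0D],
        "media_descriptor": bs[0x15],                                # 0xF8 = hard disk
        "sectors_per_track": struct.unpack_from("<H", bs, 0x18)[0],
        "heads": struct.unpack_from("<H", bs, 0x1A)[0],
        "hidden_sectors": struct.unpack_from("<I", bs, 0x1C)[0],    # 63 = first partition
        "total_sectors": total,
        "volume_bytes": total * bps,
        "mft_cluster": struct.unpack_from("<Q", bs, 0x30)[0],
        "mftmirr_cluster": struct.unpack_from("<Q", bs, 0x38)[0],
    }


def chs_geometry(info: dict) -> tuple:
    """jaclaz's cylinder-boundary check: (total + 1 backup sector + hidden) / spt / heads."""
    sectors = info["total_sectors"] + 1 + info["hidden_sectors"]
    spt, heads = info["sectors_per_track"], info["heads"]
    tracks, rem_s = divmod(sectors, spt)
    cyls, rem_t = divmod(tracks, heads)
    return cyls, heads, spt, rem_s == 0 and rem_t == 0   # True when it ends on a cylinder boundary


def encode_chs(cyl: int, head: int, sector: int) -> bytes:
    """3-byte MBR CHS field: head, then sector (6 bits) with cylinder bits 8-9, then cylinder low byte."""
    cyl = min(cyl, 1023)
    return bytes([head & 0xFF, ((cyl >> 2) & 0xC0) | (sector & 0x3F), cyl & 0xFF])


def lba_to_chs(lba: int, heads: int, spt: int) -> bytes:
    return encode_chs(lba // (heads * spt), (lba // spt) % heads, lba % spt + 1)


def build_partition_entry(info: dict) -> bytes:
    """16-byte MBR partition entry for this volume (jaclaz's 80 01 01 00 07 FE BF 08 ... bytes)."""
    _, heads, spt, _ = chs_geometry(info)
    start_lba = info["hidden_sectors"]
    size = info["total_sectors"] + 1        # NTFS stores size - 1; the last sector holds the boot sector backup
    end_lba = start_lba + size - 1
    return (b"\x80" + lba_to_chs(start_lba, heads, spt)      # bootable flag, start CHS
            + b"\x07" + lba_to_chs(end_lba, heads, spt)      # type 07 = NTFS, end CHS
            + struct.pack("<I", start_lba) + struct.pack("<I", size))


def make_disk_image(partition_image: bytes, info: dict) -> bytes:
    """Prepend the 63 blank sectors jaclaz suggests, with a valid MBR in the first one."""
    mbr = bytearray(512)
    mbr[0x1BE:0x1CE] = build_partition_entry(info)
    mbr[0x1FE:0x200] = b"\x55\xAA"
    padding = bytes(512 * (info["hidden_sectors"] - 1))
    return bytes(mbr) + padding + partition_image


if __name__ == "__main__":
    info = parse_ntfs_boot_sector(build_sample_boot_sector())
    print(info, chs_geometry(info), build_partition_entry(info).hex())
```

On the sample values this reproduces jaclaz's arithmetic (8369801 sectors, 521/255/63, $MFTMirr at cluster 523112) and the partition entry comes out as 8001010007FEBF083F0000008AB67F00, i.e. the bytes in the post plus the trailing 00 of the 4-byte size field. Writing the result of make_disk_image to a file gives sfdisk or TestDisk a proper MBR to read; note the sample boot sector is reconstructed from the post, so on the real image read the values from the dump itself.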


neddy
(@neddy)
Estimable Member
Joined: 21 years ago
Posts: 182
 

Try running foremost across the image; this should identify images of Meerkats and give you a physical location for them.
Use the physical location to find the $mft file extent entry (data run) for the image, taking the 63 reserved sectors of the master boot record into account.
This should identify the $mft entries for the images, and once decoded you will have the file names and other attributes.
It is a bit long-winded but a good exercise!

Of course you may also be able to use the bootsector backup that is to be found somewhere and hopefully intact in your image. Details of how to do this are here. If you can manage this you will have a filesystem and folder structure to work with after mounting the modified image.


4Rensics
(@4rensics)
Reputable Member
Joined: 16 years ago
Posts: 255
 

You could try just running a search for the image header in hex. Off the top of my head I think the first 4 bytes would be FF D8 FF E0 (or Yoya in funky ASCII characters). This should pop up the appearance of any images of these pesky Meerkats :D

Good luck!
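Added example (not from the thread, and not neddy's or 4Rensics' code) that ties their two suggestions together: search the image for the JPEG header bytes, convert each physical hit to a volume sector and cluster after stripping the 63 reserved sectors, and check the cluster against a decoded $MFT data run. It goes one step past the post by also accepting FF D8 FF E1 (Exif) headers, not only the JFIF FF D8 FF E0. The disk image, the data-run bytes and the cluster size of 16 sectors are all constructed for the example; on the real image take the cluster size from offset 0x0D of the boot sector and the run list from the picture's $MFT record.

```python
SECTOR = 512
HIDDEN_SECTORS = 63          # the reserved MBR track in front of the volume (neddy, jaclaz)
SECTORS_PER_CLUSTER = 16     # assumption; take it from offset 0x0D of the real boot sector
SOI = b"\xFF\xD8\xFF"        # JPEG start-of-image plus the marker prefix
APP_MARKERS = {0xE0: "JFIF", 0xE1: "Exif"}   # 4Rensics' FF D8 FF E0 plus the Exif variant


def find_jpeg_headers(image: bytes) -> list:
    """Physical byte offsets of JPEG headers, as a hex search or foremost would report them."""
    hits, pos = [], image.find(SOI)
    while pos != -1:
        if pos + 3 < len(image) and image[pos + 3] in APP_MARKERS:
            hits.append((pos, APP_MARKERS[image[pos + 3]]))
        pos = image.find(SOI, pos + 1)
    return hits


def physical_to_cluster(offset: int, hidden=HIDDEN_SECTORS, spc=SECTORS_PER_CLUSTER) -> tuple:
    """Map a byte offset in the whole-disk image to (volume sector, cluster, byte offset in cluster)."""
    disk_sector, in_sector = divmod(offset, SECTOR)
    vol_sector = disk_sector - hidden          # strip the 63 sectors before the volume
    if vol_sector < 0:
        raise ValueError("offset lies in the MBR track, not inside the volume")
    cluster, sector_in_cluster = divmod(vol_sector, spc)
    return vol_sector, cluster, sector_in_cluster * SECTOR + in_sector


def decode_data_runs(runs: bytes) -> list:
    """Decode an NTFS $DATA run list into [(start_cluster, length_in_clusters), ...].

    Header byte: low nibble = size of the length field, high nibble = size of the
    offset field. Offsets are signed and relative to the previous run's start;
    an offset field of size 0 marks a sparse run. A 0x00 header ends the list."""
    out, pos, lcn = [], 0, 0
    while pos < len(runs) and runs[pos] != 0:
        hdr = runs[pos]
        len_sz, off_sz = hdr & 0x0F, hdr >> 4
        pos += 1
        length = int.from_bytes(runs[pos:pos + len_sz], "little")
        pos += len_sz
        if off_sz == 0:
            out.append((None, length))       # sparse: no clusters allocated
            continue
        lcn += int.from_bytes(runs[pos:pos + off_sz], "little", signed=True)
        pos += off_sz
        out.append((lcn, length))
    return out


def run_containing(cluster: int, runs: list):
    """Return the (start, length) run that covers `cluster`, or None."""
    for start, length in runs:
        if start is not None and start <= cluster < start + length:
            return (start, length)
    return None


def build_sample_image() -> bytes:
    """Constructed disk image: 63 blank sectors, then a 60-cluster volume with two JPEG headers."""
    img = bytearray(SECTOR * (HIDDEN_SECTORS + 60 * SECTORS_PER_CLUSTER))
    img[197632:197636] = b"\xFF\xD8\xFF\xE0"   # volume cluster 20, sector 3 -> JFIF
    img[458340:458344] = b"\xFF\xD8\xFF\xE1"   # volume cluster 52, byte 100 -> Exif
    return bytes(img)


# Constructed run list as it would be decoded from a picture's $MFT record:
# run 1 = 10 clusters from LCN 20, run 2 = 5 clusters at +30 from run 1 (LCN 50).
SAMPLE_RUNS = bytes.fromhex("210A1400" "11051E" "00")


def locate_pictures(image: bytes, runs: bytes) -> list:
    """Carve the headers, convert each hit to a cluster, match it against the data runs."""
    decoded = decode_data_runs(runs)
    result = []
    for off, kind in find_jpeg_headers(image):
        _vol_sector, cluster, _byte_in_cluster = physical_to_cluster(off)
        result.append({"offset": off, "kind": kind, "cluster": cluster,
                       "run": run_containing(cluster, decoded)})
    return result


if __name__ == "__main__":
    for hit in locate_pictures(build_sample_image(), SAMPLE_RUNS):
        print(hit)
```

Each hit that lands inside a run of the decoded $MFT record is a picture that record owns, which is the link neddy describes between a carved physical offset and the file name and attributes in the MFT; a hit that lands in no run (cluster 55 against the sample runs, say) belongs to some other record or to unallocated space.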

