Usb Investigation 1



  • 8/6/2019 Usb Investigation 1

    1/18

    USB INVESTIGATION

This paper is a file system exercise in which a 1 GB USB drive carrying two partitions was investigated. The investigation used the Linux terminal, WinHex and The Sleuth Kit. The Sleuth Kit was downloaded as a source tarball; because the build dependencies were not installed, the build-essential package (which provides g++ and the other tools needed to compile it) had to be installed first.

    Download and Installation of the SleuthKit.

mishy@mishy-laptop:~$ sudo apt-get install build-essential
mishy@mishy-laptop:~$ tar xvzf sleuthkit-3.0.0.tar.gz
mishy@mishy-laptop:~$ cd sleuthkit-3.0.0/
mishy@mishy-laptop:~/sleuthkit-3.0.0$ ./configure
mishy@mishy-laptop:~/sleuthkit-3.0.0$ make
mishy@mishy-laptop:~/sleuthkit-3.0.0$ sudo make install

Only the package installation and make install (which writes under /usr/local) need root; the tarball is extracted and compiled as an unprivileged user.

    FAT Boot Sector


Common structure used by all FAT versions [UTECH, n.d.]; the values in parentheses are the source's example values for a 1.44 MB floppy:

Bytes    Content
0-2      Jump to bootstrap (e.g. eb 3c 90; on i86: JMP 003E NOP. One finds either eb xx 90 or e9 xx xx. The position of the bootstrap varies.)
3-10     OEM name/version (e.g. "IBM  3.3", "IBM 20.0", "MSDOS5.0", "MSWIN4.0". Various format utilities leave their own name, like "CH-FOR18". Sometimes just garbage. Microsoft recommends "MSWIN4.1".)
         /* BIOS Parameter Block starts here */
11-12    Number of bytes per sector (512). Must be one of 512, 1024, 2048, 4096.
13       Number of sectors per cluster (1). Must be one of 1, 2, 4, 8, 16, 32, 64, 128. A cluster should have at most 32768 bytes. In rare cases 65536 is OK.
14-15    Number of reserved sectors (1). FAT12 and FAT16 use 1. FAT32 uses 32.
16       Number of FAT copies (2)
17-18    Number of root directory entries (224). 0 for FAT32. 512 is recommended for FAT16.
19-20    Total number of sectors in the filesystem (2880) (in case the partition is not FAT32 and smaller than 32 MB)
21       Media descriptor type (f0: 1.4 MB floppy, f8: hard disk)
22-23    Number of sectors per FAT (9). 0 for FAT32.
24-25    Number of sectors per track (12)
26-27    Number of heads (2, for a double-sided diskette)
28-29    Number of hidden sectors (0). Hidden sectors are sectors preceding the partition.
         /* BIOS Parameter Block ends here */
30-509   Bootstrap
510-511  Signature 55 aa

    FAT16

    FAT16 uses the above BIOS Parameter Block, with some extensions:

Bytes    Content
11-27    (as before)
28-31    Number of hidden sectors (0)
32-35    Total number of sectors in the filesystem (in case the total was not given in bytes 19-20)
36       Logical drive number (for use with INT 13, e.g. 0 or 0x80)
37       Reserved (earlier: current head, the track containing the boot record). Used by Windows NT: bit 0: need disk check; bit 1: need surface scan
38       Extended signature (0x29). Indicates that the three following fields are present. Windows NT recognizes either 0x28 or 0x29.
39-42    Serial number of partition
43-53    Volume label or "NO NAME    "
54-61    Filesystem type (e.g. "FAT12   ", "FAT16   ", "FAT     ", or all zero)
62-509   Bootstrap
510-511  Signature 55 aa

    FAT32


    FAT32 uses an extended BIOS Parameter Block:

Bytes    Content
11-27    (as before)
28-31    Number of hidden sectors (0)
32-35    Total number of sectors in the filesystem
36-39    Sectors per FAT
40-41    Mirror flags. Bits 0-3: number of active FAT (if bit 7 is 1). Bits 4-6: reserved. Bit 7: one: single active FAT; zero: all FATs are updated at runtime. Bits 8-15: reserved
42-43    Filesystem version
44-47    First cluster of root directory (usually 2)
48-49    Filesystem information sector number in FAT32 reserved area (usually 1)
50-51    Backup boot sector location or 0 or 0xffff if none (usually 6)
52-63    Reserved
64       Logical drive number (for use with INT 13, e.g. 0 or 0x80)
65       Reserved - used to be current head (used by Windows NT)
66       Extended signature (0x29). Indicates that the three following fields are present.
67-70    Serial number of partition
71-81    Volume label
82-89    Filesystem type ("FAT32   ")

    Image 1 MASTER BOOT RECORD


Image 1 shows the master boot record (MBR) of the USB drive. The partition table starts at offset 0x1BE and holds four 16-byte entries; in each entry the starting LBA is at bytes 8-11 and the size in sectors at bytes 12-15, both as 32-bit little-endian values, so the bytes have to be reversed (least significant byte first) before they are read as a number. From the table we can see that this device has two partitions.

Partition 1 (entry at 0x1BE-0x1CD): the starting LBA at 0x1C6-0x1C9 is 80 1F 00 00, i.e. 0x00001F80 = 8064; the size at 0x1CA-0x1CD is 3E 13 0F 00, i.e. 0x000F133E = 987966 sectors. So partition 1 starts at sector 8064.

Partition 2 (entry at 0x1CE-0x1DD): the starting LBA at 0x1D6-0x1D9 is BE 32 0F 00, i.e. 0x000F32BE = 996030; the size at 0x1DA-0x1DD is 41 AD 0E 00, i.e. 0x000EAD41 = 961857 sectors. So partition 2 starts at sector 996030.

As a consistency check, 8064 + 987966 = 996030: partition 2 begins in the sector right after partition 1 ends, with no gap between them. The 8064 sectors before partition 1 hold the MBR and unused alignment space; the 34 reserved sectors mentioned later belong to the FAT32 file system inside partition 1 and are already counted in its 987966 sectors. The partitioned area therefore ends at sector 996030 + 961857 - 1 = 1957886 and spans 1957887 * 512 = 1002438144 bytes (about 956 MiB), which is consistent with a drive sold as 1 GB. The MBR does not record the capacity of the device, so any sectors after the last partition are not visible here.
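To make the little-endian decoding above mechanical rather than manual, here is an added Python example (not part of the original report) that parses an MBR partition table. The 512-byte sample MBR is constructed here from the two entries read off Image 1; the boot code is left as zeros and the partition type bytes (0x0C and 0x06) are assumptions, since the report does not quote them. The check_layout function does the overlap and gap checks a practitioner runs before trusting a partition table, and zero_entry models the step at the end of the report where the second entry is blanked out.

```python
import struct

SECTOR = 512
TAB = 0x1BE            # offset of the four 16-byte partition entries in the MBR


def build_sample_mbr():
    """Constructed sample MBR carrying the two entries read off Image 1.

    Start LBA and size are the values decoded in the text; the status byte
    0x00 and the type bytes 0x0C (FAT32 LBA) / 0x06 (FAT16) are assumptions,
    and the boot code area is left zeroed."""
    mbr = bytearray(SECTOR)
    entries = [  # (status, type, start LBA, size in sectors)
        (0x00, 0x0C, 8064, 987966),
        (0x00, 0x06, 996030, 961857),
    ]
    for i, (status, ptype, start, size) in enumerate(entries):
        off = TAB + 16 * i
        # CHS fields (bytes 1-3 and 5-7 of the entry) are ignored by LBA-aware
        # tools, so they are left as zeros here.
        struct.pack_into("<B3sB3sII", mbr, off, status, b"\0\0\0", ptype, b"\0\0\0", start, size)
    mbr[0x1FE:0x200] = b"\x55\xAA"
    return bytes(mbr)


def parse_mbr(mbr):
    """Return the non-empty partition entries as dicts with LBA fields decoded."""
    if len(mbr) != SECTOR or mbr[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("no 55 AA signature at bytes 510-511: not an MBR")
    parts = []
    for i in range(4):
        off = TAB + 16 * i
        status, ptype, start, size = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0 and size == 0:
            continue                               # unused slot
        parts.append({"index": i + 1, "status": status, "type": ptype,
                      "start": start, "size": size, "end": start + size - 1,
                      "bytes": size * SECTOR})
    return parts


def check_layout(parts):
    """Entries in LBA order must not overlap; the gaps between them (and the
    space before the first entry) are where data may be hidden.
    Returns (problems, gaps) with each gap as (first, last) sector."""
    problems, gaps = [], []
    prev_end = 0                                   # sector 0 is the MBR itself
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] <= prev_end:
            problems.append(f"partition {p['index']} overlaps the one before it")
        elif p["start"] > prev_end + 1:
            gaps.append((prev_end + 1, p["start"] - 1))
        prev_end = max(prev_end, p["end"])
    return problems, gaps


def partitioned_extent(parts):
    """Last sector covered by any partition; the MBR says nothing beyond it."""
    return max(p["end"] for p in parts)


def zero_entry(mbr, index):
    """Copy of the MBR with entry `index` (1-4) blanked, as done with BSNEW.dd
    later in the report. Only the 16-byte table entry changes; the sectors
    of the partition itself are untouched, which is why writing the original
    MBR back restores the partition."""
    out = bytearray(mbr)
    off = TAB + 16 * (index - 1)
    out[off:off + 16] = bytes(16)
    return bytes(out)


if __name__ == "__main__":
    mbr = build_sample_mbr()
    for p in parse_mbr(mbr):
        print(f"partition {p['index']}: type 0x{p['type']:02X} start {p['start']} "
              f"size {p['size']} sectors ({p['bytes']} bytes) end {p['end']}")
    print("problems, gaps:", check_layout(parse_mbr(mbr)))
    print("entries left after zeroing entry 2:", [p["index"] for p in parse_mbr(zero_entry(mbr, 2))])
```

Running it prints the two partitions with the same start and size values as the hand decoding above, reports no overlap and one gap (sectors 1-8063 before partition 1), and shows that after zeroing the second entry only partition 1 is listed while the bytes of partition 2 are still in place.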

Image 2
(annotations on the figure: Address in Hex; Boot Code; From here we can see two [partitions]; MBR Signature)


Image 2 shows that the USB drive does in fact have two partitions when it is attached to an Ubuntu Linux system.

    FIRST PARTITION

File Output 1

mishy@mishy-laptop:~$ sudo dd if=/dev/sdb count=1 skip=8064 | xxd > First_Partition
0000000: eb58 904d 5344 4f53 352e 3000 0208 2200  .X.MSDOS5.0...".
0000010: 0200 0000 00f8 0000 3f00 ff00 801f 0000  ........?.......
0000020: 3e13 0f00 c303 0000 0000 0000 ed00 0000  >...............
0000030: 0100 0600 0000 0000 0000 0000 0000 0000  ................
0000040: 8000 2960 6f58 6e50 6172 7431 0000 0000  ..)`oXnPart1....
0000050: 0000 4641 5433 3220 2020 33c9 8ed1 bcf4  ..FAT32   3.....
0000060: 7b8e c18e d9bd 007c 884e 028a 5640 b408  {......|.N..V@..
0000070: cd13 7305 b9ff ff8a f166 0fb6 c640 660f  ..s......f...@f.
0000080: b6d1 80e2 3ff7 e286 cdc0 ed06 4166 0fb7  ....?.......Af..
0000090: c966 f7e1 6689 46f8 837e 1600 7538 837e  .f..f.F..~..u8.~
00000a0: 2a00 7732 668b 461c 6683 c00c bb00 80b9  *.w2f.F.f.......
00000b0: 0100 e82b 00e9 4803 a0fa 7db4 7d8b f0ac  ...+..H...}.}...
00000c0: 84c0 7417 3cff 7409 b40e bb07 00cd 10eb  ..t.<.t.........

skip=8064 is the starting LBA of partition 1 from the MBR, so this is the FAT32 boot sector of the first partition. Reading it against the FAT32 table above: 512 bytes per sector (bytes 11-12: 00 02), 8 sectors per cluster (byte 13), 34 reserved sectors (bytes 14-15: 22 00), 2 FATs, 963 sectors per FAT (bytes 36-39: C3 03 00 00), 8064 hidden sectors (bytes 28-31, matching the MBR start LBA), 987966 total sectors (bytes 32-35, matching the MBR size), root directory at cluster 237 (bytes 44-47: ED 00 00 00), FS information sector 1 and backup boot sector 6 (bytes 48-51). In the dd commands that follow, if= is the raw image of the partition (FullFirstPartition.dd, the file fsstat and fls are run on below) and skip= counts 512-byte sectors from the start of that partition, so the skip values can be compared directly with the sector numbers fsstat reports.


File Output 2

mishy@mishy-laptop:~$ sudo dd if=FullFirstPartition.dd count=1 skip=6 | xxd > BackUpBoot
0000000: eb58 904d 5344 4f53 352e 3000 0208 2200  .X.MSDOS5.0...".
0000010: 0200 0000 00f8 0000 3f00 ff00 801f 0000  ........?.......
0000020: 3e13 0f00 c303 0000 0000 0000 ed00 0000  >...............
0000030: 0100 0600 0000 0000 0000 0000 0000 0000  ................
0000040: 8000 2960 6f58 6e55 5342 4452 4956 4520  ..)`oXnUSBDRIVE 
0000050: 2020 4641 5433 3220 2020 33c9 8ed1 bcf4    FAT32   3.....
0000060: 7b8e c18e d9bd 007c 884e 028a 5640 b408  {......|.N..V@..
0000070: cd13 7305 b9ff ff8a f166 0fb6 c640 660f  ..s......f...@f.
0000080: b6d1 80e2 3ff7 e286 cdc0 ed06 4166 0fb7  ....?.......Af..
0000090: c966 f7e1 6689 46f8 837e 1600 7538 837e  .f..f.F..~..u8.~
00000a0: 2a00 7732 668b 461c 6683 c00c bb00 80b9  *.w2f.F.f.......
00000b0: 0100 e82b 00e9 4803 a0fa 7db4 7d8b f0ac  ...+..H...}.}...
00000c0: 84c0 7417 3cff 7409 b40e bb07 00cd 10eb  ..t.<.t.........

File output 2 shows the backup boot sector at sector 6 of partition 1, the location given by bytes 50-51 of the boot sector. It is identical to the primary copy except for the volume label at bytes 71-81, which reads "USBDRIVE   " in the backup and "Part1" in the primary: relabelling the volume rewrote the primary boot sector and the root directory label entry without refreshing the backup. Comparing the two copies is a cheap consistency check, and a mismatch like this one preserves an earlier state of the volume.

File Output 3 (FirstFAT)

0000000: f8ff ff0f ffff ffff 0300 0000 0400 0000  ................
0000010: 0500 0000 0600 0000 0700 0000 0800 0000  ................
0000020: 0900 0000 ffff ff0f 0000 0000 ffff ff0f  ................
0000030: ffff ff0f ffff ff0f ffff ff0f ffff ff0f  ................
0000040: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000050: 0000 0000 0000 0000 0000 0000 0000 0000  ................

File output 3 shows the start of the first copy of the FAT in partition 1, which begins right after the reserved sectors (sector 34). FAT32 entries are 32 bits wide, of which only the low 28 bits are used. The first two entries are reserved: F8FFFF0F carries the media descriptor F8 and FFFFFFFF is the second reserved entry. From entry 2 onward each entry holds the number of the next cluster in a chain, so 03000000 in entry 2 means that cluster 2 continues at cluster 3, and so on up to entry 9, whose value FFFFFF0F marks the end of that chain. An entry of 00000000 (cluster 10 here) is a free cluster, and entries 11 to 15 each hold an end-of-chain marker, i.e. five single-cluster chains.

File Output 4

mishy@mishy-laptop:~$ sudo dd if=FullFirstPartition.dd count=1 skip=997 | xxd > SecondFAT
0000000: f8ff ff0f ffff ffff 0300 0000 0400 0000  ................
0000010: 0500 0000 0600 0000 0700 0000 0800 0000  ................
0000020: 0900 0000 ffff ff0f 0000 0000 ffff ff0f  ................
0000030: ffff ff0f ffff ff0f ffff ff0f ffff ff0f  ................
0000040: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000050: 0000 0000 0000 0000 0000 0000 0000 0000  ................


File output 4 shows the start of the second copy of the FAT in partition 1. It follows the reserved sectors and the first FAT: 34 + 963 = 997 is the sector where the second FAT begins (fsstat below reports FAT 0 at sectors 34-996 and FAT 1 at 997-1959). The two copies are identical, as they should be; a difference between them would point to an interrupted write or to deliberate tampering with one copy.

    File Output 5


The following fsstat output gives the full picture of the FAT32 structure of the first partition: the OEM name, the volume information, how the file system is laid out, where the allocated cluster chains start and end, and the location of the root directory, among other information.

mishy@mishy-laptop:~$ sudo fsstat -f fat FullFirstPartition.dd
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: FAT32

OEM Name: MSDOS5.0
Volume ID: 0x6e586f60
Volume Label (Boot Sector): Part1
Volume Label (Root Directory): Part1
File System Type Label: FAT32
Next Free Sector (FS Info): 2064
Free Sector Count (FS Info): 962120

Sectors before file system: 8064

File System Layout (in sectors)
Total Range: 0 - 987965
* Reserved: 0 - 33
** Boot Sector: 0
** FS Info Sector: 1
** Backup Boot Sector: 6
* FAT 0: 34 - 996
* FAT 1: 997 - 1959
* Data Area: 1960 - 987965
** Cluster Area: 1960 - 987959
*** Root Directory: 3840 - 3847
** Non-clustered: 987960 - 987965

METADATA INFORMATION
--------------------------------------------
Range: 2 - 15776102
Root Directory: 2

CONTENT INFORMATION
--------------------------------------------
Sector Size: 512
Cluster Size: 4096
Total Cluster Range: 2 - 123251

FAT CONTENTS (in sectors)
--------------------------------------------
1960-2023 (64) -> EOF
2032-2039 (8) -> EOF
2040-2047 (8) -> EOF
2048-2055 (8) -> EOF
2056-2063 (8) -> EOF
2064-2071 (8) -> EOF
3840-3847 (8) -> EOF
3856-4407 (552) -> EOF
4408-4639 (232) -> EOF
4640-5199 (560) -> EOF
5200-5287 (88) -> EOF
5288-12031 (6744) -> EOF
12032-12039 (8) -> EOF
12040-27247 (15208) -> EOF
27248-27623 (376) -> EOF

    12040-27247 (15208) -> EOF27248-27623 (376) -> EOF

The first data sector comes after the reserved sectors and the two FATs, i.e. at sector 34 + 963 + 963 = 1960, and it is the start of cluster 2 (the first usable cluster number in any FAT file system). From the FAT, cluster 2 begins an 8-cluster chain (clusters 2-9, sectors 1960-2023). That chain belongs to scarylaser.gif inside NEWFOLDER2 (see File Output 9): its directory entry gives a size of 0x7748 = 30536 bytes (29.8 KB), and with 4096 bytes per cluster (512 bytes per sector * 8 sectors per cluster) that needs 8 clusters. Cluster 10 is free, and clusters 11-15 each hold a single-cluster chain; cluster 11 (sector 2032) is the .Trash-1000 directory shown in Image 7. That directory is created by Linux desktop file managers when a file on the drive is deleted through the desktop: the file is moved into .Trash-1000 rather than removed, so its data remain on the drive and can still be reached with low-level tools. Files deleted from Windows or with rm on a removable FAT volume are instead marked deleted in place. Clusters 16 to 236 are free according to the FAT.

The boot sector gives the first cluster of the root directory as 237 (bytes 44-47: ED 00 00 00), which maps to sector 1960 + (237 - 2) * 8 = 3840, matching fsstat. The root directory occupies a single 4 KB cluster. From the FAT, cluster 238 is free and the next chain starts at cluster 239 (sector 3856). That file is 281088 bytes (275 KB) and occupies 69 clusters (281088 / 4096 = 68.6, rounded up), so the next file begins at cluster 239 + 69 = 308, and so on.

File Output 6

mishy@mishy-laptop:~$ sudo dd if=FullFirstPartition.dd count=1 skip=3840 | xxd > Root_Dir
0000000: 5061 7274 3100 0000 0000 0008 0000 0000  Part1...........
0000010: 0000 0000 0000 0000 2100 0000 0000 0000  ........!.......
0000020: 4370 0074 0000 00ff ffff ff0f 0057 ffff  Cp.t.........W..
0000030: ffff ffff ffff ffff ffff 0000 ffff ffff  ................
0000040: 025f 0045 0078 0061 006d 000f 0057 7000  ._.E.x.a.m...Wp.
0000050: 6c00 6500 5b00 3100 5d00 0000 2e00 7000  l.e.[.1.].....p.
0000060: 0143 0068 0061 0070 0074 000f 0057 6500  .C.h.a.p.t...We.
0000070: 7200 5f00 3900 5f00 4600 0000 4100 5400  r._.9._.F...A.T.
0000080: 4348 4150 5445 7e31 5050 5420 0000 7a9e  CHAPTE~1PPT ..z.
0000090: 9e39 9e39 0000 217f 7c39 ef00 004a 0400  .9.9..!.|9...J..
00000a0: e561 0074 0069 006f 006e 000f 0007 2e00  .a.t.i.o.n......
00000b0: 7000 6400 6600 0000 ffff 0000 ffff ffff  p.d.f...........
00000c0: e544 0072 0069 0076 0065 000f 0007 4900  .D.r.i.v.e....I.
00000d0: 6e00 7600 6500 7300 7400 0000 6900 6700  n.v.e.s.t...i.g.
00000e0: e552 4956 4549 7e31 5044 4620 0000 7c9e  .RIVEI~1PDF ..|.
00000f0: 9e39 9e39 0000 8581 7c39 3401 11c5 0100  .9.9....|94.....
0000100: 422e 0070 0064 0066 0000 000f 00a3 ffff  B..p.d.f........
0000110: ffff ffff ffff ffff ffff 0000 ffff ffff  ................
0000120: 0157 0069 006e 0068 0065 000f 00a3 7800  .W.i.n.h.e....x.
0000130: 2000 4d00 6100 6e00 7500 0000 6100 6c00   .M.a.n.u...a.l.
0000140: 5749 4e48 4558 7e31 5044 4620 0064 7d9e  WINHEX~1PDF .d}.
0000150: 9e39 9e39 0000 da82 7c39 5101 b550 0400  .9.9....|9Q..P..
0000160: e545 004f 0044 002e 0078 000f 00f2 6c00  .E.O.D...x....l.
0000170: 7300 0000 ffff ffff ffff 0000 ffff ffff  s...............
0000180: e54f 4420 2020 2020 584c 5320 0064 9c9e  .OD     XLS .d..
0000190: 9e39 9e39 0000 1367 4639 9701 00a2 0000  .9.9...gF9......
00001a0: 4249 5244 2020 2020 4a50 4720 0064 bb9e  BIRD    JPG .d..
00001b0: 9e39 9e39 0000 6d6f 2339 a201 0da0 3400  .9.9..mo#9....4.
00001c0: 412e 0054 0072 0061 0073 000f 00e4 6800  A..T.r.a.s....h.
00001d0: 2d00 3100 3000 3000 3000 0000 0000 ffff  -.1.0.0.0.......
00001e0: 5452 4153 482d 7e31 2020 2010 0064 f758  TRASH-~1   ..d.X
00001f0: 9f39 9f39 0000 f758 9f39 0b00 0000 0000  .9.9...X.9......
0000200: e54e 5449 544c 7e31 2020 2010 0000 d79e  .NTITL~1   .....
0000210: 9e39 9e39 0000 d79e 9e39 ed04 0000 0000  .9.9.....9......
0000220: 414e 0045 0057 0046 004f 000f 00dd 4c00  AN.E.W.F.O....L.
0000230: 4400 4500 5200 3200 0000 0000 ffff ffff  D.E.R.2.........
0000240: 4e45 5746 4f4c 7e31 2020 2010 0000 e49e  NEWFOL~1   .....
0000250: 9e39 9e39 0000 e49e 9e39 ed04 0000 0000  .9.9.....9......

File output 6 shows the root directory of partition 1; its location was derived from the boot sector in File Output 1. Each entry is 32 bytes, and the attribute byte at offset 0x0B tells what kind of entry it is: 08 is the volume label (the first entry, Part1), 0F marks a long file name (LFN) entry, 10 a directory and 20 an archive, i.e. a regular file. A long name is stored in one or more 0F entries placed immediately before the 8.3 short-name entry it belongs to, as UTF-16 text with the last piece of the name first; byte 13 of every LFN entry holds a checksum of the 11-byte short name so that the two can be matched.

An E5 as the first byte marks a deleted entry. Deletion only overwrites that byte (and, in a normal delete, frees the FAT chain), so the rest of the entry, including the start cluster and the size, survives. The deleted entries here are DriveInvestigation.pdf and EOD.xls. From the operating system's point of view these files are gone; low-level tools still see them. Note that the cluster chains of both files are still allocated in the FAT (sectors 4408-4639 and 5200-5287 in the fsstat output), which is consistent with the files having been moved into .Trash-1000 rather than deleted in place.

The other files in the root directory, in start-cluster order, are Chapter_9_FAT_Example[1].ppt, Winhex Manual.pdf and BIRD.JPG. In this directory the entries happen to appear in the same order as their start clusters (Chapter_9_FAT_Example[1].ppt starts at cluster 239 and occupies 69 clusters, so DriveInvestigation.pdf follows at cluster 308), but FAT gives no such guarantee in general. There is also a directory NEWFOLDER2 and a deleted directory entry _NTITL~1. Both point at start cluster 0x04ED (bytes ED 04 at offset 0x1A of each entry), so the deleted entry is the leftover of renaming the folder, since a rename writes a new entry and marks the old one E5; it is not a second, independently deleted directory.

The start cluster of each file is stored in two little-endian halves: the high 16 bits at offset 0x14 and the low 16 bits at offset 0x1A. For Chapter_9_FAT_Example[1].ppt the low word is EF 00, i.e. 0x00EF = 239, and the high word is 0, so the file starts at cluster 239. The file size is the 32-bit value at offset 0x1C: 00 4A 04 00 is 0x00044A00 = 281088 bytes, which needs 69 clusters of 4096 bytes.
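The entry layout just described can be checked in code. The following Python example is added here and is not part of the original report; its input is the hex of the first ten entries of File Output 6 (the volume label, the three LFN entries and the short entry of Chapter_9_FAT_Example[1].ppt, the deleted DriveInvestigation.pdf with its two deleted LFN entries, and .Trash-1000), copied from the dump above. It assembles long names, verifies the LFN checksum against the short name, decodes start cluster and size, and, for the deleted entry, recovers the first character of the 8.3 name that E5 overwrote by brute-forcing the checksum (each per-byte step of the checksum is a bijection on 0-255, so exactly one byte value fits).

```python
import struct

ATTR_LFN = 0x0F
ATTR_VOLUME, ATTR_DIR, ATTR_ARCHIVE = 0x08, 0x10, 0x20
DELETED = 0xE5
BYTES_PER_CLUSTER = 4096        # 512 bytes/sector * 8 sectors/cluster (File Output 5)

# Sample input: entries 0-9 of the partition 1 root directory, copied from File Output 6.
ROOT_DIR = bytes.fromhex("""
5061 7274 3100 0000 0000 0008 0000 0000  0000 0000 0000 0000 2100 0000 0000 0000
4370 0074 0000 00ff ffff ff0f 0057 ffff  ffff ffff ffff ffff ffff 0000 ffff ffff
025f 0045 0078 0061 006d 000f 0057 7000  6c00 6500 5b00 3100 5d00 0000 2e00 7000
0143 0068 0061 0070 0074 000f 0057 6500  7200 5f00 3900 5f00 4600 0000 4100 5400
4348 4150 5445 7e31 5050 5420 0000 7a9e  9e39 9e39 0000 217f 7c39 ef00 004a 0400
e561 0074 0069 006f 006e 000f 0007 2e00  7000 6400 6600 0000 ffff 0000 ffff ffff
e544 0072 0069 0076 0065 000f 0007 4900  6e00 7600 6500 7300 7400 0000 6900 6700
e552 4956 4549 7e31 5044 4620 0000 7c9e  9e39 9e39 0000 8581 7c39 3401 11c5 0100
412e 0054 0072 0061 0073 000f 00e4 6800  2d00 3100 3000 3000 3000 0000 0000 ffff
5452 4153 482d 7e31 2020 2010 0064 f758  9f39 9f39 0000 f758 9f39 0b00 0000 0000
""")


def sfn_checksum(name11):
    """Checksum stored in byte 13 of every LFN entry: rotate right by one, then add."""
    s = 0
    for c in name11:
        s = ((((s & 1) << 7) | (s >> 1)) + c) & 0xFF
    return s


def lfn_piece(entry):
    """The 13 UTF-16LE characters of one LFN entry (bytes 1-10, 14-25, 28-31),
    cut at the NUL terminator or at the 0xFFFF padding."""
    raw = entry[1:11] + entry[14:26] + entry[28:32]
    text = raw.decode("utf-16-le", errors="replace")
    for stop in ("\x00", "\uffff"):
        if stop in text:
            text = text[:text.index(stop)]
    return text


def recover_first_byte(name11, checksum):
    """Deleting an entry overwrites byte 0 of the short name with E5. The LFN
    checksum covers the original 11 bytes and each step of it is a bijection,
    so exactly one candidate byte reproduces the stored checksum."""
    for c in range(0x20, 0x100):
        if c != DELETED and sfn_checksum(bytes([c]) + name11[1:]) == checksum:
            return c
    return None


def parse_directory(data, bytes_per_cluster=BYTES_PER_CLUSTER):
    entries, pending = [], []      # pending: (piece, checksum) of the LFN entries seen so far
    for off in range(0, len(data) - 31, 32):
        e = data[off:off + 32]
        if e[0] == 0x00:
            break                  # first never-used entry: end of directory
        attr = e[11]
        if attr == ATTR_LFN:
            pending.append((lfn_piece(e), e[13]))
            continue
        name11 = bytes(e[:11])
        deleted = name11[0] == DELETED
        # LFN entries are stored last piece first; a deleted set has lost its
        # sequence numbers (also E5), so physical order is all we can rely on.
        long_name = "".join(p for p, _ in reversed(pending)) or None
        lfn_checksum = pending[-1][1] if pending else None
        if deleted and lfn_checksum is not None:
            first = recover_first_byte(name11, lfn_checksum)
            if first is not None:
                name11 = bytes([first]) + name11[1:]
        base = name11[:8].decode("latin-1").rstrip(" \x00")
        ext = name11[8:].decode("latin-1").rstrip(" \x00")
        hi, = struct.unpack_from("<H", e, 0x14)       # high word of the start cluster
        lo, = struct.unpack_from("<H", e, 0x1A)       # low word of the start cluster
        size, = struct.unpack_from("<I", e, 0x1C)
        entries.append({
            "short": base + ("." + ext if ext else ""),
            "long": long_name,
            "attr": attr,
            "deleted": deleted,
            "cluster": (hi << 16) | lo,
            "size": size,
            "clusters": -(-size // bytes_per_cluster) if size else None,
            "lfn_ok": lfn_checksum is None or sfn_checksum(name11) == lfn_checksum,
        })
        pending = []
    return entries


if __name__ == "__main__":
    for ent in parse_directory(ROOT_DIR):
        flag = "deleted " if ent["deleted"] else ""
        print(f"{flag}{ent['long'] or ent['short']:32} attr 0x{ent['attr']:02X} "
              f"cluster {ent['cluster']} size {ent['size']} clusters {ent['clusters']}")
```

The parser stops at the first 00 entry rather than at E5 entries, because E5 entries are exactly what a forensic listing wants to keep; the recovered short name of the deleted file comes out as DRIVEI~1.PDF, and the cluster arithmetic (239 + 69 = 308) reproduces the start cluster of the next file.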

File Output 7

mishy@mishy-laptop:~$ sudo dd if=FullFirstPartition.dd count=1 skip=3856 | xxd > First_File
0000000: d0cf 11e0 a1b1 1ae1 0000 0000 0000 0000  ................
0000010: 0000 0000 0000 0000 3e00 0300 feff 0900  ........>.......
0000020: 0600 0000 0000 0000 0000 0000 0500 0000  ................
0000030: 2002 0000 0000 0000 0010 0000 2202 0000   ..........."...
0000040: 0100 0000 feff ffff 0000 0000 1902 0000  ................
0000050: 1a02 0000 1b02 0000 1c02 0000 2102 0000  ............!...
0000060: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000070: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000080: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000090: ffff ffff ffff ffff ffff ffff ffff ffff  ................

File output 7 shows the start of cluster 239 (sector 3856), the file that follows the root directory, Chapter_9_FAT_Example[1].ppt. From the root directory we saw that it is the first file entry, followed by the deleted DriveInvestigation.pdf. The bytes D0 CF 11 E0 A1 B1 1A E1 are the signature of an OLE2 compound document, the container format used by the legacy .ppt, .xls and .doc formats. The signature identifies the container, not the Office application, so the extension (or the names of the streams inside the container) is needed to tell a .ppt from an .xls.

Image 3

mishy@mishy-laptop:~$ sudo dd if=FullFirstPartition.dd count=1 skip=4408 | xxd > Second_File

Image 3 shows the start of the second file of the root directory, DriveInvestigation.pdf, at cluster 308 (sector 4408). From the root directory we could see that this file is marked deleted, but its content is still retrievable, as we can see. The file signature of a PDF is 25 50 44 46, the ASCII text %PDF.

Image 4

mishy@mishy-laptop:~$ sudo dd if=FullFirstPartition.dd count=1 skip=4640 | xxd > Third_File

Image 4 shows the start of the third file of the root directory, Winhex Manual.pdf, at cluster 337 (sector 4640). The signatures in images 3 and 4 are the same, as both are PDF files.

Image 5

mishy@mishy-laptop:~$ sudo dd if=FullFirstPartition.dd count=1 skip=5200 | xxd > Fourth_File


Image 5 shows the start of the fourth file of the root directory, EOD.xls, at cluster 407 (sector 5200). Its root directory entry is marked deleted, but the content is still present and readable with low-level tools. The signature D0 CF 11 E0 is the same OLE2 compound-document header seen for the .ppt file, which is why the signature alone cannot distinguish an .xls from a .ppt.

File Output 8

mishy@mishy-laptop:~$ sudo dd if=FullFirstPartition.dd count=1 skip=5288 | xxd > Fifth_File
0000000: ffd8 ffe0 0010 4a46 4946 0001 0101 0060  ......JFIF.....`
0000010: 0060 0000 ffe1 49b8 4578 6966 0000 4949  .`....I.Exif..II
0000020: 2a00 0800 0000 1300 0f01 0200 1600 0000  *...............
0000030: f200 0000 1001 0200 2400 0000 0801 0000  ........$.......
0000040: 1201 0300 0100 0000 0100 4f4c 1a01 0500  ..........OL....
0000050: 0100 0000 2c01 0000 1b01 0500 0100 0000  ....,...........
0000060: 3401 0000 2801 0300 0100 0000 0200 2321  4...(.........#!

File output 8 shows the start of the fifth file in the root directory, BIRD.JPG, at cluster 418 (sector 5288). The file signature FF D8 FF E0 proves that this is a JPEG image: FF D8 is the JPEG start-of-image marker and FF E0 introduces the APP0 segment, whose identifier string is JFIF. This file's extension was changed to .txt at disk level, but when it was analysed with WinHex the file header had not changed and still identified it as JFIF, as we can see.

Image 7

mishy@mishy-laptop:~$ sudo dd if=FullFirstPartition.dd count=1 skip=2032 | xxd > Trash

Image 7 shows the .Trash-1000 directory of partition 1 at cluster 11 (sector 2032). Linux desktop file managers create this directory on a USB or external drive the first time a file on it is sent to the trash; 1000 is the numeric user ID of the user who did so. It holds the files that were deleted from the drive through the desktop, which is why their data remain on the drive.

File Output 8

mishy@mishy-laptop:~$ sudo fls -f fat FullFirstPartition.dd
r/r 30087:    Chapter_9_FAT_Example[1].ppt
r/r * 30090:  DriveInvestigation.pdf
r/r 30093:    Winhex Manual.pdf
r/r * 30095:  EOD.xls
r/r 30096:    BIRD.JPG
d/d 30098:    .Trash-1000
d/d * 30099:  _NTITL~1
d/d 30101:    NEWFOLDER2
v/v 15776099: $MBR
v/v 15776100: $FAT1
v/v 15776101: $FAT2
d/d 15776102: $OrphanFiles

File output 8 shows the output of the fls command, which lists the root directory with long file names. Entries marked with an asterisk are deleted, matching the E5 entries in File output 6. The $MBR, $FAT1, $FAT2 and $OrphanFiles entries are virtual files that The Sleuth Kit adds for the boot sector, the two FATs, and for clusters that are allocated but not reachable from any directory.

File Output 9

mishy@mishy-laptop:~$ sudo dd if=FullFirstPartition.dd count=1 skip=12032 | xxd > NEWFOLDER
0000000: 2e20 2020 2020 2020 2020 2010 0000 d79e  .          .....
0000010: 9e39 9e39 0000 d79e 9e39 ed04 0000 0000  .9.9.....9......
0000020: 2e2e 2020 2020 2020 2020 2010 0000 d79e  ..         .....
0000030: 9e39 9e39 0000 d79e 9e39 0000 0000 0000  .9.9.....9......
0000040: 4270 0064 0066 0000 00ff ff0f 00bd ffff  Bp.d.f..........
0000050: ffff ffff ffff ffff ffff 0000 ffff ffff  ................
0000060: 0143 0046 0050 0072 006f 000f 00bd 6600  .C.F.P.r.o....f.
0000070: 6500 7300 7300 6900 6f00 0000 6e00 2e00  e.s.s.i.o...n...
0000080: 4346 5052 4f46 7e31 5044 4620 0000 e19e  CFPROF~1PDF ....
0000090: 9e39 9e39 0000 a0a2 6d39 ee04 aacc 7600  .9.9....m9....v.
00000a0: 4172 0065 0070 006f 0072 000f 0092 7400  Ar.e.p.o.r....t.
00000b0: 4100 6900 6400 2e00 7000 0000 6400 6600  A.i.d...p...d.f.
00000c0: 5245 504f 5254 7e31 5044 4620 0000 e49e  REPORT~1PDF ....
00000d0: 9e39 9e39 0000 8aa2 6d39 5b0c 56ee 0200  .9.9....m9[.V...
00000e0: e566 0000 00ff ffff ffff ff0f 0054 ffff  .f...........T..
00000f0: ffff ffff ffff ffff ffff 0000 ffff ffff  ................
0000100: e573 0063 0061 0072 0079 000f 0054 6c00  .s.c.a.r.y...Tl.
0000110: 6100 7300 6500 7200 2e00 0000 6700 6900  a.s.e.r.....g.i.
0000120: e543 4152 594c 7e31 4749 4620 005c 0ca0  .CARYL~1GIF .\..
0000130: 9e39 9e39 0000 0da0 9e39 0000 0000 0000  .9.9.....9......
0000140: 4266 0000 00ff ffff ffff ff0f 0054 ffff  Bf...........T..
0000150: ffff ffff ffff ffff ffff 0000 ffff ffff  ................
0000160: 0173 0063 0061 0072 0079 000f 0054 6c00  .s.c.a.r.y...Tl.
0000170: 6100 7300 6500 7200 2e00 0000 6700 6900  a.s.e.r.....g.i.
0000180: 5343 4152 594c 7e31 4749 4620 005c 0ca0  SCARYL~1GIF .\..
0000190: 9e39 9e39 0000 749f 9e39 0200 4877 0000  .9.9..t..9..Hw..
00001a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00001b0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00001c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................

File output 9 shows the contents of the directory NEWFOLDER2, which starts at cluster 1261 (sector 12032). The first two entries are the directory's own "." and ".." entries. NEWFOLDER2 contains CFProfession.pdf (start cluster 0x04EE = 1262, 7785642 bytes), ReportAid.pdf (start cluster 0x0C5B = 3163, 192086 bytes) and scarylaser.gif (start cluster 0x0002, 0x7748 = 30536 bytes); attribute bytes, sizes and start clusters are read exactly as in File output 6. Note the E5-marked set of entries for SCARYL~1GIF just before the live one: same short name, same LFN checksum 0x54 and same start cluster, but a size of 0, i.e. a stale earlier entry for the same file rather than a second deleted file. Because scarylaser.gif starts at cluster 2 (bytes 02 00 at offset 0x1A), it occupies the very first data clusters of the partition, even though its entry is in this subdirectory and not in the root directory.


    The same investigation was done on the second partition.

    SECOND PARTITION

File Output 10

mishy@mishy-laptop:~$ sudo dd if=/dev/sdb count=1 skip=996030 | xxd > Second_Partition
0000000: eb58 9050 4152 4147 4f4e 2300 0210 0100  .X.PARAGON#.....
0000010: 0200 0200 00f8 eb00 3f00 ff00 be32 0f00  ........?....2..
0000020: 41ad 0e00 8000 29d5 1cd5 1c50 6172 7432  A.....)....Part2
0000030: 0000 0000 0000 4641 5431 3620 2020 0000  ......FAT16   ..
0000040: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000050: 0000 0000 0000 0000 0000 8cc8 8ed0 bcff  ................
0000060: 7bfb 8ed8 8ec0 fcbf 2000 33c0 b915 00af  {....... .3.....
0000070: 7505 af75 04e2 f847 4781 7dfe 00c0 720a  u..u...GG.}...r.
0000080: e2ed 813e 0201 00c0 730f be88 7de8 3f00  ...>....s...}.?.
0000090: 33c0 cd16 3d00 3b75 f7be a77c bfa7 7eb9  3...=.;u...|..~.
00000a0: 7100 f3a5 e900 02bb 007c b901 00be e17e  q........|.....~
00000b0: e81c 0033 c0cd 16b8 0102 33d2 50cd 1358  ...3......3.P..X
00000c0: cd13 72e3 813e fe7d 55aa 75db e931 fd50  ..r..>.}U.u..1.P
00000d0: 5351 ac3c 0075 0459 5b58 c3b4 0ecd 10eb  SQ.<.u.Y[X......
[...]
00001c0: 0d0a 5057 2f44 4220 6279 204b 4952 2056  ..PW/DB by KIR V
00001d0: 2e20 2843 2920 5061 7261 676f 6e20 3139  . (C) Paragon 19
00001e0: 3937 2d31 3939 3900 0000 0000 0000 0000  97-1999.........
00001f0: 0000 0000 0000 0000 0000 0000 0000 55aa  ..............U.

File output 10 shows the first sector of the second partition, its FAT16 boot sector, which holds the important information about the partition. The OEM name is PARAGON#, and the copyright string in the boot code at offset 0x1C2, "PW/DB by KIR V. (C) Paragon 1997-1999", confirms that Paragon's partitioning software created this partition. The BPB values are:

BytesPerSector = 512 (bytes 11-12: 00 02)
SectorsPerCluster = 16 (byte 13: 10)
ReservedSectorCount = 1 (bytes 14-15: 01 00)
NumberOfFATs = 2 (byte 16)
RootEntryCount = 512 (bytes 17-18: 00 02)
SectorsPerFAT = 235 (bytes 22-23: EB 00)
HiddenSectors = 996030 (bytes 28-31: BE 32 0F 00, equal to the partition's start LBA in the MBR)
TotalSectors = 961857 (bytes 32-35: 41 AD 0E 00, equal to the partition size in the MBR; bytes 19-20 are zero because the volume is larger than 32 MB)
ExtendedBootSignature = 0x29 (byte 38)
VolumeID = 0x1CD51CD5 (bytes 39-42)
VolumeLabel = Part2 (bytes 43-53)
FileSystemType = "FAT16   " (bytes 54-61)
BootSignature = 55 AA (bytes 510-511)

This is a FAT16 partition, so its structures are laid out differently from the first partition: the root directory is a fixed area of 512 * 32 / 512 = 32 sectors immediately after the two FATs, not a cluster chain, and the data clusters start after it. The cluster size is chosen by the formatting tool from the volume size: for a FAT16 volume of this size (961857 sectors, about 470 MB) the default is 16 sectors = 8 KB per cluster, whereas the FAT32 volume uses 8 sectors = 4 KB. Larger clusters leave more slack space at the end of every file, so FAT16 wastes more space here than FAT32. We also noticed that there is a backup boot sector for the first partition but none for the second: the FAT32 format reserves 32 or more sectors and keeps a copy of the boot sector at sector 6, while FAT16 reserves a single sector and defines no backup.
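Computing from the BPB fields the layout that fsstat prints for both partitions is a good check that a boot sector has not been tampered with. The Python example below is added here and is not part of the original report; its inputs are the BPB bytes of File Output 1 (partition 1) and File Output 10 (partition 2), copied from the dumps and zero-padded to a full sector ending in 55 AA. It applies the "all FAT versions", FAT16 and FAT32 layouts tabulated at the start of the report, decides FAT16 versus FAT32 from the cluster count (the rule of the FAT specification: under 4085 clusters FAT12, under 65525 FAT16, otherwise FAT32) rather than from the type label string, and maps cluster numbers to sectors and back.

```python
import struct

# Sample boot sectors copied from File Output 1 (partition 1) and File Output 10
# (partition 2); only the BPB prefix is reproduced, the rest is zero-padded.
BOOT_P1_HEX = """eb58 904d 5344 4f53 352e 3000 0208 2200 0200 0000 00f8 0000 3f00 ff00 801f 0000
3e13 0f00 c303 0000 0000 0000 ed00 0000 0100 0600 0000 0000 0000 0000 0000 0000
8000 2960 6f58 6e50 6172 7431 0000 0000 0000 4641 5433 3220 2020"""
BOOT_P2_HEX = """eb58 9050 4152 4147 4f4e 2300 0210 0100 0200 0200 00f8 eb00 3f00 ff00 be32 0f00
41ad 0e00 8000 29d5 1cd5 1c50 6172 7432 0000 0000 0000 4641 5431 3620 2020 0000"""


def sector_from_hex(h):
    body = bytes.fromhex(h)
    return body + bytes(510 - len(body)) + b"\x55\xaa"


def parse_bpb(sec):
    """Decode the BIOS Parameter Block and derive the on-disk layout."""
    if len(sec) != 512 or sec[510:] != b"\x55\xaa":
        raise ValueError("boot sector signature 55 AA missing")
    (bps, spc, reserved, nfats, root_entries,
     total16, media, spf16) = struct.unpack_from("<HBHBHHBH", sec, 11)
    hidden, total32 = struct.unpack_from("<II", sec, 28)
    if bps not in (512, 1024, 2048, 4096) or spc not in (1, 2, 4, 8, 16, 32, 64, 128):
        raise ValueError(f"implausible geometry: {bps} bytes/sector, {spc} sectors/cluster")
    if nfats == 0 or reserved == 0:
        raise ValueError("zero FATs or zero reserved sectors")
    total = total16 or total32
    fat32_bpb = root_entries == 0 and spf16 == 0      # FAT32 leaves both fields zero
    if fat32_bpb:
        spf, = struct.unpack_from("<I", sec, 36)
        root_cluster, fsinfo, backup = struct.unpack_from("<IHH", sec, 44)
        ext_off = 64      # drive number, reserved, ext. signature, volume id, label, type
    else:
        spf, root_cluster, fsinfo, backup = spf16, None, None, None
        ext_off = 36
    drive, _, ext_sig, vol_id = struct.unpack_from("<BBBI", sec, ext_off)
    label = sec[ext_off + 7:ext_off + 18].decode("latin-1").rstrip(" \x00")
    type_label = sec[ext_off + 18:ext_off + 26].decode("latin-1").rstrip()

    root_dir_sectors = (root_entries * 32 + bps - 1) // bps   # 0 on FAT32
    data_start = reserved + nfats * spf + root_dir_sectors    # first sector of cluster 2
    clusters = (total - data_start) // spc
    fs_type = "FAT12" if clusters < 4085 else "FAT16" if clusters < 65525 else "FAT32"
    fats = [(reserved + i * spf, reserved + (i + 1) * spf - 1) for i in range(nfats)]
    layout = {
        "fs_type": fs_type, "oem": sec[3:11].decode("latin-1"),
        "bytes_per_sector": bps, "sectors_per_cluster": spc,
        "bytes_per_cluster": bps * spc, "reserved": reserved,
        "hidden": hidden, "total_sectors": total,
        "fats": fats, "sectors_per_fat": spf,
        "data_start": data_start, "cluster_range": (2, clusters + 1),
        "non_clustered": (data_start + clusters * spc, total - 1),   # volume slack
        "volume_id": vol_id, "label": label, "type_label": type_label,
        "ext_sig": ext_sig, "backup_boot": backup, "fsinfo": fsinfo,
    }
    if fat32_bpb:
        first = data_start + (root_cluster - 2) * spc
        layout["root_cluster"] = root_cluster
        layout["root_dir"] = (first, first + spc - 1)   # first cluster only; the FAT chain gives the rest
    else:
        layout["root_dir"] = (reserved + nfats * spf, data_start - 1)   # fixed area
    return layout


def cluster_to_sector(layout, cluster):
    lo, hi = layout["cluster_range"]
    if not lo <= cluster <= hi:
        raise ValueError(f"cluster {cluster} outside {lo}-{hi}")
    return layout["data_start"] + (cluster - 2) * layout["sectors_per_cluster"]


def sector_to_cluster(layout, sector):
    if sector < layout["data_start"]:
        raise ValueError("sector lies before the data area")
    return 2 + (sector - layout["data_start"]) // layout["sectors_per_cluster"]


if __name__ == "__main__":
    for name, h in (("partition 1", BOOT_P1_HEX), ("partition 2", BOOT_P2_HEX)):
        lay = parse_bpb(sector_from_hex(h))
        print(name, lay["fs_type"], "label", lay["label"], "FATs", lay["fats"],
              "root dir", lay["root_dir"], "data start", lay["data_start"],
              "clusters", lay["cluster_range"], "slack", lay["non_clustered"])
```

The numbers it derives (FATs at 34-996 and 997-1959, data area at 1960, root directory at 3840, cluster range 2-123251 and slack 987960-987965 for partition 1; FATs at 1-235 and 236-470, root directory at 471-502, data at 503, cluster range 2-60085 and slack 961847-961856 for partition 2) are exactly those in the two fsstat outputs, and the hidden-sector fields agree with the MBR start LBAs, which is the cross-check to run whenever a boot sector is suspected of having been edited.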


File Output 11

mishy@mishy-laptop:~$ sudo dd if=FullSecondPartition.dd count=1 skip=1 | xxd > FAT1
0000000: f8ff ffff 0000 0400 0500 ffff ffff 0800  ................
0000010: 0900 0a00 0b00 0c00 0d00 0e00 0f00 1000  ................
0000020: 1100 1200 1300 1400 1500 1600 1700 1800  ................
0000030: 1900 1a00 1b00 1c00 1d00 1e00 1f00 2000  .............. .
0000040: 2100 2200 2300 2400 2500 2600 2700 2800  !.".#.$.%.&.'.(.
0000050: 2900 2a00 2b00 2c00 2d00 2e00 2f00 3000  ).*.+.,.-.../.0.
0000060: 3100 3200 3300 3400 3500 3600 3700 3800  1.2.3.4.5.6.7.8.
0000070: 3900 3a00 3b00 3c00 3d00 3e00 3f00 4000  9.:.;.<.=.>.?.@.
0000080: 4100 4200 4300 4400 4500 4600 4700 4800  A.B.C.D.E.F.G.H.
0000090: 4900 4a00 4b00 4c00 4d00 4e00 4f00 5000  I.J.K.L.M.N.O.P.
00000a0: 5100 5200 5300 5400 5500 5600 5700 5800  Q.R.S.T.U.V.W.X.
00000b0: 5900 5a00 5b00 5c00 5d00 5e00 5f00 6000  Y.Z.[.\.].^._.`.
00000c0: 6100 6200 6300 6400 6500 6600 6700 6800  a.b.c.d.e.f.g.h.
00000d0: 6900 6a00 6b00 6c00 6d00 6e00 6f00 7000  i.j.k.l.m.n.o.p.
00000e0: 7100 7200 7300 7400 7500 7600 7700 7800  q.r.s.t.u.v.w.x.
00000f0: 7900 7a00 7b00 7c00 7d00 7e00 7f00 8000  y.z.{.|.}.~.....
0000100: 8100 8200 8300 8400 8500 8600 8700 8800  ................

File Output 11 shows the start of the first FAT of partition 2, which is located right after the single reserved sector. FAT16 entries are 16 bits wide. Entries 0 and 1 (FFF8, carrying the media descriptor F8, and FFFF) are reserved. Entry 2 is 0000, so cluster 2 is free. Entries 3 and 4 point to clusters 4 and 5 and entry 5 is FFFF (end of chain): a three-cluster chain, which fsstat below reports as sectors 519-566 and which belongs to Technology.odt. Entry 6 is an end-of-chain marker on its own, a single-cluster chain (the NEWFOLDER directory). From entry 7 onward each entry points to the next cluster (7 -> 8 -> 9 -> ...), the start of the long chain of mish_back.JPG. The ASCII column is not text: it only looks like the alphabet because the entry values happen to be consecutive printable byte values.

File Output 12

mishy@mishy-laptop:~$ sudo dd if=FullSecondPartition.dd count=1 skip=236 | xxd > FAT2
0000000: f8ff ffff 0000 0400 0500 ffff ffff 0800  ................
0000010: 0900 0a00 0b00 0c00 0d00 0e00 0f00 1000  ................
0000020: 1100 1200 1300 1400 1500 1600 1700 1800  ................
0000030: 1900 1a00 1b00 1c00 1d00 1e00 1f00 2000  .............. .
0000040: 2100 2200 2300 2400 2500 2600 2700 2800  !.".#.$.%.&.'.(.
0000050: 2900 2a00 2b00 2c00 2d00 2e00 2f00 3000  ).*.+.,.-.../.0.
0000060: 3100 3200 3300 3400 3500 3600 3700 3800  1.2.3.4.5.6.7.8.
0000070: 3900 3a00 3b00 3c00 3d00 3e00 3f00 4000  9.:.;.<.=.>.?.@.
0000080: 4100 4200 4300 4400 4500 4600 4700 4800  A.B.C.D.E.F.G.H.
0000090: 4900 4a00 4b00 4c00 4d00 4e00 4f00 5000  I.J.K.L.M.N.O.P.
00000a0: 5100 5200 5300 5400 5500 5600 5700 5800  Q.R.S.T.U.V.W.X.
00000b0: 5900 5a00 5b00 5c00 5d00 5e00 5f00 6000  Y.Z.[.\.].^._.`.
00000c0: 6100 6200 6300 6400 6500 6600 6700 6800  a.b.c.d.e.f.g.h.
00000d0: 6900 6a00 6b00 6c00 6d00 6e00 6f00 7000  i.j.k.l.m.n.o.p.
00000e0: 7100 7200 7300 7400 7500 7600 7700 7800  q.r.s.t.u.v.w.x.
00000f0: 7900 7a00 7b00 7c00 7d00 7e00 7f00 8000  y.z.{.|.}.~.....
0000100: 8100 8200 8300 8400 8500 8600 8700 8800  ................

File output 12 shows the second FAT of partition 2, located after the reserved sector and the first FAT (1 + 235 = 236). It is identical to the first copy, as it should be.
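The "FAT CONTENTS (in sectors)" lines that fsstat prints for both partitions are nothing more than a walk over these entries. The Python example below is added here and is not part of the original report; it takes the FAT bytes copied from File Output 3 (FAT32, partition 1) and the first four lines of File Output 11 (FAT16, partition 2), together with the data-area start and sectors-per-cluster values reported by fsstat, masks FAT32 entries to their 28 significant bits, classifies entries as free, end-of-chain, bad or link, and turns each chain into the sector ranges fsstat shows. Because only the start of each FAT is sampled, a chain that runs past the sample is reported as truncated rather than mis-read as an end of chain; the same code flags loops in a cross-linked FAT.

```python
import struct

# Sample input copied from File Output 3 (start of FAT 0, partition 1, FAT32).
FAT32_SAMPLE = bytes.fromhex("""
f8ff ff0f ffff ffff 0300 0000 0400 0000 0500 0000 0600 0000 0700 0000 0800 0000
0900 0000 ffff ff0f 0000 0000 ffff ff0f ffff ff0f ffff ff0f ffff ff0f ffff ff0f
0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
""")
# Sample input copied from File Output 11 (start of FAT 0, partition 2, FAT16).
FAT16_SAMPLE = bytes.fromhex("""
f8ff ffff 0000 0400 0500 ffff ffff 0800 0900 0a00 0b00 0c00 0d00 0e00 0f00 1000
1100 1200 1300 1400 1500 1600 1700 1800 1900 1a00 1b00 1c00 1d00 1e00 1f00 2000
""")
# (first sector of cluster 2, sectors per cluster) from the two fsstat outputs
GEOMETRY = {"p1": (1960, 8), "p2": (503, 16)}


def fat_entries(fat_bytes, bits):
    """Decode raw FAT bytes into a list of entry values indexed by cluster number."""
    if bits == 16:
        return [v for (v,) in struct.iter_unpack("<H", fat_bytes)]
    if bits == 32:
        # FAT32 entries are 32 bits wide but only the low 28 bits are significant.
        return [v & 0x0FFFFFFF for (v,) in struct.iter_unpack("<I", fat_bytes)]
    raise ValueError("bits must be 16 or 32")


def classify(value, bits):
    eof, bad = (0xFFF8, 0xFFF7) if bits == 16 else (0x0FFFFFF8, 0x0FFFFFF7)
    if value == 0:
        return "free"
    if value >= eof:
        return "eof"
    if value == bad:
        return "bad"
    return "link"


def walk_chain(entries, start, bits):
    """Follow a chain from `start`. Returns (clusters, status): 'eof' for a clean
    end, 'truncated' if the chain leaves the sampled region, 'loop' for a
    cross-linked FAT, and 'free'/'bad' for a chain ending on an entry that no
    allocated chain should point to."""
    chain, seen, cur = [], set(), start
    while True:
        if cur < 2 or cur >= len(entries):
            return chain, "truncated"
        if cur in seen:
            return chain, "loop"
        seen.add(cur)
        chain.append(cur)
        kind = classify(entries[cur], bits)
        if kind != "link":
            return chain, kind
        cur = entries[cur]


def chain_heads(entries, bits):
    """Clusters that start a chain: allocated, and not pointed to by any entry."""
    targets = {entries[c] for c in range(2, len(entries)) if classify(entries[c], bits) == "link"}
    return [c for c in range(2, len(entries))
            if classify(entries[c], bits) != "free" and c not in targets]


def _run(first_cluster, last_cluster, data_start, spc, status):
    first = data_start + (first_cluster - 2) * spc
    last = data_start + (last_cluster - 1) * spc - 1
    return (first, last, last - first + 1, status)


def sector_runs(entries, bits, data_start, spc):
    """Reproduce fsstat's 'FAT CONTENTS (in sectors)': one (first, last, count,
    status) per contiguous run of sectors; the chain's status sits on its last run."""
    runs = []
    for head in chain_heads(entries, bits):
        chain, status = walk_chain(entries, head, bits)
        run_start = prev = chain[0]
        for c in chain[1:]:
            if c != prev + 1:                      # fragmented file: close the run
                runs.append(_run(run_start, prev, data_start, spc, "link"))
                run_start = c
            prev = c
        runs.append(_run(run_start, prev, data_start, spc, status))
    return runs


if __name__ == "__main__":
    for name, sample, bits in (("p1", FAT32_SAMPLE, 32), ("p2", FAT16_SAMPLE, 16)):
        data_start, spc = GEOMETRY[name]
        for first, last, count, status in sector_runs(fat_entries(sample, bits), bits, data_start, spc):
            print(f"{name}: {first}-{last} ({count}) -> {status.upper()}")
```

For partition 1 the output reproduces the first six fsstat lines (1960-2023 (64), then five 8-sector chains from 2032 to 2071); for partition 2 it gives 519-566 (48) and 567-582 (16), and reports the chain starting at cluster 7 as truncated because the sample ends before that chain does.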

File Output 13

mishy@mishy-laptop:~$ sudo fsstat -f fat FullSecondPartition.dd
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: FAT16

OEM Name: PARAGON#
Volume ID: 0x1cd51cd5
Volume Label (Boot Sector): Part2
Volume Label (Root Directory): Part2
File System Type Label: FAT16

Sectors before file system: 996030

File System Layout (in sectors)
Total Range: 0 - 961856
* Reserved: 0 - 0
** Boot Sector: 0
* FAT 0: 1 - 235
* FAT 1: 236 - 470
* Data Area: 471 - 961856
** Root Directory: 471 - 502
** Cluster Area: 503 - 961846
** Non-clustered: 961847 - 961856

METADATA INFORMATION
--------------------------------------------
Range: 2 - 15382182
Root Directory: 2

CONTENT INFORMATION
--------------------------------------------
Sector Size: 512
Cluster Size: 8192
Total Cluster Range: 2 - 60085

FAT CONTENTS (in sectors)
--------------------------------------------
519-566 (48) -> EOF
567-582 (16) -> EOF
583-4390 (3808) -> EOF
4391-4566 (176) -> EOF
4567-4582 (16) -> EOF
4583-4598 (16) -> EOF
4599-4614 (16) -> EOF
4615-4630 (16) -> EOF

mishy@mishy-laptop:~$ sudo fls -f fat FullSecondPartition.dd
r/r 6:        Technology.odt
r/r * 8:      mish_back.JPG
d/d * 9:      _NTITL~1
d/d 11:       NEWFOLDER
r/r 16:       NEW TELLER CASH TRANSFER (final draft).doc
d/d 18:       .Trash-1000
v/v 15382179: $MBR
v/v 15382180: $FAT1
v/v 15382181: $FAT2
d/d 15382182: $OrphanFiles

The fls output lists the files in partition 2. mish_back.JPG and the directory entry _NTITL~1 are marked deleted. As in partition 1, _NTITL~1 shares its start cluster (6) with NEWFOLDER, so it is the stale entry left behind when the folder was renamed. Although mish_back.JPG is deleted, fsstat still shows its 238-cluster chain (cluster 7 onward, sectors 583-4390) as allocated; a normal FAT delete frees the chain, so this again fits a move into .Trash-1000 rather than an in-place delete.

File Output 14

mishy@mishy-laptop:~$ sudo dd if=FullSecondPartition.dd count=1 skip=471 | xxd > RootDir
0000000: 5061 7274 3200 0000 0000 0008 0000 0000  Part2...........
0000010: 0000 0000 0000 0000 2100 0000 0000 0000  ........!.......
0000020: 4274 0000 00ff ffff ffff ff0f 0042 ffff  Bt...........B..
0000030: ffff ffff ffff ffff ffff 0000 ffff ffff  ................
0000040: 0154 0065 0063 0068 006e 000f 0042 6f00  .T.e.c.h.n...Bo.
0000050: 6c00 6f00 6700 7900 2e00 0000 6f00 6400  l.o.g.y.....o.d.
0000060: 5445 4348 4e4f 7e31 4f44 5420 0000 499e  TECHNO~1ODT ..I.
0000070: 9e39 9e39 0000 ebb3 7e39 0300 fe44 0000  .9.9....~9...D..
0000080: e56d 0069 0073 0068 005f 000f 0035 6200  .m.i.s.h._...5b.
0000090: 6100 6300 6b00 2e00 4a00 0000 5000 4700  a.c.k...J...P.G.
00000a0: e549 5348 5f42 7e31 4a50 4720 0000 8a9e  .ISH_B~1JPG ....
00000b0: 9e39 9e39 0000 ef5b 4d39 0700 64bb 1d00  .9.9...[M9..d...
00000c0: e54e 5449 544c 7e31 2020 2010 0000 4c9e  .NTITL~1   ...L.
00000d0: 9e39 9e39 0000 4c9e 9e39 0600 0000 0000  .9.9..L..9......
00000e0: 414e 0045 0057 0046 004f 000f 00dd 4c00  AN.E.W.F.O....L.
00000f0: 4400 4500 5200 0000 ffff 0000 ffff ffff  D.E.R...........
0000100: 4e45 5746 4f4c 7e31 2020 2010 0064 4c9e  NEWFOL~1   ..dL.
0000110: 9e39 9e39 0000 4c9e 9e39 0600 0000 0000  .9.9..L..9......
0000120: 4464 006f 0063 0000 00ff ff0f 00a5 ffff  Dd.o.c..........
0000130: ffff ffff ffff ffff ffff 0000 ffff ffff  ................
0000140: 0366 0069 006e 0061 006c 000f 00a5 2000  .f.i.n.a.l.... .
0000150: 6400 7200 6100 6600 7400 0000 2900 2e00  d.r.a.f.t...)...
0000160: 0253 0048 0020 0054 0052 000f 00a5 4100  .S.H. .T.R....A.
0000170: 4e00 5300 4600 4500 5200 0000 2000 2800  N.S.F.E.R... .(.
0000180: 014e 0045 0057 0020 0054 000f 00a5 4500  .N.E.W. .T....E.
0000190: 4c00 4c00 4500 5200 2000 0000 4300 4100  L.L.E.R. ...C.A.
00001a0: 4e45 5754 454c 7e31 444f 4320 0000 9a9e  NEWTEL~1DOC ....
00001b0: 9e39 9e39 0000 c862 cf32 f500 004c 0100  .9.9...b.2...L..
00001c0: 412e 0054 0072 0061 0073 000f 00e4 6800  A..T.r.a.s....h.
00001d0: 2d00 3100 3000 3000 3000 0000 0000 ffff  -.1.0.0.0.......
00001e0: 5452 4153 482d 7e31 2020 2010 0064 0a59  TRASH-~1   ..d.Y
00001f0: 9f39 9f39 0000 0a59 9f39 0001 0000 0000  .9.9...Y.9......

File output 14 shows the root directory of the second partition. In FAT16 the root directory is a fixed area following the reserved sector and the two FATs (sectors 471-502 here, 32 sectors for 512 entries); the data clusters start after it at sector 503. The first entry is the volume label, Part2. The E5 entries show that the image mish_back.JPG has been deleted; its entry still records start cluster 7 (bytes 07 00 at offset 0x1A) and a size of 0x001DBB64 = 1948516 bytes, which is enough to carve the file out. The entry for NEW TELLER CASH TRANSFER (final draft).doc is preceded by four LFN entries (sequence bytes 44, 03, 02 and 01, the first of them flagged 0x40 as the last piece), which is how a 42-character name is stored at 13 characters per entry.

    Image 8 Partition 1

    Image 9 Partition 2


Images 8 and 9 above show the free space on partition 1 and partition 2. They also show the volume slack: the sectors at the end of each partition that do not form a complete cluster (fsstat lists them as non-clustered, 987960-987965 for partition 1 and 961847-961856 for partition 2). The file system never allocates them, so they are a place where some users hide information.

File Output 15

mishy@mishy-laptop:~$ sudo dd if=BSNEW.dd of=/dev/sdb count=1
1+0 records in
1+0 records out
512 bytes (512 B) copied, 9.6666e-05 s, 5.3 MB/s

    Image 10

    Image 11

Images 10 and 11 and File output 15 above show that partition 2 has disappeared. This was done by zeroing the second partition table entry (bytes 0x1CE-0x1DD) in a copy of the MBR, BSNEW.dd, and writing that single sector back to the USB drive. Only the 16-byte table entry changed: the FAT16 boot sector, the FATs and the data of partition 2 are all still on the device, so the drive merely looks as if it has one partition, and a tool that scans for boot sectors would find the partition again. The change was reverted by writing the saved original MBR image, with both entries, back to the USB drive, which was done. Writing to the device is acceptable only in a lab exercise like this one; in a real investigation the original medium is never written to, a hardware write blocker is used when imaging it, and all analysis is done on the image.

    References


[UTECH] Eindhoven University of Technology (win.tue.nl). The FAT filesystem [Online]. Available at: http://www.win.tue.nl/~aeb/linux/fs/fat/fat-1.html (last accessed 6-01-09).