Assignment 2

Page history last edited by Patrick 4 weeks ago

Objectives:

  1. Demonstrate your understanding of the FAT file system and its system components.
  2. Demonstrate your understanding of hashing.
  3. Demonstrate your understanding of how to recover a deleted file manually.
  4. Demonstrate your understanding of how to byte swap.

 

 

Deliverables:

  1. Your .bash_history file after completing the assignment
    1. cat ~/.bash_history >> <firstname>.<lastname>.bash.txt
    2. Make sure to close all terminal windows before exporting your .bash_history file, then reopen a terminal to run the command.
  2. Answers to the questions, screenshots where requested, completed tables, and including images/screenshots of the recovered files.
    1. Save as <First>.<LastName>.2.{doc/pdf}
  3. Upload to the Assignment 2 box on Falcon Online

 

 

 

 

HINTS

Logical vs Physical Size

 

We're using a simple image for this assignment where the sectors are 512 bytes and each cluster is composed of one sector; however, that's not going to be the case for modern file systems. In order to know the physical size you need to know: how many clusters (blocks) are used for the file and how many sectors per cluster. With that information, you can determine the physical size of the file by using the logical size.

 

Example:

One sector is 512 bytes and each cluster is composed of 8 sectors, making a cluster size of 4096 bytes.

 

If the logical size of a file is 16,732 bytes, we can calculate the number of clusters it needs: (16732/4096) = about 4.08. The file won’t fit entirely within 4 clusters, so the file system will need to allocate a full additional cluster to hold the remainder, making the physical size (4096 x 5) or 20480 bytes.

 

 

Learn about Byte Swapping Through Reverse Engineering

 

Byte swap example for 1testdd.txt.

 

Let's reverse engineer our first file: 1testdd.txt

 

Here's the last line of the root directory entry for 1testdd.txt. The unswapped bytes, highlighted in yellow on the original page, are the last four (2001 0000):

 

00002630: ce52 ce52 0000 b5a1 ce52 0300 2001 0000  .R.R.....R.. ...

 

The known logical size of the file is 288 bytes. Let's work backwards. 

 

Open your Windows (or Mac) calculator. 

Set it to ‘Programmer’ mode.

Set to Decimal and enter 288

 

 

 

Here you can see decimal 288 translates to hex 120 (or 00000120 using 4 bytes). Look familiar? Let's look back at our root entry

 

00002630: ce52 ce52 0000 b5a1 ce52 0300 2001 0000  .R.R.....R.. ...

 

2001 0000 (root entry) compared to 0000 0120 (translated logical size). The size is the four-byte value, read one byte (two hex digits) at a time, in reverse order! This is little-endian byte order.

 

20 01 00 00 becomes 00 00 01 20

 

I’ve provided you the starting offset in hex for all files. All you need to do is enter it into the programmer's calculator and convert the hex to decimal; that will be your starting offset, or skip value, in dd.
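
The byte swap and the cluster rounding from the two hints above, as an added POSIX shell example that is not part of the original assignment. It reads the xxd line quoted for 1testdd.txt and goes one step beyond the text by also decoding the starting-cluster field (bytes 26-27 of a FAT directory entry); the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the assignment; function names are hypothetical.
# The xxd line is the one quoted on this page for 1testdd.txt.
ENTRY_LINE='00002630: ce52 ce52 0000 b5a1 ce52 0300 2001 0000  .R.R.....R.. ...'

# le_to_dec HEX: HEX is bytes in on-disk (little-endian) order as xxd prints
# them; print the decimal value. Spaces between groups are ignored.
le_to_dec() {
    hex=$(printf '%s' "$1" | tr -d ' ')
    # Reject empty input, non-hex characters and half bytes.
    case $hex in ''|*[!0-9a-fA-F]*) return 1 ;; esac
    [ $(( ${#hex} % 2 )) -eq 0 ] || return 1
    swapped=
    while [ -n "$hex" ]; do
        rest=${hex#??}                  # everything after the first byte
        swapped=${hex%"$rest"}$swapped  # prepend that byte: reverses the order
        hex=$rest
    done
    echo $(( 0x$swapped ))
}

# entry_fields LINE: LINE is the xxd row holding bytes 16-31 of a 32-byte FAT
# directory entry. Print "<starting cluster> <logical size>": the cluster is
# bytes 26-27 (word $7 after splitting), the size is bytes 28-31 ($8 and $9).
entry_fields() {
    set -f       # no filename globbing while the line is word-split
    set -- $1    # $1 = address, $2..$9 = the eight 2-byte groups
    set +f
    [ $# -ge 9 ] || return 1
    echo "$(le_to_dec "$7") $(le_to_dec "$8$9")"
}

# physical_size LOGICAL SECTORS_PER_CLUSTER [BYTES_PER_SECTOR, default 512]:
# round the logical size up to a whole number of clusters.
physical_size() {
    cluster=$(( $2 * ${3:-512} ))
    echo $(( ($1 + cluster - 1) / cluster * cluster ))
}

set -- $(entry_fields "$ENTRY_LINE")
echo "starting cluster $1, logical size $2 bytes"
echo "physical size, 1 sector per cluster:  $(physical_size "$2" 1) bytes"
echo "16732-byte example, 8 per cluster:    $(physical_size 16732 8) bytes"
```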

 

 

 

Files:

 
