Assignment 2

Page history last edited by Patrick 2 months, 1 week ago

Objectives:

  1. Demonstrate your understanding of the FAT file system and its system components.
  2. Demonstrate your understanding of hashing.
  3. Demonstrate your understanding of how to recover a deleted file manually.
  4. Demonstrate your understanding of how to byte swap.

 

 

Deliverables:

  1. Your .bash_history file after completing the assignment
    1. cat ~/.bash_history >> <firstname>.<lastname.bash.txt>
    2. Make sure to close all terminal windows before exporting your .bash_history file then reopen terminal to run the command 
  2. Answers to the questions, completed tables, and including images of recovered files.
    1. Save as <First>.<LastName>.2.{doc/pdf}
  3. Zip these two files together into <first.last.2>.zip
  4. Upload to Assignment dropbox

 

 

 

 

HINTS

Logical vs Physical Size

 

We're using a simple image for this assignment where the sectors are 512 bytes and each cluster is composed of one sector; however, that's not going to be the case for modern file systems. In order to know the physical size you need to know: how many clusters (blocks) are used for the file and how many sectors per cluster. With that information, you can determine the physical size of the file by using the logical size.

 

Example:

One sector is 512 bytes and each cluster is composed of 8 sectors, making a cluster size of 4096 bytes.

 

If the logical size of a file is 16,732 bytes, we can calculate the physical size by dividing by the cluster size: (16732/4096) = 4.084. The file won’t fit entirely within 4 clusters, so the file system will need to allocate a full additional cluster to hold the remainder, making the physical size (4096 x 5) or 20480 bytes.

 

 

Learn about Byte Swapping Through Reverse Engineering

 

Byte swap example for file1.png.

 

Let's reverse engineer our first file: file1.png.

 

Last line of the root directory entry for file1.png with the unswapped bytes in yellow:

 

434B 434B 0000 9479 434B 0300 A41E 0100

 

The known logical size of the file is 73380 bytes. Let's work backwards. 

 

Open your Windows (or Mac) calculator. 

Set it to ‘Programmer’ mode.

Set it to Decimal and enter 73380.

 

 

 

Here you can see decimal 73380 translates to hex 11EA4 (or 00011EA4 using 4 bytes). Look familiar? Let's look back at our root entry.

 

A41E 0100 (Root entry) compared to 0001 1EA4 (Translated logical size). The size is the four-byte value, read one byte (two hex digits) at a time, in reverse order!

 

A4 1E 01 00 becomes 00 01 1E A4

 

I’ve provided you the starting offset in hex for the deleted files. All you need to do is input that into the programmer’s calculator, convert the hex to Decimal, and that will be your starting offset or skip value in dd.
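
The two hints above (logical vs physical size, and the byte swap), worked in Python as an added example that is not part of the original assignment. It goes beyond the size field and decodes every field in the 16-byte line shown for file1.png, assuming the standard 32-byte FAT short directory entry layout; the function names are illustrative.

```python
import struct
from datetime import datetime

# Bytes 0x10-0x1F of the file1.png root directory entry, as shown on the page.
ENTRY_TAIL = bytes.fromhex("434B 434B 0000 9479 434B 0300 A41E 0100")


def fat_datetime(date_word, time_word=0):
    """Decode FAT packed date/time words (already byte-swapped to integers)."""
    year = 1980 + (date_word >> 9)       # bits 15-9: years since 1980
    month = (date_word >> 5) & 0x0F      # bits 8-5
    day = date_word & 0x1F               # bits 4-0
    hour = time_word >> 11               # bits 15-11
    minute = (time_word >> 5) & 0x3F     # bits 10-5
    second = (time_word & 0x1F) * 2      # bits 4-0, stored in 2-second units
    return datetime(year, month, day, hour, minute, second)


def parse_entry_tail(tail):
    """Parse offsets 0x10-0x1F of a 32-byte FAT short directory entry."""
    if len(tail) != 16:
        raise ValueError("expected the last 16 bytes of a directory entry")
    # '<' does the byte swap: six little-endian 16-bit words, then the
    # 32-bit logical size. The high cluster word is always 0 on FAT12/16.
    cdate, adate, clus_hi, wtime, wdate, clus_lo, size = struct.unpack("<6HI", tail)
    return {
        "created_date": fat_datetime(cdate).date(),
        "accessed_date": fat_datetime(adate).date(),
        "modified": fat_datetime(wdate, wtime),
        "first_cluster": (clus_hi << 16) | clus_lo,
        "logical_size": size,
    }


def physical_size(logical_size, bytes_per_sector=512, sectors_per_cluster=1):
    """Round the logical size up to a whole number of clusters."""
    cluster = bytes_per_sector * sectors_per_cluster
    clusters = -(-logical_size // cluster)  # ceiling division
    return clusters * cluster


if __name__ == "__main__":
    entry = parse_entry_tail(ENTRY_TAIL)
    for name, value in entry.items():
        print(f"{name:14} {value}")
    print("physical_size ", physical_size(entry["logical_size"]))
```

The defaults of `physical_size` match this assignment's image (512-byte sectors, one sector per cluster); pass `sectors_per_cluster=8` to reproduce the 4096-byte cluster example.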

 

 

 

Files:

 
