- Create a NTFS file
Prior to Test, I made a NTFS file named ntfs.dd.
Procedures are as below.
(1) Create a File filled with zeros
# dd if=/dev/zero of=./ntfs.dd bs=1024000 count=10
10+0 records in
10+0 records out
10240000 bytes (10 MB) copied, 0.239294 s, 42.8 MB/s
(2) Identify loop device not to use
# losetup -a
# losetup -f
/dev/loop0
(3) Connect ntfs.dd and /dev/loop0
# losetup /dev/loop0 ntfs.dd
# losetup -a
/dev/loop0: [0803]:516098 (/test/ntfs.dd)
(4) format loop0 as NTFS
# mkfs.ntfs /dev/loop0
The partition start sector was not specified for /dev/loop0 and it could not be obtained automatically. It has been set to 0.
The number of sectors per track was not specified for /dev/loop0 and it could not be obtained automatically. It has been set to 0.
The number of heads was not specified for /dev/loop0 and it could not be obtained automatically. It has been set to 0.
Cluster size has been automatically set to 4096 bytes.
To boot from a device, Windows needs the 'partition start sector', the 'sectors per track' and the 'number of heads' to be set.
Windows will not be able to boot from this device.
Initializing device with zeroes: 100% - Done.
Creating NTFS volume structures.
mkntfs completed successfully. Have a nice day.
(5) Mount loop0 and Copy a file to test
# mount -o loop ./ntfs.dd ./NTFS/
# df
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/sda3 28755580 4829808 22465064 18% /
udev 513268 232 513036 1% /dev
none 513268 136 513132 1% /dev/shm
none 513268 348 512920 1% /var/run
none 513268 0 513268 0% /var/lock
none 513268 0 513268 0% /lib/init/rw
none 28755580 4829808 22465064 18% /var/lib/ureadahead/debugfs
/dev/sda1 233333 23889 197397 11% /boot
/dev/sdb1 206422036 191748 195744668 1% /cases
/dev/loop0 9996 2500 7496 26% /test/NTFS
# cp ~/Desktop/forensics.jpg ./NTFS/
# umount /dev/loop0
- NTFS Layout
VBR(Volume Boot Record) has a $MFT Offset.
- Tracking a NTFS
HexEditor shows file structure. there is the file inputed JPG.(forensics.jpg)
- VBR(Volume Boot Record)
VBR is first sector of volume. So searching is very easy.
VBR = MBR + reserved
VBR has a $MFT Offset by cluster, size of sector, size of cluster... etc.
For indicating a file like forensics.jpg, Tester go to $MFT.
Because $MFT has all attributes about files.
- MFT
I checked first cluster of MFT. it is 4. 4 is 4 cluster offset.
a sector is 512. a cluster is 4096. 4 cluster are 16384 => 0x4000.
In 0x4000
I can identify MFT record record signature. The Size of each record is 1024 => 0x400.
The Size of MFT is 0x010400 => 66560.
66560 / 1024 = 65. in other words, MFT has 65 record.
NTFS checks each record like 1024 -> 1024 -> 1024...... -> end of 1024.
- MFT Record of JPEG(forensics.jpg)
I searched for forensics.jpg at 0x14000 =>81920.
The Start offset of MFT is 0x4000. So 0x14000 - 0x4000 = 0x10000.
0x10000 => 65536 / 1024 = 64. forensics.jpg is record 64.
Each Record has a lot of attributes like MAC times, File Size, File offset.....ETC
The offset of forensics.jpg is 0x1A2. but this value must Multiply 0x1000.
0x1A2 * 0x1000 = 1A21000
The size of forensics.jpg is 5 Cluster
0x1A2000 + 0x5000(5 Cluster) = 1A7000
- DATA of JPEG(forensics.jpg)
0x1A2000 has JPEG header signature(FFD8). 0x1A6320 has JPEG footer signature(FFD9)
- Idendify a JPEG(forensics.jpg)
For identification of forensics.jpg, I used dd tool.
if => input
of => output
bs => block size (=block is cluster in unix)
skip => skip as much as block size.
bash-3.2# dd if=ntfs.dd of=forensics.jpg bs=4096 count=5 skip=418
5+0 records in
5+0 records out
20480 bytes transferred in 0.000217 secs (94394886 bytes/sec)
File : forensics.jpg
URL : http://pchs.peachschools.org/sites/pchs.peachschools.org/files/computer-forensics.jpeg
