Hands-On Project 5-2:
In this project, you explore the MFT and learn how to locate date and time values in the metadata of a file you create. These steps help you identify previously deleted fragments of MFT records that you might find in unallocated disk space or in residual data in Pagefile.sys.
Procedure:
- Start Notepad, and create a text file with one or more of the following lines:
- A countryman between two lawyers is like a fish between two cats.
- A slip of the foot you may soon recover, but a slip of the tongue you may never get over.
- An investment in knowledge always pays the best interest.
- Drive thy business or it will drive thee.
- Save the file in your work folder as C5Prj02.txt, and exit Notepad. (If your work folder isn’t on the C drive, save the file on the C drive anyway so that it has an entry in the $MFT file you examine later.)
- Next, review the material in “MFT and File Attributes,” paying particular attention to attributes 0x10 ($Standard_Information) and 0x30 ($File_Name), which both carry file dates and times. The following charts show the offset byte count, starting at the FILE signature of the file’s MFT record, for each date and time stamp:
Next, you examine the metadata of the C5Prj02.txt file stored in the $MFT file. Follow these steps:
- Start WinHex with the Run as administrator option. If you see an evaluation warning message, click OK.
- As a safety precaution, click Options, Edit Mode from the menu. In the Select Mode (globally) dialog box, click Read-only Mode (=write protected), as shown in Figure 5-39, and then click OK.
- Click Tools, Open Disk from the menu. In the View Disk dialog box, click the C: drive (or the drive where you saved C5Prj02.txt), as shown in Figure 5-40, and then click OK. If you’re prompted to take a new snapshot, click Take new one. Depending on the size and quantity of data on your disk, it might take several minutes for WinHex to traverse all the files and paths on your disk drive.
- Click Options, Data Interpreter from the menu. In the Data Interpreter Options dialog box, click the Windows FILETIME (64 bit) check box, shown in Figure 5-41, and then click OK. The Data Interpreter should then have FILETIME as an additional display item.
- Now you need to navigate to your work folder (C:\Work\Chap05\Projects) in WinHex. In the upper-right pane of WinHex, scroll down until you see your work folder. Double-click each folder in the path (see Figure 5-42), and then click the C5Prj02.txt file.
- Drag from the beginning of the record, on the letter F in FILE, and then down and to the right while you monitor the hexadecimal counter in the lower-right corner. (Note: 0x50 bytes, shown as 50 in the hexadecimal counter, is the offset of the first date and time stamp in this record, as described in the previous charts for 0x10 $Standard_Information.) When the counter reaches 50 (see Figure 5-43), release the mouse button.
- Move the cursor one byte forward, to the first byte of the next line (offset 0x50), and record the date and time shown in the Data Interpreter’s FILETIME field.
- Reposition the mouse cursor on the remaining offsets listed in the previous charts, and record their values.
- When you’re finished, exit WinHex and hand in the date and time values you recorded.
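The offsets and the FILETIME decoding that the steps above have you do by hand in WinHex, carried out in code as an added example (not part of the project text): a Python parser that walks the attributes of an MFT record and reports each date and time stamp with its offset from the FILE signature. The record it parses is constructed in memory for C5Prj02.txt, not copied from a real $MFT; it follows the common NTFS 3.1 layout (0x38-byte record header, 0x18-byte resident attribute headers, $Standard_Information first, then $File_Name), so the stamps land at 0x50 to 0x68 and 0xB8 to 0xD0. The timestamp values, the record number and the parent reference are made up.

```python
"""Decode the FILETIME stamps in an NTFS MFT record (constructed sample)."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ATTR_STANDARD_INFORMATION = 0x10
ATTR_FILE_NAME = 0x30
ATTR_DATA = 0x80
END_OF_ATTRIBUTES = 0xFFFFFFFF
RECORD_SIZE = 1024
STAMP_LABELS = ("created", "modified", "mft_modified", "accessed")


def filetime_to_datetime(ft: int) -> datetime:
    """A FILETIME counts 100-ns ticks since 1601-01-01 00:00 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def apply_fixups(record: bytes) -> bytes:
    """Undo update-sequence fixups: on disk the last 2 bytes of every 512-byte
    sector are overwritten with the update sequence number, and the originals
    live in the update sequence array in the record header."""
    usa_off, usa_count = struct.unpack_from("<HH", record, 4)
    usn = record[usa_off:usa_off + 2]
    buf = bytearray(record)
    for i in range(1, usa_count):
        end = i * 512 - 2
        if buf[end:end + 2] != usn:
            raise ValueError("fixup mismatch at 0x%X: torn or corrupt record" % end)
        buf[end:end + 2] = record[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)


def _stamps(record: bytes, base: int, skip: int) -> dict:
    """Four consecutive FILETIMEs starting at base+skip -> {label: (offset, datetime)}."""
    out = {}
    for i, label in enumerate(STAMP_LABELS):
        off = base + skip + 8 * i
        out[label] = (off, filetime_to_datetime(struct.unpack_from("<Q", record, off)[0]))
    return out


def parse_mft_timestamps(record: bytes) -> dict:
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    record = apply_fixups(record)
    off = struct.unpack_from("<H", record, 0x14)[0]          # offset of first attribute
    result = {}
    while off + 8 <= len(record):
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == END_OF_ATTRIBUTES or alen == 0:
            break
        if record[off + 8] == 0:                                 # resident attribute
            content = off + struct.unpack_from("<H", record, off + 0x14)[0]
            if atype == ATTR_STANDARD_INFORMATION:               # stamps start at content+0
                result["$STANDARD_INFORMATION"] = _stamps(record, content, 0)
            elif atype == ATTR_FILE_NAME:                        # 8-byte parent ref, then stamps
                result["$FILE_NAME"] = _stamps(record, content, 8)
                n = record[content + 0x40]                       # name length in UTF-16 chars
                result["name"] = record[content + 0x42:content + 0x42 + 2 * n].decode("utf-16-le")
        off += alen
    return result


# ---- constructed sample record: layout is real NTFS, the values are made up ----
def _resident_attr(atype: int, content: bytes) -> bytes:
    total = (0x18 + len(content) + 7) & ~7                       # attribute length is 8-byte aligned
    hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 0x18, 0, 0, len(content), 0x18, 0, 0)
    return (hdr + content).ljust(total, b"\0")


def build_sample_record() -> bytes:
    si_times = [datetime(2024, 3, 15, 9, 30, tzinfo=timezone.utc),      # created
                datetime(2024, 3, 15, 9, 31, 27, tzinfo=timezone.utc),  # modified
                datetime(2024, 3, 15, 9, 31, 27, tzinfo=timezone.utc),  # MFT modified
                datetime(2024, 3, 15, 9, 45, 10, tzinfo=timezone.utc)]  # accessed
    fn_times = [si_times[0]] * 4   # assumed: $FILE_NAME stamps not refreshed by an in-place edit
    text = b"An investment in knowledge always pays the best interest."
    name = "C5Prj02.txt".encode("utf-16-le")
    si = struct.pack("<4Q", *map(datetime_to_filetime, si_times)) + bytes(0x28)
    fn = (struct.pack("<Q", 5) + struct.pack("<4Q", *map(datetime_to_filetime, fn_times))
          + struct.pack("<QQII", 0, len(text), 0x20, 0) + bytes([len(name) // 2, 1]) + name)
    attrs = (_resident_attr(ATTR_STANDARD_INFORMATION, si) + _resident_attr(ATTR_FILE_NAME, fn)
             + _resident_attr(ATTR_DATA, text) + struct.pack("<I", END_OF_ATTRIBUTES) + bytes(4))
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, 0x38, 1,
                      0x38 + len(attrs), RECORD_SIZE, 0, 4, 0, 42)
    rec = bytearray((hdr + struct.pack("<HHH", 1, 0, 0)).ljust(0x38, b"\0") + attrs)
    rec = rec.ljust(RECORD_SIZE, b"\0")
    rec[0x1FE:0x200] = rec[0x3FE:0x400] = b"\x01\x00"           # USN stamped into each sector tail
    return bytes(rec)


if __name__ == "__main__":
    for attr, stamps in parse_mft_timestamps(build_sample_record()).items():
        if attr != "name":
            for label, (off, when) in stamps.items():
                print(f"{attr:22} {label:13} offset 0x{off:02X}  {when:%Y-%m-%d %H:%M:%S} UTC")
```

The offsets it prints are the same ones the WinHex counter shows in the steps above, which is what makes a fragment of a deleted record recognizable in unallocated space: a FILE signature followed, 0x50 bytes later, by four 8-byte values that all decode to plausible dates. Two practical points the code carries that WinHex leaves to you: a record read straight from disk has the update sequence number written over the last two bytes of each sector, so a parser must apply the fixups before trusting any field that straddles those positions; and the $File_Name stamps are refreshed far less often than the $Standard_Information ones, so a $Standard_Information time earlier than its $File_Name counterpart is worth a second look.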
Hands-On Project 5-3:
In this project, you use WinHex to become familiar with different file types.
Procedure:
- Locate or create Microsoft Excel (.xlsx), Microsoft Word (.docx), .gif, .jpg, and .mp3 files. If you’re creating a Word document or an Excel spreadsheet, save it in the .docx or .xlsx format, not as plain text.
- Start WinHex.
- Open each file type in WinHex. Record the hexadecimal values of the first bytes (the file header, or signature) of each file in a text editor, such as Notepad or WordPad. For example, for the Word document, record Word Header: 50 4B 03 04.
- Save the file, and then print it to give to your instructor.
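The same header check done in code, as an added example that is not part of the project: a Python identifier that reads the leading bytes of each file type listed above and names it. The sample files are constructed in memory (a two-entry ZIP for each Office document, a few header bytes for the images and audio), not real documents. The point the project’s own example hides is that 50 4B 03 04 is the ZIP local-file-header signature, so a .docx and a .xlsx begin identically and can only be told apart by looking inside the archive; an MP3 without an ID3 tag has no fixed header at all, only the MPEG frame sync bits.

```python
"""Identify file types from their leading bytes (constructed samples)."""
import io
import zipfile

# (magic bytes, label) tested in order; longer, more specific signatures first
SIGNATURES = [
    (b"\x50\x4B\x03\x04", "zip container"),          # PK\x03\x04: docx, xlsx, pptx, jar ...
    (b"\x47\x49\x46\x38\x37\x61", "gif (GIF87a)"),
    (b"\x47\x49\x46\x38\x39\x61", "gif (GIF89a)"),
    (b"\xFF\xD8\xFF", "jpeg"),
    (b"\x49\x44\x33", "mp3 (ID3v2 tag)"),            # "ID3"
]


def hexdump_header(data: bytes, n: int = 8) -> str:
    """The first n bytes as WinHex shows them, e.g. '50 4B 03 04'."""
    return " ".join(f"{b:02X}" for b in data[:n])


def classify_zip(data: bytes) -> str:
    """A ZIP header alone says nothing about the document type; the part names
    inside the archive do. A carved fragment with no central directory fails here."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return "zip header but unreadable archive (truncated or carved fragment?)"
    if "[Content_Types].xml" in names:               # Office Open XML package
        if any(n.startswith("word/") for n in names):
            return "docx"
        if any(n.startswith("xl/") for n in names):
            return "xlsx"
        if any(n.startswith("ppt/") for n in names):
            return "pptx"
        return "office open xml (unrecognized main part)"
    return "zip"


def identify(data: bytes) -> str:
    for magic, label in SIGNATURES:
        if data.startswith(magic):
            return classify_zip(data) if magic == b"PK\x03\x04" else label
    # MPEG audio frame sync: 11 set bits (FF Ex / FF Fx) when no ID3 tag leads the file
    if len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return "mp3 (bare MPEG audio frame)"
    return "unknown"


# ---- constructed samples (not real files) ----
def make_ooxml(main_part: str) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr(main_part, "<root/>")
    return buf.getvalue()


SAMPLES = {
    "C5Prj03.docx": make_ooxml("word/document.xml"),
    "C5Prj03.xlsx": make_ooxml("xl/workbook.xml"),
    "C5Prj03.gif": b"GIF89a" + bytes(10),
    "C5Prj03.jpg": b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00",
    "C5Prj03.mp3": b"ID3\x04\x00\x00\x00\x00\x00\x00",
    "untagged.mp3": b"\xFF\xFB\x90\x00" + bytes(8),
    "carved.docx": b"PK\x03\x04" + bytes(28),       # header only, no central directory
}

if __name__ == "__main__":
    for fname, data in SAMPLES.items():
        print(f"{fname:14} {hexdump_header(data):24} {identify(data)}")
```

For the write-up the project asks for, the header column is what you record; the last column is the caveat to note beside the Word and Excel entries.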
Hands-On Project 5-4:
This project is a continuation of the in-chapter activity carried out in class using OSForensics. The paralegal has asked you to see whether any passwords are listed in the images of Denise Robinson’s computer.
Procedure:
- Start OSForensics. If prompted to allow the program to make changes to your computer, click OK or Yes. In the OSForensics message box, click Continue Using Trial Version.
- Copy the InCh05.img file to your work folder. Mount the InCh05.img file as described in the in-chapter activity.
- In the main window, click Manage Case in the navigation bar on the left, if necessary. In the Select Case pane on the right, double-click InChap05 if a green checkmark isn’t displayed next to it.
- In the navigation bar on the left, click Passwords. In the pane on the right, click the Find Browser Passwords tab, if necessary. Click the Scan Drive button, and then click the drive letter for the InCh05.img mounted virtual drive.
- In the navigation bar on the left, click Retrieve Passwords. In the pane on the right, right-click the first item and click Export List to Case. In the Title text box, type Denise Robinson’s additional e-mail and password, and then click OK. Repeat this step for all browser passwords that were recovered.
- In the Passwords window, click the Windows Login Passwords tab. Click the Scan Drive button, and then click the drive letter for the InCh05.img mounted virtual drive.
- Click Retrieve Hashes, and then click Save to File. In the Save to dialog box, navigate to your work folder, type Denise-Robinson-WinPasswords in the File name text box, and then click Save.
- In the navigation bar on the left, click Manage Case. In the Manage Current Case pane on the right, click the Add Attachment button. Navigate to and click the Denise-Robinson-WinPasswords file, and click Open. In the Export Title text box, type Denise-Robinson-WinPasswords, and then click Add.
- In the navigation bar at the top, click Generate Report. In the Export Report dialog box, click OK. If you get a warning message that the report already exists, click Yes to overwrite the previous report.
- Exit OSForensics, and print the report displayed in your Web browser. Turn the report in to your instructor.