
Forensics with FTK Imager Part 2

In this blog I am going to show how files are indexed in the $MFT file, the important offsets inside an $MFT record, and how the fragments of a file (any file: .mp4, .mp3, .exe, .apk, .txt, .ppt, etc.) can be located and combined to rebuild the original file.

What is an offset? An offset is simply the position of a byte (shown as a hexadecimal value) in FTK Imager's hex view. Let's see an example:

The above snapshot shows the 1st sector of the $MFT file, which is 512 bytes. A sector is always 512 bytes. The cluster size depends on what you chose when formatting the disk (the allocation unit size; the minimum cluster size is 4096 bytes), which we discussed in the last blog. The snapshot above is the 1st sector of $MFT, and it will look the same on any disk that has an NTFS file system.

IMPORTANT: The $MFT file is the index file that stores information about all the files and folders of the volume it belongs to. The indexing is done in the form of records: every file in that volume has a record in $MFT, and each record is 1024 bytes, stored sequentially in the sectors of the volume. Remember that $MFT is itself a file, stored sequentially and not broken into fragments unlike other files; it occupies whole clusters and doesn't leave any RAM slack. 1024 bytes (2 sectors) are used for each record as a safety margin, so that if the information about the file grows in future the record can be extended.

Now your question would be: if a file is 2GB, how does its record fit in 1024 bytes?
The answer is simple: the record of a file is stored in hexadecimal form and holds the address of the cluster where that file is stored. So if that 2GB file is fragmented into 4 parts, stored in 4 different clusters, the record stores the addresses of those 4 clusters in hexadecimal format. I will show all of this practically in this blog.

The above two snapshots show the 1024-byte (2-sector) record of the $MFT file itself. In $MFT, the first record is always the record of $MFT. The second sector is empty because there are not many files in my logical volume, so the $MFT record does not need more space. But the record will extend into the second sector if I add so many files to the volume that it cannot be mapped within 512 bytes.

The above two snapshots show the record of one of the tools from Microsoft, pslist.exe. If I search for this name in FTK Imager, as shown below:

then there may be more than one entry, depending on whether the file is inside a folder. If the file is in a folder, then when you search you will also find an entry in the folder's record, because the folder is indexed in $MFT too, so the same name can appear in that record. We want the record of the file itself, so make sure that the record begins with FILE0, as you can see in the snapshot below:

Now let's see the various offsets (positions), the hexadecimal values present at each position, and what they mean with respect to the record:

IMPORTANT: Offset numbers always start at 0 in a record and therefore go up to 511 in a sector. The hexadecimal values will differ on your device, so treat the values in this blog only as a reference and apply the same method on your own device. One more thing: the word Attribute is used a lot in the table below. The information about a file is stored in various sections of the record, each section showing a different kind of information about the file, and these sections are known as Attributes.

In our case we have 0x41, so the 1st part is only 1 byte (0x2C) and the 2nd part is 4 bytes (0xAB CA EC 04). Interpreting the 1st part as an unsigned integer gives 44.

Interpreting the 2nd part as a signed integer (read least-significant byte first, i.e. 0x04ECCAAB) gives 82627243. We use a signed integer for the 2nd part because a file is sometimes fragmented and the 2nd part gives the relative cluster position. If it is negative, the fragment of the file is that many clusters before the current cluster position you are on; if it is positive, the fragment is that many clusters after the current cluster position you are on.

But this file is not fragmented, as it is not that large, so we have the position of only one cluster. If there were fragments, you would repeat the same step on the following hexadecimal values, breaking them into 2 parts again, and so on.
The value of the first part is 44, but this is not the actual length; we have to convert 44 into bytes. My cluster is 4096 bytes, so I multiply 44 by 4096: 4096x44=180224 bytes.

From the 2nd part you infer that the file's starting cluster is cluster 82627243 counted from the beginning of the volume, and from the 1st part you infer that 180224 bytes from that cluster position belong to this file (pslist.exe).
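The decoding done by hand above can be scripted. The following is an added example and is not code from the original post: it decodes an NTFS run list the same way (header byte splits into a length-field size and an offset-field size, the length is unsigned, the offset is a signed little-endian number relative to the previous run's start cluster) and turns each run into the byte offset and selection length you would type into FTK Imager. It goes beyond the post's single-run case by handling a fragmented file whose second fragment lies before the first (negative relative offset) and a sparse run; the function names and the FRAGMENTED_RUNLIST bytes are my own constructions, while PSLIST_RUNLIST is the sequence of bytes the post reads from the pslist.exe record.

```python
# Added example (not from the original post): decode an NTFS data run list and
# convert the runs into byte extents inside the volume.

CLUSTER_SIZE = 4096  # the post's cluster size (allocation unit size)


def parse_data_runs(runlist):
    """Return [(start_cluster, cluster_count), ...] in absolute cluster numbers.

    Every run begins with a header byte: the low nibble is the size in bytes of
    the length field, the high nibble the size of the offset field. The length
    is unsigned. The offset is a signed little-endian number RELATIVE to the
    previous run's start cluster (the first run is relative to cluster 0), so a
    negative value means the next fragment lies before the previous one.
    A header byte of 0x00 ends the list. An offset size of 0 marks a sparse run
    that owns no clusters on disk; its start is reported as None.
    """
    runs = []
    pos = 0
    prev_start = 0
    while pos < len(runlist):
        header = runlist[pos]
        pos += 1
        if header == 0x00:
            break
        len_size, off_size = header & 0x0F, header >> 4
        if len_size == 0 or pos + len_size + off_size > len(runlist):
            raise ValueError(f"truncated or malformed run at byte {pos - 1}")
        length = int.from_bytes(runlist[pos:pos + len_size], "little", signed=False)
        pos += len_size
        if off_size == 0:
            runs.append((None, length))
            continue
        delta = int.from_bytes(runlist[pos:pos + off_size], "little", signed=True)
        pos += off_size
        prev_start += delta
        runs.append((prev_start, length))
    return runs


def runs_to_byte_extents(runs, cluster_size=CLUSTER_SIZE):
    """(start_cluster, count) -> (byte offset in the volume, selection length in bytes)."""
    return [(start * cluster_size, count * cluster_size)
            for start, count in runs if start is not None]


# The bytes the post reads from the pslist.exe record: header 0x41, one-byte
# length 0x2C, four-byte offset AB CA EC 04, then the 0x00 terminator.
PSLIST_RUNLIST = bytes.fromhex("41 2C AB CA EC 04 00")

# Constructed run list (not from the post) for a file in three fragments; the
# second run has a negative relative offset, i.e. it sits before the first.
FRAGMENTED_RUNLIST = bytes.fromhex(
    "31 10 00 10 00"   # 16 clusters starting at cluster 0x001000 = 4096
    "21 08 F0 FF"      # 8 clusters at 4096 + (-16) = 4080
    "11 04 20"         # 4 clusters at 4080 + 32 = 4112
    "00"               # end of run list
)

if __name__ == "__main__":
    runs = parse_data_runs(PSLIST_RUNLIST)
    print(runs)                                  # [(82627243, 44)]
    print(runs_to_byte_extents(runs))            # [(338441187328, 180224)]
    print(parse_data_runs(FRAGMENTED_RUNLIST))   # [(4096, 16), (4080, 8), (4112, 4)]
```

Each (byte offset, length) pair is one Go to / Set selection length operation; the length stays the allocated size (whole clusters), so the last fragment carries slack after the real end of file.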

Click on NONAME [NTFS] and you will be able to see the 0th cluster and 0th sector.

Click on offset 0 and press Ctrl+S to open the Go to sector/cluster dialogue box. In the Cluster input box type 82627243 and press OK, as shown in the snapshot below. Your cursor will then be positioned at the beginning of that cluster.

There, right click and select the option Set selection length. Type 180224 as shown in the snapshot below and press OK.

Right click on the selected part and select the option Save Selection, as shown in the snapshot below:

Fill in the File Name with the extension. In this case I write pslist.exe as the file name, choose the path where you want to store it and press Enter. The same file will be saved there, and I can run it from the command prompt without any error, because the file is identical. If your file is fragmented, save each fragment into one directory and then run copy /b fragment1+fragment2+... filename.extension (the fragment names are joined with + in order). The fragments will be combined and the same file will be ready to use again.
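The Go to / Set selection length / Save Selection steps and the copy /b join can be reproduced in a script, which is handy when a file has many fragments. The following is an added example, not code from the post: it builds a small volume image in memory (constructed, nothing is read from a real disk), scatters a constructed 10,000-byte file over two fragments, then carves the fragments back in run order and compares hashes. The cluster numbers, the filler byte and the function names are my own choices; the only thing taken from the post is the 4096-byte cluster size and the idea that the selection length is a whole number of clusters.

```python
# Added example (not from the original post): reassemble a file from the
# clusters its data runs point to, the scripted equivalent of Go to cluster,
# Set selection length, Save Selection and `copy /b frag1+frag2 out`.
import hashlib

CLUSTER_SIZE = 4096  # cluster size used in the post


def carve_runs(volume, runs, cluster_size=CLUSTER_SIZE, real_size=None):
    """Concatenate the clusters of each (start_cluster, cluster_count) run in order.

    The result is the allocated size (a whole number of clusters). Pass the
    file's real size to drop the slack bytes that follow the end of file in
    the last cluster.
    """
    out = bytearray()
    for start, count in runs:
        begin = start * cluster_size
        end = begin + count * cluster_size
        if end > len(volume):
            raise ValueError(f"run at cluster {start} (+{count}) lies outside the volume")
        out += volume[begin:end]
    if real_size is not None:
        del out[real_size:]
    return bytes(out)


def build_demo_volume(original, runs, cluster_size=CLUSTER_SIZE, clusters=16):
    """Construct a tiny volume image with `original` written into `runs` in order."""
    volume = bytearray(b"\xFF" * (clusters * cluster_size))  # constructed filler
    pos = 0
    for start, count in runs:
        chunk = original[pos:pos + count * cluster_size]
        begin = start * cluster_size
        volume[begin:begin + len(chunk)] = chunk
        pos += count * cluster_size
    return bytes(volume)


def same_file(a, b):
    """True when both byte strings have the same SHA-256, i.e. the carve is exact."""
    return hashlib.sha256(a).hexdigest() == hashlib.sha256(b).hexdigest()


# Constructed 10,000-byte file stored in two fragments: 2 clusters starting at
# cluster 9, then 1 cluster at cluster 3 (that last cluster is only partly used).
ORIGINAL = (bytes(range(256)) * 40)[:10000]
DEMO_RUNS = [(9, 2), (3, 1)]
VOLUME = build_demo_volume(ORIGINAL, DEMO_RUNS)


def demo():
    """Return (allocated length, exact carve matches?, allocated carve matches?)."""
    allocated = carve_runs(VOLUME, DEMO_RUNS)                       # 3 clusters = 12288 bytes
    exact = carve_runs(VOLUME, DEMO_RUNS, real_size=len(ORIGINAL))  # slack removed
    return len(allocated), same_file(exact, ORIGINAL), same_file(allocated, ORIGINAL)


if __name__ == "__main__":
    print(demo())  # (12288, True, False)
```

The third value shows why a carved selection does not hash-match the original until the slack past the real file size is trimmed; an executable with trailing slack will usually still run, but its hash will not match a known-good copy.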

To retrieve the deleted file, do the following:

In the snapshot below the file pslist.exe has been permanently deleted from my logical volume. Click on it and export it to retrieve it.

The file can only be retrieved as long as you have not written anything to that volume; once you install anything on that volume, the deleted file can no longer be retrieved with FTK Imager.
