$24
Objectives:
Become familiar with the WinHex forensics tool.
Use WinHex to explore the MFT and be able to analyze both resident and non-resident files.
Instructions: This lab is designed based on the hands-on projects provided by our textbook. We adopt the use of these hands-on projects in this computer forensics class with full respect to the contributions and copyright of the original textbook authors.
Part 1: Explore MFT of a file.
Create a text file named “forensicsclass.txt” and put it into your working directory.
In the file, type in “We will have a forensics class on Monday.”
Append an alternate data stream to the file using command “echo”. The hidden message is “If you study hard, then you are likely to succeed.”
Display the hidden message using command “more”.
Next, examine the metadata of the forensicsclass.txt file stored in the $MFT file. Start WinHex with the Run as administrator option. If you see an evaluation warning message, click OK.
As a safety precaution, click Options, Edit Mode from the menu. In the Select Mode dialog box, click Read-Only Mode (=write protected), as shown in Figure 2, and then click OK.
Figure 1
Click Tools, Open Disk from the menu. In the View Disk dialog box, click the drive where you saved forensicsclass.txt., and then click OK. If you’re prompted to take a new snapshot, click Take a new one. Depending on the size and quantity of data on your disk, it might take several minutes for WinHex to traverse all the files and paths on your disk drive.
Click Options, Data Interpreter from the menu. In the Data Interpreter Options dialog box, click the Win32 FILETIME (64 bit) check box, shown in Figure 3, and then click OK. The Data Interpreter should then have FILETIME as an addition display item.
Figure 2
Now you need to navigate to your working directory where you saved your forensicsclass.txt in WinHex. In the upper-right pane of WinHex, scroll down until you see your working directory. Double-click each folder in the path and then click the forensicsclass.txt file.
Figure 3
Click at the beginning of the record, on the letter F in FILE, and then drag down and to the right while you monitor the hexadecimal counter in the lower-right corner. For example, the start of attribute 0x10 is at offset 0x38 from the beginning of the MFT record. To find the start of attribute 0x10, drag the cursor until the counter reaches 38. When the counter reaches 38, release the mouse button.
You may find needed date and time from here Offset counter
Click here drag down until the offset counter shows the number you want
Figure 4
After dragging, release mouse button and click here to interpret the data follows
Move the cursor one position to the next byte and then you may start to analyze attribute 0x10. Recall what we learned in class, the file’s create date and time can be found at offset 0x18 to 0x1F from the beginning of attribute 0x10. Use similar method as in step 7 to find the file create date and time for forensicsclass.txt. Refer to your handout for the attribute details.
Start of attribute 0x10 File create date and time Offset counter =18
Figure 5
Repeat step 8 to analyze all attributes for file forensicsclass.txt and answer the following questions. Take screenshots to prove your answer for each question.
Questions for Part 1:
According to the data interpreter, what is the file create date and time for the file forensicsclass.txt? Take a screenshot to prove your answer.
What is the size of the MFT record?
What is the length of the header?
What is the file’s last modified date and time?
How many 0x30 attributes does this file have? Why?
What is the name of this file?
Is this file a resident file or nonresident file? Where can you find the evidence?
Did you find the hidden message in the file when you check the MFT record? Take a screenshot to show the hidden message.
How many 0x80 attributes does this file have? What is the possible reason?
Part 2: Analyze a given MFT record.
Given the MFT record below, please answer the questions from 11-16.
Questions for Part 2:
Is this file a resident file or nonresident file? Where can you find the evidence?
How many data runs does this file have?
What is the starting cluster address value for the first data run (LCN)? You don’t need to calculate the result if you provide a math expression.
How many clusters are assigned to the first data run?
Does this file have other data runs? If yes, what is the starting cluster address value for the second data run (LCN)? You don’t need to calculate the result if you provide a math expression.
How many clusters are assigned to the second data run?
Deliverable:
You need to submit a lab report to Canvas. Your lab report should answer questions for both parts. Use a screenshot to prove your answer when necessary. Include necessary narrative and analysis to make your report clear. All answers should be in big endian. You may provide Hexadecimal values directly. The report will be evaluated based on the correctness, completeness, clarity and quality of English writing.