Assignment III:
FAT File System
Student number : Name :
Student number : Name :
Purpose: The purpose of this laboratory assignment is to better understand FAT file system concepts by seeing them on-disk. This lab will also give you additional experience with recognizing, interpreting, and following data structures in general.
Turn in: Please insert the screenshot (snippets preferred over entire window of the tool, e.g. hex editor) where instructed, rather than attaching photos of the screen. Use the screenshot tool to mark the key fields (e.g. hex data fields, addresses fields, etc.) in the screenshot. Number your answers, ensuring your numbering matches the question numbering!
Instructions:
Location: This lab is ideally completed in the Cyber Security Lab (CSL), but may be completed elsewhere with a sufficiently functioning hex editor (WinHex, HxD, FTK imager, etc.). The lab was built with WinHex and the lab workstations in mind. You will do all of this within your Forensics workstation (Virtual machines).
Required Materials: A virtual thumb drive created in the virtual machine. Note, you will be WIPING and reformatting the thumb drive for this lab. You will also need your textbook to reference data structure tables therein. When you use the virtual thumb drive, please follow the instruction carefully to avoid potential harm to your computer's data.
Media Preparation:
Wipe thumb drive via WinHex (optional, usually unnecessary).
Check virtual thumb drive in your Virtual machine
Start WinHex (The WinHex has been installed on the desktop of the virtual machine)
Tools > Start Center > Open Disk > select the thumb drive under physical media (NOT logical drives). Make sure you select the correct media, else you wipe the wrong thing!
Options > Edit Mode > In-Place Edit Mode
Edit > Select All
Edit > Fill Block … Fill with \x00, 1 pass only
Return Edit Mode to “Read-Only” (Options > Edit Mode > Read-Only Mode) and close WinHex
Reformat the thumb drive with FAT32
Format the drive with FAT32
Default allocation size
Volume label: enter your last name in English
Select quick format
Lab Steps & Questions:
Start WinHex
Tools > Start Center > Open Disk > select the thumb drive under physical media (NOT logical drives). Make sure you select the correct media, else you wipe the wrong thing!
“Walk” the file system as directed below and by answering the questions listed. Use the data structure tables referenced below to assist you.
PART I – Reserved Area (Use Tables 10.1 and 10.3 on pgs 186 and 187)
Provide a screen shot of the first 100 bytes of the boot sector to support your answers below. NOTE: For all screen prints, include the offset column, the hex view (column), and the ASCII view (column).
1. OEM Name in ASCII
2. Bytes per sector in Hex
3. Bytes per sector in Decimal
4. Sectors per cluster in Hex
5. Sectors per cluster in Decimal
6. Number of sectors in Reserved area in Hex
7. Number of sectors in Reserved area in Decimal
8. Is/are there one FAT, or are there two mirrored FATs?
9. Size (in sectors) of each FAT in Hex
10. Size (in sectors) of each FAT in Decimal
11. Extent (starting cluster) of the root directory
12. Physical sector (LBA) of the start of the “FAT area.” Explain the basis for your answer.
13. Physical sector (LBA) of the start of the “Data Area.” Explain the basis for your answer, including showing any calculations.
Recall, the start of the “Data Area” is the location of the first addressable cluster, Cluster 2. Notice above, the root directory is assigned to Cluster 2. Go to the beginning of the Data Area you calculated above and verify your calculation is correct.
14. If you did it correctly, you will see your last name there. Why? (explain what your last name represents in this context, and why it is located here relative to the layout of a FAT partition, directory entry structures, etc.)
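The Part I questions all come from the BPB in the boot sector, and #12 and #13 are arithmetic on those fields. The following is an added worked example, not part of the lab handout: it builds a constructed FAT32 boot sector (the field values are made up to look typical; the label "SMITH" is a placeholder last name) and decodes it with Python's struct module. The computed LBAs are relative to the first sector of the volume; if the volume sits inside a partition, add the partition's starting sector (the hidden-sectors field) to get the physical sector WinHex shows.

```python
import struct

def build_sample_boot_sector() -> bytes:
    # Constructed FAT32 boot sector (not captured from a real drive); values chosen to be typical
    bs = bytearray(512)
    bs[0:3], bs[3:11] = b"\xEB\x58\x90", b"MSWIN4.1"
    # BPB: bytes/sector, sectors/cluster, reserved, FATs, root entries, total16, media,
    #      sectors/FAT16, sectors/track, heads, hidden sectors, total32
    struct.pack_into("<HBHBHHBHHHII", bs, 11, 512, 8, 32, 2, 0, 0, 0xF8, 0, 63, 255, 0, 1048576)
    # FAT32 extension: sectors/FAT, ext flags, version, root cluster, FSInfo, backup boot
    struct.pack_into("<IHHIHH", bs, 36, 1024, 0, 0, 2, 1, 6)
    bs[64], bs[66] = 0x80, 0x29
    bs[71:82], bs[82:90] = b"SMITH      ", b"FAT32   "   # volume label, FS type string
    bs[510:512] = b"\x55\xAA"
    return bytes(bs)

def parse_bpb(sector: bytes) -> dict:
    # Decode the reserved-area fields the Part I questions ask for and derive the area LBAs
    if len(sector) < 512 or sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    (bps, spc, reserved, nfats, root_ents, _tot16, _media, spf16,
     _spt, _heads, hidden, _tot32) = struct.unpack_from("<HBHBHHBHHHII", sector, 11)
    spf32, ext_flags, _ver, root_clus, _fsinfo, _backup = struct.unpack_from("<IHHIHH", sector, 36)
    if spf16 != 0 or root_ents != 0:
        raise ValueError("FAT12/16-only fields are non-zero: not a FAT32 BPB")
    fat_lba = reserved                          # FAT area starts right after the reserved area
    data_lba = reserved + nfats * spf32         # data area (cluster 2) follows all FAT copies
    return {
        "oem": sector[3:11].decode("latin-1").rstrip(),
        "bytes_per_sector": bps,
        "sectors_per_cluster": spc,
        "reserved_sectors": reserved,
        "num_fats": nfats,
        "fat_mirrored": not (ext_flags & 0x80),  # ExtFlags bit 7 clear = mirroring on
        "sectors_per_fat": spf32,
        "root_cluster": root_clus,
        "hidden_sectors": hidden,                # add to the LBAs below if the volume is in a partition
        "fat_lba": fat_lba,
        "data_lba": data_lba,
        "root_dir_lba": data_lba + (root_clus - 2) * spc,
        "volume_label": sector[71:82].decode("latin-1").rstrip(),
    }
```

With these constructed values the FAT area starts at sector 32 and the data area (and the root directory, since the root cluster is 2) at sector 32 + 2 * 1024 = 2080, which is the kind of calculation #13 asks you to show.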
PART II – Directory Entry Structures (Text and Tables on pgs 191-198 will assist you)
In Explorer, browse the thumb drive, noticing nothing is on it.
Right-click in the empty browser pane and select New Text Document (create the file exactly this way), then hit Enter to accept the default file name rather than renaming it.
Go back to WinHex, select View > Refresh, and go to the physical sector containing the root directory (determined above).
Provide a screen shot of your root directory entry structure.
15. How many 32B directory entry structure entries do you see?
16. Explain what each entry is for (i.e., why each one exists relative to directory structure entry types). Include any ASCII or Unicode text contained in each entry, relative to its entry type.
Now rename the file to “New Text Document.txt”
In WinHex, select View > Refresh.
Provide a new screen shot of your root directory entry structure.
17. How many 32B directory entry structure entries do you see now?
Explain what each entry is for (i.e., why each one exists relative to directory structure entry types). Include any ASCII or Unicode text contained in each entry, relative to its entry type.
Now rename New Text Document.txt to file1.txt
In WinHex, select View > Refresh.
Provide a new screen shot of your root directory entry structure.
18. How many 32B directory entry structure entries do you see now?
Explain any new, additional entries, as well as what has changed in the entries, if anything, in the entries that existed before the file renaming.
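To check your reading of the 32-byte entries in #15 through #18, here is an added example (not part of the lab handout) that builds a constructed root directory as it would look after the rename to "New Text Document.txt" and decodes it: the volume-label entry, the long-file-name (LFN) entries with attribute 0x0F, and the 8.3 entry they belong to. The 8.3 alias "NEWTEX~1TXT" and the label "SMITH" are assumed placeholder values. The parser also reports entries whose first byte is 0xE5, which is what you should look for after the second rename.

```python
def lfn_checksum(short11: bytes) -> int:
    # Checksum of the 11-byte 8.3 name; stored in byte 13 of every LFN entry
    s = 0
    for b in short11:
        s = (((s & 1) << 7) + (s >> 1) + b) & 0xFF
    return s

def build_short_entry(short11: bytes, attr: int) -> bytes:
    # 32-byte 8.3 entry; cluster and size stay 0, as for a fresh empty text file
    e = bytearray(32)
    e[0:11], e[11] = short11, attr
    return bytes(e)

def build_lfn_entries(long_name: str, short11: bytes) -> bytes:
    # LFN entries (attr 0x0F) in on-disk order: highest sequence number first
    padded = long_name + "\x00"
    padded += "\uffff" * (-len(padded) % 13)      # unused UTF-16 slots hold 0xFFFF
    chunks = [padded[i:i + 13] for i in range(0, len(padded), 13)]
    chk, out = lfn_checksum(short11), b""
    for n in range(len(chunks), 0, -1):
        u = chunks[n - 1].encode("utf-16-le")
        seq = n | (0x40 if n == len(chunks) else 0)  # 0x40 flags the last piece
        out += bytes([seq]) + u[:10] + bytes([0x0F, 0, chk]) + u[10:22] + b"\0\0" + u[22:]
    return out

def parse_directory(data: bytes) -> list:
    # Returns (kind, 8.3 name, long name or None) per entry, reassembling LFN pieces
    entries, pending = [], []
    for off in range(0, len(data), 32):
        e = data[off:off + 32]
        if e[0] == 0x00:                   # 0x00: no entries follow
            break
        if e[0] == 0xE5:                   # 0xE5: deleted; the remaining name bytes survive
            entries.append(("deleted", e[1:11].decode("latin-1"), None)); pending = []
        elif e[11] == 0x0F:                # LFN piece: hold until its 8.3 entry arrives
            pending.append(e)
        else:
            short11 = e[0:11]
            kind = "label" if e[11] & 0x08 else "dir" if e[11] & 0x10 else "file"
            long_name = None
            if pending and all(p[13] == lfn_checksum(short11) for p in pending):
                raw = b"".join(p[1:11] + p[14:26] + p[28:32] for p in reversed(pending))
                long_name = raw.decode("utf-16-le").split("\x00")[0]
            entries.append((kind, short11.decode("latin-1"), long_name)); pending = []
    return entries
# Constructed root directory as it looks after renaming to "New Text Document.txt"
SAMPLE_ROOT_DIR = (build_short_entry(b"SMITH      ", 0x08)
                   + build_lfn_entries("New Text Document.txt", b"NEWTEX~1TXT")
                   + build_short_entry(b"NEWTEX~1TXT", 0x20) + bytes(32))
```

A 21-character name needs two LFN entries (13 UTF-16 characters each), so the sample directory holds four live entries before the terminating zero entry.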
PART III – FAT Table (Pages 190-191 of the Textbook will assist you)
Save the instructor provided “test13k.txt” file (referred to hereafter as “the file”) onto your thumb drive (The file is on the desktop of the VM)
Run “PassMark Fragger” (The PassMark fragger has been installed on the desktop of the virtual machine)
Select the file to fragment and click Analyze File
Now set Fragmentation Settings to: 3 fragments and ‘concentrated’ location on disk
Concentrated: Each fragment is within 25% of the previous fragment
Scattered: Each fragment is at least 25% away from the previous fragment
Random: Each fragment is assigned a random location anywhere on the disk
First Fit: Each fragment is assigned the first available space starting from beginning of the disk
Click Fragment
Provide a screen print of your fragmentation tool output after the fragmentation.
Now find the file PHYSICALLY and MANUALLY. Go to the root directory cluster, find the newly created file’s directory entry. Remember to Refresh the WinHex view when necessary.
19. Take a screen shot (aka capture, screen print) of the directory entry in WinHex. Highlight the entire entry using WinHex’s block highlighting capability.
20. What is the extent (starting cluster) of the newly created, fragmented file? Give your answer in Hex and Decimal. (Use Tables 10.5 in the textbook)
Go to the file’s respective FAT “cell” in the FAT table in the FAT area. Recall that since we’re talking about FAT32, 32 bits (or 4 bytes) are allowed/used for each cluster address. Thus, the first four bytes correspond to cluster 0, the second four to cluster 1, and so on.
21. Take a screen shot of the FAT showing the file’s allocated clusters (multiple screen shots if necessary).
22. Identify the file fragmentation (extent of each fragment, length of each fragment, fragment order). For example, fill the following blanks in using decimal numbers:
Fragment __: Starts at cluster _______ and is ___ clusters long
Do this for each fragment. #21 above asks for screen shots; #22 asks you to interpret those screen shots.
Go to those locations and verify your answer above is correct. In other words, go to each fragment extent identified in #22 above, and verify your file data continues for the expected number of clusters. It will be hard for you to logically verify the cluster order, since your file content is random data. To go to the fragment extents, you will need to convert the cluster number to physical sector (aka LBA) address. Show your calculation process of the physical sector (aka LBA) for each fragment. The first formula on page 164 will help you do this. Provide a screen shot of physical sector of every fragment. Keep note of the physical sector starting address for each fragment to assist you with question #24 below.
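The chain-following and cluster-to-sector conversion described for #22 and the verification step, as an added example that is not part of the lab handout. It builds a constructed FAT32 table (not your drive's FAT) for a 13 KB file in three fragments, walks the chain from its starting cluster, groups it into fragments, and converts each fragment's first cluster to an LBA with the lab's formula. The data-area start 2080 and 8 sectors per cluster are assumed values; use the ones you derived in Part I. Only the low 28 bits of each 4-byte cell hold the cluster number, and a value of 0x0FFFFFF8 or higher marks the end of the chain.

```python
import struct

FAT32_EOC = 0x0FFFFFF8          # a next-cluster value >= this ends the chain

def build_sample_fat(links: dict, n_entries: int = 32) -> bytes:
    # Constructed FAT32 table: cells 0 and 1 are reserved, then the given cluster->next links
    fat = [0] * n_entries
    fat[0], fat[1] = 0x0FFFFFF8, 0x0FFFFFFF
    for clus, nxt in links.items():
        fat[clus] = nxt
    return b"".join(struct.pack("<I", v) for v in fat)

def next_cluster(fat: bytes, cluster: int) -> int:
    # Each FAT32 cell is 4 bytes; only the low 28 bits carry the cluster address
    (value,) = struct.unpack_from("<I", fat, cluster * 4)
    return value & 0x0FFFFFFF

def follow_chain(fat: bytes, start: int) -> list:
    chain, seen, cur = [], set(), start
    while True:
        if cur < 2 or cur * 4 + 4 > len(fat) or cur in seen:
            raise ValueError(f"invalid or looping cluster {cur} in chain")
        chain.append(cur); seen.add(cur)
        nxt = next_cluster(fat, cur)
        if nxt >= FAT32_EOC:
            return chain
        if nxt == 0:                 # 0 means free: the chain is broken
            raise ValueError(f"cluster {cur} points to a free cluster")
        cur = nxt

def fragments(chain: list) -> list:
    # Group the chain into (start_cluster, length) runs of consecutive clusters
    runs = []
    for c in chain:
        if runs and c == runs[-1][0] + runs[-1][1]:
            runs[-1] = (runs[-1][0], runs[-1][1] + 1)
        else:
            runs.append((c, 1))
    return runs

def cluster_to_lba(cluster: int, data_lba: int, spc: int) -> int:
    # The lab's cluster-to-sector formula: (cluster - 2) * sectors_per_cluster + data_area_start
    return (cluster - 2) * spc + data_lba

def fragment_report(fat: bytes, start: int, data_lba: int, spc: int) -> list:
    # One (fragment_no, start_cluster, length, start_lba) tuple per fragment, in file order
    return [(n + 1, c, ln, cluster_to_lba(c, data_lba, spc))
            for n, (c, ln) in enumerate(fragments(follow_chain(fat, start)))]

# Constructed FAT for a 13 KB file in 3 fragments (4 KB clusters): clusters 5-6, 10, 13
SAMPLE_FAT = build_sample_fat({5: 6, 6: 10, 10: 13, 13: 0x0FFFFFFF})
```

fragment_report(SAMPLE_FAT, 5, 2080, 8) gives the three "Fragment N: starts at cluster C and is L clusters long" answers together with the sector to jump to in WinHex for each.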
Now delete the newly created, fragmented file.
23. What do you expect to happen to the file data, its directory entry, and the FAT as a result of the file deletion?
24. Looking at the disk physically, were your expectations correct? Provide the screen shots that verify whether your expectations above were correct.
NOTE: You will receive full credit for #24, even if your expectations were incorrect in #23. However, you should provide your explanation of what you saw/learned in #24.
Please help.