Week 3 - Extra-3 - MBR and NTFS File Systems Lab
Learning Objectives
- Select suitable forensic tools and techniques to capture, analyse, and preserve forensic evidence in each scenario.
Objectives of this Lab Session
- Investigate the structure of HDDs, SSDs, partitions, NTFS file systems, and Linux file systems.
- Analyse a physical drive and file system through a Hex Editor.
Task 1 - Background Questions
Answer the following questions in your own words.
- You may refer to Chapter 7 of the O’Reilly book Cyber Forensics: From Data to Digital Evidence, or research using other academic and online sources.
You may also include diagrams or images to support your answers.
| No. | Question | Your Answer |
|---|---|---|
| 1 | What is a disk drive track? | |
| 2 | What is a disk sector? | |
| 3 | What is a disk cluster? | |
| 4 | What does the Master Boot Record contain? | |
| 5 | Where does a Volume Boot Record (VBR) reside and what does it contain? | |
| 6 | Investigate and identify unused space on an SSD drive that could be used for hiding data. | |
| 7 | Research the NTFS log ($LogFile) and its role in logging file system activities, transactions, and metadata changes. | |
| 8 | List the main file systems used in the Windows operating system and discuss their limitations and advantages. | |
Task 2 - NTFS Boot Record Lab
This information is located in the first sector of every partition.
All values except strings are stored in little-endian format (https://en.wikipedia.org/wiki/Endianness): the least significant byte comes first, so a multi-byte value is read right to left from the hex editor display.
Steps
- Log in to your Windows PC or Windows VM.
- Run HxD as Administrator → Tools → Open disk → Logical disks → Windows (C:).
- Complete the “Hexadecimal Value” column in the table below.
Note: Record your findings in a separate document.
NTFS Boot Record Table
| Offset | Description | Size | Hexadecimal Value |
|---|---|---|---|
| 00h | Assembly code instructions to jump to boot code (mandatory in bootable partition) | 3 Bytes | |
| 03h | OEM name in ASCII | 8 Bytes | |
| 0Bh | Bytes per sector (512, 1024, 2048, or 4096) (Little Endian) | 2 Bytes | |
| 0Dh | Sectors per cluster (Power of 2, cluster size ≤ 32 KB) | 1 Byte | |
| 0Eh | Size of reserved area (Little Endian) | 2 Bytes | |
| 10h | Unused | 3 Bytes | |
| 13h | Number of sectors in partition smaller than 32 MB (N/A for FAT32/NTFS) | 2 Bytes | |
| 15h | Media Descriptor (F8h for Hard Disks) (Little Endian) | 1 Byte | |
| 16h | Size of each FAT (0 for FAT32) | 2 Bytes | |
| 18h | Sectors per track in storage device (Little Endian) | 2 Bytes | |
| 1Ah | Number of heads in storage device (Little Endian) | 2 Bytes | |
| 1Ch | Number of hidden sectors in partition (Little Endian) | 4 Bytes | |
| 20h | Unused | 4 Bytes | |
| 24h | Unused (Little Endian) | 4 Bytes | |
| 28h | Partition size in sectors (Little Endian) | 8 Bytes | |
| 30h | Cluster containing the Master File Table (MFT) (Little Endian) | 8 Bytes | |
| 38h | $MFTMirr cluster number (backup of MFT) (Little Endian) | 8 Bytes | |
| 40h | Clusters per file record segment | 1 Byte | |
| 41h | Unused (Little Endian) | 3 Bytes | |
| 44h | Cluster per index buffer | 1 Byte | |
| 45h | Unused (Little Endian) | 3 Bytes | |
| 48h | Volume serial number (Little Endian) | 8 Bytes | |
| 50h | Checksum (unused, Little Endian) | 4 Bytes | |
| 54h | Executable code - bootstrap code | 426 Bytes | |
| 1FEh | Boot record signature (55h AAh) - Little Endian | 2 Bytes | |
Boot Sector Notes
The information above is found in the first sector of the reserved region, known as the boot sector.
This sector is typically 512 bytes, though it may be longer depending on the media.
It generally includes:
- A 3-byte jump instruction to the bootstrap code
- An 8-byte ASCII OEM string
- A BIOS Parameter Block and Extended BIOS Parameter Block
- Boot code and end-of-sector signature
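To see how the offsets in the table turn into values, here is an added worked example in Python (not part of the lab sheet) that decodes the fields above from a 512-byte NTFS boot sector. The sector is constructed inline with struct.pack so the script runs offline; every value in it (OEM name, serial number, cluster numbers, sector counts) is made up for illustration. To decode a real volume, replace the constructed bytes with the 512 bytes you copy from offset 0 of the C: volume in HxD. The raw_hex() helper shows the bytes exactly as HxD displays them, so the little-endian value printed beside it demonstrates the right-to-left reading the lab asks for.

```python
"""Decode the NTFS boot sector (VBR) fields from the lab table.

Added example, not part of the original lab sheet.  The sample sector is
constructed below; every value in it is made up for illustration.
"""
import struct

# (offset, struct format, field name).  "<" = little-endian; the two
# string fields are read as raw bytes and decoded afterwards.
NTFS_BOOT_LAYOUT = [
    (0x00, "3s", "jump_instruction"),
    (0x03, "8s", "oem_name"),
    (0x0B, "<H", "bytes_per_sector"),
    (0x0D, "<B", "sectors_per_cluster"),
    (0x0E, "<H", "reserved_sectors"),
    (0x15, "<B", "media_descriptor"),
    (0x18, "<H", "sectors_per_track"),
    (0x1A, "<H", "number_of_heads"),
    (0x1C, "<I", "hidden_sectors"),
    (0x28, "<Q", "total_sectors"),
    (0x30, "<Q", "mft_cluster"),
    (0x38, "<Q", "mft_mirror_cluster"),
    (0x40, "<b", "clusters_per_file_record"),   # signed, see _record_size
    (0x44, "<b", "clusters_per_index_buffer"),
    (0x48, "<Q", "volume_serial_number"),
    (0x1FE, "<H", "boot_signature"),
]


def raw_hex(sector: bytes, offset: int, size: int) -> str:
    """Bytes as HxD shows them (left to right), for the 'Hexadecimal Value' column."""
    return " ".join(f"{b:02X}" for b in sector[offset:offset + size])


def _record_size(raw: int, cluster_size: int) -> int:
    """The clusters-per-record bytes are signed: a negative n means 2**(-n) bytes,
    a positive n means n clusters (0xF6 = -10 -> 1024-byte file records)."""
    return 2 ** (-raw) if raw < 0 else raw * cluster_size


def parse_ntfs_boot_sector(sector: bytes) -> dict:
    """Return the table fields plus the derived sizes an examiner needs."""
    if len(sector) < 512:
        raise ValueError("boot sector must be at least 512 bytes")
    fields = {}
    for offset, fmt, name in NTFS_BOOT_LAYOUT:
        (fields[name],) = struct.unpack_from(fmt, sector, offset)
    fields["oem_name"] = fields["oem_name"].decode("ascii", errors="replace")
    # Sanity checks rather than exceptions: a damaged or non-NTFS sector is
    # still evidence, so report what is wrong instead of stopping.
    fields["signature_valid"] = fields["boot_signature"] == 0xAA55   # bytes 55 AA read LE
    fields["is_ntfs"] = fields["oem_name"].startswith("NTFS")
    fields["bytes_per_sector_valid"] = fields["bytes_per_sector"] in (512, 1024, 2048, 4096)
    # Derived values used when locating $MFT on the volume
    cluster = fields["bytes_per_sector"] * fields["sectors_per_cluster"]
    fields["cluster_size"] = cluster
    fields["volume_size_bytes"] = fields["total_sectors"] * fields["bytes_per_sector"]
    fields["mft_byte_offset"] = fields["mft_cluster"] * cluster
    fields["file_record_size"] = _record_size(fields["clusters_per_file_record"], cluster)
    fields["index_buffer_size"] = _record_size(fields["clusters_per_index_buffer"], cluster)
    return fields


def build_sample_sector() -> bytes:
    """Constructed 512-byte NTFS boot sector (illustrative values only)."""
    s = bytearray(512)
    s[0x00:0x03] = b"\xEB\x52\x90"                       # jmp to boot code
    s[0x03:0x0B] = b"NTFS    "                           # OEM name
    struct.pack_into("<H", s, 0x0B, 512)                 # bytes per sector -> 00 02
    struct.pack_into("<B", s, 0x0D, 8)                   # 8 sectors/cluster -> 4 KiB clusters
    struct.pack_into("<B", s, 0x15, 0xF8)                # media descriptor: hard disk
    struct.pack_into("<H", s, 0x18, 63)                  # sectors per track
    struct.pack_into("<H", s, 0x1A, 255)                 # heads
    struct.pack_into("<I", s, 0x1C, 2048)                # hidden sectors (partition start)
    struct.pack_into("<Q", s, 0x28, 209715199)           # total sectors (~100 GiB, constructed)
    struct.pack_into("<Q", s, 0x30, 786432)              # $MFT cluster
    struct.pack_into("<Q", s, 0x38, 2)                   # $MFTMirr cluster
    struct.pack_into("<b", s, 0x40, -10)                 # 0xF6 -> 1024-byte file records
    struct.pack_into("<b", s, 0x44, 1)                   # 1 cluster per index buffer
    struct.pack_into("<Q", s, 0x48, 0x1234567890ABCDEF)  # serial number (constructed)
    s[0x1FE:0x200] = b"\x55\xAA"                         # boot record signature
    return bytes(s)


if __name__ == "__main__":
    sector = build_sample_sector()
    info = parse_ntfs_boot_sector(sector)
    # Side by side: the bytes as HxD shows them, and the little-endian value.
    for offset, fmt, name in NTFS_BOOT_LAYOUT:
        print(f"{offset:04X}h  {raw_hex(sector, offset, struct.calcsize(fmt)):<26} {name} = {info[name]!r}")
    print(f"cluster size {info['cluster_size']} B, $MFT at byte {info['mft_byte_offset']}, "
          f"file record {info['file_record_size']} B, signature ok: {info['signature_valid']}")
```

The field at 40h is worth attention when you fill in the table: on most volumes it reads F6h, which is not 246 clusters but the signed value -10, meaning file records of 2^10 = 1024 bytes. The parser also reports a bad 55 AA signature or a non-NTFS OEM string instead of aborting, since in an examination a sector that fails these checks is a finding in itself.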
Complete the Following Table
| Description | Value |
|---|---|
| OEM | |
| Bytes per Sector | |
| Sectors per Cluster | |
| Sectors per Track | |
| Number of Heads | |
| Number of Hidden Sectors | |
| Total Sectors | |
| Cluster containing the Master File Table (MFT) | |
Task 3 - Investigating GPT
- From a workstation in the Cyber Lab, run HxD as Administrator → Tools → Open disk → Hard disk.
- The GPT protective MBR is located at sector 0.
- Identify the last two bytes of this sector and record their hexadecimal values.
- The partition table (16 bytes) is located at offset 1BEh.
- Write down the hexadecimal values of these 16 bytes.
- Determine whether this partition is bootable. Explain your reasoning.
- Identify the next three bytes, which indicate the partition start (both hexadecimal and decimal values).
- The partition type is found at offset 1C2h. Identify both the hex value and the corresponding partition type.
- Determine the partition size.
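The steps above walk one 16-byte entry by hand; the following added Python example (not part of the lab sheet) does the same decoding over a constructed protective MBR so the steps can be checked offline. It goes slightly beyond the task by decoding all four entries of the partition table rather than only the first. The sector is built inline and its values (the disk size in particular) are made up for illustration; to decode a real disk, replace it with the 512 bytes of sector 0 copied from HxD. The lab asks for the partition type at 1C2h, which on a GPT disk is EEh (protective MBR); the small type table below covers that and a few other common types.

```python
"""Decode sector 0 (MBR / GPT protective MBR) partition table entries.

Added example, not part of the original lab sheet.  The sample sector is
constructed below with illustrative values.
"""
import struct

MBR_PARTITION_TABLE = 0x1BE   # first of four 16-byte entries (lab step: offset 1BEh)
MBR_SIGNATURE = 0x1FE         # last two bytes of the sector: 55 AA

# Common partition type bytes; a GPT disk's protective MBR uses EEh.
PARTITION_TYPES = {
    0x00: "empty",
    0x07: "NTFS / exFAT / HPFS",
    0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)",
    0x83: "Linux",
    0xEE: "GPT protective MBR",
    0xEF: "EFI system partition",
}


def raw_hex(data: bytes, offset: int, size: int) -> str:
    """Bytes as HxD shows them, for writing down the hexadecimal values."""
    return " ".join(f"{b:02X}" for b in data[offset:offset + size])


def decode_chs(b: bytes) -> tuple:
    """3-byte CHS address -> (cylinder, head, sector).
    Byte 0 = head; byte 1 bits 0-5 = sector, bits 6-7 = cylinder bits 8-9;
    byte 2 = cylinder bits 0-7."""
    head = b[0]
    sector = b[1] & 0x3F
    cylinder = ((b[1] & 0xC0) << 2) | b[2]
    return cylinder, head, sector


def parse_partition_entry(entry: bytes, sector_size: int = 512) -> dict:
    """Decode one 16-byte entry: status, CHS start, type, CHS end, LBA start, size."""
    status, chs_start, ptype, chs_end, lba_start, size_sectors = struct.unpack(
        "<B3sB3sII", entry)
    return {
        "status": status,
        "bootable": status == 0x80,          # 80h = active/bootable, 00h = inactive
        "chs_start": decode_chs(chs_start),  # the "next three bytes" after the status byte
        "type": ptype,                       # byte at 1C2h for the first entry
        "type_name": PARTITION_TYPES.get(ptype, "unknown"),
        "chs_end": decode_chs(chs_end),
        "lba_start": lba_start,              # little-endian, 4 bytes
        "size_sectors": size_sectors,        # little-endian, 4 bytes
        "size_bytes": size_sectors * sector_size,
    }


def parse_mbr(sector: bytes) -> dict:
    """Decode the signature and all four partition entries of sector 0."""
    if len(sector) < 512:
        raise ValueError("MBR must be at least 512 bytes")
    (signature,) = struct.unpack_from("<H", sector, MBR_SIGNATURE)
    entries = []
    for i in range(4):
        start = MBR_PARTITION_TABLE + 16 * i
        entries.append(parse_partition_entry(sector[start:start + 16]))
    return {
        "signature": signature,                        # 55 AA read little-endian -> 0xAA55
        "signature_valid": signature == 0xAA55,
        "partitions": entries,
        "is_gpt_protective": entries[0]["type"] == 0xEE,
    }


def build_sample_protective_mbr() -> bytes:
    """Constructed protective MBR: one EEh entry covering the disk from LBA 1.
    The disk size (500118191 sectors after sector 0) is an illustrative value."""
    s = bytearray(512)
    struct.pack_into("<B3sB3sII", s, MBR_PARTITION_TABLE,
                     0x00,                # not bootable
                     b"\x00\x02\x00",     # CHS start: cylinder 0, head 0, sector 2
                     0xEE,                # GPT protective
                     b"\xFF\xFF\xFF",     # CHS end pinned at the maximum 1023/255/63
                     1,                   # LBA start: sector 1 holds the GPT header
                     500118191)           # size in sectors (constructed)
    s[MBR_SIGNATURE:MBR_SIGNATURE + 2] = b"\x55\xAA"
    return bytes(s)


if __name__ == "__main__":
    sector = build_sample_protective_mbr()
    print("last two bytes:", raw_hex(sector, MBR_SIGNATURE, 2))
    print("entry 0 raw:  ", raw_hex(sector, MBR_PARTITION_TABLE, 16))
    for i, p in enumerate(parse_mbr(sector)["partitions"]):
        if p["type"]:
            print(f"entry {i}: bootable={p['bootable']} type={p['type']:02X}h ({p['type_name']}) "
                  f"chs_start={p['chs_start']} lba_start={p['lba_start']} "
                  f"size={p['size_sectors']} sectors = {p['size_bytes']} bytes")
```

Two points the script makes explicit for the write-up: the status byte at 1BEh decides bootability (80h active, 00h inactive), and the CHS start bytes are bit-packed, so the cylinder is split across two bytes and is read with the mask shown in decode_chs rather than as a plain little-endian number.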