SANS Digital Forensics and Incident Response Blog: Author - Dave Hull

Sizing up the FAT

Another Tuesday, another FAT post. If you're just joining us, you can find the whole series of posts here.

Over the last month or two, we've been working with a FAT image that has been modified by the suspect in a case we're working. We have slowly been undoing the changes made by the suspect, one file at a time. We have one file left to make right so let's see what's going on with our third and final file. Recall the output from fls from previous posts:
fls ouput from usbkey.img
We've already recovered the first two files and adjusted the cluster chains in


A big FAT lie part 2

Last week we looked at the next file in our disk image (next file according to the output from fls). We saw that though the file was 15585 bytes, istat reported only a single sector for the file. Based on our cluster/sector size of 512 bytes, the file should have occupied 31 sectors (15585/512=30.439..., round up).

We theorized that we may have a broken or missing FAT cluster chain. Knowing the file should occupy 31 clusters, we used the blkstat command to carve out 31 clusters of data beginning at sector 834. We found only nulls.

At this point, most sane investigators probably would have reached for their favorite

...


A big FAT lie

In the last post in our quest to restore the tampered FAT file system to its untainted state, we rebuilt the cluster chain in the File Allocation Table so we could copy out the file from the mounted file system. Let's move on to the next file in our image.fls ouput from usbkey.img

Let's see about "cover page.jpg." For starters, let's copy the file out of the mounted file system:


2009 Forensics Summit reviews

For those who missed it, a quick post of the reviews of the 2009 SANS WhatWorks Summit in Forensics and Incident Response.

Craig Ball wrote, "The talented presenters didn't disappoint. The leading lights in forensics and information security shared their tips, tools and insights;" See his post at EDD Update for his full review.

Harlan Carvey said, "it was totally awesome and well worth every second I was there." All of Carvey's comments are over at his Windows Incident Response blog.

Chris Pogue wrote, "Being able to hear speakers like Harlan Carvey, Oive Carroll, Richard

...


Rebuilding FAT cluster chains

For those reading this entry and not familiar with the others in the series, a brief bit of background is in order. This post is the fourth in a series about the FAT file system. We have a disk image taken from a suspect's USB key, but some of the metadata has been modified to make getting at the evidence more difficult, though only slightly. We're attempting to undo the modifications our suspect has made and restore the image to its unaltered state.

I did a little digging over the weekend and discovered a couple links that may be of interest to those playing along at home. First, Mike Murr, of Code-X Technologies and Forensicblog.org, has covered some aspects concerning our image on his blog