COMPSCI 590K: Advanced Digital Forenics Systems | Spring 2020

Assignment 04: Filesystem Modification

This assignment is due by 9pm on Thursday, March 26. It must be submitted through Moodle.

In this assignment, you are going to demonstrate your understanding of the on-disk format of a simple filesystem (FAT16). In particular, you are going to modify an existing disk image by directly manipulating it.

You’ll need to download a copy of adams.dd, which you may remember from the first lecture. You will also likely want to have TSK installed, as well as have access to a hex editor.

You may recall you can use various tools from TSK to view its contents:

> fsstat adams.dd 
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: FAT16

OEM Name: BSD  4.4
Volume ID: 0x36c013ef
Volume Label (Boot Sector): ADAMS      
Volume Label (Root Directory):
File System Type Label: FAT16   

Sectors before file system: 0

File System Layout (in sectors)
Total Range: 0 - 10238
* Reserved: 0 - 0
** Boot Sector: 0
* FAT 0: 1 - 20
* FAT 1: 21 - 40
* Data Area: 41 - 10238
** Root Directory: 41 - 72
** Cluster Area: 73 - 10238

METADATA INFORMATION
--------------------------------------------
Range: 2 - 163174
Root Directory: 2

CONTENT INFORMATION
--------------------------------------------
Sector Size: 512
Cluster Size: 1024
Total Cluster Range: 2 - 5084

FAT CONTENTS (in sectors)
--------------------------------------------
75-76 (2) -> EOF
3743-8792 (5050) -> EOF
> fls adams.dd 
r/r 3:	ADAMS       (Volume Label Entry)
d/d 5:	images
r/r 7:	Designs.doc
v/v 163171:	$MBR
v/v 163172:	$FAT1
v/v 163173:	$FAT2
V/V 163174:	$OrphanFiles
> istat adams.dd 7
Directory Entry: 7
Allocated
File Attributes: File, Archive
Size: 2585088
Name: DESIGNS.DOC

Directory Entry Times:
Written:	2008-08-28 16:10:28 (EDT)
Accessed:	2008-08-28 00:00:00 (EDT)
Created:	2008-08-28 16:10:28 (EDT)

Sectors:
3743 3744 3745 3746 3747 3748 3749 3750 
3751 3752 3753 3754 3755 3756 3757 3758 
...listing continues...

Now, you will demonstrate why a chain of custody is so important: You’re going to modify the image! I want you to do the following:

  • (50 points) First, rearrange DESIGNS.DOC. It currently starts at sector 3743 (which is cluster 1837, see the relevant lecture notes for help in how we computed this number) and is otherwise contiguous for 2525 clusters (5050 sectors). Move only its first cluster from its current (source) cluster to a target cluster. In particular, the target is the first cluster immediately following the file. In other words, move the contents of cluster 1837 to cluster 4362. Zero out the source cluster and otherwise mark it as unallocated in the filesystem metadata. And, modify all other relevant filesystem metadata structures, so that if the filesystem were mounted it would be valid (and the .DOC is not corrupted).

  • (10 points) Next, update its Written date to 2020-04-01. (If you are working in a group, also update its time to something you find amusing.)

What to submit

Write a short report describing what actions you took and why. Also include TSK output as above after your modifications. Wrap all this into a zip file, along with your modified adams.dd and submit it using Moodle.

As usual, group work is permissible. To make the assignment more interesting for a group, you might do something slightly more sophisticated. A relatively easy thing to do is to undelete the deleted file on the image. A more sophisticated option is to create a new directory and move the DOC into it – through direct manipulation, not by mounting the disk image. I don’t recommend attempting this with other filesystems; while it’s doable, the many details of NTFS or Ext2/3 will make it much more time-consuming. If you have other ideas get in touch to clear them with me first.

Menu