COMP5350 – Solved
Disk Image Investigation
Adia Foster, Vicki McLendon, Mary Mitchell
Problem Description
During a forensics investigation, a laptop was collected for examination. Our team was given a disk image from the laptop and tasked with analyzing and recovering the digital artifacts on the device in order to determine whether it held evidence of illegal activity.
Technical Analysis and Recovery
Upon receiving the disk, our team started the analysis by using a Linux terminal and the fdisk command to determine the partition information of the disk (Figure 3). The disk was found to have three partitions. The first and third partitions were FAT16 partitions and the second was an NTFS partition.
For the first partition (FAT16, labelled PLANS), we used hexdump to read the boot sector and obtain the partition parameters needed for the recovery process (Figure 4, Table 1). We then used hexdump to examine the first FAT area of the partition (Figure 5). From this output we determined that the data area offset for the partition was one cluster (8 sectors), indicated by the fifth and sixth bytes of the output. The first FAT area also revealed that there were four files on the partition, along with the clusters allocated to each file (Table 2). Finally, we used hexdump to read the root directory of the partition (Figure 6). The root directory indicated that the files on the first partition were plans of some kind, and it gave, for each of the four files, its name (Email, Necklace, Dash, Gems), extension (doc, pdf, jpg, pdf), attributes (archive), time (0:18:42, 0:02:06, 0:13:04, 0:13:04), date (9/2/20), starting cluster (0x0003, 0x0006, 0x001c, 0x0028) and size in bytes (11700, 86321, 46678, 901175) (Table 4). With this information we calculated the starting and ending byte offset of each file (Table 2) as well as its size in sectors (Table 3). The files could then be recovered with the dd command in a Linux terminal (Table 5).
For the third partition (the second FAT16 partition, labelled OBJECTIVE), hexdump was again used to read the partition parameters from the boot sector (Figure 7, Table 6). We then examined the first FAT area, which gave the data area offset (1 cluster), the number of files on the partition (4) and the clusters allocated to each file (Table 7). The root directory indicated that the files on this partition concerned some objective. It gave, for each of the four files, its name (Plan, History, Goal, Surveil), extension (gpg), attributes (archive), time (23:59:50), date (8/31/20), starting cluster (0x0003, 0x0004, 0x0068, 0x006b) and size in bytes (7584, 1627994, 48660, 5702) (Table 9). From this we determined the starting and ending byte offsets of the files (Table 7) and their sizes in sectors (Table 8). Finally, the files were recovered with the dd command in a Linux terminal (Table 10).
The second partition was NTFS, labelled INFO. Each file's MFT record carried the following attributes: x10 (standard information), x30 (file name), x50 (security descriptor) and x80 (data). The files found on this partition were Mystery.zip, Surveil.jpg, Surveil2.zip and Encoding.pdf. Using the fdisk -l command in a terminal, we determined that the second partition was of type NTFS and starts at sector 514048. With the Active Disk Editor software we were able to see the file names, and with the NTFS spreadsheet template we were given we calculated where each file's data starts. Using the values from the spreadsheet, we ran hexdump commands to confirm the file information and dd commands to recover the files; the commands used are listed in Tables 14 and 15. The password to extract the Surveil and Mystery zip files was “G3tTh3G00dStuff!”.
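The offset arithmetic behind Tables 3, 8 and 13 above, written out as an added example (not part of the original report): the FAT16 geometry from Tables 1 and 6 is turned into the data-area start, a 32-byte root directory entry is decoded into the fields the report tabulates, and the same starting-cluster and byte-size values become the dd skip/count of Tables 5 and 10; an NTFS helper does the cluster-to-disk-sector step of Table 13. The dict keys, function names and the packed Email entry are constructed for this example.

```python
import math
import struct

# FAT16 geometry of partitions 1 and 3 as read from their boot sectors (Tables 1 and 6).
PARTITION_1 = dict(start=2048, bps=512, spc=8, reserved=8, fats=2, spf=256, root=32)
PARTITION_3 = dict(start=1538048, bps=512, spc=32, reserved=32, fats=2, spf=192, root=32)
# 32-byte FAT directory entry: name(8) ext(3) attr nt tenth ctime cdate adate hi wtime wdate start(2) size(4).
ENTRY_FMT = "<8s3sBBBHHHHHHHI"

def data_area_start(g):
    """Absolute sector of cluster 2: partition start + reserved + both FATs + root directory."""
    return g["start"] + g["reserved"] + g["fats"] * g["spf"] + g["root"]

def cluster_to_sector(g, cluster):
    """Absolute sector of a data cluster (FAT cluster numbering begins at 2)."""
    return data_area_start(g) + (cluster - 2) * g["spc"]

def parse_entry(raw):
    """Decode the fields Tables 4 and 9 list; 0xE5 as first name byte marks a deleted entry."""
    (name, ext, attr, _nt, _tenth, _ct, _cd, _ad, _hi,
     wtime, wdate, start, size) = struct.unpack(ENTRY_FMT, raw)
    deleted = name[0] == 0xE5
    text = ("?" + name[1:].decode("ascii")) if deleted else name.decode("ascii")
    return {"name": text.strip(), "ext": ext.decode("ascii").strip(),
            "archive": bool(attr & 0x20), "deleted": deleted,
            "time": (wtime >> 11, (wtime >> 5) & 0x3F, (wtime & 0x1F) * 2),
            "date": (1980 + (wdate >> 9), (wdate >> 5) & 0x0F, wdate & 0x1F),
            "start_cluster": start, "size": size}

def recovery_plan(g, start_cluster, size, out, image="Project1.dd"):
    """Skip and count in whole sectors plus the dd line in the form of Tables 5 and 10."""
    skip = cluster_to_sector(g, start_cluster)
    count = math.ceil(size / g["bps"])
    return {"skip": skip, "count": count, "byte_offset": skip * g["bps"],
            "cmd": f"dd if={image} of={out} bs={g['bps']} skip={skip} count={count}"}

def ntfs_run(partition_start, spc, first_cluster, n_clusters):
    """Disk sector and sector count of a non-resident $DATA run (Table 13 columns)."""
    return partition_start + first_cluster * spc, n_clusters * spc

# Constructed entry for the deleted Email file of Table 4: write time 0:18:42 and date
# 9/2/2020 in FAT's packed bit layout, archive attribute 0x20, cluster 0x0003, 11700 bytes.
EMAIL_ENTRY = struct.pack(ENTRY_FMT, b"\xe5MAIL   ", b"DOC", 0x20, 0, 0, 0, 0, 0, 0,
                          (0 << 11) | (18 << 5) | (42 // 2),
                          ((2020 - 1980) << 9) | (9 << 5) | 2, 0x0003, 11700)

if __name__ == "__main__":
    e = parse_entry(EMAIL_ENTRY)
    print(e, recovery_plan(PARTITION_1, e["start_cluster"], e["size"], "Email.docx"))
    print(recovery_plan(PARTITION_3, 0x006B, 5702, "Surveil.gpg"), ntfs_run(514048, 8, 16108, 3))
```

The deleted entry keeps its remaining name bytes, so the decoded name shows as "?MAIL"; the report recovered the full name "Email" from context.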
Operational Analysis
While retrieving the files from the disk, our team noticed that some of them had been deleted, which may have been an attempt to hide them. As we examined the contents of each file, we found that the zip files recovered from the second partition were password protected and that the files from the third partition were encrypted and also required a password. In the Email document from the first partition we found a conversation between a John Disco and a Bill Taker in which they disclosed that the zip files could be opened with the password “G3tTh3G00dStuff!”. Once the files were unzipped, we found that the Mystery file contained hexadecimal text that decoded to the plain text “The password for GPG files is L3tsGetP@id!”. This allowed us to use the gpg command in Linux to decrypt the remaining files from the third partition.
Once all the files were recovered, we determined that the ultimate objective of the users of the laptop was to steal the Hope Diamond from the Smithsonian in Washington D.C. and then sell it to one of their potential buyers.
HackTheBox Challenge
List of Figures
Figure 1: HackTheBox Challenge – Edit Macros menu
Figure 2: HackTheBox Challenge – Decode powershell command
Figure 3: Project1.dd – Disk Information
Figure 4: Partition 1 – FAT16 Boot Sector
Figure 5: Partition 1 – FAT16 1st FAT Area
Figure 6: Partition 1 – FAT16 Root Directory
Figure 7: Partition 3 – FAT16 Boot Sector
Figure 8: Partition 3 – FAT16 1st FAT Area
Figure 9: Partition 3 – FAT16 Root Directory

List of Tables
Table 1: Partition 1 – FAT16 Partition Information
| Description | Value | Structure | Start Location | Size |
|---|---|---|---|---|
| Sectors Before Partition | 2048 | Boot Sector | 0x1c | 4 |
| Bytes/Sec | 512 | Boot Sector | 0xb | 2 |
| Sec/Cluster | 8 | Boot Sector | 0xd | 1 |
| Reserved Sectors | 8 | Boot Sector | 0xe | 2 |
| Sec/FAT | 256 | Boot Sector | 0x16 | 2 |
| Root Directory Sectors | 32 | Root Directory | | |
| Data Area Buffer | 1 Cluster | FAT | | |
Table 2: Partition 1 – FAT16 Cluster and Byte Information
| File | Clusters | Byte Offset |
|---|---|---|
| Email.doc | 0x0003 – 0x0005 | 1335296 – 1347584 |
| Necklace.pdf | 0x0006 – 0x001b | 1347584 – 1437696 |
| Dash.jpg | 0x001c – 0x0027 | 1437696 – 1486848 |
| Gems.pdf | 0x0028 – 0x0105 | 1486848 – 2392064 |
Table 3: Partition 1 – FAT16 Location Information
| Item | Allocated (Sectors) | Start (Sectors) | File Size (Sectors) | Skip (Bytes) | Count (Bytes) | Confirmation Command |
|---|---|---|---|---|---|---|
| Sectors to Partition | 2048 | 0 | | | | |
| Reserved Sectors | 8 | 2048 | | | | |
| FAT #1 Length | 256 | 2056 | | | | |
| FAT #2 Length | 256 | 2321 | | | | |
| Root Directory Length | 32 | 2568 | | | | |
| Data Area Buffer | 8 | 2600 | | | | |
| Email | 24 | 2608 | 23 | 1335296 | 11776 | hexdump -C -s $(( 2608*512 )) -n $(( 1*512 )) Project1.dd |
| Necklace | 176 | 2632 | 169 | 1347584 | 86528 | hexdump -C -s $(( 2632*512 )) -n $(( 1*512 )) Project1.dd |
| Dash | 96 | 2808 | 92 | 1437696 | 47104 | hexdump -C -s $(( 2808*512 )) -n $(( 1*512 )) Project1.dd |
| Gems | 1768 | 2904 | 1761 | 1486848 | 901632 | hexdump -C -s $(( 2904*512 )) -n $(( 1*512 )) Project1.dd |
Table 4: Partition 1 – FAT16 Root Directory Contents
| Name | Ext | Attributes | Time | Date | Start (Cluster) | # Clusters | File Length (Sectors) | File Size (Bytes) | File Size (Sectors) | Status |
|---|---|---|---|---|---|---|---|---|---|---|
| Email | docx | Archive | 0:18:42 | 9/2/20 | 0x0003 | 3 | 24 | 11700 | 23 | Filename Used, But Deleted |
| Necklace | pdf | Archive | 0:02:06 | 9/2/20 | 0x0006 | 22 | 176 | 86321 | 169 | Normal File |
| Dash | jpg | Archive | 0:13:04 | 9/2/20 | 0x001c | 12 | 96 | 46678 | 92 | Filename Used, But Deleted |
| Gems | pdf | Archive | 0:13:04 | 9/2/20 | 0x0028 | 221 | 1768 | 901175 | 1761 | Normal File |
Table 5: Partition 1 – FAT16 File Recovery Commands
| File Name | Recovery Command |
|---|---|
| Email | dd if=Project1.dd of=Email.docx bs=512 skip=2608 count=23 |
| Necklace | dd if=Project1.dd of=Necklace.pdf bs=512 skip=2632 count=169 |
| Dash | dd if=Project1.dd of=Dash.jpg bs=512 skip=2808 count=92 |
| Gems | dd if=Project1.dd of=Gems.pdf bs=512 skip=2904 count=1761 |
Table 6: Partition 3 – FAT16 Partition Information
| Description | Value | Structure | Start Location | Size |
|---|---|---|---|---|
| Sectors Before Partition | 1538048 | Boot Sector | 0x1c | 4 |
| Bytes/Sec | 512 | Boot Sector | 0xb | 2 |
| Sec/Cluster | 32 | Boot Sector | 0xd | 1 |
| Reserved Sectors | 32 | Boot Sector | 0xe | 2 |
| Sec/FAT | 192 | Boot Sector | 0x16 | 2 |
| Root Directory Sectors | 32 | Root Directory | | |
| Data Area Buffer | 1 Cluster | FAT | | |
Table 7: Partition 3 – FAT16 Cluster Information
| File | Clusters | Byte Offset |
|---|---|---|
| File1 | 0x0003 | 787726336 – 787742720 |
| File2 | 0x0004 – 0x0067 | 787742720 – 789381120 |
| File3 | 0x0068 – 0x006a | 789381120 – 789430272 |
| File4 | 0x006b | 789430272 – 789446656 |
Table 8: Partition 3 – FAT16 Location Information
| Item | Allocated (Sectors) | Start (Sectors) | File Size (Sectors) | Skip (Bytes) | Count (Bytes) | Confirmation Command |
|---|---|---|---|---|---|---|
| Sectors to Partition | 1538048 | 0 | | | | |
| Reserved Sectors | 32 | 1538048 | | | | |
| FAT #1 Length | 192 | 1538080 | | | | |
| FAT #2 Length | 192 | 1538272 | | | | |
| Root Directory Length | 32 | 1538464 | | | | |
| Data Area Buffer | 32 | 1538496 | | | | |
| Plan | 32 | 1538528 | 15 | 787726336 | 7680 | hexdump -C -s $(( 1538528*512 )) -n $(( 1*512 )) Project1.dd |
| History | 3200 | 1538560 | 3180 | 787742720 | 1628160 | hexdump -C -s $(( 1538560*512 )) -n $(( 1*512 )) Project1.dd |
| Goal | 96 | 1541760 | 96 | 789381120 | 49152 | hexdump -C -s $(( 1541760*512 )) -n $(( 1*512 )) Project1.dd |
| Surveil | 32 | 1541856 | 12 | 789430272 | 6144 | hexdump -C -s $(( 1541856*512 )) -n $(( 1*512 )) Project1.dd |
Table 9: Partition 3 – FAT16 Root Directory Contents
| Name | Ext | Attributes | Time | Date | Start (Cluster) | # Clusters | File Length (Sectors) | File Size (Bytes) | File Size (Sectors) | Status |
|---|---|---|---|---|---|---|---|---|---|---|
| Plan | gpg/ole2 | Archive | 23:59:50 | 8/31/20 | 0x0003 | 1 | 32 | 7584 | 15 | Filename Used, But Deleted |
| History | gpg/pdf | Archive | 23:59:50 | 8/31/20 | 0x0004 | 100 | 3200 | 1627994 | 3180 | Normal File |
| Goal | gpg/jpg | Archive | 23:59:50 | 8/31/20 | 0x0068 | 3 | 96 | 48660 | 96 | Filename Used, But Deleted |
| Surveil | gpg/jpg | Archive | 23:59:50 | 8/31/20 | 0x006b | 1 | 32 | 5702 | 12 | Normal File |
Table 10: Partition 3 – FAT16 File Recovery Commands
| File Name | Recovery Command |
|---|---|
| Plan | dd if=Project1.dd of=Plan.gpg bs=512 skip=1538528 count=15 |
| History | dd if=Project1.dd of=History.gpg bs=512 skip=1538560 count=3180 |
| Goal | dd if=Project1.dd of=Goal.gpg bs=512 skip=1541760 count=96 |
| Surveil | dd if=Project1.dd of=Surveil.gpg bs=512 skip=1541856 count=12 |
Table 11: Partition 2 – General NTFS Values
| Description | Value | Structure | Start Location | Size |
|---|---|---|---|---|
| Bytes/Sec | 512 | MBR | 0xB | 2 |
| Sec/Cluster | 8 | MBR | 0xC | 1 |
| Reserved Sectors | 0 | MBR | 0xD | 2 |
| Sectors Before Partition | 514048 | MBR | ? | 4 |
| $MFT Cluster Start | 4 | MBR | 0x30 | 8 |
| $MFTMirr Cluster Start | 6399 | MBR | 0x38 | 8 |
| # System $MFT Records | 39 | MFT | | |
| $MFT Record Size | 1024 | MFT | | |
Table 12: Partition 2 – NTFS Data Structure Locations
| Item | Allocated (Sectors) | Start |
|---|---|---|
| Sectors to Partition | 514048 | 0 |
| $MFTMirr Start | 51192 | 565240 |
| $MFT Cluster Start | 32 | |
| $MFT System Records | 78 | 514080 |
| File #1 $MFT Record | 2 | 514208 |
| File #2 $MFT Record | 2 | 514210 |
| File #3 $MFT Record | 2 | 514212 |
| File #4 $MFT Record | 2 | 514214 |

Table 13: Partition 2 – NTFS $MFT Record Information
| Filename | Ext | Attributes | In Use (Header) | Non-Resident (0x80) | Allocated Size (x30) | Real Size (x80) | 1st Cluster (x80 – 2) | 1st Sector | 1st Sector + Disk Offset | # Clusters (x80) | # Sectors | First VCN (x80) | Last VCN (x80) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Mystery | zip | $STANDARD_INFORMATION (x10), $FILENAME (x30), $SECURITY_DESCRIPTOR (x50), $DATA (x80) | Yes | no | 640 | | | | | | | | |
| Surveill | jpg | $STANDARD_INFORMATION (x10), $FILENAME (x30), $SECURITY_DESCRIPTOR (x50), $DATA (x80) | Yes | Yes | 12288 | 11602 | 16108 | 128864 | 642912 | 3 | 24 | 0 | 2 |
| Surveill2 | zip | $STANDARD_INFORMATION (x10), $FILENAME (x30), $SECURITY_DESCRIPTOR (x50), $DATA (x80) | Yes | Yes | 12288 | 11179 | 20200 | 161600 | 675648 | 3 | 24 | 0 | 2 |
| Encoding | pdf | $STANDARD_INFORMATION (x10), $FILENAME (x30) | yes | Yes | 106496 | 104632 | 24296 | 194368 | 708416 | 26 | 208 | 0 | 25 |

Table 14: Partition 2 – Confirmation Command
| File | Confirmation Command |
|---|---|
| Surveil | hexdump Project1.dd -s $(( 642912*512 )) -n $(( 1*512 )) |
| Surveil2 | hexdump Project1.dd -s $(( 675648*512 )) -n $(( 1*512 )) |
| Encoding | hexdump Project1.dd -s $(( 708416*512 )) -n $(( 1*512 )) |
Table 15: Partition 2 – Recovery Command
| File | Recovery Command |
|---|---|
| Mystery | dd if=Project1.dd of=Mystery.zip bs=1 skip=263274864 count=640 iflag=skip_bytes,count_bytes |
| Surveil | dd if=Project1.dd of=Surveil.jpg bs=512 skip=642912 count=24 |
| Surveil2 | dd if=Project1.dd of=Surveil2.zip bs=512 skip=675648 count=24 |
| Encoding | dd if=Project1.dd of=Encoding.pdf bs=512 skip=708416 count=208 |
