homepage
Open menu Go one level top
  • Train and Certify
    • Get Started in Cyber
    • Courses & Certifications
    • Training Roadmap
    • Search For Training
    • Online Training
    • OnDemand
    • Live Training
    • Summits
    • Cyber Ranges
    • College Degrees & Certificates
    • NICE Framework
    • DoDD 8140
    • Specials
  • Manage Your Team
    • Overview
    • Security Awareness Training
    • Voucher Program
    • Private Training
    • Workforce Development
    • Skill Assessments
    • Hiring Opportunities
  • Resources
    • Overview
    • Reading Room
    • Webcasts
    • Newsletters
    • Blog
    • Tip of The Day
    • Posters
    • Top 25 Programming Errors
    • The Critical Security Controls
    • Security Policy Project
    • Critical Vulnerability Recaps
    • Affiliate Directory
  • Focus Areas
    • Blue Team Operations
    • Cloud Security
    • Digital Forensics & Incident Response
    • Industrial Control Systems
    • Leadership
    • Offensive Operations
  • Get Involved
    • Overview
    • SANS Community
    • CyberTalent
    • Work Study
    • Instructor Development
    • Sponsorship Opportunities
    • COINS
  • About
    • About SANS
    • Why SANS?
    • Instructors
    • Cybersecurity Innovation Awards
    • Contact
    • Frequently Asked Questions
    • Customer Reviews
    • Press Room
  • Log In
  • Join
  • Contact Us
  • SANS Sites
    • GIAC Security Certifications
    • Internet Storm Center
    • SANS Technology Institute
    • Security Awareness Training
  • Search
  1. Home >
  2. Blog >
  3. A big FAT lie
Dave Hull

A big FAT lie

July 21, 2009

In the last post in our quest to restore the tampered FAT file system to its untainted state, we rebuilt the cluster chain in the File Allocation Table so we could copy out the file from the mounted file system. Let's move on to the next file in our image.

Coverpage

Let's see about "cover page.jpg." For starters, let's copy the file out of the mounted file system:

copycoverfail.jpg

Well, what do you know? Our copy failed. This error message is remarkably similar to the one we saw in a previous post where we repaired the FAT Directory Entry, but still hadn't rebuilt the cluster chain in the FAT. Could it be the case that we have a missing cluster chain for this file? It's a possibility, let's investigate. Using the FAT Directory Entry 8, given to us by fls, we run the istat command and see the following:

Directory_entry

Right away we notice at least one odd thing about this file, possibly two. The most obvious thing is that the file size is 15585 bytes, yet we only see a single sector on the disk has been allocated. We already know from running fsstat against the image that our cluster size and sector size are both 512 bytes. Because we round up, our file of 15585 bytes should occupy 31 clusters (also sectors in this case), but we only have one listed. Ok, what next? Well, let's try carving out 31 clusters beginning at sector 834 and see what we get. We can do this using the blkstat (or dd) as follows:

blkcat

Did you catch the output from the command? It was 31 sectors of nulls. Don't believe me? Let's pipe the output to xxd and less:

output

I'll spare you the pages and pages of output, but I think you get the idea. There's no data at this location on the disk. What else could be wrong? Let's review what we know so far:

  • We have an allocated jpg file
  • The file is 15585 bytes or 31 clusters
  • istat reports a single cluster
  • There's no data at the cluster location
  • Remember we're dealing with a disk image that's been altered by our suspect. Think about physical evidence. Say a criminal is trying to hide some piece of physical evidence, might he lie about where that evidence is? What could be going on here and how might we find the true location of this file in the image without resorting to data carving using tools like foremost? Here's a big hint, go back and review the previous posts in this series. The answer is in there, at least twice. Let me repeat the question: How might we find the true location of this file in the image without resorting to data carving (i.e. no foremost like tools)? First person to answer that question in the comments wins a free copy of Harlan Carvey's new book, Windows Forensic Analysis DVD Toolkit, 2nd Edition courtesy of Syngress.


    Update: 07/21/2009 12:05 p.m. UTC

    There's been some conversation about this post on Twitter so I thought I'd provide some additional info here. Mark McKinnon adds "Another hint is that [you] need to look at what tool you are using and understand where that tool is getting its info."

    I haven't talked to Mark yet today, but let's consider his hint. Where does istat get it's information? Two places, some of it comes from the FAT Directory Entry and some comes from the FAT. Recall from previous posts that the former gives us the starting cluster and the latter contains the cluster chain that tells us where the file continues.

    Also, one reader commented that we may need to rebuild the cluster chain as we did with the previous file. When I informed them that we wouldn't need to do that in this case, they quickly replied, "Oh yes, the file is allocated."

    That's enough additional hints for now. Let me just say one more thing, at the risk of it costing me a fortune, I'm going to open up the award to international participants. That's right, I'll ship the book overseas, if I have to. Just don't tell my wife.

    Dave Hull, GCFA Silver #3368, is a technologist focusing on incident response, computer forensics and application security. He can be found on the web at TrustedSignal.com.

    Share:
    TwitterLinkedInFacebook
    Copy url Url was copied to clipboard
    Subscribe to SANS Newsletters
    Join the SANS Community to receive the latest curated cybersecurity news, vulnerabilities, and mitigations, training opportunities, plus our webcast schedule.
    United States
    Canada
    United Kingdom
    Spain
    Belgium
    Denmark
    Norway
    Netherlands
    Australia
    India
    Japan
    Singapore
    Afghanistan
    Aland Islands
    Albania
    Algeria
    American Samoa
    Andorra
    Angola
    Anguilla
    Antarctica
    Antigua and Barbuda
    Argentina
    Armenia
    Aruba
    Austria
    Azerbaijan
    Bahamas
    Bahrain
    Bangladesh
    Barbados
    Belarus
    Belize
    Benin
    Bermuda
    Bhutan
    Bolivia
    Bonaire, Sint Eustatius, and Saba
    Bosnia And Herzegovina
    Botswana
    Bouvet Island
    Brazil
    British Indian Ocean Territory
    Brunei Darussalam
    Bulgaria
    Burkina Faso
    Burundi
    Cambodia
    Cameroon
    Cape Verde
    Cayman Islands
    Central African Republic
    Chad
    Chile
    China
    Christmas Island
    Cocos (Keeling) Islands
    Colombia
    Comoros
    Cook Islands
    Costa Rica
    Croatia (Local Name: Hrvatska)
    Curacao
    Cyprus
    Czech Republic
    Democratic Republic of the Congo
    Djibouti
    Dominica
    Dominican Republic
    East Timor
    East Timor
    Ecuador
    Egypt
    El Salvador
    Equatorial Guinea
    Eritrea
    Estonia
    Ethiopia
    Falkland Islands (Malvinas)
    Faroe Islands
    Fiji
    Finland
    France
    French Guiana
    French Polynesia
    French Southern Territories
    Gabon
    Gambia
    Georgia
    Germany
    Ghana
    Gibraltar
    Greece
    Greenland
    Grenada
    Guadeloupe
    Guam
    Guatemala
    Guernsey
    Guinea
    Guinea-Bissau
    Guyana
    Haiti
    Heard And McDonald Islands
    Honduras
    Hong Kong
    Hungary
    Iceland
    Indonesia
    Iraq
    Ireland
    Isle of Man
    Israel
    Italy
    Jamaica
    Jersey
    Jordan
    Kazakhstan
    Kenya
    Kingdom of Saudi Arabia
    Kiribati
    Korea, Republic Of
    Kosovo
    Kuwait
    Kyrgyzstan
    Lao People's Democratic Republic
    Latvia
    Lebanon
    Lesotho
    Liberia
    Liechtenstein
    Lithuania
    Luxembourg
    Macau
    Macedonia
    Madagascar
    Malawi
    Malaysia
    Maldives
    Mali
    Malta
    Marshall Islands
    Martinique
    Mauritania
    Mauritius
    Mayotte
    Mexico
    Micronesia, Federated States Of
    Moldova, Republic Of
    Monaco
    Mongolia
    Montenegro
    Montserrat
    Morocco
    Mozambique
    Myanmar
    Namibia
    Nauru
    Nepal
    Netherlands Antilles
    New Caledonia
    New Zealand
    Nicaragua
    Niger
    Nigeria
    Niue
    Norfolk Island
    Northern Mariana Islands
    Oman
    Pakistan
    Palau
    Palestine
    Panama
    Papua New Guinea
    Paraguay
    Peru
    Philippines
    Pitcairn
    Poland
    Portugal
    Puerto Rico
    Qatar
    Reunion
    Romania
    Russian Federation
    Rwanda
    Saint Bartholemy
    Saint Kitts And Nevis
    Saint Lucia
    Saint Martin
    Saint Vincent And The Grenadines
    Samoa
    San Marino
    Sao Tome And Principe
    Senegal
    Serbia
    Seychelles
    Sierra Leone
    Sint Maarten
    Slovakia (Slovak Republic)
    Slovenia
    Solomon Islands
    South Africa
    South Georgia and the South Sandwich Islands
    South Sudan
    Sri Lanka
    St. Helena
    St. Pierre And Miquelon
    Suriname
    Svalbard And Jan Mayen Islands
    Swaziland
    Sweden
    Switzerland
    Taiwan
    Tajikistan
    Tanzania
    Thailand
    Togo
    Tokelau
    Tonga
    Trinidad And Tobago
    Tunisia
    Turkey
    Turkmenistan
    Turks And Caicos Islands
    Tuvalu
    Uganda
    Ukraine
    United Arab Emirates
    United States Minor Outlying Islands
    Uruguay
    Uzbekistan
    Vanuatu
    Vatican City
    Venezuela
    Vietnam
    Virgin Islands (British)
    Virgin Islands (U.S.)
    Wallis And Futuna Islands
    Western Sahara
    Yemen
    Yugoslavia
    Zambia
    Zimbabwe

    Tags:
    • Digital Forensics and Incident Response

    Related Content

    Blog
    SUMMIT_Free_SANS_2021_Summits_Teaser.jpg
    Digital Forensics and Incident Response, Cyber Defense Essentials, Industrial Control Systems Security, Purple Team, Blue Team Operations, Penetration Testing and Ethical Hacking, Cloud Security, Security Management, Legal, and Audit
    November 30, 2020
    Good News: SANS Virtual Summits Will Be FREE for the Community in 2021
    They’re virtual. They’re global. They’re free.
    Emily Blades
    read more
    Blog
    En.png
    Digital Forensics and Incident Response
    November 24, 2020
    SANS DFIR Presenta Nuevos Webcasts en Español
    SANS DFIR presenta sus nuevos episodios en Español! En este blog podrás ver todos los episodios con concluciones y con recursos para aprender DFIR
    SANS DFIR
    read more
    Blog
    shutterstock_1473864617.jpg
    Digital Forensics and Incident Response
    October 14, 2020
    Defense Spotlight: Finding Hidden Windows Services
    Attackers can make a Window services disappear from view. Fortunately these services can still be found, through unconventional discovery techniques.
    370x370_Joshua-Wright.jpg
    Joshua Wright
    read more
    • Register to Learn
    • Courses
    • Certifications
    • Degree Programs
    • Cyber Ranges
    • Job Tools
    • Security Policy Project
    • Posters
    • The Critical Security Controls
    • Focus Areas
    • Blue Team Operations
    • Cloud Security
    • Cybersecurity Leadership
    • Digital Forensics
    • Industrial Control Systems
    • Offensive Operations
    Subscribe to SANS Newsletters
    Join the SANS Community to receive the latest curated cybersecurity news, vulnerabilities, and mitigations, training opportunities, plus our webcast schedule.
    United States
    Canada
    United Kingdom
    Spain
    Belgium
    Denmark
    Norway
    Netherlands
    Australia
    India
    Japan
    Singapore
    Afghanistan
    Aland Islands
    Albania
    Algeria
    American Samoa
    Andorra
    Angola
    Anguilla
    Antarctica
    Antigua and Barbuda
    Argentina
    Armenia
    Aruba
    Austria
    Azerbaijan
    Bahamas
    Bahrain
    Bangladesh
    Barbados
    Belarus
    Belize
    Benin
    Bermuda
    Bhutan
    Bolivia
    Bonaire, Sint Eustatius, and Saba
    Bosnia And Herzegovina
    Botswana
    Bouvet Island
    Brazil
    British Indian Ocean Territory
    Brunei Darussalam
    Bulgaria
    Burkina Faso
    Burundi
    Cambodia
    Cameroon
    Cape Verde
    Cayman Islands
    Central African Republic
    Chad
    Chile
    China
    Christmas Island
    Cocos (Keeling) Islands
    Colombia
    Comoros
    Cook Islands
    Costa Rica
    Croatia (Local Name: Hrvatska)
    Curacao
    Cyprus
    Czech Republic
    Democratic Republic of the Congo
    Djibouti
    Dominica
    Dominican Republic
    East Timor
    East Timor
    Ecuador
    Egypt
    El Salvador
    Equatorial Guinea
    Eritrea
    Estonia
    Ethiopia
    Falkland Islands (Malvinas)
    Faroe Islands
    Fiji
    Finland
    France
    French Guiana
    French Polynesia
    French Southern Territories
    Gabon
    Gambia
    Georgia
    Germany
    Ghana
    Gibraltar
    Greece
    Greenland
    Grenada
    Guadeloupe
    Guam
    Guatemala
    Guernsey
    Guinea
    Guinea-Bissau
    Guyana
    Haiti
    Heard And McDonald Islands
    Honduras
    Hong Kong
    Hungary
    Iceland
    Indonesia
    Iraq
    Ireland
    Isle of Man
    Israel
    Italy
    Jamaica
    Jersey
    Jordan
    Kazakhstan
    Kenya
    Kingdom of Saudi Arabia
    Kiribati
    Korea, Republic Of
    Kosovo
    Kuwait
    Kyrgyzstan
    Lao People's Democratic Republic
    Latvia
    Lebanon
    Lesotho
    Liberia
    Liechtenstein
    Lithuania
    Luxembourg
    Macau
    Macedonia
    Madagascar
    Malawi
    Malaysia
    Maldives
    Mali
    Malta
    Marshall Islands
    Martinique
    Mauritania
    Mauritius
    Mayotte
    Mexico
    Micronesia, Federated States Of
    Moldova, Republic Of
    Monaco
    Mongolia
    Montenegro
    Montserrat
    Morocco
    Mozambique
    Myanmar
    Namibia
    Nauru
    Nepal
    Netherlands Antilles
    New Caledonia
    New Zealand
    Nicaragua
    Niger
    Nigeria
    Niue
    Norfolk Island
    Northern Mariana Islands
    Oman
    Pakistan
    Palau
    Palestine
    Panama
    Papua New Guinea
    Paraguay
    Peru
    Philippines
    Pitcairn
    Poland
    Portugal
    Puerto Rico
    Qatar
    Reunion
    Romania
    Russian Federation
    Rwanda
    Saint Bartholemy
    Saint Kitts And Nevis
    Saint Lucia
    Saint Martin
    Saint Vincent And The Grenadines
    Samoa
    San Marino
    Sao Tome And Principe
    Senegal
    Serbia
    Seychelles
    Sierra Leone
    Sint Maarten
    Slovakia (Slovak Republic)
    Slovenia
    Solomon Islands
    South Africa
    South Georgia and the South Sandwich Islands
    South Sudan
    Sri Lanka
    St. Helena
    St. Pierre And Miquelon
    Suriname
    Svalbard And Jan Mayen Islands
    Swaziland
    Sweden
    Switzerland
    Taiwan
    Tajikistan
    Tanzania
    Thailand
    Togo
    Tokelau
    Tonga
    Trinidad And Tobago
    Tunisia
    Turkey
    Turkmenistan
    Turks And Caicos Islands
    Tuvalu
    Uganda
    Ukraine
    United Arab Emirates
    United States Minor Outlying Islands
    Uruguay
    Uzbekistan
    Vanuatu
    Vatican City
    Venezuela
    Vietnam
    Virgin Islands (British)
    Virgin Islands (U.S.)
    Wallis And Futuna Islands
    Western Sahara
    Yemen
    Yugoslavia
    Zambia
    Zimbabwe
    • © 2021 SANS™ Institute
    • Privacy Policy
    • Contact
    • Twitter
    • Facebook
    • Youtube
    • LinkedIn