Friday, April 18, 2014

File System Overview


$ mmls -B nps-2008-jean.E01
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Size    Description
00:  Meta    0000000000   0000000000   0000000001   0512B   Primary Table (#0)
01:  -----   0000000000   0000000062   0000000063   0031K   Unallocated
02:  00:00   0000000063   0020948759   0020948697   0009G   NTFS (0x07)
03:  -----   0020948760   0020971519   0000022760   0011M   Unallocated

In the last post we looked at the two unallocated spaces immediately preceding and following the 9GB NTFS partition located in slot 02.  Now we are going to look at the NTFS partition itself.  We want to see the contents of the NTFS file system.  Using the fls command we can see the contents of the root directory of the NTFS file system like so:

$ fls -o63 nps-2008-jean.E01
r/r 4-128-4: $AttrDef
r/r 8-128-2: $BadClus
r/r 8-128-1: $BadClus:$Bad
r/r 6-128-1: $Bitmap
r/r 7-128-1: $Boot
d/d 11-144-4: $Extend
r/r 2-128-1: $LogFile
r/r 0-128-1: $MFT
r/r 1-128-1: $MFTMirr
r/r 9-144-17: $Secure:$SDH
r/r 9-144-16: $Secure:$SII
r/r 9-128-18: $Secure:$SDS
r/r 10-128-1: $UpCase
r/r 3-128-3: $Volume
r/r 7451-128-1: AUTOEXEC.BAT
r/r 3513-128-3: boot.ini
r/r 7450-128-1: CONFIG.SYS
d/d 3519-144-6: Documents and Settings
r/r 7452-128-1: IO.SYS
r/r 27624-128-3: IPH.PH
r/r 7453-128-1: MSDOS.SYS
r/r 3485-128-3: NTDETECT.COM
r/r 3481-128-3: ntldr
r/r 27-128-1: pagefile.sys
d/d 3999-144-6: Program Files
d/d 23827-144-1: RECYCLER
d/d 3522-144-6: System Volume Information
d/d 28-144-6: WINDOWS
d/d 32848: $OrphanFiles

The only option we are passing to fls is -o, the offset.  The NTFS partition's starting offset is sector 63, as we saw earlier with the mmls command.  The output shows us a few things, including some files we would expect to see in a Windows XP root directory along with some that (if you are unfamiliar with forensics) we may not expect to see.  The unexpected files are the ones whose names begin with $.  These are hidden system files that are essential to the file system's ability to function.

The first file we want to look at is the $Boot file.  This file contains the Volume Boot Record for this NTFS partition.  Let's see if we can find it.  Taking a closer look at the output from the fls command, we can see some additional information about each file.

r/r 7-128-1: $Boot

The r/r or d/d prefix indicates whether we are looking at a regular file or a directory.  There are a few other possible values for this field, but they are not relevant to what we are discussing at this time.

r/r 7-128-1: $Boot

The 7 is the $MFT (Master File Table) inode number used to track the file.  This will come in handy when analyzing files later in the examination.  The remaining numbers (128-1) will be discussed in a future post.  Taken together, these numbers are called the "Metadata Address."

r/r 7-128-1: $Boot

And this is obviously the file name.  Once again, the most important thing we can glean from this listing is the inode number, because with it we can analyze the file itself.  Since the $Boot file is a system file containing binary data that can only be viewed properly in hex, we run the icat command with the partition offset and the inode number and pipe its output into hd, a hex dump utility, to view the data.

$ icat -o63 nps-2008-jean.E01 7 | hd
00000000  eb 52 90 4e 54 46 53 20  20 20 20 00 02 08 00 00  |.R.NTFS    .....|
00000010  00 00 00 00 00 f8 00 00  3f 00 ff 00 3f 00 00 00  |........?...?...|
00000020  00 00 00 00 80 00 80 00  d8 a6 3f 01 00 00 00 00  |..........?.....|
00000030  00 00 0c 00 00 00 00 00  6d fa 13 00 00 00 00 00  |........m.......|
00000040  f6 00 00 00 01 00 00 00  1f c2 4f 74 08 50 74 7e  |..........Ot.Pt~|
00000050  00 00 00 00 fa 33 c0 8e  d0 bc 00 7c fb b8 c0 07  |.....3.....|....|
00000060  8e d8 e8 16 00 b8 00 0d  8e c0 33 db c6 06 0e 00  |..........3.....|
00000070  10 e8 53 00 68 00 0d 68  6a 02 cb 8a 16 24 00 b4  |..S.h..hj....$..|
00000080  08 cd 13 73 05 b9 ff ff  8a f1 66 0f b6 c6 40 66  |...s......f...@f|
00000090  0f b6 d1 80 e2 3f f7 e2  86 cd c0 ed 06 41 66 0f  |.....?.......Af.|
000000a0  b7 c9 66 f7 e1 66 a3 20  00 c3 b4 41 bb aa 55 8a  |..f..f. ...A..U.|
000000b0  16 24 00 cd 13 72 0f 81  fb 55 aa 75 09 f6 c1 01  |.$...r...U.u....|
000000c0  74 04 fe 06 14 00 c3 66  60 1e 06 66 a1 10 00 66  |t......f`..f...f|
000000d0  03 06 1c 00 66 3b 06 20  00 0f 82 3a 00 1e 66 6a  |....f;. ...:..fj|
000000e0  00 66 50 06 53 66 68 10  00 01 00 80 3e 14 00 00  |.fP.Sfh.....>...|
000000f0  0f 85 0c 00 e8 b3 ff 80  3e 14 00 00 0f 84 61 00  |........>.....a.|
00000100  b4 42 8a 16 24 00 16 1f  8b f4 cd 13 66 58 5b 07  |.B..$.......fX[.|
00000110  66 58 66 58 1f eb 2d 66  33 d2 66 0f b7 0e 18 00  |fXfX..-f3.f.....|
00000120  66 f7 f1 fe c2 8a ca 66  8b d0 66 c1 ea 10 f7 36  |f......f..f....6|
00000130  1a 00 86 d6 8a 16 24 00  8a e8 c0 e4 06 0a cc b8  |......$.........|
00000140  01 02 cd 13 0f 82 19 00  8c c0 05 20 00 8e c0 66  |........... ...f|
00000150  ff 06 10 00 ff 0e 0e 00  0f 85 6f ff 07 1f 66 61  |..........o...fa|
00000160  c3 a0 f8 01 e8 09 00 a0  fb 01 e8 03 00 fb eb fe  |................|
00000170  b4 01 8b f0 ac 3c 00 74  09 b4 0e bb 07 00 cd 10  |.....<.t........|
00000180  eb f2 c3 0d 0a 41 20 64  69 73 6b 20 72 65 61 64  |.....A disk read|
00000190  20 65 72 72 6f 72 20 6f  63 63 75 72 72 65 64 00  | error occurred.|
000001a0  0d 0a 4e 54 4c 44 52 20  69 73 20 6d 69 73 73 69  |..NTLDR is missi|
000001b0  6e 67 00 0d 0a 4e 54 4c  44 52 20 69 73 20 63 6f  |ng...NTLDR is co|
000001c0  6d 70 72 65 73 73 65 64  00 0d 0a 50 72 65 73 73  |mpressed...Press|
000001d0  20 43 74 72 6c 2b 41 6c  74 2b 44 65 6c 20 74 6f  | Ctrl+Alt+Del to|
000001e0  20 72 65 73 74 61 72 74  0d 0a 00 00 00 00 00 00  | restart........|
000001f0  00 00 00 00 00 00 00 00  83 a0 b3 c9 00 00 55 aa  |..............U.|
00000200  05 00 4e 00 54 00 4c 00  44 00 52 00 04 00 24 00  |..N.T.L.D.R...$.|
00000210  49 00 33 00 30 00 00 e0  00 00 00 30 00 00 00 00  |I.3.0......0....|
00000220  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000250  00 00 00 00 00 00 eb 12  90 90 00 00 00 00 00 00  |................|
00000260  00 00 00 00 00 00 00 00  00 00 8c c8 8e d8 c1 e0  |................|
00000270  04 fa 8b e0 fb e8 03 fe  66 0f b7 06 0b 00 66 0f  |........f.....f.|
00000280  b6 1e 0d 00 66 f7 e3 66  a3 4e 02 66 8b 0e 40 00  |....f..f.N.f..@.|
00000290  80 f9 00 0f 8f 0e 00 f6  d9 66 b8 01 00 00 00 66  |.........f.....f|
000002a0  d3 e0 eb 08 90 66 a1 4e  02 66 f7 e1 66 a3 52 02  |.....f.N.f..f.R.|
000002b0  66 0f b7 1e 0b 00 66 33  d2 66 f7 f3 66 a3 56 02  |f.....f3.f..f.V.|
000002c0  e8 71 04 66 8b 0e 4a 02  66 89 0e 22 02 66 03 0e  |.q.f..J.f..".f..|
000002d0  52 02 66 89 0e 26 02 66  03 0e 52 02 66 89 0e 2a  |R.f..&.f..R.f..*|
000002e0  02 66 03 0e 52 02 66 89  0e 3a 02 66 03 0e 52 02  |.f..R.f..:.f..R.|
000002f0  66 89 0e 42 02 66 b8 90  00 00 00 66 8b 0e 22 02  |f..B.f.....f..".|
00000300  e8 5f 09 66 0b c0 0f 84  57 fe 66 a3 2e 02 66 b8  |._.f....W.f...f.|
00000310  a0 00 00 00 66 8b 0e 26  02 e8 46 09 66 a3 32 02  |....f..&..F.f.2.|
00000320  66 b8 b0 00 00 00 66 8b  0e 2a 02 e8 34 09 66 a3  |f.....f..*..4.f.|
00000330  36 02 66 a1 2e 02 66 0b  c0 0f 84 24 fe 67 80 78  |6.f...f....$.g.x|
00000340  08 00 0f 85 1b fe 67 66  8d 50 10 67 03 42 04 67  |......gf.P.g.B.g|
00000350  66 0f b6 48 0c 66 89 0e  62 02 67 66 8b 48 08 66  |f..H.f..b.gf.H.f|
00000360  89 0e 5e 02 66 a1 5e 02  66 0f b7 0e 0b 00 66 33  |..^.f.^.f.....f3|
00000370  d2 66 f7 f1 66 a3 66 02  66 a1 42 02 66 03 06 5e  |.f..f.f.f.B.f..^|
00000380  02 66 a3 46 02 66 83 3e  32 02 00 0f 84 1d 00 66  |.f.F.f.>2......f|
00000390  83 3e 36 02 00 0f 84 c8  fd 66 8b 1e 36 02 1e 07  |.>6......f..6...|
000003a0  66 8b 3e 46 02 66 a1 2a  02 e8 bc 01 66 0f b7 0e  |f.>F.f.*....f...|
000003b0  00 02 66 b8 02 02 00 00  e8 fe 07 66 0b c0 0f 84  |..f........f....|
000003c0  a8 09 67 66 8b 00 1e 07  66 8b 3e 3a 02 e8 31 06  |..gf....f.>:..1.|
000003d0  66 a1 3a 02 66 bb 20 00  00 00 66 b9 00 00 00 00  |f.:.f. ...f.....|
000003e0  66 ba 00 00 00 00 e8 d6  00 66 85 c0 0f 85 23 00  |f........f....#.|
000003f0  66 a1 3a 02 66 bb 80 00  00 00 66 b9 00 00 00 00  |f.:.f.....f.....|
00000400  66 ba 00 00 00 00 e8 b6  00 66 0b c0 0f 85 44 00  |f........f....D.|
00000410  e9 57 09 66 33 d2 66 b9  80 00 00 00 66 a1 3a 02  |.W.f3.f.....f.:.|
00000420  e8 bc 08 66 0b c0 0f 84  40 09 1e 07 66 8b 3e 3a  |...f....@...f.>:|
00000430  02 e8 cd 05 66 a1 3a 02  66 bb 80 00 00 00 66 b9  |....f.:.f.....f.|
00000440  00 00 00 00 66 ba 00 00  00 00 e8 72 00 66 0b c0  |....f......r.f..|
00000450  0f 84 16 09 67 66 0f b7  58 0c 66 81 e3 ff 00 00  |....gf..X.f.....|
00000460  00 0f 85 0b 09 66 8b d8  68 00 20 07 66 2b ff 66  |.....f..h. .f+.f|
00000470  a1 3a 02 e8 f2 00 8a 16  24 00 b8 e8 03 8e c0 8d  |.:......$.......|
00000480  36 0b 00 2b c0 68 00 20  50 cb 06 1e 66 60 66 8b  |6..+.h. P...f`f.|
00000490  da 66 0f b6 0e 0d 00 66  f7 e1 66 a3 10 00 66 8b  |.f.....f..f...f.|
000004a0  c3 66 f7 e1 a3 0e 00 8b  df 83 e3 0f 8c c0 66 c1  |.f............f.|
000004b0  ef 04 03 c7 50 07 e8 0e  fc 66 61 90 1f 07 c3 67  |....P....fa....g|
000004c0  03 40 14 67 66 83 38 ff  0f 84 4c 00 67 66 39 18  |.@.gf.8...L.gf9.|
000004d0  0f 85 33 00 66 0b c9 0f  85 0a 00 67 80 78 09 00  |..3.f......g.x..|
000004e0  0f 85 23 00 c3 67 3a 48  09 0f 85 1a 00 66 8b f0  |..#..g:H.....f..|
000004f0  67 03 70 0a e8 97 06 66  51 1e 07 66 8b fa f3 a7  |g.p....fQ..f....|
00000500  66 59 0f 85 01 00 c3 67  66 83 78 04 00 0f 84 07  |fY.....gf.x.....|
00000510  00 67 66 03 40 04 eb ab  66 2b c0 c3 66 8b f3 e8  |.gf.@...f+..f...|
00000520  6c 06 67 66 03 00 67 f7  40 0c 02 00 0f 85 34 00  |l.gf..g.@.....4.|
00000530  67 66 8d 50 10 67 3a 4a  40 0f 85 18 00 67 66 8d  |gf.P.g:J@....gf.|
00000540  72 42 e8 49 06 66 51 1e  07 66 8b fb f3 a7 66 59  |rB.I.fQ..f....fY|
00000550  0f 85 01 00 c3 67 83 78  08 00 0f 84 06 00 67 03  |.....g.x......g.|
00000560  40 08 eb c2 66 33 c0 c3  67 80 7b 08 00 0f 85 1c  |@...f3..g.{.....|
00000570  00 06 1e 66 60 67 66 8d  53 10 67 66 8b 0a 66 8b  |...f`gf.S.gf..f.|
00000580  f3 67 03 72 04 f3 a4 66  61 90 1f 07 c3 66 50 67  |.g.r...fa....fPg|
00000590  66 8d 53 10 66 85 c0 0f  85 0a 00 67 66 8b 4a 08  |f.S.f......gf.J.|
000005a0  66 41 eb 11 90 67 66 8b  42 18 66 33 d2 66 f7 36  |fA...gf.B.f3.f.6|
000005b0  4e 02 66 8b c8 66 2b c0  66 5e e8 01 00 c3 06 1e  |N.f..f+.f^......|
000005c0  66 60 67 80 7b 08 01 0f  84 03 00 e9 93 fb 66 83  |f`g.{.........f.|
000005d0  f9 00 0f 85 06 00 66 61  90 1f 07 c3 66 53 66 50  |......fa....fSfP|
000005e0  66 51 66 56 66 57 06 e8  91 04 66 8b d1 07 66 5f  |fQfVfW....f...f_|
000005f0  66 5e 66 59 66 85 c0 0f  84 34 00 66 3b ca 0f 8d  |f^fYf....4.f;...|
00000600  03 00 66 8b d1 e8 82 fe  66 2b ca 66 8b da 66 8b  |..f.....f+.f..f.|
00000610  c2 66 0f b6 16 0d 00 66  f7 e2 66 0f b7 16 0b 00  |.f.....f..f.....|
00000620  66 f7 e2 66 03 f8 66 58  66 03 c3 66 5b eb 9f 66  |f..f..fXf..f[..f|
00000630  85 f6 0f 84 2b fb 66 51  66 57 06 67 66 0f b6 43  |....+.fQfW.gf..C|
00000640  09 66 85 c0 0f 84 20 00  66 d1 e0 66 2b e0 66 8b  |.f.... .f..f+.f.|
00000650  fc 66 54 66 56 67 66 0f  b7 73 0a 66 03 f3 66 8b  |.fTfVgf..s.f..f.|
00000660  c8 f3 a4 66 5e eb 03 90  66 50 66 50 67 66 8b 03  |...f^...fPfPgf..|
00000670  66 50 67 66 8b 43 18 66  50 67 66 8b 56 20 66 85  |fPgf.C.fPgf.V f.|
00000680  d2 0f 84 0b 00 66 8b fe  1e 07 66 8b c2 e8 71 03  |.....f....f...q.|
00000690  66 8b c6 66 5a 66 59 66  42 66 51 66 56 e8 3f 06  |f..fZfYfBfQfV.?.|
000006a0  66 85 c0 0f 84 ba fa 66  5e 66 59 66 8b fe 1e 07  |f......f^fYf....|
000006b0  e8 4e 03 66 8b c6 66 8b  d9 66 59 66 5a 66 51 66  |.N.f..f..fYfZfQf|
000006c0  56 66 d1 e9 e8 f8 fd 66  85 c0 0f 84 93 fa 66 5e  |Vf.....f......f^|
000006d0  66 59 66 03 e1 07 66 5f  66 59 66 8b d0 66 58 66  |fYf...f_fYf..fXf|
000006e0  5b 66 8b da e9 f5 fe 06  1e 66 60 26 67 66 0f b7  |[f.......f`&gf..|
000006f0  5f 04 26 67 66 0f b7 4f  06 66 0b c9 0f 84 61 fa  |_.&gf..O.f....a.|
00000700  66 03 df 66 83 c3 02 66  81 c7 fe 01 00 00 66 49  |f..f...f......fI|
00000710  66 0b c9 0f 84 17 00 26  67 8b 03 26 67 89 07 66  |f......&g..&g..f|
00000720  83 c3 02 66 81 c7 00 02  00 00 66 49 eb e2 66 61  |...f......fI..fa|
00000730  90 1f 07 c3 06 1e 66 60  66 b8 01 00 00 00 66 a3  |......f`f.....f.|
00000740  1e 02 66 a1 1a 02 66 03  06 52 02 66 a3 5a 02 66  |..f...f..R.f.Z.f|
00000750  03 06 52 02 66 a3 4a 02  66 a1 30 00 66 0f b6 1e  |..R.f.J.f.0.f...|
00000760  0d 00 66 f7 e3 66 8b 1e  4a 02 66 89 07 66 a3 10  |..f..f..J.f..f..|
00000770  00 83 c3 04 66 a1 56 02  66 89 07 a3 0e 00 83 c3  |....f.V.f.......|
00000780  04 66 89 1e 4a 02 66 8b  1e 1a 02 1e 07 e8 37 f9  |.f..J.f.......7.|
00000790  66 8b fb e8 51 ff 66 a1  1a 02 66 bb 20 00 00 00  |f...Q.f...f. ...|
000007a0  66 b9 00 00 00 00 66 ba  00 00 00 00 e8 10 fd 66  |f.....f........f|
000007b0  0b c0 0f 84 19 01 66 8b  d8 1e 07 66 8b 3e 16 02  |......f....f.>..|
000007c0  66 33 c0 e8 a2 fd 66 8b  1e 16 02 66 81 3f 80 00  |f3....f....f.?..|
000007d0  00 00 0f 84 eb 00 03 5f  04 eb f0 66 53 66 8b 47  |......._...fSf.G|
000007e0  10 66 f7 26 56 02 66 50  66 33 d2 66 0f b6 1e 0d  |.f.&V.fPf3.f....|
000007f0  00 66 f7 f3 66 52 e8 dc  00 66 0b c0 0f 84 61 f9  |.f..fR...f....a.|
00000800  66 8b 0e 56 02 66 0f b6  1e 0d 00 66 f7 e3 66 5a  |f..V.f.....f..fZ|
00000810  66 03 c2 66 8b 1e 4a 02  66 89 07 83 c3 04 66 0f  |f..f..J.f.....f.|
00000820  b6 06 0d 00 66 2b c2 66  3b c1 0f 86 03 00 66 8b  |....f+.f;.....f.|
00000830  c1 66 89 07 66 2b c8 66  5a 0f 84 75 00 66 03 c2  |.f..f+.fZ..u.f..|
00000840  66 50 66 33 d2 66 0f b6  1e 0d 00 66 f7 f3 66 51  |fPf3.f.....f..fQ|
00000850  e8 82 00 66 59 66 0b c0  0f 84 05 f9 66 0f b6 1e  |...fYf......f...|
00000860  0d 00 66 f7 e3 66 8b 1e  4a 02 66 8b 17 83 c3 04  |..f..f..J.f.....|
00000870  66 03 17 66 3b d0 0f 85  15 00 66 0f b6 06 0d 00  |f..f;.....f.....|
00000880  66 3b c1 0f 86 03 00 66  8b c1 66 01 07 eb a5 83  |f;.....f..f.....|
00000890  c3 04 66 89 1e 4a 02 66  89 07 83 c3 04 66 0f b6  |..f..J.f.....f..|
000008a0  06 0d 00 66 3b c1 0f 86  03 00 66 8b c1 66 89 07  |...f;.....f..f..|
000008b0  eb 82 83 c3 04 66 ff 06  1e 02 66 89 1e 4a 02 66  |.....f....f..J.f|
000008c0  5b 03 5f 04 66 81 3f 80  00 00 00 0f 84 0c ff 66  |[._.f.?........f|
000008d0  61 90 1f 07 c3 66 8b d0  66 8b 0e 1e 02 66 8b 36  |a....f..f....f.6|
000008e0  5a 02 66 03 36 52 02 66  52 66 51 66 52 66 8b 1e  |Z.f.6R.fRfQfRf..|
000008f0  5a 02 66 8b 3e 56 02 66  8b 04 66 a3 10 00 83 c6  |Z.f.>V.f..f.....|
00000900  04 66 8b 04 a3 0e 00 83  c6 04 1e 07 e8 b8 f7 66  |.f.............f|
00000910  2b f8 0f 84 08 00 f7 26  0b 00 03 d8 eb d9 66 8b  |+......&......f.|
00000920  3e 5a 02 1e 07 e8 bf fd  66 a1 5a 02 66 bb 80 00  |>Z......f.Z.f...|
00000930  00 00 66 b9 00 00 00 00  66 8b d1 e8 81 fb 66 0b  |..f.....f.....f.|
00000940  c0 0f 84 1c f8 66 8b d8  66 58 66 56 e8 2c 01 66  |.....f..fXfV.,.f|
00000950  5e 66 0b c0 0f 84 05 00  66 5b 66 5b c3 66 59 66  |^f......f[f[.fYf|
00000960  5a e2 84 66 33 c0 c3 06  1e 66 60 66 50 66 51 66  |Z..f3....f`fPfQf|
00000970  33 d2 66 0f b6 1e 0d 00  66 f7 f3 66 52 66 57 e8  |3.f.....f..fRfW.|
00000980  53 ff 66 5f 66 0b c0 0f  84 d6 f7 66 0f b6 1e 0d  |S.f_f......f....|
00000990  00 66 f7 e3 66 5a 66 03  c2 66 a3 10 00 66 59 66  |.f..fZf..f...fYf|
000009a0  0f b6 1e 0d 00 66 3b cb  0f 8e 13 00 89 1e 0e 00  |.....f;.........|
000009b0  66 2b cb 66 58 66 03 c3  66 50 66 51 eb 14 90 66  |f+.fXf..fPfQ...f|
000009c0  58 66 03 c1 66 50 89 0e  0e 00 66 b9 00 00 00 00  |Xf..fP....f.....|
000009d0  66 51 06 66 57 8b df 83  e3 0f 8c c0 66 c1 ef 04  |fQ.fW.......f...|
000009e0  03 c7 50 07 e8 e0 f6 66  5f 07 66 03 3e 4e 02 66  |..P....f_.f.>N.f|
000009f0  59 66 58 66 83 f9 00 0f  8f 70 ff 66 61 90 1f 07  |YfXf.....p.fa...|
00000a00  c3 06 1e 66 60 66 f7 26  56 02 66 8b 0e 56 02 e8  |...f`f.&V.f..V..|
00000a10  55 ff e8 d2 fc 66 61 90  1f 07 c3 06 1e 66 60 66  |U....fa......f`f|
00000a20  f7 26 62 02 66 8b 1e 32  02 66 8b 0e 62 02 66 8b  |.&b.f..2.f..b.f.|
00000a30  36 26 02 1e 07 66 8b 3e  42 02 e8 81 fb e8 a7 fc  |6&...f.>B.......|
00000a40  66 61 90 1f 07 c3 66 50  66 53 66 51 66 8b 1e 46  |fa....fPfSfQf..F|
00000a50  02 66 8b c8 66 c1 e8 03  66 83 e1 07 66 03 d8 66  |.f..f...f...f..f|
00000a60  b8 01 00 00 00 66 d3 e0  67 84 03 0f 84 04 00 f8  |.....f..g.......|
00000a70  eb 02 90 f9 66 59 66 5b  66 58 c3 67 80 7b 08 01  |....fYf[fX.g.{..|
00000a80  0f 84 04 00 66 2b c0 c3  67 66 8d 73 10 67 66 8b  |....f+..gf.s.gf.|
00000a90  56 08 66 3b c2 0f 87 0b  00 67 66 8b 16 66 3b c2  |V.f;.....gf..f;.|
00000aa0  0f 83 04 00 66 2b c0 c3  67 03 5e 10 66 2b f6 67  |....f+..g.^.f+.g|
00000ab0  80 3b 00 0f 84 3e 00 e8  81 00 66 03 f1 e8 39 00  |.;...>....f...9.|
00000ac0  66 03 ca 66 3b c1 0f 8c  21 00 66 8b d1 66 50 67  |f..f;...!.f..fPg|
00000ad0  66 0f b6 0b 66 8b c1 66  83 e0 0f 66 c1 e9 04 66  |f...f..f...f...f|
00000ae0  03 d9 66 03 d8 66 43 66  58 eb c4 66 2b c8 66 2b  |..f..fCfX..f+.f+|
00000af0  c2 66 03 c6 c3 66 2b c0  c3 66 2b c9 67 8a 0b 80  |.f...f+..f+.g...|
00000b00  e1 0f 66 83 f9 00 0f 85  04 00 66 2b c9 c3 66 53  |..f.......f+..fS|
00000b10  66 52 66 03 d9 67 66 0f  be 13 66 49 66 4b 66 83  |fRf..gf...fIfKf.|
00000b20  f9 00 0f 84 0d 00 66 c1  e2 08 67 8a 13 66 4b 66  |......f...g..fKf|
00000b30  49 eb eb 66 8b ca 66 5a  66 5b c3 66 53 66 52 66  |I..f..fZf[.fSfRf|
00000b40  2b d2 67 8a 13 66 83 e2  0f 66 2b c9 67 8a 0b c0  |+.g..f...f+.g...|
00000b50  e9 04 66 83 f9 00 0f 85  08 00 66 2b c9 66 5a 66  |..f.......f+.fZf|
00000b60  5b c3 66 03 da 66 03 d9  67 66 0f be 13 66 49 66  |[.f..f..gf...fIf|
00000b70  4b 66 83 f9 00 0f 84 0d  00 66 c1 e2 08 67 8a 13  |Kf.......f...g..|
00000b80  66 4b 66 49 eb eb 66 8b  ca 66 5a 66 5b c3 66 0b  |fKfI..f..fZf[.f.|
00000b90  c9 0f 85 01 00 c3 66 51  66 56 67 83 3e 61 0f 8c  |......fQfVg.>a..|
00000ba0  0c 00 67 83 3e 7a 0f 8f  04 00 67 83 2e 20 66 83  |..g.>z....g.. f.|
00000bb0  c6 02 e2 e6 66 5e 66 59  c3 66 50 66 51 66 8b d0  |....f^fY.fPfQf..|
00000bc0  66 a1 2e 02 67 66 8d 58  10 67 03 43 04 67 66 8d  |f...gf.X.g.C.gf.|
00000bd0  40 10 66 8b da e8 44 f9  66 0b c0 0f 84 05 00 66  |@.f...D.f......f|
00000be0  59 66 59 c3 66 a1 32 02  66 0b c0 0f 85 08 00 66  |YfY.f.2.f......f|
00000bf0  59 66 59 66 33 c0 c3 66  8b 16 32 02 67 66 8d 52  |YfYf3..f..2.gf.R|
00000c00  10 67 66 8b 42 18 66 33  d2 66 f7 36 5e 02 66 33  |.gf.B.f3.f.6^.f3|
00000c10  f6 66 50 66 56 66 58 66  5e 66 3b c6 0f 84 3a 00  |.fPfVfXf^f;...:.|
00000c20  66 56 66 40 66 50 66 48  e8 1b fe 72 e8 e8 eb fd  |fVf@fPfH...r....|
00000c30  66 5a 66 5e 66 59 66 5b  66 53 66 51 66 56 66 52  |fZf^fYf[fSfQfVfR|
00000c40  66 a1 42 02 67 66 8d 40  18 e8 d0 f8 66 0b c0 74  |f.B.gf.@....f..t|
00000c50  c4 66 59 66 59 66 59 66  59 c3 66 59 66 59 66 33  |.fYfYfYfY.fYfYf3|
00000c60  c0 c3 66 51 66 50 66 b8  05 00 00 00 1e 07 66 8b  |..fQfPf.......f.|
00000c70  f9 e8 8d fd 66 8b c1 66  bb 20 00 00 00 66 b9 00  |....f..f. ...f..|
00000c80  00 00 00 66 ba 00 00 00  00 e8 33 f8 66 5b 66 59  |...f......3.f[fY|
00000c90  66 85 c0 0f 85 15 00 66  8b c1 66 0f b7 0e 0c 02  |f......f..f.....|
00000ca0  66 ba 0e 02 00 00 e8 16  f8 eb 33 90 66 33 d2 66  |f.........3.f3.f|
00000cb0  8b c1 66 8b cb 66 50 66  53 e8 23 00 66 5b 66 5f  |..f..fPfS.#.f[f_|
00000cc0  66 0b c0 0f 84 17 00 1e  07 e8 35 fd 66 8b c7 66  |f.........5.f..f|
00000cd0  0f b7 0e 0c 02 66 ba 0e  02 00 00 e8 e1 f7 c3 66  |.....f.........f|
00000ce0  52 66 51 66 bb 20 00 00  00 66 b9 00 00 00 00 66  |RfQf. ...f.....f|
00000cf0  ba 00 00 00 00 e8 c7 f7  66 0b c0 0f 84 63 00 66  |........f....c.f|
00000d00  8b d8 1e 07 66 8b 3e 16  02 66 33 c0 e8 59 f8 1e  |....f.>..f3..Y..|
00000d10  07 66 8b 1e 16 02 66 59  66 5a 26 66 39 0f 0f 85  |.f....fYfZ&f9...|
00000d20  0c 00 26 66 39 57 08 0f  84 31 00 eb 13 90 26 66  |..&f9W...1....&f|
00000d30  83 3f ff 0f 84 2f 00 26  83 7f 04 00 0f 84 26 00  |.?.../.&......&.|
00000d40  26 66 0f b7 47 04 03 d8  8b c3 25 00 80 74 cb 8c  |&f..G.....%..t..|
00000d50  c0 05 00 08 8e c0 81 e3  ff 7f eb be 26 66 8b 47  |............&f.G|
00000d60  10 c3 66 59 66 5a 66 33  c0 c3 a0 f9 01 e9 f4 f3  |..fYfZf3........|
00000d70  a0 fa 01 e9 ee f3 00 00  00 00 00 00 00 00 00 00  |................|
00000d80  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00002000

What you are actually looking at is the Volume Boot Record for this NTFS volume, followed by its bootstrap code.  The $Boot file is 8192 bytes long (the dump ends at offset 0x2000): the first 512-byte sector holds the BIOS Parameter Block and ends with the 55 aa signature at offset 0x1fe, and the error strings starting at 0x180 ("A disk read error occurred", "NTLDR is missing") belong to the boot code.  If you are interested in parsing out the Volume Boot Record you can go here.
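As an added example (not part of the original post), the following Python decodes the BIOS Parameter Block from the first bytes of the hd output above and cross-checks it against the mmls entry for the partition.  The function names are mine; the bytes past offset 0x54 are constructed (bootstrap code zeroed, 55 aa signature kept) rather than transcribed, and the expectation that the volume's sector count is one less than the partition length reflects the backup boot sector NTFS keeps in the partition's last sector.

```python
import struct

# First 0x54 bytes of the $Boot file, transcribed from the hd output above; the
# rest of the 512-byte sector is constructed here (bootstrap code zeroed) with
# the 55 AA end-of-sector signature restored at offset 0x1FE.
VBR_HEX = (
    "eb 52 90 4e 54 46 53 20 20 20 20 00 02 08 00 00"
    "00 00 00 00 00 f8 00 00 3f 00 ff 00 3f 00 00 00"
    "00 00 00 00 80 00 80 00 d8 a6 3f 01 00 00 00 00"
    "00 00 0c 00 00 00 00 00 6d fa 13 00 00 00 00 00"
    "f6 00 00 00 01 00 00 00 1f c2 4f 74 08 50 74 7e"
    "00 00 00 00"
)
VBR_SECTOR = bytes.fromhex(VBR_HEX).ljust(510, b"\x00") + b"\x55\xaa"


def parse_ntfs_vbr(sector: bytes) -> dict:
    """Decode the BIOS Parameter Block of an NTFS Volume Boot Record."""
    if len(sector) < 512:
        raise ValueError("need the full 512-byte boot sector")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sector, 0x0B)
    hidden = struct.unpack_from("<I", sector, 0x1C)[0]
    total, mft_cluster, mftmirr_cluster = struct.unpack_from("<QQQ", sector, 0x28)
    # Signed bytes: a negative value v means the record is 2**(-v) bytes long.
    mft_rec, idx_rec = struct.unpack_from("<b3xb", sector, 0x40)
    serial = struct.unpack_from("<Q", sector, 0x48)[0]
    signature = struct.unpack_from("<H", sector, 0x1FE)[0]
    cluster_size = bytes_per_sector * sectors_per_cluster

    def record_size(v: int) -> int:
        return 2 ** (-v) if v < 0 else v * cluster_size

    return {
        "oem_id": sector[3:11].decode("ascii", "replace"),
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "cluster_size": cluster_size,
        "hidden_sectors": hidden,
        "total_sectors": total,
        "mft_cluster": mft_cluster,
        "mftmirr_cluster": mftmirr_cluster,
        "mft_byte_offset": mft_cluster * cluster_size,
        "mft_record_size": record_size(mft_rec),
        "index_record_size": record_size(idx_rec),
        "volume_serial": serial,
        "signature": signature,
    }


def check_against_mmls(vbr: dict, part_start: int, part_len: int) -> list:
    """Cross-check the VBR with the mmls partition entry; returns findings."""
    problems = []
    if vbr["oem_id"] != "NTFS    ":
        problems.append(f"unexpected OEM ID {vbr['oem_id']!r}")
    if vbr["signature"] != 0xAA55:
        problems.append(f"bad boot sector signature {vbr['signature']:#06x}")
    if vbr["hidden_sectors"] != part_start:
        problems.append(f"hidden sectors {vbr['hidden_sectors']} != partition start {part_start}")
    # NTFS keeps a backup boot sector in the partition's last sector, so the
    # volume's own sector count is normally one less than the partition length.
    if vbr["total_sectors"] != part_len - 1:
        problems.append(f"total sectors {vbr['total_sectors']} != partition length - 1")
    return problems
```

Running `check_against_mmls(parse_ntfs_vbr(VBR_SECTOR), 63, 20948697)` returns an empty list for this image: hidden sectors match the slot 02 start of 63 and the 20948696 total sectors are one short of the 20948697-sector partition, while the MFT starts at cluster 786432, 3 GiB into the volume.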

We will look at some other fls options in future posts.  Enjoy.
