File System Forensic Analysis by Brian Carrier
Author: Brian Carrier
Language: eng
Format: epub, pdf
Publisher: Pearson Education Limited (US titles)
Published: 2005-01-18T05:00:00+00:00
Table 10.8 ASCII values for the characters in our example LFN.
For clarity, we will do this whole thing in binary instead of constantly translating. The first step is to assign our variable ‘check’ to the value of the first letter of the name, ‘M.’
check = 0100 1101
For the remaining 10 rounds, we rotate the current checksum to the right by one bit and then add the next letter. The next two steps will shift our current value and add ‘Y.’
check = 1010 0110
check = 1010 0110 + 0101 1001 = 1111 1111
We rotate (with no effect because it is all 1s) and add ‘L.’
check = 1111 1111
check = 1111 1111 + 0100 1100 = 0100 1011
We rotate and add ‘O.’
check = 1010 0101
check = 1010 0101 + 0100 1111 = 1111 0100
From now on, I’ll leave out the rotate line and show only the addition. The next step is to rotate and add ‘N.’
check = 0111 1010 + 0100 1110 = 1100 1000
We rotate and add ‘G.’
check = 0110 0100 + 0100 0111 = 1010 1011
We rotate and add ‘~.’
check = 1101 0101 + 0111 1110 = 0101 0011
We rotate and add ‘1.’
check = 1010 1001 + 0011 0001 = 1101 1010
We rotate and add ‘R.’
check = 0110 1101 + 0101 0010 = 1011 1111
We rotate and add ‘T.’
check = 1101 1111 + 0101 0100 = 0011 0011
Finally, we rotate and add ‘F.’
check = 1001 1001 + 0100 0110 = 1101 1111 = 0xdf
Hopefully, you will never have to do this by hand, but now you can at least say that you have seen it before. The final value of 0xdf is the same that we saw in each of the LFN entries.
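The same calculation in code, as an added example that is not from the book or from TSK: it reproduces each round of the walk-through and then checks an LFN entry's stored checksum against a short-name entry. The function names and the two sample entries are constructed for illustration; the LFN attribute value 0x0F at byte 11 and the checksum at byte 13 follow the FAT directory entry layout.

```python
# Added example (not from the book or TSK): FAT LFN checksum over the 11-byte short name.

def to_dir_name(short_name):
    """'MYLONG~1.RTF' -> 11 on-disk bytes: 8-byte name + 3-byte extension, space padded, no dot."""
    base, _, ext = short_name.upper().partition(".")
    if not 1 <= len(base) <= 8 or len(ext) > 3:
        raise ValueError("not an 8.3 name: %r" % short_name)
    return (base.ljust(8) + ext.ljust(3)).encode("ascii")

def checksum_trace(name11):
    """Return the checksum after each round; the last element is the final value."""
    if len(name11) != 11:
        raise ValueError("short name must be exactly 11 bytes")
    check = name11[0]                                # round 1: first character
    trace = [check]
    for c in name11[1:]:                             # remaining 10 rounds
        check = (check >> 1) | ((check & 1) << 7)    # rotate right by one bit
        check = (check + c) & 0xFF                   # add next character, keep 8 bits
        trace.append(check)
    return trace

def lfn_checksum(name11):
    return checksum_trace(name11)[-1]

def lfn_matches(sfn_entry, lfn_entry):
    """True if a 32-byte LFN entry carries the checksum of the given short-name entry."""
    if len(sfn_entry) != 32 or len(lfn_entry) != 32:
        raise ValueError("directory entries are 32 bytes")
    if lfn_entry[11] != 0x0F:
        raise ValueError("not an LFN entry (attribute byte is not 0x0F)")
    return lfn_entry[13] == lfn_checksum(sfn_entry[:11])

# Constructed sample entries: only the fields used here are filled in.
SFN = to_dir_name("MYLONG~1.RTF") + bytes(21)
LFN = bytearray(32)
LFN[0], LFN[11], LFN[13] = 0x42, 0x0F, 0xDF   # sequence byte (constructed), LFN attribute, checksum

if __name__ == "__main__":
    for ch, value in zip(SFN[:11], checksum_trace(SFN[:11])):
        print("%s  %s  0x%02x" % (chr(ch), format(value, "08b"), value))
    print("LFN entry matches short name:", lfn_matches(SFN, bytes(LFN)))
```

For a deleted entry the first byte of the short name has been overwritten, so the checksum of the on-disk bytes will generally no longer match the value stored in its LFN entries.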
As an example output of processing this directory entry, we can look at the fls tool from TSK. fls prints the LFN and puts the short name in parentheses, as shown here:
# fls -f fat fat-2.dd
r/r 3: FAT DISK (Volume Label Entry)
r/r 4: RESUME-1.RTF
r/r 7: My Long File Name.rtf (MYLONG~1.RTF)
r/r * 8: _ile6.txt
The first two lines of the output show the volume label and short file name directory entries that we saw in the “Directory Entries” section. The third line shows the long name that we recently dissected, and the fourth line shows the name of a deleted file, _ile6.txt. The star in front of the name shows that it is deleted, and the first letter is missing because the first letter of the name is used to set the unallocated status. The number before the name shows the address of the directory entry where the details can be found.
