
Hardware/Software Setup Required

WinHex 15-1 SR-8 (available at http://www.x-ways.net/winhex/ or the EC-Council Certification Portal http://portal.eccouncil.org/)


Problem Description

Slack space is the area of a disk cluster between the end of the file and the end of the cluster. If the size of a file is less than the cluster size, a full cluster is still assigned to that file. The remaining space remains unused and is called slack space.


Slack space can be used to hide information. When analyzing a disk, you should also review the information contained in a file slack space. For this exercise, you will use WinHex to analyze files on a flash drive. First, you will extract a copy of the boot sector. Next, you will select any file, find its slack space, and extract the information contained there.


Estimated completion time: 1 hour


Outcome

  • A report of the steps you need to perform these tasks
  • A copy of the boot sector
  • A file with the information on a file's slack space


Validation/Evaluation

  • How big is the boot sector?
  • What is the structure of a FAT boot sector?
  • How can you extract the content of the slack space into a file?


ISSC459 Week 2 Lab 1

Name: _________________________

Date: _____________

Fill in your name above, put your full response below the question, save the file using the file naming convention "ISSC459_Lab1_LastName_FirstName.doc", where LastName is your last name and FirstName is your first name, then return this document for grading.


Lab Solution

1. Download WinHex from http://www.x-ways.net/winhex/ and install it on your computer.
2. Connect a flash drive to your computer.
3. Start WinHex.
4. Use the Open Disk button on the toolbar to begin examining your flash drive.
5. On the next window, select the appropriate drive and click OK.
6. Now, double-click Start sectors to analyze the partition boot sector and extract a copy.
7. Use the Internet to read more about the boot record for a FAT partition and explain the structure of the boot record.
8. Now, create a table with the structure of the boot record you wrote in the previous step and fill it with the corresponding information extracted from the actual boot record found by WinHex.
   [Screenshot: boot record]
9. Close the tab.

10. Now, double-click Partition 1 to analyze the slack space of a file.
11. Select a file from this new tab and take a moment to analyze the information presented about the file, including the following:
    a. File name
    b. File extension
    c. Size
    d. Creation date
    e. Last modification date
    f. Last access date
    g. Attributes
    h. First sector number
    i. (First) Cluster number
    j. Physical sector number
    k. Logical sector number
12. To see the list of clusters used by this file, right-click the file, then select Position->List Clusters. The list of clusters will appear on a pop-up window.
13. Recall that the slack space is the space between the end of a file and the end of the cluster. So, you need the size of the file in bytes to know where the slack space begins. You already have this information through WinHex. Note: You might need to convert the size presented by WinHex to bytes. Remember that a KB is 1024 bytes, a MB is 1024 Kbytes, etc. For example, 34.5 KB is equivalent to 34.5 x 1024 = 35328 bytes.

14. Now, click the Offset button at the bottom of the window.
15. Enter the size of the file in bytes as the "New position" on the next window. Also, select "current position" and click OK.
16. The cursor marks the beginning of the slack space.
    [Screenshot: beginning of slack space]
17. Next, you will extract the content of the slack space to a new file. First, you need to create a copying block. Click Edit->Define block.
18. On the next window, use current position as the value for the "Beginning" field and click OK.
19. Now we need to go to the beginning of the next cluster. Determine your current cluster number and add one to it.
20. Then, click the Sector button at the bottom of the window.
21. Write the desired cluster on the "Cluster" field on the next window, and click OK.
22. The cursor will mark the beginning of the next cluster; however, you need to go one character to the left, to the end of the previous cluster.
    [Screenshot: desired position; beginning of next cluster]
23. Now select again Edit->Define block and use the current position as the value for the "End" field. Click OK.
24. The selected block will be highlighted.
25. Now select Edit->Copy Block->Into New File, or press Ctrl+Shift+N. Write the name of the file, and click Save.
26. WinHex will save the content of the marked block (slack space) to the file and automatically display it on a new tab.
27. You can use this file later for further analysis.
28. Close the application.

Structure and content of a FAT boot sector

The first sector (512 bytes) of a FAT filesystem is the boot sector and contains the following fields:

| Bytes | Description | Hex value extracted from the file |
|---|---|---|
| 0-2 | Jump to bootstrap | FA BE 00 |
| 3-10 | OEM name/version | 7C BF 00 7A B9 00 01 FC |
| 11-12* | Number of bytes per sector | 0E 1F |
| 13 | Number of sectors per cluster | 0E |
| 14-15 | Number of reserved sectors | 07 F3 |
| 16 | Number of FAT copies | A5 |
| 17-18 | Number of root directory entries | EA 16 |
| 19-20 | Total number of sectors in the filesystem | 7A 00 |
| 21 | Media descriptor type | 00 |
| 22-23 | Number of sectors per FAT | BB BE |
| 24-25 | Number of sectors per track | 7B 33 |
| 26-27 | Number of heads | C9 80 |
| 28-31 | Number of hidden sectors | 3F 80 75 06 |
| 32-35 | Total number of sectors in the filesystem (in case the total was not given in bytes 19-20) | FE C5 8B F3 |
| 36 | Logical Drive Number (for use with INT 13, e.g. 0 or 0x80) | EB |
| 37 | Reserved | 07 |
| 38 | Extended signature. Indicates that the three following fields are present. | 80 |
| 39-42 | Serial number of partition | 3F 00 75 02 |
| 43-53 | Volume label or "NO NAME " | FE C1 83 C3 10 81 FB FE 7B 72 E5 |
| 54-61 | Filesystem type (E.g. "FAT12 ", "FAT16 ", "FAT ", or all zero.) | 83 F9 04 74 0B 81 F9 03 |
| 62-509 | Bootstrap | (bootstrap code bytes) |
| 510-511 | Signature 55 AA | 55 AA |

* BIOS Parameter Block starts here.

Quoted from an article posted September 20, 2002 at http://www.win.tue.nl/~aeb/linux/fs/fat/fat1.html, written by Andries Brouwer, titled The FAT filesystem.
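The slack extraction in steps 13 to 25 and the boot-sector layout in the table above, combined into one added example (not part of the original lab solution): it reads the BIOS Parameter Block at the table's offsets, then locates and copies out a file's slack. It assumes a FAT12/FAT16 volume and a file stored in contiguous clusters; the function names and the in-memory sample image are constructed for illustration.

```python
import struct

# Added example: names and sample data are hypothetical, not from the lab.
# Bytes 0-35 of the boot sector, in the order of the table above (little-endian).
BPB = struct.Struct("<3x8sHBHBHHBHHHII")

def parse_boot_sector(sector: bytes) -> dict:
    """Decode the BIOS Parameter Block and reject sectors that are not plausible FAT12/16."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xaa":
        raise ValueError("no 55 AA signature at bytes 510-511")
    (oem, bps, spc, reserved, fats, root_entries, total16, media,
     spf, _spt, _heads, _hidden, total32) = BPB.unpack_from(sector)
    # A partition table (MBR) also ends in 55 AA, so check the geometry fields too.
    # spf == 0 indicates FAT32, whose layout differs from the table above.
    if (bps not in (512, 1024, 2048, 4096) or spc == 0 or spc & (spc - 1)
            or fats == 0 or spf == 0):
        raise ValueError(f"implausible BPB: bytes/sector={bps}, sectors/cluster={spc}")
    root_sectors = (root_entries * 32 + bps - 1) // bps  # 32-byte directory entries
    return {"oem": oem.decode("ascii", "replace").rstrip(), "bytes_per_sector": bps,
            "cluster_size": bps * spc, "total_sectors": total16 or total32,
            "data_start": (reserved + fats * spf + root_sectors) * bps}

def slack_range(bpb: dict, first_cluster: int, file_size: int) -> tuple:
    """Volume offsets [start, end) of the slack after a file in contiguous clusters."""
    if first_cluster < 2 or file_size <= 0:
        raise ValueError("file has no allocated clusters")
    size = bpb["cluster_size"]
    file_start = bpb["data_start"] + (first_cluster - 2) * size  # clusters are numbered from 2
    clusters_used = -(-file_size // size)                        # round up
    return file_start + file_size, file_start + clusters_used * size

def extract_slack(image: bytes, first_cluster: int, file_size: int) -> bytes:
    """Copy the slack bytes out of a raw volume image."""
    start, end = slack_range(parse_boot_sector(image[:512]), first_cluster, file_size)
    return image[start:end]

def build_sample_image() -> bytes:
    """Constructed 16 KiB volume: 512-byte sectors, 4 sectors per cluster."""
    img = bytearray(16 * 1024)
    BPB.pack_into(img, 0, b"SAMPLE  ", 512, 4, 1, 2, 16, 32, 0xF8, 1, 32, 2, 0, 0)
    img[510:512] = b"\x55\xaa"
    start = 2048 + (3 - 2) * 2048                    # data area at 2048, file in cluster 3
    img[start:start + 3000] = b"A" * 3000            # 3000-byte file occupying two clusters
    img[start + 3000:start + 3011] = b"hidden note"  # bytes left behind in the slack
    return bytes(img)

if __name__ == "__main__":
    slack = extract_slack(build_sample_image(), first_cluster=3, file_size=3000)
    print(len(slack), slack.rstrip(b"\x00"))
```

A file whose size is an exact multiple of the cluster size yields an empty range, and a fragmented file needs the cluster list from step 12 instead of the contiguous assumption.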

 



About this Question

STATUS

Answered

QUALITY

Approved

DATE ANSWERED

Sep 13, 2020
