Finding Digital Crimes by Exploring Master File Table (MFT) Records

Written by gtmars.com | Published 2022/10/21
Tech Story Tags: technology | software-engineering | digital-forensics | computer-science | cyber-threats | business | data-analytics | cybersecurity | web-monetization

TL;DR: In this project, we conduct an internal digital investigation and forensics examination. We explore the MFT records and identify previously deleted fragments of MFT record information. All the required procedures (identifying, analysing, investigating, developing and testing the various operations) are documented with the WinHex tool.

In this project we explore MFT records and learn how to locate the date and time values in the metadata of a file we create ourselves. Knowing where these values sit helps us identify previously deleted fragments of MFT records in unallocated disk space or in residual data in Pagefile.sys.

[Hands-On Project 1–2]

Investigation and Development Procedures:

In this project, we conduct an internal digital investigation and forensics examination. We explore the MFT records and identify previously deleted fragments of MFT record information. All the required procedures (identifying, analysing, investigating, developing and testing the various operations) are documented with the WinHex tool [1]. The following activities on the MFT are carried out with the WinHex editor.

System Requirements:

• A system running Windows with the C drive formatted as NTFS.

• Notepad to create a small text file.

• WinHex to analyse the metadata in the MFT.

WinHex tool: Computer Forensics & Data Recovery Software, Hex Editor & Disk Editor:

WinHex is at its core a universal hexadecimal editor, particularly helpful in the realm of computer forensics, data recovery, low-level data processing, and IT security. It is an advanced tool for everyday and emergency use: inspect and edit all kinds of files, and recover deleted files or lost data from hard drives with corrupt file systems or from digital camera cards.

What you can do with WinHex Tool:

Disk cloning, disk imaging: To produce exact duplicates of disks/drives, e.g. to save the time of a full installation of the operating system and other software on several computers/disks of the same type, or to be able to restore a running installation in case of data loss or a broken Windows installation (restoration of a backup).

RAM editor: For debugging purposes (programming), and for examining/manipulating any running program, in particular computer games (cheating).

Analyzing files: To determine the type of data recovered as lost cluster chains by ScanDisk or chkdsk.

Wiping confidential files or disks: Otherwise computer forensics specialists will be able to retrieve them. To securely erase a file, use File Manager | Delete Irreversibly. For disk wiping, open the disk with the disk editor and use Edit | Fill Disk Sectors, e.g. fill with zero bytes (hexadecimal value 00) or random bytes.

Wiping unused space and slack space: To close security leaks, to securely destroy previously existing classified files that have only been deleted in the traditional way, or to minimize the size of your disk backups (like WinHex backups or Norton Ghost backups), since initialized space can be compressed by 99%. On NTFS drives, WinHex will even offer to wipe all currently unused $Mft (Master File Table) file records, as they may still contain names and fragments of files previously stored in them. File slack is the unused end of the last cluster allocated to a file, which usually contains traces of previously existing files. Slack space, like everything else, is processed by WinHex very fast.

ASCII/EBCDIC conversion: Allows text to be exchanged between mainframe computers and the PC in both directions. You may even tailor the character translation table in WinHex (ebcdic.dat) to your own needs.

Binary, Hex ASCII, Intel Hex, Motorola S conversion: For (E)PROM programmers.

Unifying/dividing odd/even bytes/words: For (E)PROM programmers.

Editing data structures: Using custom templates.

Splitting files that do not fit on a disk: Split/Concatenate.

WinHex as a reconnaissance and learning tool: Are you sure Microsoft Word really discards previous states of your document? You may be surprised to find text deleted long ago in your .doc files, maybe text that you really do not wish to be seen by the person you are going to pass the .doc file to. Discover what various software programs save in their files. Study unknown file formats and learn how they work. Investigate, for example, how executable files are structured and how they are loaded into RAM.

Finding interesting values: Using the Combined Search or the File Comparison utility, for later manipulation.

Manipulating saved game files: For cheat sites on the Internet, or for developing your own cheats.

Upgrading MP3 jukeboxes and the Microsoft Xbox with a larger hard drive: To upgrade, the new hard disk must be prepared first. This is where you need WinHex.

Viewing and manipulating files that usually cannot be edited: Files protected by Windows (e.g. the swap file, temporary files of Internet Explorer), using the disk editor.

Viewing, editing, and repairing system areas: The Master Boot Record with its partition table, and boot sectors.

Hiding data or discovering hidden data: WinHex specifically supports access to surplus sectors that are not in use by the operating system because they do not add up to an entire cluster or cylinder.

Unlimited undo: When editing, reverse any of your steps.

Jump back and forward: WinHex keeps a history of your offset jumps, and lets you go back and forward in the chain, like an Internet browser does.

Scripting: Automated file editing using scripts, to accelerate recurring routine tasks or to carry out certain tasks on unattended remote computers. The ability to execute scripts other than the supplied sample scripts is limited to owners of a professional license.

API (Application Programming Interface): Professional users may also make good use of WinHex's advanced capabilities in their own programs written in Delphi, C/C++, or Visual Basic. The WinHex API provides a convenient interface for random access to files and disks (at the sector level). The provided functions are similar to the scripting commands.

Data recovery: For erroneously deleted files, or generally after a loss of data. Recovery can be done manually (see undeleting files) or automatically. There is an automatic recovery mode for FAT12, FAT16, FAT32, and NTFS drives called “File Recovery by Name” that simply requires you to specify one or more file masks (like *.gif, John*.doc, etc.); WinHex will do the rest. Via the Access button menu, a recovery mechanism is available for FAT drives which re-creates entire nested directory structures. Another mechanism (“File Recovery by Type”, formerly “file retrieval”) can be used on any file system and recovers all files of a certain type at a time. Supported file types: jpg, png, gif, tif, bmp, dwg, psd, rtf, xml, html, eml, dbx, xls/doc, mdb, wpd, eps/ps, pdf, qdf, pwl, zip, rar, wav, avi, ram, rm, mpg, mov, asf, mid. Owners of digital cameras in particular quite often encounter problems with their media; WinHex is likely to help with this automated function, which makes good use of file headers (characteristic signatures at the beginning of a file).

Computer examination/forensics: WinHex is an invaluable tool in the hands of computer investigative specialists in private enterprise and law enforcement.

128-bit encryption: To make files unreadable by others.

Checksum/digest calculation: To make sure a file is not corrupt and was not manipulated, or to identify commonly known files.

Generating pseudo-random data: For various (e.g. scientific simulation) purposes.

[Hands-On Project 1–2]

Step 1: First, open the WinHex home screen on your PC, as shown in Figure 1.

Step 2: Start Notepad and create a text file with one or more lines; the content can be anything you like.

Step 3: Save the file in your work folder as C5Prj02.txt and exit Notepad. (If your work folder isn’t on the C drive, make sure you save the file on your C drive to have it entered in the $MFT files you copy later.)

Step 4: Next, review the material in “MFT and File Attributes,” paying particular attention to attributes 0x10 and 0x30 for file dates and times. The following charts show the offset byte count starting at position FILE of the file’s MFT record for the date and time stamps:

Step 5: Next, examine the metadata of the C5Prj02.txt file stored in the $MFT file.

Step 6: Start WinHex with the Run as administrator option. If you see an evaluation warning message, click OK.

Step 7: As a safety precaution, click Options, Edit Mode from the menu. In the Select Mode (globally) dialogue box, click Read-only Mode (=write protected), as shown in Figure 4, and then click OK.

Step 8: Click Tools, Open Disk from the menu. In the View Disk dialog box, click the C: drive (or the drive where you saved C5Prj02.txt), as shown in Figure 5–40, and then click OK. If you’re prompted to take a new snapshot, click Take new one. Depending on the size and quantity of data on your disk, it might take several minutes for WinHex to traverse all the files and paths on your disk drive.

Step 9: Click Options, Data Interpreter from the menu. In the Data Interpreter Options dialogue box, click the Windows FILETIME (64 bit) check box, shown in Figure 6, and then click OK. The Data Interpreter should then have FILETIME as an additional display item.

Step 9: Now navigate to the work folder (C:\Assmnt1\Ch05\) in WinHex. In the upper-right pane of WinHex, scroll down until you see the folder. Double-click each folder in the path, as shown in Figure 8, and then click the C5Prj02.txt file.

Step 10: Drag from the beginning of the record (the letter F in FILE) down and to the right while you watch the hexadecimal counter in the lower-right corner. (Note: 50 hexadecimal bytes is the “position” of the first date and time stamp in this record, as described in the previous charts for 0x10 $Standard Information.) When the counter reaches 50, as shown in Figure 9, release the mouse button.

Item 1: C Time (file creation):

Note: The offset identified above (0x50) is for the C time (file creation).

Item 2: A Time (file altered) with offset value 0x58:

Step 11: Drag from the beginning of the record (the letter F in FILE) down and to the right while you watch the hexadecimal counter in the lower-right corner. (Note: 58 hexadecimal bytes is the “position” of this date and time stamp in the record, as described in the previous charts for offset 0x58 of $Standard Information.) When the counter reaches 58, as shown in Figure 10, release the mouse button.

Item 3: A Time (file altered) with offset value 0x60:

Step 12: Drag from the beginning of the record (the letter F in FILE) down and to the right while you watch the hexadecimal counter in the lower-right corner. (Note: 60 hexadecimal bytes is the “position” of this date and time stamp in the record, as described in the previous charts for offset 0x60 of $Standard Information.) When the counter reaches 60, as shown in Figure 11, release the mouse button.

0x30 $File_Name (data starts at offset 0x18)

Item 4: C Time (file creation):

Step 13: Drag from the beginning of the record (the letter F in FILE) down and to the right while you watch the hexadecimal counter in the lower-right corner. (Note: B8 hexadecimal bytes is the “position” of this date and time stamp in the record, as described in the previous charts for offset 0xB8 of $File_Name.) When the counter reaches B8, as shown in Figure 12, release the mouse button.

Item 5: A Time (file altered):

Step 13: Drag from the beginning of the record (the letter F in FILE) down and to the right while you watch the hexadecimal counter in the lower-right corner. (Note: C0 hexadecimal bytes is the “position” of this date and time stamp in the record, as described in the previous charts for offset 0xC0 of $File_Name.) When the counter reaches C0, as shown in Figure 13, release the mouse button.

Item 6: R Time (file read):

Step 13: Drag from the beginning of the record (the letter F in FILE) down and to the right while you watch the hexadecimal counter in the lower-right corner. (Note: C8 hexadecimal bytes is the “position” of this date and time stamp in the record, as described in the previous charts for offset 0xC8 of $File_Name.) When the counter reaches C8, as shown in Figure 14, release the mouse button.

Item 7: M Time (MFT change):

Step 14: Drag from the beginning of the record (the letter F in FILE) down and to the right while you watch the hexadecimal counter in the lower-right corner. (Note: D0 hexadecimal bytes is the “position” of this date and time stamp in the record, as described in the previous charts for offset 0xD0 of $File_Name.) When the counter reaches D0, as shown in Figure 15, release the mouse button.

Project summary with FILETIME information:

The explored results are recorded in the project summary Table 2.

Conclusion:

In this project, we took a new WinHex snapshot of the C: drive to explore the MFT records on the Windows system, using “C:\Assmnt1\Ch05” as the work folder. We then created the “C5Prj02.txt” project file, whose record is stored in the $MFT file on the C: drive. Before starting the examination, we switched WinHex to “Read-only mode”, which keeps the data on the disk intact.

The objective of this task was to identify and understand the file timestamps and how they vary: the file created, read, altered, MFT-changed and accessed stamps. We analysed and interpreted the given offset positions against the metadata of the created text file, and located and recorded the date and time value at each offset position. The explored results are recorded in the project summary Table 2.

The empirical findings of this study provide additional evidence that all the FILETIME values hold near-identical records, because they all stem from the moment of file creation during the project activities and the file was not accessed or altered in any way afterwards. The recorded values are therefore consistent and can be used for evaluation and result verification. Future project work should access the file, change its “contents”, and read the metadata again to record how each timestamp changes, so that the evidence remains useful for digital forensics in the long term.

Hands-on Project 2–2, Exploring File Headers

In this project, we conduct an internal digital investigation and forensics examination, using WinHex to become familiar with different file types and their headers.

Investigation and Development Procedures:

Step 1: First, open the WinHex home screen on your PC, as shown in Figure 1.

Step 2: Create a new Microsoft Excel (.xlsx) file, a Microsoft Word (.docx) file, and a .jpg file.

Note: Feel free to create an empty file or choose any of your existing files. In this task we only analyse the file headers; we do not change them.

Step 3: Open each file type in WinHex. Record the hexadecimal codes for each file in a text editor, such as Notepad or WordPad.

We used the file signature table at [2] to compare our recorded header bytes against the published values for each type: hex signature, file extension, ASCII signature, file description, and so on.
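The comparison against the signature table can be scripted. The following Python example is added here and is not code from the article or from WinHex: it prints the leading bytes the way WinHex displays them, matches them against a small table of well-known magic values, and flags files whose extension does not fit their header. It also handles the case this project runs into directly: a .docx and an .xlsx both begin with the same “PK” ZIP header, so the script opens the archive and uses the top-level folder names (word/, xl/, ppt/) to tell them apart. The sample files are constructed in memory; the file names and contents are assumptions.

```python
"""Identify file types from header bytes and flag name/content mismatches.

Added example, not code from the article or from WinHex. The signature
table holds well-known magic values; the sample files are constructed here.
"""
import io
import zipfile
from pathlib import PurePath

# (magic bytes at offset 0, description, extensions that legitimately carry it)
SIGNATURES = [
    (b"\xFF\xD8\xFF", "JPEG image", {".jpg", ".jpeg"}),
    (b"\x89PNG\r\n\x1a\n", "PNG image", {".png"}),
    (b"%PDF-", "PDF document", {".pdf"}),
    (b"GIF87a", "GIF image", {".gif"}),
    (b"GIF89a", "GIF image", {".gif"}),
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", "OLE2 compound file (legacy .doc/.xls)", {".doc", ".xls"}),
    (b"PK\x03\x04", "ZIP container", {".zip", ".docx", ".xlsx", ".pptx"}),
]
ZIP_MAGIC = b"PK\x03\x04"
# Inside an OOXML zip the top-level folder tells Word, Excel and PowerPoint apart.
OOXML_DIRS = {"word/": (".docx", "OOXML Word document"),
              "xl/": (".xlsx", "OOXML Excel workbook"),
              "ppt/": (".pptx", "OOXML PowerPoint presentation")}


def hex_header(data, count=16):
    """The first bytes as a hex editor shows them, e.g. 'FF D8 FF E0'."""
    return " ".join(f"{b:02X}" for b in data[:count])


def identify_by_signature(data):
    """Return (magic, description, extensions) for the first matching signature."""
    for magic, description, exts in SIGNATURES:
        if data.startswith(magic):
            return magic, description, exts
    return None


def refine_ooxml(data):
    """All OOXML files share the PK header; the zip entry names settle the type."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return "ZIP header but unreadable archive", set()
    for prefix, (ext, description) in OOXML_DIRS.items():
        if any(n.startswith(prefix) for n in names):
            return description, {ext}
    return "generic ZIP archive", {".zip"}


def classify(filename, data):
    """Return (description, name_matches_content). False in the second slot
    means the extension claims a type that the header does not support."""
    hit = identify_by_signature(data)
    if hit is None:
        return "unrecognised signature", False
    magic, description, exts = hit
    if magic == ZIP_MAGIC:
        description, exts = refine_ooxml(data)
    return description, PurePath(filename).suffix.lower() in exts


def make_ooxml(top_dir):
    """Constructed stand-in for a .docx/.xlsx: a zip with the right folder layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr(f"{top_dir}/placeholder.xml", "<x/>")
    return buf.getvalue()


SAMPLE_JPEG = b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 8   # constructed JFIF header

if __name__ == "__main__":
    samples = (("report.docx", make_ooxml("word")), ("budget.xlsx", make_ooxml("xl")),
               ("photo.jpg", SAMPLE_JPEG), ("photo.jpg", make_ooxml("word")))
    for fname, data in samples:
        desc, ok = classify(fname, data)
        print(f"{fname:<12} {hex_header(data, 8):<24} {desc:<36} {'ok' if ok else 'MISMATCH'}")
```

The last sample, a Word document renamed to photo.jpg, is the case an examiner cares about: the extension says image, the bytes say ZIP, and the archive layout says Word. Recording the header bytes (as Step 3 asks) is what makes that mismatch visible no matter what the file is called.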

Conclusion:

In this project, we conducted an internal digital investigation and forensics examination of file types. We created and explored different file formats with the WinHex viewer in Read-only mode, and recorded each file type and its header bytes at the relevant offsets in the summary table.

REFERENCES

[1] X-Ways Software Technology AG. (Nov 23, 2021). WinHex: Hex editor & disk editor, computer forensics & data recovery software. Software for Computer Forensics, Data Recovery, and IT Security. https://www.x-ways.net/winhex/

[2] Kessler, G. C. (n.d.). File signatures. GaryKessler.net. https://www.garykessler.net/library/file_sigs.html

— — — — — —— — -THE END — — — — — — — — — — — —

Quote of the day: 石橋を叩いて渡る (Ishibashi o tataite wataru).

Explanation: For instance, consider a stone bridge very solid in structure. However, like any kind of bridge, stone bridges could potentially collapse at any time if their structure has weakened. It’s the necessity of taking precautions even though it may seem safe at first.

Thanks for reading! Have a pleasant day!

Originally published here.


Written by gtmars.com | gtmars.com, Sharing knowledge in the digital world about Cybersecurity
Published by HackerNoon on 2022/10/21