I recently had a need to make some simple forensic images for use with students. I decided to make one with some simple "anomalies" in hopes the students would pick up on them. So I figured I would share them and let others take a look to help refresh some foundational examination techniques.
The image linked below if fairly simple. A few files, not much more. But there are a few "anomalies" that should be detected and noted.
Download .E01 image here
The image linked below if fairly simple. A few files, not much more. But there are a few "anomalies" that should be detected and noted.
Download .E01 image here
Not sure if I am on the right track, but here are a couple of things:
ReplyDeleteMBR partition table shows only 07 and one 06, but there are actually one 07 and two FAT 16's.
Relative position for 07 and 06 is the same: 1024000.
Size for 06 is zero.
Sector 63 does not have volume boot record.
Volume C and D appear to be almost identical, except the FAT for the D volume is about four times the size of C's FAT.
Lastly, volume E's $Bad Cluster is about 524MB, seems too large.
Art
@anon
ReplyDeleteYes, you are on the right track ;)
Hello Lance,
ReplyDeleteI'm just downloaded E01. I'm gonna start
I see a discrepancy in the volume file system and the partition ID as shown in the MBR.
ReplyDeleteC volume file system is FAT16 but MBR shows 0c (FAT32x)
D volume file system is FAT32 but MBR shows 07 (NTFS)
E volume file system is NTFS but MBR shows 06 (BIGDOS)
A
Hey Lance,
ReplyDeleteThanks,
Can you create some for FTK as well