Data Carving

Question 1

What is Data Carving?

Answer 1

Unallocated system space has files extracted from it

Question 2

Data rebuilding

Answer 2

Fixing files that are damaged or partially deleted.

Question 3

What is the MFT?

Answer 3

Master File Table?

Question 4

What uses the MFT?

Answer 4

NTFS

Question 5

What is the overall structure of an MFT entry called?

Answer 5

A file record segment.

Question 6

What things does a file record segment have in it?

Answer 6

• Header
• Attribute Record Header
• Attribute type/name/value
• Attribute record header…
• 0xffffff

Question 7

How big is each MFT entry?

Answer 7

0x400

Question 8

SequenceNumber

Answer 8

Incremented each time the file record segment is freed.

Question 9

FILE_RECORD_SEGMENT_IN_USE

Answer 9

Says if the file is deleted or not.

Question 10

BaseFileRecordSegment

Answer 10

File reference to the base file record segment.

Question 11

How far in is the SequenceNumber?

Answer 11

16 bytes

Question 12

How far in is the FILE_RECORD_SEGEMNT_IN_USE?

Answer 12

22 bytes in

Question 13

How far in is the BaseFileRecordSegment?

Answer 13

32 bytes

Question 14

States for the FRSIU

Answer 14

01000 -> Existing file
00000 -> Deleted file
03000 -> existing folder
02000 -> deleted folder

Question 15

States for the BaseFileRecordSegment

Answer 15

0 if the record is the “base” (first record for the file)
Otherwise it points to the base.

Question 16

MFT Attributes

Answer 16

Each unit of information associated with a file.

Question 17

Where are attributes written that are too large for the current segment?

Answer 17

In an “extent”

Question 18

What is an ADS?

Answer 18

Alternate data stream.

Question 19

What is an alternate data stream?

Answer 19

A user defined attribute.

Question 20

What ADS’ is interesting to us?

Answer 20

The ZoneID
HostUrl
ReferrerUrl

Question 21

Why is the ZoneID interesting?

Answer 21

ZoneID 3 is the internet, meaning that the file was explicitly downloaded from the internet.

Question 22

Why is the HostUrl interesting

Answer 22

The URL of the file

Question 23

Why is the ReferrerUrl interesting?

Answer 23

URL that served the file

Question 24

Data recovery vs data carving

Answer 24

Recovery - the file is still in its fullness there
Carving - Raw medium without File system info

Question 25

PhotoRec

Answer 25

Automatically carves photos out of different spaces.

Question 26

Arsenal image mounter

Answer 26

An image mounter that lets you mount shadow copies.

Question 27

HxD

Answer 27

A raw hex editor.

Question 28

What is the jpg file header?

Answer 28

FFD8FF

Question 29

What is the jpg file footer?

Answer 29

FFD9

Question 30

What does an SSD do differently than an HDD?

Answer 30

SSDs have garbage collection which allows them to speed up performance by “caching” deletes.

Question 31

What is the TRIM command?

Answer 31

The OS telling a NAND drive that it does not need the data anymore.

Question 32

Why is the TRIM command important?

Answer 32

It allows garbage collection to happen more efficiently.