The suspect works for a large computer programming firm. He was seen by a co-worker having lunch with the CTO of another software company who creates similar software solutions. In addition, his boss located a suspicious email that discussed trading code for $50,000 to the CTO of the competing company. The director of security ordered a forensic examination of the suspect’s media, which has been imaged for you. You have been asked to locate the file, “TheSourceCode.exe” (without the quotes) in order to prove the suspect copied the company’s proprietary code on the suspect’s personally owned storage media. You will be asked to answer a series of questions related to the file system as part of your required proficiency in the NTFS file system.
1. There are_________physical sectors contained in the forensic image of the media.
2. The size of the forensic image is approximately________gigabytes (not bytes, not megabytes).
3. The MD5 Hash value of the media is________.
4. SHA1 hash value is________.
5. How many partitions appear in the partition table?
6. Which file system is located on the partition?
7. In which physical sector does the partition begin?
8. What is the volume serial number of the volume (list hex values)?
9. How many sectors are contained within the volume?
10. How many sectors per cluster are contained within the volume?
11. How many bytes are in one cluster?
12. How many bytes are in one MFT record?
13. Examine the NTFS system files on the volume. Assuming that the NTFS volume was used on a Windows system that was set to Eastern Daylight Time, when was the volume formatted (provide a date and time).
14. What is the volume name assigned to this volume?
15. In which logical file on the volume is the volume name located?
16. What is the logical size of the file that contains the volume name?
17. In which physical sector does the actual volume name appear?
18. In one to three sentences, describe the sole purpose of the $BITMAP file.
19. Within the $BITMAP file, how many clusters does a single byte govern on the volume?
20. Locate byte offset 10434 within the $BITMAP file and provide the binary value (bits) of this single byte.
21. From your answer to Question #20, how many clusters are allocated for this single byte value?
22. From your answer to Question #20, how many clusters are unallocated for this single byte value?
23. What is the record number of the file, $MFTMirr?
24. Examine the $MFTMirr file. What is the file name of the third MFT record?
25. During the course of an examination, you discover data in unallocated clusters, and at the onset of the cluster, the characters “INDX” appear followed by a series of file names. What is the technical name of this NTFS object?
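Questions 5 through 12 are answered from the NTFS boot sector, and Questions 19 through 22 from the $BITMAP file. The following Python is an added worked example, not part of the exercise and not derived from the suspect's image: it builds a constructed boot sector with assumed values (512 bytes per sector, 8 sectors per cluster, a -10 record-size code, serial number 0x1234567890ABCDEF), parses the fields the questions ask about, and shows how a single $BITMAP byte maps to eight clusters. Run it against a real image by reading the first 512 bytes of the partition instead of calling `build_boot_sector()`.

```python
import struct

def build_boot_sector():
    """Constructed NTFS boot sector for demonstration (assumed values, not from any case image)."""
    bs = bytearray(512)
    bs[0:3] = b"\xEB\x52\x90"                      # jump instruction
    bs[3:11] = b"NTFS    "                         # OEM ID
    struct.pack_into("<H", bs, 0x0B, 512)          # bytes per sector
    bs[0x0D] = 8                                   # sectors per cluster
    struct.pack_into("<Q", bs, 0x28, 2097152)      # total sectors in volume
    struct.pack_into("<Q", bs, 0x30, 786432)       # $MFT starting cluster (LCN)
    struct.pack_into("<Q", bs, 0x38, 2)            # $MFTMirr starting cluster
    struct.pack_into("<b", bs, 0x40, -10)          # file record size code: 2**10 = 1024 bytes
    struct.pack_into("<b", bs, 0x44, 1)            # index block size code: 1 cluster
    struct.pack_into("<Q", bs, 0x48, 0x1234567890ABCDEF)  # volume serial number
    bs[510:512] = b"\x55\xAA"                      # boot signature
    return bytes(bs)

def _size_from_code(code, bytes_per_cluster):
    # NTFS stores record/index sizes as a signed byte: a positive value is a
    # cluster count, a negative value n means the size is 2**(-n) bytes.
    return 2 ** (-code) if code < 0 else code * bytes_per_cluster

def parse_boot_sector(bs):
    """Return the volume geometry fields an examiner records from the boot sector."""
    if bs[3:11] != b"NTFS    " or bs[510:512] != b"\x55\xAA":
        raise ValueError("not an NTFS boot sector")
    bytes_per_sector = struct.unpack_from("<H", bs, 0x0B)[0]
    sectors_per_cluster = bs[0x0D]
    bytes_per_cluster = bytes_per_sector * sectors_per_cluster
    rec_code = struct.unpack_from("<b", bs, 0x40)[0]
    idx_code = struct.unpack_from("<b", bs, 0x44)[0]
    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "bytes_per_cluster": bytes_per_cluster,
        "total_sectors": struct.unpack_from("<Q", bs, 0x28)[0],
        "mft_lcn": struct.unpack_from("<Q", bs, 0x30)[0],
        "mftmirr_lcn": struct.unpack_from("<Q", bs, 0x38)[0],
        "mft_record_size": _size_from_code(rec_code, bytes_per_cluster),
        "index_block_size": _size_from_code(idx_code, bytes_per_cluster),
        # serial is a 64-bit little-endian value; report it as hex as the question asks
        "volume_serial_hex": format(struct.unpack_from("<Q", bs, 0x48)[0], "016X"),
    }

def cluster_to_physical_sector(lcn, sectors_per_cluster, partition_start_sector):
    """Convert a logical cluster number to the physical sector where it begins."""
    return partition_start_sector + lcn * sectors_per_cluster

def bitmap_byte(value):
    """Decode one $BITMAP byte: bit string (MSB first), allocated and unallocated counts."""
    bits = format(value, "08b")
    allocated = bits.count("1")
    return bits, allocated, 8 - allocated

def bitmap_clusters(byte_offset, value):
    """Map a $BITMAP byte offset to the eight clusters it governs.

    Bit 0 (least significant) corresponds to the lowest-numbered cluster,
    so the cluster list is built from the LSB upward.
    """
    first_cluster = byte_offset * 8
    return [(first_cluster + i, bool((value >> i) & 1)) for i in range(8)]

if __name__ == "__main__":
    geom = parse_boot_sector(build_boot_sector())
    for k, v in geom.items():
        print(f"{k}: {v}")
    print("$MFT begins at physical sector",
          cluster_to_physical_sector(geom["mft_lcn"], geom["sectors_per_cluster"], 2048))
    bits, alloc, free = bitmap_byte(0xF7)
    print(f"bitmap byte 0xF7 = {bits}: {alloc} allocated, {free} unallocated")
    for cluster, used in bitmap_clusters(10434, 0xF7):
        print(f"cluster {cluster}: {'allocated' if used else 'free'}")
```

Two points worth checking when you apply this to the exercise image: the MFT record size field is a signed byte, so a value of 0xF6 (-10) means 1024 bytes and not a cluster count; and the displayed bit string of a $BITMAP byte reads most-significant bit first, while the lowest-numbered cluster is the least-significant bit, so read right to left when you pair bits with cluster numbers.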