Alpha Geek

Category > Computer Science Posted 28 Apr 2017 My Price 8.00

In this project you explore the MFT

 

In this project, you explore the MFT and learn how to locate date and time values in the metadata of a file you create. These steps help you identify fragments of MFT records, which you might find in unallocated disk space or Pagefile.sys. You need the following for this project:

• Windows 2000 or later with the C drive configured as NTFS

• Notepad to create a small text file

• ProDiscover Basic to copy the MFT to your work folder (Note: Vista users, remember to use the Run as administrator option.)

• WinHex Demo to analyze the metadata in the MFT (provided on the book’s DVD, so copy and install it on your system first, if necessary)

1. Start Notepad, and create a text file with one or more of the following lines:

• A countryman between two lawyers is like a fish between two cats.

• A slip of the foot you may soon recover, but a slip of the tongue you may never get over.

• An investment in knowledge always pays the best interest.

• Drive thy business or it will drive thee.

2. Save the file in your work folder as C6Prj02.txt, and exit Notepad. (If your work folder isn’t on the C drive, make sure you save the C6Prj02.txt file on your C drive to have it entered in the $MFT files you copy later.)

3. Next, review the material in “MFT and File Attributes,” paying particular attention to attributes 0x10 and 0x30 for file dates and times. The following charts show the offset byte count starting at position FILE of the file’s MFT record for the date and time stamps:

4. Start ProDiscover Basic, and start a new project, using C6Prj02 for the project number and filename.

5. Click Action from the menu, point to Add, and click Disk.

6. In the Add Disk to Project dialog box, click PhysicalDrive0. Type c-drive in the Please enter unique name for physical disk text box, and then click Add. If you see the Add Disk warning message, click OK.

7. In the tree view, click to expand Content View, Disks, and PhysicalDrive0. Then click to select the C drive.

8. In the work area, scroll down, if necessary, and then right-click $MFT and click Copy File. In the Save As dialog box, navigate to your work folder, and then click Save.

9. When the $MFT file has been copied to your work folder, exit ProDiscover Basic, saving the project if prompted.

1. Start WinHex Demo by clicking Start, pointing to All Programs, and clicking WinHex. If you see an evaluation warning message, click OK.

2. Click the Open toolbar button. In the Open dialog box, navigate to your work folder, click the $MFT file, and then click Open. If you see another evaluation warning message, click the Do not display this kind of message again check box, and then click OK.

3. Click Search, Find Text from the menu.

4. In the text box for specifying the text string to search, type C6Prj02.txt. Click the Format Code list arrow (next to the list box containing the text “ASCII”), click Unicode, and then click OK. By default, WinHex displays a floating Data Interpreter window that converts hex values to decimal values and can also convert date and time codes. If you don’t see this window, activate it by clicking View, pointing to Show, and clicking Data Interpreter.

5. Right-click the Data Interpreter window and click Options. In the Data Interpreter Options dialog box, click the Win32 FILETIME (64 bit) check box, and then click OK. The Data Interpreter should then have FILETIME as an additional display.

6. In the WinHex window, scroll up so that the MFT record label FILE for C6Prj02.txt is the first line at the top of the hexadecimal and text displays.

7. Click at the beginning of the record, on the letter F in FILE, and then drag down and to the right while you monitor the hexadecimal counter in the lower-right corner. When the counter reaches 50, release the mouse button.

8. Move the cursor one position to the left (to the next byte), and record the date and time of the Data Interpreter’s FILETIME values.

9. Repeat Steps 7 and 8, using the offset positions plus 1 byte to see the values for the remaining date and time positions. Write down these values.

10. When you’re finished, exit WinHex and hand in the date and time values you recorded.
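The values read by hand in the WinHex steps can be cross-checked programmatically. This added example (not part of the original exercise or its textbook) walks an MFT FILE record, locates attributes 0x10 and 0x30, and decodes their four FILETIME values together with their record offsets. The sample record is constructed for illustration, the function names are hypothetical, and the timestamp order (created, modified, MFT modified, accessed) is the standard NTFS layout rather than something stated on this page.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
LABELS = ("created", "modified", "mft_modified", "accessed")

def filetime_to_utc(ft):  # FILETIME = 100 ns ticks since 1601-01-01 UTC
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def mft_timestamps(record):
    """Return {attr_type: {label: (record_offset, datetime)}} for 0x10 and 0x30.
    Update-sequence fixups (last two bytes of each 512-byte sector) are not applied."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    pos = struct.unpack_from("<H", record, 0x14)[0]    # offset of first attribute
    found = {}
    while pos + 0x18 <= len(record):
        atype, alen = struct.unpack_from("<II", record, pos)
        if atype == 0xFFFFFFFF or alen < 0x18 or pos + alen > len(record):
            break                                      # end marker or truncated fragment
        if atype in (0x10, 0x30) and record[pos + 8] == 0:   # resident attributes only
            body = pos + struct.unpack_from("<H", record, pos + 0x14)[0]
            body += 8 if atype == 0x30 else 0          # 0x30: skip parent directory reference
            if body + 32 <= pos + alen:
                stamps = struct.unpack_from("<4Q", record, body)
                found.setdefault(atype, {n: (body + 8 * i, filetime_to_utc(v))
                                         for i, (n, v) in enumerate(zip(LABELS, stamps))})
        pos += alen
    return found

def to_filetime(dt):
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10

def _attr(atype, content):  # resident attribute: 0x18-byte header + content
    return struct.pack("<IIBBHHHIHBB", atype, 0x18 + len(content), 0, 0, 0x18,
                       0, 0, len(content), 0x18, 0, 0) + content

# Constructed sample record (not taken from a real volume); first attribute at 0x38.
T_SI, T_FN = (datetime(2024, 1, 15, 10, m, tzinfo=timezone.utc) for m in (30, 29))
_si = struct.pack("<4Q", *[to_filetime(T_SI)] * 4) + bytes(16)
_fn = (bytes(8) + struct.pack("<4Q", *[to_filetime(T_FN)] * 4) + bytes(24)
       + bytes([11, 1]) + "C6Prj02.txt".encode("utf-16-le"))
_hdr = b"FILE" + bytes(0x10) + struct.pack("<H", 0x38) + bytes(0x38 - 0x16)
SAMPLE = (_hdr + _attr(0x10, _si) + _attr(0x30, _fn) + b"\xff" * 4).ljust(1024, b"\0")

if __name__ == "__main__":
    for atype, stamps in mft_timestamps(SAMPLE).items():
        for label, (off, when) in stamps.items():
            print(f"attr 0x{atype:02X} {label:<12} @0x{off:03X} {when.isoformat()}")
```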

 

 

 
 

Answers

Status NEW Posted 28 Apr 2017 09:04 AM My Price 8.00
