I can’t share with you the specifics of the problems that
make up the CFCE Mentor process, but I can tell you that knowing the ins and
outs of basic File System structures is key.
Doesn’t give much away, does it?
To understand all of the intricacies of NTFS, I relied heavily on Brian
Carrier’s book, File System Forensic Analysis.
My first exposure to this book was when my co-worker and friend (and
former cop) lent me his copy WAY back when I was studying for my EnCE (Guidance
Software’s EnCase Certified Examiner) certification. Let me describe the condition of his book –
that thing was dog-eared, sticky-tabbed, highlighted and underlined and stunk
of blood, sweat and tears. I don’t think
I had ever seen a book in such a “lovingly
used” condition and at the time, I didn’t understand it. Yet, now after putting the finishing touches
on Problem 4 of my CFCE certification, I get it. I now own two copies (and my husband has one,
too!) and I keep one in the back of my car at all times. I can’t stress enough the many mysteries the book has revealed to me.
Yet, there is one thing I ran into that was NOT in “the book” and I wish
to share it here:
If you ever need to find the MFT entry number of a deleted
entry, the old-school technique of figuring this out was to count the distance
(in bytes) from the start of the MFT (Entry 0 - $MFT) to the start of the entry
you needed to enumerate. Divide this
value by the size of an MFT entry (1,024 bytes) and the resultant number will
be the deleted entry number. So, what I
didn’t know, until just recently, is that there is an easier way.
At offset 44-47 of
each MFT entry for Windows XP and later, the value is also that of the MFT
entry number. (See image below)
So, what does this mean?
1.)
You need to write on p. 354 of your Carrier book
a note in the top margin that offset 44-47 of the data structure of the basic
MFT entry represents the Entry Record Number.
2.)
You no longer need to do MATH to figure out the
MFT entry number.
This clearly is not easy-to-find
information and that is why I was motivated to write this post. I spent DAYS searching for this
information and found some very confusing documentation on the subject but no
specifics!
