Question
    1015920  49 00 40 00 45 00 2E 00 54 00 00 00 58 00 54 00  I LE.TXT
    1015936  53 41 56 45 44 46 7E 31 54 58 54 02 00 12 29 90  SAVEDF1TXT
    1015952  66 41 45 45 00 00 49 90 66 41 03 00 12 00 00 00  FAEE IfA
    1015968  E5 58 00 54 00 00 00 FF FF FF FF 0F 00 A7 FF FF  &X T yyyy Syy
    1015984  FF FF FF FF FF FF FF FF FF FF 00 00 FF FF FF FF  yyyyyyyyyy yyyy
    1016000  E5 44 00 45 00 4C 00 45 00 54 00 0F 00 A7 45 00  D ELET SE

Figure 1. FAT Directory Entry Structure Table from a Thumb Drive

Figure 1 shows the FAT directory entry structures for a file saved on a thumb drive. The file is named savedfile.txt. You don't need to fully understand what you're looking at yet. This is simply an exercise in locating, extracting, and decoding data structures. At this point, you should be able to look at any chunk of disk data, and when given a data structure table, you should be able to locate and decode the data structures. What these data structures mean will make more sense in future modules! But rather than giving you nonsense data, I'm giving you real-world data and asking you to locate, extract, and decode bytes of data that will eventually be useful in answering real-world investigative questions.

Per Table 10.5 Data structure for a basic FAT directory entry in your textbook, a file's attributes are stored in a bit flag data structure at offset 11 in a file's main directory entry structure. (This means it's at offset 11, relative to the start of the directory entry structure highlighted in yellow above. Don't forget to start counting from zero!) The file attribute byte is a set of bit flags that tells the file system if the file is read-only, system, hidden, etc. Table 10.6 Flag values for the directory entry attributes field then identifies the attributes, by breaking that byte into the individual bit flags.

Using the figure above and Tables 10.5 and 10.6 in your textbook, answer these questions:

1. Identify the single byte that contains the data structure for the file attributes bit flag for the file named savedfile.txt.
   a. What is this byte in hex?
   b. What is this value in binary?
   c. Using Table 10.6 in Carrier, which bit flag(s) is/are set?
   d. What would the byte value be if the file were read-only and the archive bit was not set? (Hint: You need to set/un-set specific bit flags at the bit level and convert the 8 bits to a hex byte.)
   e. What would the byte value be if the file were read-only and hidden?
   f. Is endian ordering relevant to this data structure? Why or why not?

| Byte Range | Description | Essential |
|---|---|---|
| 0-0 | First character of file name in ASCII and allocation status (0xe5 or 0x00 if unallocated) | Yes |
| 1-10 | Characters 2 to 11 of file name in ASCII | Yes |
| 11-11 | File Attributes (see Table 10.6) | Yes |
| 12-12 | Reserved | No |
| 13-13 | Created time (tenths of second) | No |
| 14-15 | Created time (hours, minutes, seconds) | No |
| 16-17 | Created day | No |
| 18-19 | Accessed day | No |
| 20-21 | High 2 bytes of first cluster address (0 for FAT12 and FAT16) | Yes |
| 22-23 | Written time (hours, minutes, seconds) | No |
| 24-25 | Written day | No |
| 26-27 | Low 2 bytes of first cluster address | Yes |
| 28-31 | Size of file (0 for directories) | Yes |

Table 10.5 Data structure for a basic FAT directory entry.

one or more of the bits in Table 10.6 set.

| Flag Value (in bits) | Description | Essential |
|---|---|---|
| 0000 0001 (0x01) | Read only | No |
| 0000 0010 (0x02) | Hidden file | No |
| 0000 0100 (0x04) | System file | No |
| 0000 1000 (0x08) | Volume label | Yes |
| 0000 1111 (0x0f) | Long file name | Yes |
| 0001 0000 (0x10) | Directory | Yes |
| 0010 0000 (0x20) | Archive | No |

Table 10.6 Flag values for the directory entry attributes field.
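Added example, not part of the original question or the textbook: a Python decoder for the Table 10.5 fields used in this exercise, breaking the attribute byte at offset 11 into the Table 10.6 flags and setting or clearing individual bits. The sample entry is constructed (it is not the data from Figure 1), and the function names are hypothetical.

```python
import struct

# Flag values from Table 10.6 (directory entry attributes field).
ATTR_FLAGS = {0x01: "Read only", 0x02: "Hidden file", 0x04: "System file",
              0x08: "Volume label", 0x10: "Directory", 0x20: "Archive"}
ATTR_LFN = 0x0F  # all four low bits set marks a long file name entry


def decode_attributes(attr):
    """Return the Table 10.6 flag names set in a one-byte attributes value."""
    if attr & ATTR_LFN == ATTR_LFN:
        return ["Long file name"]
    return [name for bit, name in ATTR_FLAGS.items() if attr & bit]


def parse_entry(entry):
    """Decode selected Table 10.5 fields from one 32-byte directory entry."""
    if len(entry) != 32:
        raise ValueError("a FAT directory entry is exactly 32 bytes")
    attr = entry[11]  # offset 11, counting from zero
    # Multi-byte fields are stored little-endian on disk.
    hi = struct.unpack_from("<H", entry, 20)[0]
    lo = struct.unpack_from("<H", entry, 26)[0]
    size = struct.unpack_from("<I", entry, 28)[0]
    return {
        "allocated": entry[0] not in (0x00, 0xE5),
        "name": entry[0:11].decode("ascii", errors="replace"),
        "attr_hex": f"0x{attr:02x}",
        "attr_bin": f"{attr:08b}",
        "flags": decode_attributes(attr),
        "first_cluster": (hi << 16) | lo,
        "size": size,
    }


def set_flags(attr, set_bits=0, clear_bits=0):
    """Set and clear individual flag bits, keeping the result in one byte."""
    return ((attr | set_bits) & ~clear_bits) & 0xFF


# Constructed sample entry (not the bytes from Figure 1): REPORT.TXT,
# attributes 0x21, first cluster 5, size 1234 bytes.
SAMPLE = (b"REPORT  TXT" + bytes([0x21]) + bytes(8)
          + struct.pack("<H", 0) + bytes(4)
          + struct.pack("<H", 5) + struct.pack("<I", 1234))

if __name__ == "__main__":
    for key, value in parse_entry(SAMPLE).items():
        print(f"{key:14}{value}")
```
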