Cybercrime & Forensics - January 26, 2016
Hands-On Homework #3 - Due February 2nd on Canvas by beginning of Class.

Location and Size Worksheet

The format of the traditional DOS 8.3 is as follows:

Offset  Length   Value
0       8 bytes  Name
8       3 bytes  Extension
                 Attribute (00ARSHDV)
                   A  archive bit
                   R  read-only bit
                   S  system bit
                   D  directory bit
                   V  volume bit
22      word     Time
24      word     Date
26      word     Cluster (see below)
28      dword    File Size

Note: WORD = 2 bytes, DWORD = 4 bytes

LOCATION, in the form of a starting cluster address, is given in offset 26-27.

REMEMBER we are "Little Endian" so we REVERSE THE ORDER of the two Bytes we find at offset 22.

0d c9 = 3529

** Cluster Area: 160 - 69395

METADATA INFORMATION
Range: 2 - 1020946
Root Directory: 2

CONTENT INFORMATION
Sector Size: 512
Cluster Size: 2048
Total Cluster Range: 2 - 15945

Math:
((Cluster Address - Reserved Clusters) x (Cluster Size / Sector Size) + Cluster Area Start) x Sector Size

File start location:
((3529 - 2) x (2048 / 512) + 160) x 512 = 7,305,216

SIZE

Example:
001188046  41 40 45 50 55 7 31 4a 50 47 20 00 75 06 78 5a 38 5a 38 00 00 67 42 73 79 0d 05 9f 22 00  LAKEPU~1JPG

Convert 05 9f 22 00 to Little Endian = 00 22 9f 05
Hex to Decimal: convert x00229f05 to Decimal = 2,268,933

ASSIGNMENT PORTION

Using your new Thumb Drive image from class ...

Choose one of your .JPG files, your .MP3 file, and your .PDF file. Calculate the LOCATION and SIZE of each of those files, showing your work in the following steps:

FOR EACH OF THREE FILES:
1. Show the value at offset 26-27.
2. Show the equation to calculate the starting point for your file.
3. Calculate the starting point.
4. Show the directory entry value at offset 28-31.
5. Use little endian to show the hexadecimal size.
6. Show the decimal value of that size.
7. Use the starting location to find the first line of your file in FRHED. Provide the HEX bytes of the first 32 bytes of the file.
8. Show the hex Starting and Ending point that you will enter into FRHED to export the file.

REMEMBER TO DO THIS THREE TIMES FOR CREDIT!!!!
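
The worksheet's location and size calculation carried through in Python, as an added example that is not part of the original handout. The 32-byte entry is constructed (only its cluster and size bytes are the worksheet's example values), and the function names are this example's own.

```python
import struct

SECTOR_SIZE = 512          # from the worksheet's CONTENT INFORMATION
CLUSTER_SIZE = 2048
CLUSTER_AREA_START = 160   # first sector of the cluster area
RESERVED_CLUSTERS = 2      # cluster addresses start at 2

# Constructed 32-byte entry: made-up name, attribute and timestamps, with the
# worksheet's cluster bytes (c9 0d) at 26-27 and size bytes (05 9f 22 00) at 28-31.
SAMPLE_ENTRY = (b"SAMPLE  JPG" + b"\x20" + bytes(10)
                + bytes.fromhex("0000" "0000" "c90d" "059f2200"))

def parse_dir_entry(entry: bytes) -> dict:
    """Decode name, starting cluster and size from one 8.3 directory entry."""
    if len(entry) != 32:
        raise ValueError("a directory entry is exactly 32 bytes")
    # "<" = little endian, H = WORD at offset 26, I = DWORD at offset 28.
    # Only the WORD at 26-27 is read, as on the worksheet; that covers this
    # image because its cluster range ends at 15945.
    cluster, size = struct.unpack_from("<HI", entry, 26)
    name = entry[0:8].decode("ascii", "replace").rstrip()
    ext = entry[8:11].decode("ascii", "replace").rstrip()
    return {"name": f"{name}.{ext}", "cluster": cluster, "size": size}

def file_start(cluster: int) -> int:
    """Worksheet formula: byte offset in the image of the file's first cluster."""
    if cluster < RESERVED_CLUSTERS:
        raise ValueError("cluster addresses below 2 hold no file data")
    sectors_per_cluster = CLUSTER_SIZE // SECTOR_SIZE
    sector = (cluster - RESERVED_CLUSTERS) * sectors_per_cluster + CLUSTER_AREA_START
    return sector * SECTOR_SIZE

def export_range(entry: bytes) -> tuple[int, int]:
    """First and last byte offsets of the file, assuming it is stored in
    consecutive clusters (the worksheet's method does not follow the FAT)."""
    fields = parse_dir_entry(entry)
    if fields["size"] == 0:
        raise ValueError("empty file: nothing to export")
    start = file_start(fields["cluster"])
    return start, start + fields["size"] - 1

if __name__ == "__main__":
    info = parse_dir_entry(SAMPLE_ENTRY)
    start, end = export_range(SAMPLE_ENTRY)
    print(info["name"], "cluster", info["cluster"], "size", info["size"])
    print(f"start 0x{start:x} ({start:,})  end 0x{end:x}")
```

The end offset is the last byte of the file (start + size - 1); a fragmented file would need its cluster chain followed instead of a single contiguous range.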