Hands-On Project 16-1

As you learned previously, Mr. Shu stated that a couple of JPG files with the name Kayak are on his second computer. For this project, you need the GCFI-js02.001 image you used in in-chapter activities. Follow these steps to carve the second orphan JPG file:

1. In File Explorer, double-click the Ch16-Data-Carve.exe file you downloaded and click Extract to extract the Ch16-Data-Carve.xlsx spreadsheet to your work folder.
3. Start FTK Imager Lite, and click File, Image Mounting from the menu. In the Mount Image To Drive dialog box, click the . . . button next to the Image File text box, navigate to your work folder, click GCFI-js0001, and then click Open. Click the Mount button, and keep this dialog box open. Remember to leave FTK Imager Lite running so that you can access this image as a mounted drive.
5. Start WinHex. Click Tools, Open Disk from the menu. In the Select Disk dialog box, click GCFI-js02 (G:), and then click OK. (Note: Your drive letter might be different.)
7. Click Search, Find Text from the menu to open the Find Text dialog box. In the text box at the top, type Kayak4, click the List search hits, up to check box, and click OK. In the Search complete message box, click OK.
9. In the upper pane, click the Name column header once to sort alphabetically from A to Z, and then scroll down and click the row with the first occurrence of $MFT. Scroll up in the bottom pane to show FILE0 (see Figure 16-23).

6. In the hexadecimal pane, start at the first byte of the record, offset 00361400, and navigate to the last byte of the file header field, then the last byte of attribute 0x10, and then the last byte of attribute 0x30 to find the starting position for attribute 0x80 (offset 00361508). (For additional guidance on this step, see Navigating Through an MFT Record earlier in this chapter.)

7. Open the Ch16-Data-Carve.xlsx spreadsheet and enter the data run values. 8. In WinHex, find the first data run for this file (offset 00361548), and then place the cursor 1 byte to the right (offset 00361549). Record the value shown for 8 Bit() in the Data Interpreter window. Figure 16-24 shows this files data runs.

8. In the hexadecimal pane, start at the first byte of the record, offset 00361400, and navigate to the last byte of the file header field, then the last byte of attribute 0x10, and then the last byte of attribute 0x30 to find the starting position for attribute 0x80 (offset 00361508). (For additional guidance on this step, see Navigating Through an MFT Record earlier in this chapter.)

9. Open the Ch16-Data-Carve.xlsx spreadsheet and enter the data run values. 8. In WinHex, find the first data run for this file (offset 00361548), and then place the cursor 1 byte to the right (offset 00361549). Record the value shown for 8 Bit() in the Data Interpreter window. Figure 16-24 shows this files data runs.

9. In the Ch16-Data-Carve.xlsx spreadsheet, enter the LCN address 2552 in cell B17, and then type the first data runs number of clusters in cell B18 (see Figure 16-25).

10. Repeat Step 9 for the second and third data runs in cells B21, B22, B25, and B26. Note

In this example, the second data run has the VCN value -68. When entering VCN values with minus signs in the Data Interpreter, be sure to include the minus sign in the spreadsheet cell to compute the correct starting cluster position.

11. In WinHex, click the Drive G: tab listing search results (substituting your drive letter, if needed), and then click Navigation, Go To Sector from the menu. In the Go To Sector dialog box, type the first data runs starting address, 2552 (listed in spreadsheet cell D17), in the =Cluster text box, and click OK. At the start of the cluster, right-click the first byte of the file header and click Beginning of block (see Figure 16-26).

12. Click Navigation, Go To Sector from the menu. In the Go To Sector dialog box, type the first data runs ending address, 2557 (listed in spreadsheet cell D19), in the =Cluster text box, and click OK. To mark the ending block for the data run, scroll up one row in the lower pane, and then right-click offset 009FCFFF and click End of block (see Figure 16-27).

13. Click Edit from the menu, point to Copy Block, and click Into New File. In the Save File As dialog box, navigate to and click your work folder, type Kayak-dr1.jpg in the File name text box, and click Save.

Caution

When marking the beginning and ending blocks, press the Esc key to avoid highlighting the entire image file after saving the data run.

14. Click the Drive G: tab listing search results (substituting your drive letter, if needed), and then click Navigation, Go To Sector from the menu. In the Go To Sector dialog box, type the second data runs starting address, 2484 (listed in spreadsheet cell D21), in the =Cluster text box, and click OK. At the beginning cluster, right-click the first byte of the file header and click Beginning of block.

15. Next, click Navigation, Go To Sector from the menu. In the Go To Sector dialog box, type the second data runs ending address, 2489 (listed in spreadsheet cell D23), in the =Cluster text box, and click OK. To mark the ending block for the data run, scroll up one row in the lower pane, and then right-click offset 009B8FFF and click End of block.

16. Click Edit from the menu, point to Copy Block, and click Into New File. In the Save File As dialog box, navigate to and click your work folder, type Kayak-dr2.jpg in the File name text box, and click Save.

17. Click Navigation, Go To Sector from the menu. In the Go To Sector dialog box, type the third data runs starting address, 2558 (listed in spreadsheet cell D25), in the =Cluster text box, and click OK. At the beginning cluster, right-click the first byte of the file header and click Beginning of block.

18. Click Navigation, Go To Sector from the menu. In the Go To Sector dialog box, type the third data runs starting address, 2559 (listed in spreadsheet cell D27), in the =Cluster text box, and click OK. To mark the ending block for the data run, scroll up one row in the lower pane, and then right-click offset 009FE0FF and click End of block.

19. Click Edit from the menu, point to Copy Block, and click Into New File. In the Save File As dialog box, navigate to and click your work folder, type Kayak-dr3.jpg in the File name text box, and click Save. Leave the spreadsheet open and WinHex running for the next steps.

Now that youve finished the first stage of carving orphan files from a disk drive, you can move on to the next stage of concatenating the data runs into one file. Follow these steps:

1. In WinHex, click Tools from the menu, point to File Tools, and click Concatenate. In the Select Destination File dialog box, navigate to and click your work folder, type Kayak4. jpg, and click Save to create the file where youre exporting data runs (the target file]

2. After you save the target file, the Choose Source File #1 dialog box opens. Click Kayak4-dr1.jpg and click the Append button to write the first data run to Kayak4.jpg, the target file.

3. Next, the Choose Source File #2 dialog box opens. Click Kayak4-dr2.jpg and click the Append button to add the second data run to the target file.

4. Next, the Choose Source File #3 dialog box opens. Click Kayak4-dr3.jpg and click the Append button to add the third data run to the target file. Click the Done button, and then click OK in the confirmation message box.

5. In File Explorer, navigate to your work folder and open Kayak4.jpg with your preferred graphics viewer to see whether the recovery was successful. Figure 16-28 shows the results you should get.

6. Right-click the Drive G: tab and click Close, and then right-click the $MFT tab and click Close. Leave WinHex running for the next project.

7. Write a short memo to Mr. Benson stating that you used WinHex to recover the Kayak4.jpg file. Explain that this file had three data runs that were recovered successfully and added to a re-created file. Attach the recovered image to the memo, and submit both to your instructor.