Encase for FAT Demo

EnCase Forensic is a fantastic tool for forensic analysis.
In this demo, I only want to show you how we use EnCase
to visually see the file systems we covered in the lecture, for example the FAT system and NTFS.
So, in this demo I want to show you the FAT system, how we can visually
see what components are inside the FAT system.

I have already prepared a case called case one, and then I move on to the evidence.
In this case, I have a couple of images loaded into this forensic case,
but the first image is a FAT 12 system, so I open it up.
Don't worry about the EnCase GUI interface and all that; we will discuss this in detail later.
But in this demo, I only want to focus on how to study the system.
So, this is the chief structure here, and then first let's move on to a disk view.
If you recall, I used the disk view before to show you how to see a master boot record.
But now I look at the disk view from this image and again, this image is a FAT 12 image.
Okay, and you can see the first one is red; that's the first sector, it's a boot record.
And then following this one, if I click on one, this is the FAT table,
and two is the backup, the backup of the FAT table.
So, FAT 1 and the backup FAT table.
The green ones are the content of the root directory.
So, all root directory content is in these green boxes; each box is 512 bytes.
And then the blue ones are currently allocated data sectors.
And then the grey ones are currently not in use; it's just historical data, garbage,
nothing, okay.
Now let's move on to examine the root directory.
If you recall from this week's lecture, you know the directory's content is for Trojan.
Basically, it is for a file residing in this directory or a separate directory that resides in this directory.
Each entry uses 32 bytes to contain information including the file name and extension,
what type the file is, either a directory or a file,
and what the first cluster's address is, which is important, right.
And also the length of the file, and then the date and time.
So, each entry uses 32 bytes to represent one entry.
Now we look at the content here, because now I click on the green one, click on the green
to look at the root directory, and then I change that to hex view.
Okay, so if you look at the offset you see I have actually adjusted the pane
to be 32 bytes long for each line, because it's from 00 to 31, and this one starts from 32.
So, each line is 32 bytes, which means I line up correctly,
so each line represents one entry in this directory, one entry.
So, for example, the second line here is called file four.
Now you can see that the first 11 bytes are the filename,
followed by other information.
We said the first cluster information resides in bytes 26 and 27,
which is this one, bytes 26 and 27.
And since this is little endian, you have to swap those two bytes, so it reads as 0002.
It means the first cluster is 0002, and once the FAT gets this first cluster for this file,
then it will use the FAT table to find the chain of other clusters.
So here is the first cluster information; it's very important.
And when you get a chance to use EnCase, if you want
to practice this exercise, make sure each line here is 32 bytes; that's critical.
And also, in the class I talked about the file:
in the FAT system, if the file is deleted, the file name's first character changes to E5.
So, if you see a file name starting with E5, like for example File1, this is deleted, okay.
You will see many of those E5 files; those are all deleted files, the first character of the filename changed to E5.
So, you will see the whole content of this root directory, because every file starts
from the root directory; you will see the whole content of the root directory.
Okay, now let's go back to the evidence here.
If I look here, okay.
If I choose one folder, let's see if I choose this folder.
No, this folder has nothing.
If I choose a folder here, now you can see which folder I chose;
I chose that fseventst folder, okay, that one, and you see the content.
See, this is the folder, and the content has the dot and the dot dot.
And this is the way EnCase or other forensic tools recover a deleted folder:
they just look at the content, and if they find the dot and the dot dot, that means there is content, so they assume this might be a directory, because a directory always has those two entries in there.
Now previously, when we looked at the root directory view, we analyzed a file;
it's on the second line, right, this is file four, and its first cluster number is 0002.
Let's see if that's correct, whether this file four's starting cluster number is 0002.
So, we go back here and find file four, so look for file four; actually it's a picture,
and EnCase very smartly shows you the picture view already.
And if we look at the hex and then you look at the bottom, this says this is file four.
And then here CL means cluster, so the starting cluster is cluster number two,
so that also matches what we saw from the file four entry.
Okay, that's it for this video.
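The demo reads the FAT 12 root directory by eye: 32-byte entries, the 8.3 name in the first 11 bytes, the attribute byte that says file or directory, the little-endian first cluster in bytes 26 and 27, the E5 marker on deleted names, and the "." and ".." entries that let a tool recognise a directory. The example below is an added illustration, not part of the transcript or of EnCase: a small Python parser that does the same decoding over a constructed root directory and a constructed FAT 12 table, and then walks the cluster chain the way the lecture describes. The sample bytes, file names, cluster numbers and sizes are all made up for the example.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

ENTRY_SIZE = 32          # one FAT directory entry is exactly 32 bytes
DELETED_MARKER = 0xE5    # first name byte of a deleted entry
ATTR_DIRECTORY = 0x10    # attribute bit that marks a subdirectory
FAT12_EOC = 0xFF8        # FAT12 values >= 0xFF8 mean end of chain


@dataclass
class DirEntry:
    name: str            # 8.3 name rendered as NAME.EXT
    is_directory: bool
    is_deleted: bool
    first_cluster: int   # little-endian 16-bit value at bytes 26-27
    size: int            # little-endian 32-bit value at bytes 28-31


def parse_entry(raw: bytes) -> Optional[DirEntry]:
    """Decode one 32-byte entry; None means a never-used (0x00) entry."""
    if len(raw) != ENTRY_SIZE:
        raise ValueError("a FAT directory entry is exactly 32 bytes")
    if raw[0] == 0x00:
        return None
    is_deleted = raw[0] == DELETED_MARKER
    base = raw[0:8].decode("latin-1").rstrip()
    ext = raw[8:11].decode("latin-1").rstrip()
    if is_deleted:
        base = "?" + base[1:]   # the original first character is lost on deletion
    name = f"{base}.{ext}" if ext else base
    attr = raw[11]
    first_cluster = struct.unpack_from("<H", raw, 26)[0]   # bytes 26-27, swapped
    size = struct.unpack_from("<I", raw, 28)[0]
    return DirEntry(name, bool(attr & ATTR_DIRECTORY), is_deleted, first_cluster, size)


def parse_directory(blob: bytes) -> List[DirEntry]:
    """Split a directory region into 32-byte lines, stopping at the first 0x00 entry."""
    entries = []
    for off in range(0, len(blob) - ENTRY_SIZE + 1, ENTRY_SIZE):
        entry = parse_entry(blob[off:off + ENTRY_SIZE])
        if entry is None:
            break
        entries.append(entry)
    return entries


def looks_like_directory(blob: bytes) -> bool:
    """The heuristic from the demo: a directory's content starts with '.' and '..'."""
    entries = parse_directory(blob)
    return (len(entries) >= 2 and entries[0].name == "." and entries[1].name == ".."
            and entries[0].is_directory and entries[1].is_directory)


def fat12_entry(fat: bytes, n: int) -> int:
    """Read 12-bit FAT entry n: entries are packed 1.5 bytes each."""
    off = n + n // 2
    val = fat[off] | (fat[off + 1] << 8)
    return val & 0xFFF if n % 2 == 0 else val >> 4


def cluster_chain(fat: bytes, first_cluster: int, limit: int = 4096) -> List[int]:
    """Follow the chain from the directory entry's first cluster to end-of-chain."""
    chain, cur = [], first_cluster
    while cur < FAT12_EOC and len(chain) < limit:   # limit guards a corrupt looping FAT
        if cur in chain:
            break
        chain.append(cur)
        cur = fat12_entry(fat, cur)
    return chain


def make_entry(name8: str, ext3: str, attr: int, first_cluster: int,
               size: int, deleted: bool = False) -> bytes:
    """Build a constructed 32-byte entry for the sample data below."""
    raw = bytearray(ENTRY_SIZE)
    raw[0:8] = name8.ljust(8).encode("latin-1")
    raw[8:11] = ext3.ljust(3).encode("latin-1")
    raw[11] = attr
    struct.pack_into("<H", raw, 26, first_cluster)
    struct.pack_into("<I", raw, 28, size)
    if deleted:
        raw[0] = DELETED_MARKER
    return bytes(raw)


# Constructed sample root directory: a deleted FILE1.TXT, FILE4.JPG at cluster 2,
# a SUBDIR entry, then an unused (all-zero) entry that ends the listing.
ROOT_DIR = (make_entry("FILE1", "TXT", 0x20, 5, 100, deleted=True)
            + make_entry("FILE4", "JPG", 0x20, 2, 4096)
            + make_entry("SUBDIR", "", ATTR_DIRECTORY, 9, 0)
            + bytes(ENTRY_SIZE))

# Constructed content of SUBDIR: the '.' and '..' entries every directory carries.
SUBDIR_CONTENT = (make_entry(".", "", ATTR_DIRECTORY, 9, 0)
                  + make_entry("..", "", ATTR_DIRECTORY, 0, 0)
                  + bytes(ENTRY_SIZE))

# Constructed FAT12: entries 0,1 reserved; 2 -> 3, 3 -> 4, 4 -> end of chain.
FAT12 = bytes([0xF0, 0xFF, 0xFF, 0x03, 0x40, 0x00, 0xFF, 0x0F, 0x00])

if __name__ == "__main__":
    for e in parse_directory(ROOT_DIR):
        print(e)
    print("SUBDIR is a directory:", looks_like_directory(SUBDIR_CONTENT))
    print("FILE4 cluster chain:", cluster_chain(FAT12, 2))
```

Hex-dumping ROOT_DIR with 32 bytes per line reproduces the view the demo sets up in EnCase: the second line is FILE4.JPG, bytes 26 and 27 read `02 00` and decode to cluster 0002, and the first byte of the FILE1 line is E5.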

Reference: Yin Pan,
Professor, Computing Security
Rochester Institute of Technology

Author: McPeters Joseph

Joseph McPeters is a Security Researcher. He specializes in network and web application penetration testing. Contact: admin@incidentsecurity.com
