Apologies if this has been posted in the wrong section.
Been reading an old paper on floppy image forensics, the analysis of which can be found here:
http://old.honeynet.org/scans/scan24...nnis/index.htm
I'm pretty much comfortable with most of the forensics but am slightly confused by one of the sections, with reference to the non-zero parts of the root directory and FAT1.
From the web page:
Since the file was deleted, the clusters used by it were released in the FAT by setting them to zero. The starting cluster is 0002, which we see in the FAT is set to zero. This file can be recovered in a number of ways using file recovery utilities or extracting the appropriate sectors from the image and placing them in a new file using the Linux 'dd' command.
1. I can understand that the deleted doc file can be undeleted using generic software, but how is this achieved using dd? The starting cluster is 0002; could someone explain how we can see that it is set to zero in the FAT?
Moving to the next paragraph down (schedu~1.exe):
This cluster entry is at 109 (0x6D) bytes into the FAT
2. How is this worked out, and how are the total number of clusters assigned to the file and their locations calculated? I can't understand how he arrived at sectors 104-108.
Next, look at the root directory entry for coverp~1.jpg. The starting cluster is listed as 0x01a4 (420); however, the FAT is completely zero at this location (not shown in the figure); hence, this must not be the correct starting cluster. Look at the FAT. There is a section of assigned clusters that have not been accounted for (turquoise highlighted section). The starting cluster is at offset 0x23F, which corresponds to a cluster value of 42, which is sector 73. Note that the starting cluster of this unidentified file is exactly one-tenth of the advertised starting cluster for the coverp~1.jpg file. Following the linked list in the FAT reveals that sectors 73 through 103 are allocated to this file.
Again, I have highlighted in bold black the parts I cannot understand.
How are the corresponding cluster values and sectors worked out from the starting cluster offset of 0x23F? As you can see, I'm having trouble interpreting FAT entries, cluster values and sector locations and how they are linked. Clarification and help would be most appreciated.
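The arithmetic behind the quoted numbers (FAT1 at image offset 0x200, 1.5 bytes per FAT12 entry, data area starting at sector 33, so cluster 42 is sector 73 and cluster 73 is sector 104) is worked through below as an added example. It is not code from the honeynet analysis or from the poster; the boot-sector values are the standard 1.44 MB floppy BPB, the FAT contents and the 1536-byte size used for the deleted file are constructed for the example, and the image and output file names (floppy.img, coverp~1.jpg) are assumed.

```python
"""FAT12 bookkeeping for a 1.44 MB floppy image (hypothetical example, not the paper's code):
FAT byte offset <-> cluster number, cluster <-> sector, chain walking, and the dd command
that carves a chain's sectors out of the image."""
import struct
from dataclasses import dataclass


@dataclass
class Geometry:
    bytes_per_sector: int
    sectors_per_cluster: int
    reserved_sectors: int
    fat_count: int
    root_entries: int
    sectors_per_fat: int

    @classmethod
    def from_boot_sector(cls, boot):
        # BPB fields sit at fixed little-endian offsets in the boot sector.
        bps, spc, rsv, nfat, rootn = struct.unpack_from("<HBHBH", boot, 11)
        (spf,) = struct.unpack_from("<H", boot, 22)
        return cls(bps, spc, rsv, nfat, rootn, spf)

    def fat1_offset(self):
        # FAT1 follows the reserved sectors; one reserved (boot) sector puts it at 0x200.
        return self.reserved_sectors * self.bytes_per_sector

    def data_start_sector(self):
        # reserved + both FATs + root directory (224 entries * 32 bytes = 14 sectors) = 33
        root_sectors = (self.root_entries * 32 + self.bytes_per_sector - 1) // self.bytes_per_sector
        return self.reserved_sectors + self.fat_count * self.sectors_per_fat + root_sectors

    def cluster_to_sector(self, cluster):
        # Data clusters are numbered from 2, so cluster 2 is the first data sector.
        return self.data_start_sector() + (cluster - 2) * self.sectors_per_cluster


def fat_entry_offset(cluster):
    """Byte offset of a cluster's entry inside the FAT: 12 bits = 1.5 bytes per entry."""
    return cluster + cluster // 2


def cluster_whose_entry_starts_at(fat_rel_offset):
    """Inverse of fat_entry_offset; None when the byte is the tail of an odd entry."""
    for n in (fat_rel_offset * 2 // 3, fat_rel_offset * 2 // 3 + 1):
        if fat_entry_offset(n) == fat_rel_offset:
            return n
    return None


def get_fat12_entry(fat, cluster):
    off = fat_entry_offset(cluster)
    word = fat[off] | (fat[off + 1] << 8)
    # Even clusters use the low 12 bits of the 16-bit word, odd clusters the high 12.
    return (word >> 4) if cluster & 1 else (word & 0xFFF)


def set_fat12_entry(fat, cluster, value):
    off = fat_entry_offset(cluster)
    word = fat[off] | (fat[off + 1] << 8)
    word = (word & 0x000F) | (value << 4) if cluster & 1 else (word & 0xF000) | (value & 0xFFF)
    fat[off], fat[off + 1] = word & 0xFF, word >> 8


def follow_chain(fat, start):
    """Walk the FAT linked list from `start`; stop at end-of-chain (>= 0xFF8), a zeroed
    entry (what deletion leaves behind), a bad-cluster mark, or a loop."""
    chain, c = [], start
    while 2 <= c <= 0xFEF and c not in chain:
        nxt = get_fat12_entry(fat, c)
        if nxt == 0:  # FAT says the cluster is free: deleted file, chain cannot be followed
            break
        chain.append(c)
        c = nxt
    return chain


def dd_commands(geom, image, out, clusters):
    """One dd per contiguous run of clusters, written at the matching offset of `out`."""
    cmds, pos, i = [], 0, 0
    while i < len(clusters):
        j = i
        while j + 1 < len(clusters) and clusters[j + 1] == clusters[j] + 1:
            j += 1
        n = (j - i + 1) * geom.sectors_per_cluster
        cmds.append(f"dd if={image} of={out} bs={geom.bytes_per_sector} "
                    f"skip={geom.cluster_to_sector(clusters[i])} count={n} seek={pos} conv=notrunc")
        pos, i = pos + n, j + 1
    return cmds


def carve_deleted(geom, start_cluster, size):
    """Deleted file: its FAT entries are zero, so assume it was contiguous and take
    ceil(size / cluster) clusters starting at the directory entry's start cluster."""
    cluster_bytes = geom.bytes_per_sector * geom.sectors_per_cluster
    nclusters = (size + cluster_bytes - 1) // cluster_bytes
    return geom.cluster_to_sector(start_cluster), nclusters * geom.sectors_per_cluster


def sample_geometry():
    boot = bytearray(512)  # constructed boot sector with standard 1.44 MB BPB values
    struct.pack_into("<HBHBH", boot, 11, 512, 1, 1, 2, 224)
    struct.pack_into("<H", boot, 22, 9)
    return Geometry.from_boot_sector(boot)


def sample_fat(geom):
    fat = bytearray(geom.sectors_per_fat * geom.bytes_per_sector)  # constructed FAT1
    fat[0:3] = b"\xF0\xFF\xFF"  # media descriptor + reserved entry 1
    for first, last in ((42, 72), (73, 77)):  # two contiguous allocated chains
        for c in range(first, last):
            set_fat12_entry(fat, c, c + 1)
        set_fat12_entry(fat, last, 0xFFF)  # end-of-chain marker
    return fat  # cluster 2 is left at 0x000, as for the deleted .doc


if __name__ == "__main__":
    g = sample_geometry()
    fat = sample_fat(g)
    c = cluster_whose_entry_starts_at(0x23F - g.fat1_offset())
    chain = follow_chain(fat, c)
    print("FAT1 at", hex(g.fat1_offset()), "data from sector", g.data_start_sector())
    print("0x23F -> cluster", c, "-> sectors", g.cluster_to_sector(chain[0]), "..", g.cluster_to_sector(chain[-1]))
    print("\n".join(dd_commands(g, "floppy.img", "coverp~1.jpg", chain)))
    print("cluster 2 entry:", get_fat12_entry(fat, 2), "carve:", carve_deleted(g, 2, 1536))
```

Offset 0x23F in the image is 0x3F into FAT1, and 0x3F = 42 + 42 // 2, so it is the start of cluster 42's entry; 109 = 73 + 73 // 2 is likewise cluster 73's, and byte 109 also holds the top nibble of cluster 72, which is why odd and even entries must be unpacked differently. Sector = 33 + (cluster - 2) because clusters 0 and 1 are reserved and the data area begins after the boot sector, two 9-sector FATs and the 14-sector root directory. For a deleted file the chain cannot be followed (the entries are zero), so dd is pointed at the start sector and fed the sector count derived from the directory entry's size, on the assumption that the file was stored contiguously.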