Manually Recovering Files Complete the table below for ALL files. I’ve provided

Question

Manually Recovering Files

Complete the table below for ALL files. I’ve provided info for one of the files.

Next, use the information in the table to recover ALL files in unallocated space. You’ll can copy and paste the commands you used below the second table.

Tools:

Using any Linux or Windows

xxd, dd, and 4860.2.2015.dd (sha1 = 315fc97827005d4d34d27891388a7c295b2ea2b5)

Use the associated image 4860.2.2015.dd and answer the questions below:

https://www.dropbox.com/s/15n5qsmz4s1h7up/4860.2.2015.dd?dl=0

This link below is what's in the link above, the only difference is that I've extracted the .dd file just in case"

https://www.dropbox.com/s/zuh37kjcs8angq8/files.zip?dl=0

Note: Not all rows will be used. Use the root directory to identify the number of files.

File name

Deleted? (Y/N)

File Size (hex)

File Size

(decimal)

Start sector (hex) as displayed in root d.

Byte swapped start sector (hex)

Start sector (decimal)

Start BYTE (dec)

File2.png

N

2538F

152463

1301

113

306

156672

File name

Type of file

Sha1 hash

File2.png

Portable Network Graphics (png)

74fde2180dfb04b16c31e9e85dd0dd41f38b97fe

Below show the commands you used to recover each file (you may copy and paste from your VM).

1.

2.

3.

4.

5.

6.

Hints:

- Examples of how to calculate values for file5.txt:

- In the root directory the file starting cluster is given as 6902.

- We must byte swap to get actual (hex) starting cluster: x6902 -> x269

- Change that to decimal: x269->617. Use your programmer’s calculator to do this.

- Now we need to add 31 as the indicated starting cluster doesn’t count the 31 reserved sectors, so 617+31 = 648. That’s the actual number of 512 byte clusters.

- Each cluster is 512 bytes, so multiply 648 by 512: 548x512= 331776. That’s you ‘skip’ number.

- Now convert that to hex: 331776 -> x51000 (only need this if you’d like to find the start of the file in xxd)

- The file size is given as x1700 000. Byte swapping that only gives us x17.

- Convert x17 to decimal: x17->23. That’s your count.

File name

Deleted? (Y/N)

File Size (hex)

File Size

(decimal)

Start sector (hex) as displayed in root d.

Byte swapped start sector (hex)

Start sector (decimal)

Start BYTE (dec)

File2.png

N

2538F

152463

1301

113

306

156672

Explanation / Answer

Hi,

Below is the solution to your problem:

File name

Deleted? (Y/N)

File Size (hex)

File Size

(decimal)

Start sector (hex) as displayed in root d.

Byte swapped start sector (hex)

Start sector (decimal)

Start BYTE (dec)

File2.png

N

2538F

152463

1301

113

306

156672

5

File name

Type of file

Sha1 hash

File2.png

Portable Network Graphics (png)

74fde2180dfb04b16c31e9e85dd0dd41f38b97fe

use the following commands:

1.hexedit <filename>

2.ls -ltr <filename>---->Gives the Size of the file

Hope that helps.HAPPY ANSWERING!!!!!!!!

File name

Deleted? (Y/N)

File Size (hex)

File Size

(decimal)

Start sector (hex) as displayed in root d.

Byte swapped start sector (hex)

Start sector (decimal)

Start BYTE (dec)

File2.png

N

2538F

152463

1301

113

306

156672

File2.txt N 17 23 0050

5

Related Questions

Navigate

• Browse (All)
• Browse M
• Subjects

---

---

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.