University File System Analysis Reflection: Digital Forensics Module


Added on  2022/09/09

Essay
AI Summary
This document presents a student's personal reflection on their learning experience in a digital forensics module, specifically focusing on file system analysis. The reflection details the student's understanding of the Master File Table (MFT), its analysis procedures, and the use of tools like Encase and Kali Linux. The essay covers the working patterns of MFT analysis, including the Encase and alternative methods using hex editors. The student discusses MFT entries, attributes, and their content, including resident and non-resident attribute stores. Furthermore, the reflection highlights the MFT record breakdown, attribute headers, and practical examples, demonstrating the application of learned concepts. The student emphasizes the importance of tools and methodological approaches in digital forensics, reflecting on how the practical sessions enhanced their understanding of the subject matter and the skills developed. The essay concludes with an assessment of the learned concepts and the ability to apply them to real-world scenarios.
Running head: FILE SYSTEM ANALYSIS
FILE SYSTEM ANALYSIS
Name of the Student
Name of the University
Author note
Description
It has been seen that a proper analysis of the MFT is performed as a usual
procedure for investigation. The difficulty of the disassembling part is also considered in
this section. These are the issues that are considered in this case.
Reflection
As per the reading, I have understood that the MFT is useful in performing the
investigation. I have also found that disassembling it manually is
difficult. Proper usage of the tools is an important factor that is to be considered.
With the material and the module, a proper understanding of the working of the MFT can be
gained.
The working pattern has been subdivided into 2 major sections, namely
Encase and Alternative.
In the case of Encase, the operational process, creation of the case and
importing of the evidence file were performed. The import was performed
with the help of LB154. The evidence file is shown in the Volume C:\. The preview
of the NTFS MFT entries is then shown. In the alternative process, I have learned that the
entire process is performed in 2 major steps. The steps are using the hex editor and then
previewing the MFT; the samples are recorded in S:\\Common Area\BSc\Forensics All Years.
After this, the Kali Linux VM is used. The Windows Forensic VM
has been used as well. After this, the MFT_Parser tool will be copied.
After this I learnt about MFT entry content. The size of the entry is defined in
the boot section. The usual size across versions is 1024 bytes. The first 43 bytes are structured and
have 12 fields. I was also provided with the outlines of the default MFT entries.
After this section I was taught about the MFT attributes that are to be considered. A
table was provided to us that was divided between Attribute name and Identifier. Attribute
names were provided along with the Identifiers. Attribute headers
were also learnt in the process. I have learnt that attribute headers help in identifying
the type of an attribute, its size as well as its name. Flags are used for identification as well. A few
of the entries have multiple attributes. In the next section, attribute content is considered. There
are 2 kinds of attribute storage: the resident attribute store and the
non-resident attribute store. Resident attribute works in smaller clusters, whereas non cluster
attributes store content in external clusters in the file system. Cluster runs are used in the section.
Tables regarding resident attributes as well as non-resident attributes are provided. After
this section the MFT record breakdown is discussed. Header breakdown is another
aspect that is taught in the process. A tabular format is provided, giving the
Offset within Header, Size and Description, and this helps in better analysis. The attributes are generally
considered to be of 16 bytes.
After these sections I was provided with examples that helped in better processing of the
MFT. Different colors were used for highlighting the specific entries. The magic
number is also demonstrated in operation.
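The following is an added illustration, not part of the original essay or the module material: a small Python parser that checks the magic number of an MFT entry, reads the entry header, walks the attribute headers, and separates resident content from non-resident cluster runs. It assumes the standard NTFS on-disk field offsets, uses a constructed sample entry rather than real evidence, names only three attribute identifiers, and does not apply the update sequence (fixup) values.

```python
import struct

ATTR_NAMES = {0x10: "$STANDARD_INFORMATION", 0x30: "$FILE_NAME", 0x80: "$DATA"}

def decode_runs(runlist):
    """Decode cluster runs into (start_cluster, cluster_count); start is None if sparse."""
    runs, pos, lcn = [], 0, 0
    while pos < len(runlist) and runlist[pos] != 0:
        len_sz, off_sz = runlist[pos] & 0x0F, runlist[pos] >> 4
        count = int.from_bytes(runlist[pos + 1:pos + 1 + len_sz], "little")
        lcn += int.from_bytes(runlist[pos + 1 + len_sz:pos + 1 + len_sz + off_sz], "little", signed=True)
        runs.append((lcn if off_sz else None, count))
        pos += 1 + len_sz + off_sz
    return runs

def parse_mft_entry(entry):
    """Check the magic number, read the entry header, then walk the attribute headers."""
    if entry[:4] != b"FILE":
        raise ValueError("bad magic number: %r" % entry[:4])
    seq, links, first_attr, flags, used, alloc = struct.unpack_from("<HHHHII", entry, 16)
    attrs, off = [], first_attr
    while off + 16 <= len(entry):
        # 16-byte header: type, length, non-resident flag, name length, name offset, flags, id
        type_id, length, non_res, _, _, _, _ = struct.unpack_from("<IIBBHHH", entry, off)
        if type_id == 0xFFFFFFFF:  # end-of-attributes marker
            break
        if length < 16 or off + length > len(entry):
            raise ValueError("corrupt attribute length at offset %d" % off)
        attr = {"type": ATTR_NAMES.get(type_id, hex(type_id)), "resident": not non_res}
        if non_res:  # content lives in external clusters described by cluster runs
            run_off = struct.unpack_from("<H", entry, off + 32)[0]
            attr["runs"] = decode_runs(entry[off + run_off:off + length])
        else:        # content is stored inside the MFT entry itself
            size, c_off = struct.unpack_from("<IH", entry, off + 16)
            attr["content"] = entry[off + c_off:off + c_off + size]
        attrs.append(attr)
        off += length
    return {"in_use": bool(flags & 1), "directory": bool(flags & 2),
            "used": used, "allocated": alloc, "attributes": attrs}

def build_sample_entry():
    """Constructed 1024-byte entry (not real evidence): resident 0x10 and non-resident 0x80."""
    hdr = struct.pack("<4sHHQHHHHII", b"FILE", 48, 3, 0, 1, 1, 56, 1, 168, 1024).ljust(56, b"\0")
    si = struct.pack("<IIBBHHHIH", 0x10, 32, 0, 0, 0, 0, 0, 8, 24) + b"\0\0" + b"ABCDEFGH"
    data = struct.pack("<IIBBHHHQQH", 0x80, 72, 1, 0, 0, 0, 1, 0, 7, 64).ljust(64, b"\0")
    data += b"\x21\x08\x34\x12\x00\x00\x00\x00"  # one run: 8 clusters starting at cluster 0x1234
    return (hdr + si + data + struct.pack("<II", 0xFFFFFFFF, 0)).ljust(1024, b"\0")

if __name__ == "__main__":
    print(parse_mft_entry(build_sample_entry()))
```

On a real volume the fixup values would have to be applied to each 512-byte sector of the entry before fields near the sector boundaries can be trusted.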
Conclusion
The above process helps in analyzing the work pattern that is to be implemented for
proper assessment of the business process. This section also ensures that there has been
better analysis of the MFT entry contents. MFT attributes have been discussed in the process as
well.