Application Trial Bypass (draft)

This document covers the very basics of working around the limitations of programs that have not been fully activated, in other words trial programs. I do not promote piracy and do not recommend it. This document is for educational purposes only! I also assume that you have a basic understanding of assembly and basic knowledge of a debugger.


NTFS Boot Record (NTFS forensics part 2)

New Technology File System (NTFS) is Microsoft’s preferred file system for all new machines that run the Windows operating system. NTFS is superior to the standard FAT file system for several reasons: it supports much larger volumes, it is “self healing,” and it provides security, compression and encryption. These benefits are not available on FAT systems, and they make NTFS the preferred option for the majority of computers. This chapter explains the first sector of the partition on a standard NTFS install. It is required that you understand how to read hexadecimal and how the hard drive stores data on your system.

The tools required are a hex editor such as HxD, which can be found at http://mx-nedus.de/en, and administrator access so that the hard drive can be read at the disk level. This document will not go in depth on how to use a hex editor. I am keeping this as generic as possible so you can use your own tools; an understanding of your tools is required.

Figure 2-1 shows sector zero of an active NTFS partition. This sector stores information for NTFS and holds executable code for loading Windows. The MBR sector is important for obtaining the sector size (typically 512 bytes), the sectors per cluster and the start of the master file table. It can also be used to locate the master file table mirror if the original master file table has been destroyed. From this capture you can determine that this is an NTFS partition by examining the 8 bytes at an offset of 3 bytes: in the text column you will see NTFS, or in hex 4E 54 46 53 20 20 20 20. If you are performing forensic analysis on a hard drive with an unknown file system, this is an excellent way to determine which file system is in use. Table 2-1 lists the structure of the MBR sector. To find a field, add up how many bytes come before it and go to that offset in the hex editor.

Figure 2-1

Finding the $MFT Start

The master file table stores all the metadata about a file: file location, creation time, accessed time and more. If the file is small enough, the file's data itself is stored in the $MFT. When a file is deleted, all that changes in the $MFT is a single byte which informs the file system that the record is no longer in use. This explains how certain programs and companies can recover a file after it has been deleted from the operating system. Changing a byte is quicker than actually erasing the file from the hard drive. The operating system will eventually reuse the space the deleted file occupied, making the file unrecoverable in most cases. There are some theoretical methods, such as taking the platter and measuring how far each bit's magnetic value is off from a clean zero or one, and recovering the erased file's contents that way.

In order to find the starting location of the $MFT we need to find the MFT start value and then multiply it by the sectors per cluster. To find the sectors per cluster, start from the beginning of the sector, go to an offset of 13 bytes and read the next byte. In our example that byte is 0x08, which translates to 8 sectors per cluster. The next piece of information needed is the MFT start location. In our example you go to an offset of 48 (0x30) and obtain the next 8 bytes, which are 00 00 0C 00 00 00 00 00. Because the value is stored little endian, reading the bytes in reverse order gives the hex value C0000, which converts to 786432 in decimal. That is the starting cluster; to get the starting sector we must multiply it by the sectors per cluster, which is 8. The starting point in our example is therefore sector 6291456. To obtain the mirror you follow the same steps, except that instead of the MFT Start you read the MFT Mirror Start.

Definition                 Bytes   Offset (decimal / hex)
Jump                         3       0 / 0x00
Format                       8       3 / 0x03
Bytes Per Sector             2      11 / 0x0B
Sectors Per Cluster          1      13 / 0x0D
Boot Sectors                 2      14 / 0x0E
Mbz1                         1      16 / 0x10
Mbz2                         2      17 / 0x11
Reserved 1                   2      19 / 0x13
Media Type                   1      21 / 0x15
Mbz3                         2      22 / 0x16
Sectors Per Track            2      24 / 0x18
Number of Heads              2      26 / 0x1A
Partition Offset             4      28 / 0x1C
Reserved 2                   8      32 / 0x20
Total Sectors                8      40 / 0x28
MFT Start                    8      48 / 0x30
MFT Mirror Start             8      56 / 0x38
Clusters Per File Record     4      64 / 0x40
Clusters Per Index Block     4      68 / 0x44
Volume Serial Number         8      72 / 0x48
Code                       430      80 / 0x50
Boot Signature               2     510 / 0x1FE

Table 2-1

To obtain how many bytes are in each file record you need the following pieces of information: clusters per file record, sectors per cluster and bytes per sector. Using Table 2-1 and Figure 2-1 as the example we obtain the values 246, 8 and 512 respectively. If the clusters-per-file-record value is smaller than 0x80 (128 in decimal) it is a plain cluster count, and you multiply it by the sectors per cluster and the bytes per sector (246 * 8 * 512 in our example's terms). Since 246 is larger than 128, we instead subtract the value from 256, which gives 10 in our example, and bitwise left shift 1 by that amount, which gives 1024 bytes per file record, or 2 sectors. Bytes per file record is also described as how long each file entry is.
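The two calculations above (the $MFT start at offset 48 and the file-record size at offset 64), together with the NTFS identification check at offset 3, as an added Python example that is not part of the original article. The 512-byte boot sector is constructed inline from the article's example values rather than read from a disk; `build_sample_boot_sector`, `record_size_bytes` and `parse_boot_sector` are names chosen here.

```python
import struct

# Constructed 512-byte NTFS boot sector (not a capture from the article); the field
# layout follows Table 2-1 and the values are the article's worked-example values.
def build_sample_boot_sector() -> bytes:
    sector = bytearray(512)
    sector[0:3] = b"\xEB\x52\x90"                  # jump instruction
    sector[3:11] = b"NTFS    "                     # format / OEM id: 4E 54 46 53 20 20 20 20
    struct.pack_into("<H", sector, 11, 512)        # bytes per sector, stored little endian as 00 02
    sector[13] = 8                                 # sectors per cluster
    sector[21] = 0xF8                              # media type (fixed disk)
    struct.pack_into("<Q", sector, 40, 0x3FFFFFF)  # total sectors
    struct.pack_into("<Q", sector, 48, 0xC0000)    # MFT start cluster: 00 00 0C 00 00 00 00 00
    struct.pack_into("<Q", sector, 56, 2)          # MFT mirror start cluster
    sector[64] = 0xF6                              # clusters per file record (encoded, see below)
    sector[68] = 0x01                              # clusters per index block
    sector[510:512] = b"\x55\xAA"                  # boot signature
    return bytes(sector)

def record_size_bytes(raw: int, sectors_per_cluster: int, bytes_per_sector: int) -> int:
    """Below 0x80 the byte is a plain cluster count; at or above 0x80 it encodes
    2 ** (256 - raw) bytes directly, e.g. 0xF6 -> 256 - 246 = 10 -> 1 << 10 = 1024."""
    if raw < 0x80:
        return raw * sectors_per_cluster * bytes_per_sector
    return 1 << (256 - raw)

def parse_boot_sector(sector: bytes) -> dict:
    """Identify an NTFS boot sector and derive where $MFT and its mirror start."""
    if len(sector) < 512 or sector[3:11] != b"NTFS    ":
        raise ValueError("offset 3 does not read 'NTFS    ': not an NTFS boot sector")
    if sector[510:512] != b"\x55\xAA":
        raise ValueError("boot signature 55 AA missing")
    (bps,) = struct.unpack_from("<H", sector, 11)  # '<' = little endian, as the disk stores it
    spc = sector[13]
    total_sectors, mft_cluster, mirr_cluster = struct.unpack_from("<QQQ", sector, 40)
    rec_bytes = record_size_bytes(sector[64], spc, bps)
    return {
        "bytes_per_sector": bps,
        "sectors_per_cluster": spc,
        "total_sectors": total_sectors,
        "mft_start_cluster": mft_cluster,              # 786432 in the example
        "mft_start_sector": mft_cluster * spc,         # 6291456 in the example
        "mft_start_byte": mft_cluster * spc * bps,     # seek here, relative to the partition start
        "mft_mirror_start_sector": mirr_cluster * spc,
        "bytes_per_file_record": rec_bytes,            # 1024 in the example
        "sectors_per_file_record": rec_bytes // bps,   # 2 in the example
    }
```

On a real image, pass the first 512 bytes of the partition (not of the whole disk) to `parse_boot_sector`; the returned byte offset is relative to that partition.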

NTFS Forensics Part 1

In performing any action relating to computer forensics, programming or any other aspect of file system storage, it is important to understand the basics of binary systems, storage types and so on. Failure to understand the basic workings of a computer can result in a lot of wasted time scratching your head wondering what you are looking at. Understanding how to convert hex to decimal or binary to decimal, and how to convert the other way around, is crucial to understanding in detail how file systems work. It is also important to know how the hard drive provides data to the application and how it reads and writes data to the disk.

Counting Systems

Counting systems differ between the computer realm and the human realm. Humans rely on the decimal counting system, which is base 10. As most are aware, it counts 0, 1, 2, 3, 4, 5, 6, 7, 8, 9. Computers do not understand the decimal system but understand the binary system. Binary is a base-2 number system, limiting our options to either 0 or 1. Hexadecimal is another counting system that you will commonly deal with in the computer realm; it is a base-16 system. Hexadecimal digits range from 0 to F, which differs from what the general population is accustomed to.

Converting from one system to another takes time to learn, as it forces you to think outside the realm of what you are used to. You may or may not be used to seeing numbers such as FF, which is 255 in decimal. Practicing the conversion process several times will allow you to convert from one counting system to another. You should understand how to convert from one system to the other before continuing. Memorizing the conversions is not necessary, but understanding them is a key point to focus on.

Binary Structures

Binary can be grouped into several categories that tell you how many bits you are talking about. A group of 8 bits, eight ones and zeros beside each other, is known as 1 byte. 16 bits, sixteen ones and zeros together, can be classified as a word.

Storage Types

Storage systems started at the smallest form and have grown to several terabytes in size, with many types of storage systems along the way. Knowing these types of systems will not only allow you to make informed decisions about pulling data off a device and about how data is stored in the forensic field, but also help in troubleshooting regular computer issues. Data is stored on storage devices in binary form, as either a one or a zero. This document will not cover how the storage controller writes to the storage media but rather the types of storage media.

Volatile Memory and Non-volatile Memory

Memory can be stored on a device that retains its state when power is lost, or on one that loses its state when power is lost. Volatile memory is the form of storage that requires power to maintain stored information. Devices such as Random Access Memory (RAM) fall into the volatile memory category. Hard drives and USB drives fall into the non-volatile memory category. It is important to know this because if you power off the machine to move it to another location to perform forensic analysis, you will lose everything held in RAM.

Hard Drives Explained

Hard drives are made from several different pieces built around the platters that store the information. Knowing each piece will aid in understanding how the hard drive reads data. The head is the device in the hard drive that reads data from the platter, and a single hard drive can have multiple heads in the enclosure. The platter contains tracks, cylinders and sectors, and the operating system adds on this by forming blocks or clusters. A track is a thin concentric strip on the platter surface which contains the magnetic medium to which the data is written. A cylinder is made up of the same track number on each platter in the enclosure. Sectors are the most important piece to take away from this section. Tracks are subdivided into smaller sections called sectors, and the sector is the smallest storage unit on a hard drive. The typical hard drive sector size is 512 bytes. Blocks and clusters are used by the file system and group multiple sectors into one larger “sector.”

Little Endian vs Big Endian

This section does not conclude which architecture is better or which one can perform more calculations per second, but it does describe the basics of how each works. Little endian is used by processors such as x86, and big endian by processors such as the IBM PowerPC Core. The biggest difference between the two is how they order the bytes on external media. Little endian stores the low-order byte first and big endian stores the high-order byte first. Figure 1-1 shows part of the NTFS MBR with the bytes per sector highlighted as 00 02. If you convert 00 02 to decimal as written, you get 2. Because the value is little endian, you have to read the bytes backwards, so 00 02 becomes 02 00, or hex 200. Converting hex 200 to decimal shows that we have 512 bytes per sector.

Figure 1-1