Presentation is loading. Please wait.

Presentation is loading. Please wait.

Efficient Drive forensics – and it’s free!

Published byMercy Hancock Modified over 6 years ago

Similar presentations

Presentation on theme: "Efficient Drive forensics – and it’s free!"— Presentation transcript:

1 Efficient Drive forensics – and it’s free!
Disk Editor Efficient Drive forensics – and it’s free! Prepared by Edward Webber

2 Reasons to use it: Where to find it
Reasons to use it: Completely free Regular updates Has partner file recovery app Eliminates data location calculation errors Reduces time to find data Automatically translates data for multiple file systems into user-readable format

3 Main features More than a basic hex editor

4 features overview Drive Support Template Driven Data Displays
Hard disk drives SSD & USB Disks Partitions & Volumes Files Template Driven Data Displays Drive Images Support vmWare dd images MS Virtual PC DIM support (disk image + metadata) Hyperlinks For example: MFT records link to first cluster in data run MBR links to partitions. Built-in File Editor All features are self-contained No plug-ins needed

5 Alternative: Hex workshop
Drawbacks: $90 per seat No updates in two years Lacks modern interface Steep learning curve No block hyperlinking No file system templates Manual sector calculations Must rely on bookmarks Wall of hex

6 Disk editor vs. Hex workshop
Feature DE HW Maximum file size Partial file loading Disk sector editing Bit editing Text editor Insert / Delete bytes Bit Shifting Search Unicode N/A YES NO NO* Feature DE HW File structure view Hi-res Support File Compare Find in Files Bookmarks Macro Data inspector Auto-Highlighting YES NO NO*

7 Which would you choose? Color coded. Modern interface.
Wall of Hex. UI from the 80’s.

8 Find the Total Sectors:
Disk Editor 6 Find the Total Sectors: Where is it located? What’s the value? (8 bit? 16 bit? Signed?) MFT cluster number? Hyperlinked

9 Find the Total Sectors:
Hex workshop 6.8 Find the Total Sectors: Where is it located? What’s the value? (8 bit? 16 bit? Signed?) MFT cluster number?

10 Forensics problem 1 Sampling the power of disk editor

11 Forensics problem 1 3/30/2016 4:59 PM Open Active@ Disk Editor
3/30/2016 4:59 PM Select “open disk image” 3/30/2016 5:00 PM Select “All files” from the extension dropdown menu and open FP1.dd

12 Forensics problem 1 3/30/2016 5:01 PM Click the “Find” icon, enter “pw” in the search field 3/30/2016 5:02 PM If not selected, select the “Find Results” tab in the lower left.

13 Forensics problem 1 3/30/2016 7:28 PM Select “‘pw’ Down; Match case (1 hits)”, then select “pw=goodtimes” 3/30/2016 7:31 PM Password is hidden within the RAM slack of “Cover page.jpg” image file. Should appear as “pw=goodtimes” in sector x2156 (8,534) at offset x40-4B (64-76)

14 Project 5.2 – file entry metadata
Where disk editor shines (and hex workshop nightmares begin)

15 specific files C5Prj02.txt Contents:
“A slip of the foot you may soon recover, but a slip of the tongue you may never get over. Drive thy buisness or it will drive thee. An investment in knowledge always pays the best interest.”

16 Organized metadata structure
File metadata Fully highlighted Organized metadata structure Attribute sections 10 30 80

17 File metadata – mac times
No guessing No math No losing your place in a sea of hex No human error At-a-glance results

18 File previews Many formats supports Word RTF Excel CSV Text JPG BMP
TIFF PNG

19 FAT32/USB File System Evaluation
Where disk editor shines (and hex workshop nightmares continue)

20 FAT32/USB File System Evaluation
Switch between Hex / Dec? One mouse click FAT32 Boot Sector Automatically highlighted and parsed

21 FAT32/USB File System Evaluation
Root directory entry Where is it? Do the math: Sectors per FAT: 1,955 Number of FATs: 2 1955 x 2 = 3,910 Reserved sectors: 4,282 4, ,910 = 8,192 Bytes per sector: 512 Sectors per cluster: 8 Root cluster: 2 512 x 8 x 2 = 8,192

22 FAT32/USB File System Evaluation
FAT32 Boot Sector Boot sector validator Checks for out of spec values

23 Did I mention FREE? Summary Active@ Disk Editor 6
Quick shortcuts to content Clickable hyperlinks to relevant sectors FREE! Easy file editing Easy to learn Minimal training required Did I mention FREE? Prevents hex reading mistakes Little endian, Big endian – All automatically calculated

24 Active@ Disk Editor Questions? http://www.disk-editor.org/download
Presentation by: Edward webber

Download ppt "Efficient Drive forensics – and it’s free!"

Similar presentations

Intro to WinHex CSC 414.

Intro to WinHex CSC 414.
Using Macros and Visual Basic for Applications (VBA) with Excel

Using Macros and Visual Basic for Applications (VBA) with Excel
Site Modules > Page Builder Access the Page Builder module through the Site Modules top navigation link. Access Page Builder from the Site Modules navigation.

Site Modules > Page Builder Access the Page Builder module through the Site Modules top navigation link. Access Page Builder from the Site Modules navigation.
The FAT File System CSC 414. Objectives  Understand the structure and components of the FAT (12/16/32) File Systems  Understand what happens when a.

The FAT File System CSC 414. Objectives  Understand the structure and components of the FAT (12/16/32) File Systems  Understand what happens when a.
Digital Forensics Module 11 CS 996. 4/26/2004Module 112 Outline of Module #11 Overview of Windows file systems Overview of ProDiscover Overview of UNIX.

Digital Forensics Module 11 CS /26/2004Module 112 Outline of Module #11 Overview of Windows file systems Overview of ProDiscover Overview of UNIX.
Guide to Computer Forensics and Investigations Fourth Edition

Guide to Computer Forensics and Investigations Fourth Edition
Lecture 10: The FAT, VFAT, and NTFS Filesystems 6/17/2003 CSCE 590 Summer 2003.

Lecture 10: The FAT, VFAT, and NTFS Filesystems 6/17/2003 CSCE 590 Summer 2003.
Connecting with Computer Science, 2e

Connecting with Computer Science, 2e
Customizing Word Microsoft Office Word 2007 Illustrated Complete.

Customizing Word Microsoft Office Word 2007 Illustrated Complete.
Wince File systems. File system on embedded File system choice on embedded is important –File system size can be an issue –Different media are used –

Wince File systems. File system on embedded File system choice on embedded is important –File system size can be an issue –Different media are used –
Files & Partitions BACS 371 Computer Forensics. Data Hierarchy Computer Hard Disk Drive Partition File Physical File Logical File Cluster Sector Word.

Files & Partitions BACS 371 Computer Forensics. Data Hierarchy Computer Hard Disk Drive Partition File Physical File Logical File Cluster Sector Word.
Objectives Learn what a file system does

Objectives Learn what a file system does
Mastering Windows Network Forensics and Investigation Chapter 7: Windows File Systems.

Mastering Windows Network Forensics and Investigation Chapter 7: Windows File Systems.
Lecture 9: The FAT and VFAT Filesystems 6/16/2003 CSCE 590 Summer 2003.

Lecture 9: The FAT and VFAT Filesystems 6/16/2003 CSCE 590 Summer 2003.
© 2008 The McGraw-Hill Companies, Inc. All rights reserved. WORD 2007 M I C R O S O F T ® THE PROFESSIONAL APPROACH S E R I E S Lesson 21 Fields and Forms.

© 2008 The McGraw-Hill Companies, Inc. All rights reserved. WORD 2007 M I C R O S O F T ® THE PROFESSIONAL APPROACH S E R I E S Lesson 21 Fields and Forms.
Website Development with Dreamweaver

Website Development with Dreamweaver
MICROSOFT WORD 2007 INTERMEDIATE/ADVANCED. CREATE A NEW STYLE BASED ON A SELECTED TEXT HOME tab > STYLES group dialog launcher > at the bottom of the.

MICROSOFT WORD 2007 INTERMEDIATE/ADVANCED. CREATE A NEW STYLE BASED ON A SELECTED TEXT HOME tab > STYLES group dialog launcher > at the bottom of the.
1.Getting Started 2.Modifying Design 3.Page 4.News 5.Events 6.Photo Gallery 7.Newsletter Index Training 15 th Mar., 2011.

1.Getting Started 2.Modifying Design 3.Page 4.News 5.Events 6.Photo Gallery 7.Newsletter Index Training 15 th Mar., 2011.
Bits, Bytes, Files, Hard Drives. Bits, Bytes, Letters and Words ● Bit – single piece of information ● Either a 0 or a 1 ● Byte – 8 bits of information.

Bits, Bytes, Files, Hard Drives. Bits, Bytes, Letters and Words ● Bit – single piece of information ● Either a 0 or a 1 ● Byte – 8 bits of information.
Windows NTFS Introduction to Operating Systems: Module 15.

Windows NTFS Introduction to Operating Systems: Module 15.

Similar presentations

Ads by Google