Be a Better Detective #1
MFT Starting Cluster Address Problem
Hello everyone, it is Husam! Thank you for being part of this journey. I really appreciate every one of you who subscribed to the newsletter, even though I had not posted anything yet.
This series of posts presents real-world challenges and mistakes faced or made by digital forensic practitioners. Try to solve them yourself and sharpen your investigative skills ^_^
Who am I? Husam is just a guy who loves solving cyber-crime mysteries.
~ Sherlock Holmes by Day - Lupin by Night
As a digital forensics examiner, you wanted to know the starting cluster address of the MFT.
You have a forensic image, and you thought you knew what you were doing.
You looked up where that detail is stored and found that it lives at offset 0x30 with a size of 0x8 bytes.
You opened the disk image in a hex editor and navigated to the NTFS partition's VBR (Volume Boot Record).
You read the MFT cluster address there, converted it from little endian to big endian, and you were so happy.
You decided to go to the calculated MFT cluster address just to verify it, but what you found there was nonsense.
You knew that it should have started with the "FILE" signature, but it did not!
Something went wrong, but you do not know what it was!!
You closed the hex editor, mounted the image, and opened the $MFT file regardless of where it exists or how the tool worked out its location.
You just closed your eyes and told yourself that you do not need to know such details.
Here is the thing:
It is not only that you accepted data blindly without knowing where it came from; you also did not know how to validate it or interpret it without depending on such tools. You just pushed the buttons!
This is a strong indicator that you may use the same approach in much more critical situations, validating none of your findings yourself and relying only on the tools'.
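As an added example (my own code, not part of the original post), here is how the validation step described above looks when done by hand: read the VBR fields, turn the value at offset 0x30 into a byte position in the image, and check for the "FILE" signature before trusting it. The image, partition start and field values are constructed for the demonstration; the field layout is the standard NTFS boot sector layout.

```python
import struct

FILE_SIG = b"FILE"  # every $MFT record starts with this signature


def parse_vbr(vbr: bytes) -> dict:
    """Read the VBR fields needed to locate $MFT (standard NTFS BPB layout)."""
    if vbr[3:11] != b"NTFS    ":
        raise ValueError("not an NTFS boot sector")
    bytes_per_sector = struct.unpack_from("<H", vbr, 0x0B)[0]
    sectors_per_cluster = vbr[0x0D]
    # Large-cluster volumes store a negative power of two here (e.g. 0xF4 -> 2**12)
    if sectors_per_cluster > 0x80:
        sectors_per_cluster = 1 << (256 - sectors_per_cluster)
    mft_cluster = struct.unpack_from("<Q", vbr, 0x30)[0]  # 8-byte little-endian LCN
    return {"bytes_per_sector": bytes_per_sector,
            "sectors_per_cluster": sectors_per_cluster,
            "mft_cluster": mft_cluster}


def mft_byte_offset(partition_offset: int, f: dict) -> int:
    """The 0x30 value is a cluster number: scale it by the cluster size and
    add the partition's own start before seeking in the whole-disk image."""
    cluster_size = f["bytes_per_sector"] * f["sectors_per_cluster"]
    return partition_offset + f["mft_cluster"] * cluster_size


def has_file_signature(image: bytes, offset: int) -> bool:
    return image[offset:offset + 4] == FILE_SIG


def build_sample_image():
    """Constructed image: NTFS partition at sector 2048, 512-byte sectors,
    8 sectors per cluster, $MFT at LCN 4 (hypothetical values)."""
    part_off = 2048 * 512
    vbr = bytearray(512)
    vbr[3:11] = b"NTFS    "
    struct.pack_into("<H", vbr, 0x0B, 512)
    vbr[0x0D] = 8
    struct.pack_into("<Q", vbr, 0x30, 4)
    vbr[510:512] = b"\x55\xAA"
    image = bytearray(part_off + 5 * 4096)
    image[part_off:part_off + 512] = vbr
    mft = part_off + 4 * 4096
    image[mft:mft + 4] = FILE_SIG
    return bytes(image), part_off
```

Seeking to the raw cluster number (or to the cluster offset without adding the partition start) lands on unrelated bytes, which is exactly the "nonsense" the scenario describes; the signature check is what tells you the arithmetic was right.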
Be a Better Detective.
Here is the task: identify what went wrong and how to correct it. Put your answer in the comment section so I can review it for you.
Cya till the next time ~Hoxed
You can find me on other social media here.
Thank you for reading this post, hope it was useful!
I can help you further with:
1. Cybersecurity Investigation Projects
2. Digital Forensic Coaching
3. LinkedIn Cybersecurity Companies Branding
Click here, so we can talk!