Sample NTFS file system architecture for generating evaluation in Linux (iii)

Source: Internet
Author: User
Tags: md5, hash, python, script

Experiment NTFS-3 Description:

xxx.tar.gz in the ntfs-3\ directory decompresses to a disk image that contains an NTFS file system. What is known:

1. Before it was zeroed, the disk used MBR partitioning and held a single NTFS partition (no extended partition);

2. The MBR region and the DBR region have been zeroed, and the starting position of the partition is unknown;

3. Some important parameters in the NTFS DBR backup have been destroyed; the remaining areas are intact.

Please answer the questions below.



Requirements:

Use WinHex to repair the DBR manually and give the MD5 hash value of the repaired DBR sector.

1. Read the data manually in WinHex.

2. Do not use the WinHex template function.

3. Do not use the WinHex file system parsing function.

4. In the NTFS DBR structure, repair: the total number of partition sectors, the number of sectors per cluster, the $MFT location, the $MFTMirr location, and the number of clusters per file record. The remaining fields are not damaged and must be kept intact.

5. The NTFS file system size recorded in the DBR covers the range from the DBR sector up to the sector immediately before the DBR backup sector; the DBR backup sector itself is excluded.

6. Write the MD5 hash value in all uppercase, without a 0x prefix or H suffix, and without any separators in between (spaces, tabs, '-' or other symbols); the hash value computed by WinHex is authoritative.


Experimental Purpose:

1. Understand the structure of the NTFS DBR.

2. Understand the overall structure of the NTFS file system.

3. Learn how to derive file system parameters from the data area.

4. Use WinHex proficiently.


Question Bank (example):

1. In experiment NTFS-3, for the image file ntfs-3-1.img, according to the existing information analysis, the DBR sector position should be ___ (decimal digit representation). The MD5 hash value after modifying its DBR is 0x___. (Calculate DBR HASH only)//995#26665a42e0dc3ad0894170d9a1cc2084//easy.

2. In experiment NTFS-3, for the image file ntfs-3-2.img, according to the existing information analysis, the DBR sector position should be ___ (decimal digit representation). The MD5 hash value after modifying its DBR is 0x___. (Calculate DBR HASH only)//435#37ec25faeaa44d46b386cee3fcd71eca//easy.

......

Question bank generation process:

Step one:

Modify the NTFS-3G source code, then compile and install it, so that the $MFT and $MFTMirr files are placed at random locations:

```shell
# Download the ntfs-3g source
wget https://tuxera.com/opensource/ntfs-3g_ntfsprogs-2017.3.23.tgz
# Unpack the source
tar -zxf ntfs-3g_ntfsprogs-2017.3.23.tgz
# Edit the file: near line 3941, after the line
#     g_mft_lcn = g_rl_mft_bmp[0].lcn + g_rl_mft_bmp[0].length;
# add:
#     srandom(sle64_to_cpu(mkntfs_time()) / 10000000);
#     g_mft_lcn += ((u16)random() & 0xff);
# Near line 3990 (counting the two lines added above), after the lines
#     g_mftmirr_lcn = (opts.num_sectors * opts.sector_size >> 1)
#                       / g_vol->cluster_size;
# add:
#     g_mftmirr_lcn += ((u16)random() & 0xf);
vim ntfs-3g_ntfsprogs-2017.3.23/ntfsprogs/mkntfs.c
# Compile the code and install the tools
cd ntfs-3g_ntfsprogs-2017.3.23
./configure
make
make install
# If the new build does not take effect after installation, locate the old
# binary with `which mkntfs`, delete it and run make install again, or log in
# to the shell again.
# Test commands (run them in order and observe the statistics):
mkntfs -f -c 1024 /dev/loop0
ntfscluster /dev/loop0
ntfsinfo -m /dev/loop0
ntfscluster -i 1 /dev/loop0
# Check whether the "mft zone position:" value changes after each format,
# and whether the LCN of $MFTMirr on the last line changes.
```


Step two:

Write a Python script that generates the test samples and the questions:

```python
#!/usr/bin/python3
import os
import random
import hashlib
import struct

r = os.system
rc = random.choice
ri = random.randint
md5 = hashlib.md5

clusize = [512, 1024, 2048, 4096, 8192, 16384]

# os.system("cd ...") only changes directory in a child shell, so change the
# script's own working directory instead
os.chdir(os.path.expanduser("~/ntfs-3"))
r("ls")
fkaoti = open("ntfs-3-kaoti.txt", "w+")
Zeroblock = bytearray(512)

for i in range(1, 101):
    fd = "ntfs-3-%d.img" % i
    diskKBs = ri(300 * 1024, 500 * 1024)
    r("qemu-img create -f raw %s %dk" % (fd, diskKBs))
    # -P makes the kernel scan the partition table so that /dev/loop0p1 exists
    r("losetup -P /dev/loop0 %s" % fd)
    r("parted -s /dev/loop0 mklabel msdos")
    ss = ri(100, 1000)   # partition start sector, which is also the DBR sector
    r("parted -s /dev/loop0 mkpart primary fat32 %ds %d%%" % (ss, ri(90, 99)))
    r("mkfs.ntfs -f -c %d /dev/loop0p1" % rc(clusize))
    r("mount.ntfs-3g /dev/loop0p1 /mnt")
    # ~100 directories with ~20 small files each, to populate the data area
    for ii in range(1, 100):
        dir1 = ri(100, 999999)
        r("mkdir /mnt/%d" % dir1)
        for iii in range(1, 20):
            file1 = ri(1000000, 9999999999)
            r("dd if=/dev/zero of=/mnt/%d/%d.file seek=%d count=1 bs=4096 2>/dev/null"
              % (dir1, file1, ri(16, 50)))
    r("umount /dev/loop0p1")
    r("losetup -d /dev/loop0")

    # Compute the answer hash from the intact DBR, then damage the image
    f = open(fd, "rb+")
    f.seek(ss * 512)
    DBR = f.read(512)
    (pPad1, pSecSize, pCluSecs, pPad2, pHiddenSecs, pPad3, pTotalSecs,
     pMftCluNo, pMftmirrCluNo, pCluPerFR, pPad4, pSign) \
        = struct.unpack("<11shb14si8sqqqb445sh", DBR)
    dbrmd5 = md5(DBR)
    f_dbr = open("%s.DBR" % fd[:-4], "wb+")   # keep the correct DBR as the answer key
    f_dbr.write(DBR)
    f_dbr.close()
    # DBR backup with the five exam parameters zeroed, everything else intact
    BadDBR = struct.pack("<11shb14si8sqqqb445sh", pPad1, pSecSize,
                         0, pPad2, pHiddenSecs, pPad3, 0,
                         0, 0, 0, pPad4, pSign)
    f.seek(ss * 512 + pTotalSecs * 512)   # the backup lives in the volume's last sector
    f.write(BadDBR)
    # zero everything from the MBR through the DBR sector
    f.seek(0)
    for it in range(0, ss + 1):
        f.write(Zeroblock)
    f.close()
    fkaoti.write("In experimental NTFS-3, for image file %s, the sector position of DBR "
                 "should be ___ (decimal digit representation) according to the existing "
                 "information analysis. The MD5 hash value after modifying its DBR is 0x___. "
                 "(Calculate DBR HASH only)//%d#%s//easy.\n"
                 % (fd, ss, dbrmd5.hexdigest().upper()))
    fkaoti.flush()
    r("tar -zcf %s.tar.gz %s" % (fd[:-4], fd))
    r("rm %s" % fd)

fkaoti.close()
```
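The script above damages each image in a fixed way: the MBR through the DBR are zeroed, and the DBR backup is rewritten with exactly the five exam fields (sectors per cluster, total sectors, $MFT LCN, $MFTMirr LCN, clusters per file record) set to zero. The following is an added example, not part of the original post, that walks the repair in the other direction over a small constructed image: it scans for the surviving backup boot sector, derives the total sector count from requirement 5 (backup LBA minus DBR LBA), rebuilds the DBR and produces the MD5 in the answer format. It assumes, as the generator script implies, that the backup's hidden_sectors field is untouched and equals the partition start, which is a clue specific to these synthetic images; the sample DBR values, sector numbers and the four data-area parameters passed into repair_dbr are all constructed for the demonstration.

```python
import hashlib
import struct

# 512-byte NTFS DBR split the same way as the generator script's struct
# format ('<11shb14si8sqqqb445sh'); the five fields the exam repairs are named.
DBR_FMT = "<11sHB14sI8sQQQb445sH"
FIELDS = ("jmp_oem", "bytes_per_sector", "sectors_per_cluster", "pad_0e",
          "hidden_sectors", "pad_20", "total_sectors", "mft_lcn",
          "mftmirr_lcn", "clusters_per_frs", "pad_41", "signature")
EXAM_FIELDS = ("sectors_per_cluster", "total_sectors", "mft_lcn",
               "mftmirr_lcn", "clusters_per_frs")
SECTOR = 512

def parse_dbr(sector):
    """Unpack one 512-byte DBR into a field dictionary (little-endian)."""
    if len(sector) != SECTOR:
        raise ValueError("a DBR is exactly one 512-byte sector")
    return dict(zip(FIELDS, struct.unpack(DBR_FMT, sector)))

def build_dbr(fields):
    """Inverse of parse_dbr."""
    return struct.pack(DBR_FMT, *(fields[n] for n in FIELDS))

def dbr_md5(sector):
    """MD5 in the exam's answer format: 32 uppercase hex digits, no prefix."""
    return hashlib.md5(sector).hexdigest().upper()

def file_record_bytes(clusters_per_frs, bytes_per_cluster):
    """Decode the signed byte at offset 0x40: a negative value v means a
    2**(-v)-byte record (0xF6 = -10 -> 1024 bytes); positive is a cluster count."""
    if clusters_per_frs < 0:
        return 1 << -clusters_per_frs
    return clusters_per_frs * bytes_per_cluster

def looks_like_ntfs_dbr(sector):
    """OEM id 'NTFS    ' at offset 3 and 0x55AA at the end of the sector."""
    return sector[3:11] == b"NTFS    " and sector[510:512] == b"\x55\xaa"

def find_dbr_backup(image):
    """Scan an image sector by sector for the DBR backup; with the MBR and
    DBR zeroed it is the only NTFS boot sector left. Returns its LBA or None."""
    for lba in range(len(image) // SECTOR):
        if looks_like_ntfs_dbr(image[lba * SECTOR:(lba + 1) * SECTOR]):
            return lba
    return None

def damage_like_generator(dbr):
    """What the generator writes to the backup sector: the five exam fields zeroed."""
    f = parse_dbr(dbr)
    for name in EXAM_FIELDS:
        f[name] = 0
    return build_dbr(f)

def repair_dbr(bad_backup, backup_sector, sectors_per_cluster, mft_lcn,
               mftmirr_lcn, clusters_per_frs):
    """Rebuild the DBR from the damaged backup. Assumption: hidden_sectors
    survives the damage and equals the partition start (the DBR's own LBA);
    total_sectors follows requirement 5 (DBR sector up to, but excluding, the
    backup sector). The other four values come from analysing the data area."""
    if not looks_like_ntfs_dbr(bad_backup):
        raise ValueError("not an NTFS boot sector")
    f = parse_dbr(bad_backup)
    dbr_sector = f["hidden_sectors"]
    f["total_sectors"] = backup_sector - dbr_sector
    f["sectors_per_cluster"] = sectors_per_cluster
    f["mft_lcn"] = mft_lcn
    f["mftmirr_lcn"] = mftmirr_lcn
    f["clusters_per_frs"] = clusters_per_frs
    return dbr_sector, build_dbr(f)

def make_sample_dbr(dbr_sector, total_sectors):
    """Constructed sample DBR (not from any real image): 512-byte sectors,
    2 sectors per cluster, 1 KiB file records, $MFTMirr near mid-volume."""
    pad_0e = b"\x00" * 7 + b"\xf8\x00\x00" + (63).to_bytes(2, "little") + (255).to_bytes(2, "little")
    pad_41 = b"\x00" * 3 + b"\x01" + b"\x00" * 3 + bytes(range(8)) + b"\x00" * 430
    return build_dbr({
        "jmp_oem": b"\xeb\x52\x90NTFS    ", "bytes_per_sector": 512,
        "sectors_per_cluster": 2, "pad_0e": pad_0e, "hidden_sectors": dbr_sector,
        "pad_20": b"\x00" * 4 + b"\x80\x00\x80\x00", "total_sectors": total_sectors,
        "mft_lcn": 4 + 0x3a, "mftmirr_lcn": (total_sectors * 512 >> 1) // 1024 + 5,
        "clusters_per_frs": -10, "pad_41": pad_41, "signature": 0xAA55})

def demo(dbr_sector=100, total_sectors=2000):
    """Build a small constructed image damaged the way the generator does it,
    then recover the DBR position, the total sector count and the answer hash."""
    original = make_sample_dbr(dbr_sector, total_sectors)
    orig = parse_dbr(original)
    backup = dbr_sector + total_sectors            # last sector of the volume
    image = bytearray((backup + 1) * SECTOR)       # MBR..DBR are already zero
    image[backup * SECTOR:(backup + 1) * SECTOR] = damage_like_generator(original)
    found = find_dbr_backup(image)
    bad = bytes(image[found * SECTOR:(found + 1) * SECTOR])
    pos, repaired = repair_dbr(bad, found, orig["sectors_per_cluster"],
                               orig["mft_lcn"], orig["mftmirr_lcn"],
                               orig["clusters_per_frs"])
    return {"backup_sector": found, "dbr_sector": pos,
            "total_sectors": parse_dbr(repaired)["total_sectors"],
            "file_record_bytes": file_record_bytes(
                orig["clusters_per_frs"], orig["bytes_per_sector"] * orig["sectors_per_cluster"]),
            "damaged_md5": dbr_md5(bad), "repaired_md5": dbr_md5(repaired),
            "repaired_matches_original": repaired == original}

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On a real exam image the same flow applies with the file read from disk instead of the constructed bytearray, but the four data-area parameters still have to be established by inspecting the $MFT and the file records (the page's stated purpose 3), since nothing in the damaged backup yields them; the sector scan and the requirement 5 subtraction are the only parts that follow mechanically.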


Deployment process:

1. Run the script above under Linux to generate the ntfs-3-*.img images and ntfs-3-kaoti.txt (two copies can be generated, one for practice and one for the exam). The *.tar.gz files are the exam images, ntfs-3-kaoti.txt is the generated question file, run_ntfs-3.py is the script above, and the *.DBR files are the correct DBR backups.

2. For each exam, import ntfs-3-kaoti.txt into the examination system.

3. For each exam, place all ntfs-3-xxx.tar.gz files into the directory designated by the examination system.

4. Do not place the files directly involved in the exam onto the examination system's disk.


This article is from the "Zhang Yu (Data Recovery)" blog, please be sure to keep this source http://zhangyu.blog.51cto.com/197148/1942226

