Example of NTFS file system architecture for generating evaluation in Linux (II.)

Experiment NTFS-2 Description: NTFS -2.img is a disk image that contains the NTFS file system, use Winhex to read out the specified file in the filesystem and answer its MD5 hash value.

Requirements:

1, using Winhex manual way to read.

2, do not use Winhex template function.

3. Do not use Winhex file system parsing function.

4, fill in the MD5 hash value is all uppercase, does not include 0x head or H-tail, the middle must not have any spacing symbols (including spaces, tabs, '-' and other symbols), the Winhex software to calculate the hash value is the subject.

Experimental Purpose:

1. Implement manual tracking of a file in the NTFS file system with a resident 0x80 attribute and read out its contents.

2. Understand how to handle updating sequence words in file record.

3. Further understand the structure of file record.

4, skilled use of winhex

Item Bank

1, experimental NTFS-2, the file system in the "/mnt/ntfs-2-58/12.txt", the manual reading of the contents of the calculated file MD5 hash value is 0x___. 927c94bbfc5b2a545c8526f8272f65f8//easy. 2, experimental NTFS-2, the file system in the "/mnt/ntfs-2-58/7.txt", the manual reading of the contents of the calculated file MD5 hash value is 0x___. 685a3c1600211f75362f2b9d0541a2da//easy. 3, experimental NTFS-2, the file system in the "/mnt/ntfs-2-58/4.txt", the manual reading of the contents of the calculated file MD5 hash value is 0x___. 0c72d420dd8902bbae41a8c4e6676bca//easy. ... ...

Attached: The python script that generated the questions:

#!/usr/bin/python3import osimport randomimport hashlibimport structr=os.systemrc= Random.choiceri=random.randintmd5=hashlib.md5items = list (range (1,21)) R ("Cd ~/ntfs-2") fkaoti= Open ("Ntfs-2-kaoti.txt", ' w+ ') R ("qemu-img create -f raw ntfs-2.img 300m") R ("Losetup  /dev/loop0 ntfs-2.img ") R (" Mkfs.ntfs -f /dev/loop0 ") R (" mount.ntfs-3g /dev/loop0  /mnt ") For i in range (1,60):   r (" mkdir /mnt/ntfs-2-%d " % i)    Random.shuffle (items)   for ii in items:     #确保文件大小, just file  The record is placed at the same time as it crosses the boundary of a sector.     r ("dd if=/dev/urandom of=/mnt/ntfs-2-%d/%d.file      bs=2 count=%d "% (I,ii,ri (100,200))) #//cannot exist in the first directory block after a 40 directory generation md5 hash,40  range (40,60):    for ii in items:     fn= "/mnt/ Ntfs-2-%d/%d.fIle "% (i,ii)      ff=open (FN, ' RB ')      data=ff.read ()       ff.close ()      fkaoti.write ("In the experimental NTFS-2, the"%s\ "in the file system,       manually read content after the computed file Md5 hash value is 0x___. %s//easy. \ n "                    %  (FN,MD5 (data) hexdigest (). Upper ())  )          Fkaoti.flush ()  fkaoti.close () R ("CD") R ("Umount /dev/loop0") R ("Losetup -d /dev/loop0")

Deployment process:

1, execute the above script under Liunx, Generate Ntfs-2.img and ntfs-2-kaoti.txt (can generate two copies, one for practice, one for exams).

2, for each exam, the ntfs-2-kaoti.txt into the examination system.

3, for each exam, put ntfs-2.img into the examination system designated directory.

4. Do not put the documents directly involved in the examination into the test system disk.

This article is from the "Zhang Yu (Data Recovery)" blog, please be sure to keep this source http://zhangyu.blog.51cto.com/197148/1942217

Example of NTFS file system architecture for generating evaluation in Linux (II.)