First Responder chkdisk and format NTFS Lab

In our First Responder lab, we take a close look at several incident reporting tools, starting with chkdisk. You’ll observe that with chkdisk utility, the dive volumes & paths are checked for errors and other anomalies.  You’ll overserve how to use the tool, as well as using the switch commands to perform specific tasks. With the /bottom switches, you’ll observe that NTFS performs specific checks of the volume such as checking for bad clusters, and checks of index entries.  And you’ll see how chkdsk displays all the disposition data regarding the volume including serial number, confirms file system type, and calculates file and folder totals amongst other data. [toggle_content title="Transcript"] Hi, Leo Dreiger here. I wanna talk to you about chkdsk. In many cases, you'll come up with something like this; do you want to scan and fix the Blue USB drive F? There might be a problem. Um, if so would you like it to basically scan it and fix it or continue without scanning? So what we're going to do is go to the command line, okay? Cd space dot dot, cd space dot dot, to get back to the root; clear the screen and do a chkdsk, space, forward slash, question mark. And, uh, what I'll do here is I'll try to make the font a little bit bigger just to make this a little bit easier for you guys to read, okay? So chkdsk, alright? Uh, it's a relatively easy program to run it. It – you know, if you have a network administration background, you, you more than likely have used but you certainly can use it in a forensics process as well. Um, so it's in chkdsk, then the volume or the path, um, and then basically, uh, couple of different options in what you can do. So, uh, F, okay? Fixes errors on the disk, uh, forward slash V, on FAT or FAT32 only. Display the full path and name of every file on the disk. Sounds like a little bit of a lengthy of a process if you ask me. Or on NTFS, display the clean-up messages if any, alright? So that's good, very similar to like a verbose option. Uh, dash R, locate bad sectors and recoverable readable information, okay? Um, actually that was, uh, this option right here, dot dash R. Dash L size, this will only work for NTFS, changes the log file size so that the specified number of kilobytes. Uh, if this size is not applicable display the current size, okay? Then you have a dash X or forward slash X, forces the volume to dismount first if necessary. Um, probably a good idea to do that considering you shouldn't be analyzing something that's also has potential of being used somewhere else. You have a forward slash I, performs a less vigorous check of index entries. Um, now I don't realistically ever do that. There, there probably is a reason, but you can do that. Um, however, whenever. I try to, uh, fix – uh, keyword there, fix – a disk, um, I want the vigorous options 'cause I want everything to get fixed. Uh, so I don't ever realistically use that in less vigorous. I would imagine, though, that it would be faster if you did check that option, but I'd rather have it fixed permanently than speed. Um, so to me that's just a little preference on my behalf. You have the forward slash C, this skips the checks of, uh, the cycles within the folder or structure. And forward slash B; this re-evaluates the bad clusters on the biome and also implies that you actually have a forward slash R. So one of the things we're going to to do here is, uh, if I open up – and we're going to do basically the F drive. This is the Blue USB, okay? So, we're going to do chkdsk, F colon, uh, forward slash fix, um, and then we can also do something like, uh, maybe a forward slash B here, um, and maybe, mmmm, uh, actually let's add a forward slash F, forward slash R, and forward slash B, and then let's see if it – what comes out. So in this case, the Windows – um, the type of – actually it's FAT32, so basically none of the NTFS options, um, are going to work. So that's a little, uh, foresight on my behalf, so let's just go back and do the, the dash F, alright? So its going to come up with a type of the file system is FAT32, uh, and it's only a 400 and some odd megabyte drive. Uh, the name of it is Blue USB, the serial number is such-and-such. Now this is helpful because in many cases, you actually – we need to get this serial number off of the removable drice, device, especially if you're going to try to map a particular USB drive to only work with particular systems. So you can, in theory, um, use USB drives appropriately, although it's a lot of of administrative overhead. So typically, the easy way out there is just to turn off, you know, USB drives, especially in some sort of governmental or federal space. Windows is verifying files and folders. The file folder verifications are complete. Windows has checked the file systems and found no problems. However, I still have – let's see, if it's actually still open. Umm, it looks like it went away because the little command prompts ,uh, uh, would you like to fix this drive? Looks like that's gone now, okay? So let's go back and try to do it again, okay? So we have the F fix option here. That was for FAT32. Um, and we could also do an X here and the rest of these are going to be NTFS options. So in this case, because it's actually, um, FAT32, there's not much that we're going to be able to do here. But what we can do and we can do this a couple different ways. Let's say that I want to – let's do it, um, let's do it like this. So we're going to go over to computer, mange it. Let me show you a different kind of view into this world here so stick with me. So we're going to come in here to disk management, and give it a second to open. It's, uh, loading disk configuration information down here, and you can see that towards the bottom. And there we go, so here's the, uh, FAT32. If we, um, go to the properties of this, okay? Here you can see the total size, the different tools, if you want to do error checking. So automatically a dash F or fix and then scan and attempt recovery of bad sectors, you can do that as well, right here. Uh, and that's easy enough to do, so we can just do that real quick. That shouldn't take long at all. So this is another way in which you can fix, um, a file. Oh I'm sorry, not a file but, uh, your know, a drive or something like that, and uh your device was successfully scanned. No problems were found and the devices ready for use. If you remove the device or disk before all files were written to it, part or some of the files might still be missing. If so, go back and to the source and recopy these files, um, to the disk. And you can go basically get a high level summary. So notice what's here, okay? Kind of looks familiar doesn't it? Looks exactly like what we got here in this screen here. So if I just kind of reformat that a little bit, uh, and then you can kind of compare these. 505147, 505147; 505122, 505122, looks the same to me. In other words, I am happy with that, okay? Alright? So we can close out of that so it scanned them just fine. Um, and then just really nothing else. Just to be thorough here there's nothing else in hardware. We don't necessarily want to share it. Uh, we're not going to add any password protection to it. We don't need a ready boost. Then there's nothing realistically nothing to customize, alright? So now what we can do is format the drive, and this will, uh, lose any data that is associated with it. So I do have a file on there, um, that is, uh, a password file, but I'm officially changing from FAT32 to NTFS, perform a quick format and enable and file and folder compression. That's not entirely irrelevant or accurate at, at this point. In other words I don't have a specific need for that. So I'm going to leave that alone and then also if I wanted to change the file allocation units size, um, I can do that but, you know, only, you know, the very very small drive that's irrelevant here. So, um, formatting this file you'll more erase all the data you want. Back up any data that you want to keep before formatting it. Do you want to do it? Sure. So again, we have data on here,. We've got a password file on here, and I'm in the process of formatting it, and we'll see if, um, you know, if it goes bye-bye. So now it looks like it's NTFS, okay? So again had data on it. Just formatted it. Now I should have basically a drive with nothing else on it here. So I'm going to go down to Blue USB; folder's empty. Whatever data was on there, bye-bye, okay? Nothing to see here. We can go to properties. We can verify that it's now in NTFS, um, and we're going to kinda do a couple more things here and then I'll show you some tricks, okay? So now we're going to go back to the F drive here and now all of our NTFS options will work, okay? So, chkdsk is verifying files, stages 1 of 15. 256 file records. Wow that's a lot considering I just formatted this; 256 files records processed. File verification completed, zero large files, zero bad files, zero EA records processed, zero reparse records processed. Chkdsk is verifying indexes and this was stage one, this one stage two, three, four, and five all the way through. Um, zero unindexed files scanned and recovered. Chkdsk is verifying security descriptors three of five, alright? So 256 log security IDs processed. Nine data files processed. Interesting because it had nothing on it; 240, uh, files processed, in the Stage 4 of 5 and 1100 – 11,003 clusters processed. Okay, great. And then we get a nice, uh, summary here at the end. Um, it found , uh, 21568 kilobytes in 5 different files, 11 indexes, 0 bad sectors. So in theory, we shouldn't get a pop-up anymore that says hey, would you like to scan this drive? Um, so and so used by the system, um, so and so, uh, occupied the log file sides and the available data on the drive. Okay, great, nice. So had data on it, was FAT32, formatted it as NTFS, uh, um. And now we can go back in and perhaps see if, um, for example, we can't get some of the information off this drive in a later lab, uh, to basically see, you know, if anything is left. And uh, there's several tools you can do that to try to, you know, to do your hard drive recovery and things like that. So I'll leave it for there for this lab; that's chkdsk. I basically took a drive, formatted it as FAT32, uh, formatted it as NTFS, got rid of all the data on it, so this low level format should be ready to, uh, uh, and handy, ready to go, okay? So on and so forth, a nice, nice, good spot for, uh, if a user would have cleaned their tracks and then you find a drive with nothing on it, what do we do with it, alright? So good, good, place to be in. My name's Leo Dreiger, thanks for watching and don't forget to check us out on Facebook, LinkedIn, YouTube, and Twitter. [/toggle_content]
Recommended Study Material
Learn on the go.
The app designed for the modern cyber security professional.
Get it on Google Play Get it on the App Store

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Cybrary On The Go

Get the Cybrary app for Android for online and offline viewing of our lessons.

Get it on Google Play

Support Cybrary

Donate Here to Get This Month's Donor Badge

Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?