From: mscotgrove on 9 Jan 2008 05:45

I am investigating a 250GB FAT32 disk which has had many files deleted - the suspicion is that the deleting was malicious. The disk is in good working condition, with no errors.

On the disk is about 25GB of data and this is at the start of the disk. The middle 85% (approx) of the disk is untouched, and all sectors are blank (filled with zeros). What is odd is there is data from a deleted directory in the final 2GB of the disk. All the files are from a single deleted subdirectory, or 'System volume information'. The system volume information is not deleted.

Has anyone seen this rather odd allocation before, and is there any reason for it?

There are many deleted files on the first part of the hard drive - as one would expect.

Michael
www.cnwrecovery.com
From: Arno Wagner on 9 Jan 2008 06:12

Previously mscotgrove(a)aol.com <mscotgrove(a)aol.com> wrote:
> I am investigating a 250GB FAT32 disk which has had many files deleted
> - the suspicion is that the deleting was malicious. The disk is in good
> working condition, with no errors.
> On the disk is about 25GB of data and this is at the start of the
> disk. The middle 85% (approx) of the disk is untouched, and all
> sectors are blank (filled with zeros). What is odd is there is data
> from a deleted directory in the final 2GB of the disk. All the files
> are from a single deleted subdirectory, or 'System volume
> information'. The system volume information is not deleted.
> Has anyone seen this rather odd allocation before, and is there any
> reason for it?
> There are many deleted files on the first part of the hard drive - as
> one would expect.
> Michael
> www.cnwrecovery.com

Is the disk filesystem structure intact? If so, maybe somebody just wiped the empty space by writing several large files containing only zeros...

Arno
From: mscotgrove on 9 Jan 2008 06:26

On Jan 9, 11:12 am, Arno Wagner <m...(a)privacy.net> wrote:
> Previously mscotgr...(a)aol.com <mscotgr...(a)aol.com> wrote:
> > I am investigating a 250GB FAT32 disk which has had many files deleted
> > - the suspicion is that the deleting was malicious. The disk is in good
> > working condition, with no errors.
> > On the disk is about 25GB of data and this is at the start of the
> > disk. The middle 85% (approx) of the disk is untouched, and all
> > sectors are blank (filled with zeros). What is odd is there is data
> > from a deleted directory in the final 2GB of the disk. All the files
> > are from a single deleted subdirectory, or 'System volume
> > information'. The system volume information is not deleted.
> > Has anyone seen this rather odd allocation before, and is there any
> > reason for it?
> > There are many deleted files on the first part of the hard drive - as
> > one would expect.
> > Michael
> > www.cnwrecovery.com
>
> Is the disk filesystem structure intact? If so, maybe somebody just
> wiped the empty space by writing several large files containing only
> zeros...
>
> Arno

Everything looks intact. The top 2GB starts data with the first sector of a file. Writing a large zero length file would be hard to stop at a valid location. I would also like to think that I would find the 200GB deleted file full of zeros - well it would have to be 50 x 4GB files being FAT32, and even more chance to find them.

Michael
From: Arno Wagner on 9 Jan 2008 06:53

Previously mscotgrove(a)aol.com <mscotgrove(a)aol.com> wrote:
> On Jan 9, 11:12 am, Arno Wagner <m...(a)privacy.net> wrote:
>> Previously mscotgr...(a)aol.com <mscotgr...(a)aol.com> wrote:
>> > I am investigating a 250GB FAT32 disk which has had many files deleted
>> > - the suspicion is that the deleting was malicious. The disk is in good
>> > working condition, with no errors.
>> > On the disk is about 25GB of data and this is at the start of the
>> > disk. The middle 85% (approx) of the disk is untouched, and all
>> > sectors are blank (filled with zeros). What is odd is there is data
>> > from a deleted directory in the final 2GB of the disk. All the files
>> > are from a single deleted subdirectory, or 'System volume
>> > information'. The system volume information is not deleted.
>> > Has anyone seen this rather odd allocation before, and is there any
>> > reason for it?
>> > There are many deleted files on the first part of the hard drive - as
>> > one would expect.
>> > Michael
>> > www.cnwrecovery.com
>>
>> Is the disk filesystem structure intact? If so, maybe somebody just
>> wiped the empty space by writing several large files containing only
>> zeros...
>>
>> Arno
> Everything looks intact. The top 2GB starts data with the first
> sector of a file. Writing a large zero length file would be hard to
> stop at a valid location. I would also like to think that I would
> find the 200GB deleted file full of zeros - well it would have to be
> 50 x 4GB files being FAT32, and even more chance to find them.

Not necessarily. If they were put into a subdirectory, and removed again, either by writing the same or a larger number of other files (entries are recycled) or by removing the subdirectory and re-creating it (should at least blank its first sector), you would find no trace of the zero-content files.

There are also tools that overwrite all unallocated sectors with zeros, in which case there never were directory entries. One possibility for the deleted directory being there in the top is that it was actually not deleted when the overwriting occurred, but later on.

The general pattern, however, is that something large was written in a continuous fashion (i.e. no other data written in between) and then removed and the free space overwritten in some fashion.

To speculate (no need to confirm or deny anything), it looks as if somebody has put 200GB of the files you are looking for in one step on the disk, after the 25GB at the start were already there. From what I have seen of typical FAT allocation strategies, this would put the files into the configuration of empty space you see. The system volume info was then written to the disk later. In a second step the 200GB were deleted and the free space on the disk overwritten. The system volume information was deleted later.

For the overwriting, I tend to suspect a free space wiper. Somebody writing files with zeros and then carefully removing the directory these files were in sounds inconsistent. Wiping the free space directly is far easier and requires both less competence and less effort.

In addition, there would be no way to demonstrate conclusively that this is what was done. An allocation pattern consistent with this having happened is not enough. You would need to demonstrate that the OSes the disk was used with cannot generate this allocation pattern under other circumstances.

Here is one scenario that could create this pattern without anything ever having been wiped, only deleted:
1. Put 200GB files on disk
2. put system vol info there,
3. delete 200GB files.
4. Copy disk with disk imager to an empty disk
5. remove system volume directory.

This would require a sector imager that only copies allocated sectors. Such applications should be available.

Arno
From: mscotgrove on 9 Jan 2008 07:49

Arno,

I have read your ideas with interest. I agree that a free space wiping program is the only consistent way to get all-zero sectors and leave no trace. However, I just don't see how one large amount of a single deleted subdirectory ends up at the end of the disk. If a wiping program was used, I would expect more gaps elsewhere on the disk.

Also of interest, all the subdirectories for this subdirectory are stored in the final 2GB. I would suspect something odd with the drive, but all the cluster pointers etc. tie up, and file contents match the file name.

So far your speculations don't convince me, but I appreciate your thoughts. My experience with FAT disks is that they fill from the start, and that the end of a lightly used disk is always blank. The same with NTFS, except for the final partition check block.

I will play more, and let you know if I have any 'brain waves'.

Michael

PS: The customer is happy with the data recovered.
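The allocation picture the thread turns on (live data at the start, a zeroed middle, unallocated-but-unwiped clusters at the end) is what a cluster-state map over a FAT32 image shows. The Python below is an added example, not code from the thread or from cnwrecovery: it builds a constructed tiny FAT32 image with that pattern (the BPB field offsets and the 28-bit FAT32 entry mask are from the FAT specification) and classifies every data cluster as allocated, free and zeroed, or free but still holding data.

```python
import struct
from itertools import groupby
from typing import List, Tuple

def build_sample_image() -> bytes:
    """Constructed 128-sector FAT32 image: 1 reserved sector, one 1-sector FAT, 126 data clusters."""
    bps, spc, reserved, nfats, fatsz, nclus = 512, 1, 1, 1, 1, 126
    boot = bytearray(bps)
    struct.pack_into("<HBHB", boot, 11, bps, spc, reserved, nfats)      # BPB geometry fields
    struct.pack_into("<I", boot, 32, reserved + nfats * fatsz + nclus)  # BPB_TotSec32
    struct.pack_into("<I", boot, 36, fatsz)                             # BPB_FATSz32
    boot[510:512] = b"\x55\xaa"
    fat = bytearray(fatsz * bps)
    struct.pack_into("<II", fat, 0, 0x0FFFFFF8, 0x0FFFFFFF)  # FAT entries 0 and 1 are reserved
    for c in range(2, 22):                                   # one live 20-cluster file at the start
        struct.pack_into("<I", fat, 4 * c, c + 1 if c < 21 else 0x0FFFFFFF)
    data = bytearray(nclus * bps)                            # everything else starts zero-filled
    data[0:20 * bps] = b"LIVE" * (5 * bps)
    data[116 * bps:] = b"GONE" * (10 * bps // 4)             # clusters 118-127: free in the FAT, content never wiped
    return bytes(boot + fat + data)

def cluster_map(image: bytes) -> List[Tuple[str, int, int]]:
    """Return runs of (state, first_cluster, last_cluster): 'allocated' per the FAT,
    'free-zero' (unallocated, all zeros) or 'free-data' (unallocated, deleted-file remnants)."""
    bps, spc, reserved, nfats = struct.unpack_from("<HBHB", image, 11)
    total_sectors = struct.unpack_from("<I", image, 32)[0]
    fatsz = struct.unpack_from("<I", image, 36)[0]
    data_start = reserved + nfats * fatsz                    # first sector of the data region
    nclus = (total_sectors - data_start) // spc
    fat = image[reserved * bps:(reserved + fatsz) * bps]     # first FAT copy
    states = []
    for c in range(2, nclus + 2):                            # data clusters are numbered from 2
        entry = struct.unpack_from("<I", fat, 4 * c)[0] & 0x0FFFFFFF  # top 4 bits are reserved
        off = (data_start + (c - 2) * spc) * bps
        if entry != 0:
            states.append("allocated")
        elif any(image[off:off + spc * bps]):
            states.append("free-data")
        else:
            states.append("free-zero")
    runs, c = [], 2
    for state, grp in groupby(states):                       # collapse into contiguous runs
        n = len(list(grp))
        runs.append((state, c, c + n - 1))
        c += n
    return runs

if __name__ == "__main__":
    for state, first, last in cluster_map(build_sample_image()):
        print(f"{state:10} clusters {first}-{last}")
```

On a real case, pass the raw bytes of the FAT32 partition (starting at its boot sector, not at the start of the disk) instead of the constructed image; a long 'free-zero' run between live data and a 'free-data' run at the end is exactly the pattern being debated above.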