Re: Was the HD formatted? (under Win95)

From: Randy Williams (clogicat_private)
Date: Tue Oct 08 2002 - 05:54:36 PDT


    just a thought, but really it's going to depend on the type of format they
    did as to what the timeline looks like..if they did a quick format it's
    going to just mark the files as deleted, which seems to be what happened on
    yours..when you mount the drive (mount -t msdos -o loop whatever.dd
    /mnt/recovery or whatever) ..are ANY files left? ..if not, then I'd say it's
    fairly safe to assume it's been formatted..I don't believe that Windows keeps
    any kind of .bash_history or whatever, so you're probably screwed trying to
    find a timeline of command activity..the other thing you might want to look
    at is the order that the files were deleted, TASK restructures the FAT to
    look like inodes, look and see if they're deleted in order, ..if EVERYTHING
    is wiped, then you can assume it was a format, because Windows wouldn't have
    allowed them to delete files that were fopen()'d ..hope this helps some..
    -randy
    
    ----- Original Message -----
    From: "InfoEmergencias - Luis Gómez" <lgomezat_private>
    To: "Forensics" <forensicsat_private>
    Sent: Friday, October 04, 2002 8:28 PM
    Subject: Was the HD formatted? (under Win95)
    
    
    Hi all
    
    An _apparently_ formatted drive has come into my hands. I've been
    informed that some people were leaving the place they worked at, and so
    at first sight it may seem that one of them did format this drive,
    trying to delete the company's work. (btw, excuse my not-so-good
    English).
    
    I'm trying to find evidence that it was in fact a format. It is a 1.2 GB
    (1 FAT16 partition) Win95 drive. The tool I'm using is TASK (via Autopsy
    interface).
    
    Despite the drive being formatted, I've been able to build a timeline on
    it. Everything *seems* to be OK 'til September the 13th; there are, for
    instance, lots of C-, A- and M-times for gif, htm and doc files. I think
    the gif and htm would mean iexplore sessions writing to the cache, and
    obviously (obviously?) the docs would correspond to someone working on
    msword. However, I was annoyed at one fact: I thought that iexplore.exe
    and winword.exe would have an A-time of the last time they were run, but
    I can't see them in my timeline (at least not in the final pages).
    
    Also, I must have messed a bit with the "timezone" parm in the fsmorgue
    file, because there seems to be a gap between the normal working hours
    here in Spain and the times reflected in the timeline. But I think that
    it doesn't matter right now (if I'm wrong please let me know).
    
    Well, anyway I think I've come to the moment of the formatting. It seems
    to have happened at 14:38h on Sept the 13th (as I've said, the 14:38h
    might be wrong, maybe it was 13:38 or 15:38...). At that moment I get
    (And sorry for the mess with long lines):
    
    Fri Sep 13 2002 12:45:14        0 ..c -rwxrwxrwx 0        0
    11781    <dicad_c.dd-_-dead-11781>
    
    Fri Sep 13 2002 12:45:16        0 m.. -rwxrwxrwx 0        0
    11781    <dicad_c.dd-_-dead-11781>
    
    Fri Sep 13 2002 12:51:24   710144 ..c -rwxrwxrwx 0        0
    41556    <dicad_c.dd-_BTEMP.CAB-dead-41556>
    
    Fri Sep 13 2002 12:51:34   710144 m.. -rwxrwxrwx 0        0
    41556    <dicad_c.dd-_BTEMP.CAB-dead-41556>
    
    Fri Sep 13 2002 12:51:44     1536 ..c -rwxrwxrwx 0        0
    8975033  <dicad_c.dd-_B32D0.TMP-dead-8975033>
    
    Fri Sep 13 2002 12:51:46        0 ..c -rwxrwxrwx 0        0
    8975034  <dicad_c.dd-_DF785D.TMP-dead-8975034>
    
    Fri Sep 13 2002 12:51:48     1536 m.. -rwxrwxrwx 0        0
    8975033  <dicad_c.dd-_B32D0.TMP-dead-8975033>
    
                                    0 m.. -rwxrwxrwx 0        0
    8975034  <dicad_c.dd-_DF785D.TMP-dead-8975034>
    
    Fri Sep 13 2002 13:03:20        0 ..c -rwxrwxrwx 0        0
    8975032  <dicad_c.dd-_-dead-8975032>
    
    Fri Sep 13 2002 13:03:22        0 m.. -rwxrwxrwx 0        0
    8975032  <dicad_c.dd-_-dead-8975032>
    
    Fri Sep 13 2002 14:38:06        0 m.. -rwxrwxrwx 0        0
    5079740  <dicad_c.dd-_NBOOTNG.STS-dead-5079740>
    
    And next is:
    
    Fri Sep 20 2002 00:00:00    32768 .a. d/dr-xr-xr-x 0        0
    5        C:/Recycled (RECYCLED)
    
                                   65 .a. -/-r-xr-xr-x 0        0
    519      C:/RECYCLED/desktop.ini
    
                                   65 .a. -/-r-xr-xr-x 0        0
    517      C:/RECYCLED/_esktop.ini (deleted)
    
                                   20 .a. -/-r-xr-xr-x 0        0
    518      C:/RECYCLED/INFO2
    
                                   65 .a. -r-xr-xr-x 0        0
    517      <dicad_c.dd-_esktop.ini-dead-517>
    
    I'm not sure exactly what happens here, but I'd bet that one week later
    the drive was mounted in another Win machine, which automatically (on
    boot) created the recycled dir. About desktop.ini being deleted, maybe
    something thought "oh no! it's creating info on the damaged drive!" or
    something, who knows.
    
    The last referenced file is _NBOOTNG.STS ; a quick search in my Win98
    filesystem and later at google reveals that an empty file named
    c:\windows\wnbootng.sts is created when there are errors, so that next
    boot Win boots into Safe Mode.
    
    And that's all. I can't find any reference to FORMAT.COM, as I might
    have expected, or anything like that. So here I am, all messed up and
    not knowing where to go next. It's my first forensics case and I don't
    know if I'm really prepared to conduct it. Needless to say, any help you
    can provide will be really welcome.
    
    Thank you very much for your patience reading this. Really, men, thanks.
    
    TIA
    
    Pope
    
    --
    Luis Gómez Miralles
    InfoEmergencias - Technical Department
    Phone (+34) 654 24 01 34
    Fax (+34) 963 49 31 80
    lgomezat_private
    
    PGP Public Key available at http://www.infoemergencias.com/lgomez.asc
    
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
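    As an added example (not code from either poster), a small Python parser
    for the mactime-style timeline lines quoted above, assuming the wrapped
    lines have been rejoined so each entry sits on one line. It carries a blank
    date forward to the next entry, separates live, "(deleted)" and unallocated
    "-dead-" entries, and reports the gap between the last write to an
    unallocated entry and the first later access of a live one, which is the
    "are ANY files left?" check suggested in the reply. The sample lines are
    constructed from the thread, not the real image.

```python
import re
from datetime import datetime
from typing import NamedTuple

# Constructed sample in the mactime layout quoted in the thread (date/time,
# size, MAC flags, mode, uid, gid, inode, name), one entry per line.  A blank
# date means "same time as the previous entry".  Hand-built, not the real image.
SAMPLE = """\
Fri Sep 13 2002 12:51:24   710144 ..c -rwxrwxrwx 0 0 41556   <dicad_c.dd-_BTEMP.CAB-dead-41556>
Fri Sep 13 2002 12:51:34   710144 m.. -rwxrwxrwx 0 0 41556   <dicad_c.dd-_BTEMP.CAB-dead-41556>
Fri Sep 13 2002 14:38:06        0 m.. -rwxrwxrwx 0 0 5079740 <dicad_c.dd-_NBOOTNG.STS-dead-5079740>
Fri Sep 20 2002 00:00:00    32768 .a. d/dr-xr-xr-x 0 0 5     C:/Recycled (RECYCLED)
                               65 .a. -/-r-xr-xr-x 0 0 519   C:/RECYCLED/desktop.ini
                               65 .a. -/-r-xr-xr-x 0 0 517   C:/RECYCLED/_esktop.ini (deleted)
"""

LINE = re.compile(
    r"^(?P<ts>\w{3} \w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2})?\s+(?P<size>\d+)\s+"
    r"(?P<mac>[mac.]{3})\s+(?P<mode>\S+)\s+\d+\s+\d+\s+(?P<inode>\d+)\s+(?P<name>.+)$"
)

class Entry(NamedTuple):
    ts: datetime
    mac: str
    inode: int
    name: str
    state: str  # "live", "deleted" (dir entry kept) or "dead" (unallocated)

def classify(name: str) -> str:
    if name.startswith("<") and "-dead-" in name:
        return "dead"
    return "deleted" if name.endswith("(deleted)") else "live"

def parse_timeline(text: str) -> list:
    entries, last_ts = [], None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # blank line or a wrapped fragment: skip it
        if m["ts"]:  # blank date reuses the previous entry's timestamp
            last_ts = datetime.strptime(m["ts"], "%a %b %d %Y %H:%M:%S")
        name = m["name"].strip()
        entries.append(Entry(last_ts, m["mac"], int(m["inode"]), name, classify(name)))
    return entries

def summarize(entries: list) -> dict:
    """Counts per state, last write to an unallocated entry, and the gap in
    days to the first later access of a live entry (e.g. a second machine mounting it)."""
    counts = {s: sum(e.state == s for e in entries) for s in ("live", "deleted", "dead")}
    dead_ts = [e.ts for e in entries if e.state == "dead"]
    last_dead = max(dead_ts) if dead_ts else None
    later = [e.ts for e in entries if e.state == "live" and last_dead and e.ts > last_dead]
    gap = (min(later) - last_dead).days if later else None
    return {"counts": counts, "last_dead_activity": last_dead, "gap_days": gap}
```

    A timeline with zero "live" entries before the gap and only later
    allocated entries is the picture the reply describes for a quick format.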
    
    
    
    



    This archive was generated by hypermail 2b30 : Tue Oct 08 2002 - 12:00:48 PDT