RE: Was the HD formatted? (under Win95)

From: Robinson, Sonja (SRobinsonat_private)
Date: Tue Oct 08 2002 - 05:42:38 PDT

    Reformat doesn't necessarily mean "wipe" - it still leaves some info,
    especially if your drive partitions are different.  I'm not familiar with
    your particular tool.  Sorry. Someone else will probably be able to help you
    out. 
    
    This is what I did:
    Using a regular hex editor you should be able to tell if the drive was
    reformatted by looking at how things were written to the bits, i.e. FF or
    00, etc.  Also there should be other residual info floating around on the
    drive.  Had a similar thing occur a number of times within the last few
    months.  I used EnCase for the analysis, which worked pretty well.  Also,
    check to see if there is any wiping signature from a wiping utility, i.e.
    usually it has a date and then 00 or FF designating wipe, or a similar repeating
    pattern - however each one is different, so narrowing down to WHICH one is
    hard.  
    
    
    Hope you have a forensic copy of that drive.  If you've messed with the
    dates and times by physically writing to the original using whatever
    tools/analysis or by booting it, your work probably won't be legally
    admissible if you take it to court.  You've altered the drive and can no
    longer present the original if you don't have a forensic (bit by bit) copy.
    At least that's how it works in the US.  Not sure about international laws.
    
    
    -----Original Message-----
    From: InfoEmergencias - Luis Gómez [mailto:lgomezat_private]
    Sent: Friday, October 04, 2002 8:29 PM
    To: Forensics
    Subject: Was the HD formatted? (under Win95)
    
    
    Hi all
    
    An _apparently_ formatted drive has come into my hands. I've been
    informed that some people were leaving the place they worked at, and so
    at first sight it may seem that one of them did format this drive,
    trying to delete the company's work. (btw, excuse my not-so-good
    English).
    
    I'm trying to find evidence that it was in fact a format. It is a 1.2 GB
    (1 FAT16 partition) Win95 drive. The tool I'm using is TASK (via Autopsy
    interface).
    
    Despite the drive being formatted, I've been able to build a timeline on
    it. Everything *seems* to be OK 'til September the 13th, there are for
    instance lots of C-, A- and M-times for gif, htm and doc files - I think
    the gif and htm would mean iexplore sessions writing to the cache, and
    obviously (obviously?) the docs would correspond to someone working on
    msword. However, I was annoyed at one fact: I thought that iexplore.exe
    and winword.exe would have an A-time of the last time they were run, but
    I can't see them in my timeline (at least not at the final pages).
    
    Also, I must have messed a bit with the "timezone" parm in the fsmorgue
    file, because there seems to be a gap between the normal working hours
    here in Spain and the times reflected in the timeline. But I think that
    it doesn't matter right now (if I'm wrong please let me know).
    
    Well, anyway I think I've come to the moment of the formatting. It seems
    to have happened at 14:38h on Sept the 13th (as I've said, the 14:38h
    might be wrong, maybe it was 13:38 or 15:38...). At that moment I get
    (And sorry for the mess with long lines):
    
    Fri Sep 13 2002 12:45:14        0 ..c -rwxrwxrwx 0        0        11781    <dicad_c.dd-_-dead-11781>
    Fri Sep 13 2002 12:45:16        0 m.. -rwxrwxrwx 0        0        11781    <dicad_c.dd-_-dead-11781>
    Fri Sep 13 2002 12:51:24   710144 ..c -rwxrwxrwx 0        0        41556    <dicad_c.dd-_BTEMP.CAB-dead-41556>
    Fri Sep 13 2002 12:51:34   710144 m.. -rwxrwxrwx 0        0        41556    <dicad_c.dd-_BTEMP.CAB-dead-41556>
    Fri Sep 13 2002 12:51:44     1536 ..c -rwxrwxrwx 0        0        8975033  <dicad_c.dd-_B32D0.TMP-dead-8975033>
    Fri Sep 13 2002 12:51:46        0 ..c -rwxrwxrwx 0        0        8975034  <dicad_c.dd-_DF785D.TMP-dead-8975034>
    Fri Sep 13 2002 12:51:48     1536 m.. -rwxrwxrwx 0        0        8975033  <dicad_c.dd-_B32D0.TMP-dead-8975033>
                                    0 m.. -rwxrwxrwx 0        0        8975034  <dicad_c.dd-_DF785D.TMP-dead-8975034>
    Fri Sep 13 2002 13:03:20        0 ..c -rwxrwxrwx 0        0        8975032  <dicad_c.dd-_-dead-8975032>
    Fri Sep 13 2002 13:03:22        0 m.. -rwxrwxrwx 0        0        8975032  <dicad_c.dd-_-dead-8975032>
    Fri Sep 13 2002 14:38:06        0 m.. -rwxrwxrwx 0        0        5079740  <dicad_c.dd-_NBOOTNG.STS-dead-5079740>
    
    And next is:
    
    Fri Sep 20 2002 00:00:00    32768 .a. d/dr-xr-xr-x 0        0        5        C:/Recycled (RECYCLED)
                                   65 .a. -/-r-xr-xr-x 0        0        519      C:/RECYCLED/desktop.ini
                                   65 .a. -/-r-xr-xr-x 0        0        517      C:/RECYCLED/_esktop.ini (deleted)
                                   20 .a. -/-r-xr-xr-x 0        0        518      C:/RECYCLED/INFO2
                                   65 .a. -r-xr-xr-x 0        0        517      <dicad_c.dd-_esktop.ini-dead-517>
    
    I'm not sure exactly what happens here, but I'd bet that one week later
    the drive was mounted in another Win machine, which automatically (on
    boot) created the recycled dir. About desktop.ini being deleted, maybe
    something thought "oh no! it's creating info on the damaged drive!" or
    something, who knows.
    
    The last referenced file is _NBOOTNG.STS; a quick search in my Win98
    filesystem and later at google reveals that an empty file named
    c:\windows\wnbootng.sts is created when there are errors, so that on the next
    boot Win boots into Safe Mode.
    
    And that's all. I can't find any reference to FORMAT.COM, as I might
    have expected, nor anything like that. So here I am, all messed up and
    not knowing where to go next. It's my first forensics case and I don't
    know if I'm really prepared to conduct it. Needless to say, any help you
    can provide will be really welcome.
    
    Thank you very much for your patience reading this. Really, men, thanks.
    
    TIA
    
    	Pope
    
    -- 
    Luis Gómez Miralles
    InfoEmergencias - Technical Department
    Phone (+34) 654 24 01 34
    Fax (+34) 963 49 31 80
    lgomezat_private
    
    PGP Public Key available at http://www.infoemergencias.com/lgomez.asc
    
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    
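An added example, not code from either poster nor from TASK/Autopsy or EnCase, of the hex-editor check Sonja describes: each 512-byte sector is labelled all-00, all-FF, a short repeating fill (a wiper's signature string) or data, and the FAT/root-directory region of a FAT16 image is compared with its data area, so that a rewrite of the filesystem structures (a format) can be told apart from a whole-drive wipe. The 64-sector image, its BPB values and the "wipe 2002-09-13 " fill string are constructed for the demonstration and are not from the drive in the thread.

```python
import struct
from collections import Counter

SECTOR = 512

def classify_sector(sec: bytes) -> str:
    """Label one sector the way an analyst eyeballs it in a hex editor."""
    if not sec.strip(b"\x00"):
        return "zero"       # all 00: freshly written FAT/root dir, or a zero-fill wipe
    if not sec.strip(b"\xff"):
        return "ff"         # all FF: an FF-fill wipe
    for period in range(1, 17):  # short repeating fill, e.g. a wiper's signature string
        if sec == sec[:period] * (SECTOR // period):
            return "pattern"
    return "data"

def fat16_layout(boot: bytes) -> dict:
    """Locate FAT, root directory and data area from the BPB in sector 0."""
    bps, _, rsvd, nfats, root_ents, _, _, spf = struct.unpack_from("<HBHBHHBH", boot, 11)
    root_start = rsvd + nfats * spf
    root_end = root_start + (root_ents * 32 + bps - 1) // bps
    return {"fat": (rsvd, root_start), "root": (root_start, root_end), "data": (root_end, None)}

def region_profile(image: bytes) -> dict:
    """Count sector classes per region: a format zeroes fat/root, a wipe blanks data too."""
    profile = {}
    for name, (lo, hi) in fat16_layout(image[:SECTOR]).items():
        hi = len(image) // SECTOR if hi is None else hi   # None = to end of image
        profile[name] = Counter(classify_sector(image[i * SECTOR:(i + 1) * SECTOR]) for i in range(lo, hi))
    return profile

def formatted_not_wiped(profile: dict) -> bool:
    """Sonja's point: FAT and root dir rewritten as zeros while data sectors survive."""
    blank = all(set(profile[r]) <= {"zero"} for r in ("fat", "root"))
    return blank and profile["data"]["data"] > 0

def build_sample_image() -> bytes:
    """Constructed 64-sector image imitating a quick-formatted FAT16 volume (not a real disk)."""
    boot = bytearray(SECTOR)
    struct.pack_into("<HBHBHHBH", boot, 11, 512, 1, 1, 2, 16, 64, 0xF8, 1)
    boot[510:512] = b"\x55\xaa"
    fats_and_root = bytes(SECTOR) * 3              # 2 FATs + 1 root-dir sector, rewritten as zeros
    data = (b"Quarterly report draft - do not distribute".ljust(SECTOR, b"\x00")  # leftover file text
            + b"\xff" * (SECTOR * 2)               # FF-filled run, as a wiper might leave
            + b"wipe 2002-09-13 " * 32             # 16-byte repeating fill: constructed wipe signature
            + bytes(SECTOR) * 56)                  # untouched, never-written sectors
    return bytes(boot) + fats_and_root + data
```

On a real image, run region_profile over the raw partition dump and look at where the "data" and "pattern" sectors cluster; a working forensic copy, not the original drive, is the input.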
    



    This archive was generated by hypermail 2b30 : Tue Oct 08 2002 - 12:28:59 PDT