Hi all! First, I wanna thank you very much for all the feedback I got. I'll try to answer all the interesting points...

----------------------- Robinson, Sonja

> Reformat doesn't necessarily mean "wipe" - it still leaves some info
> especially if your drive partitions are different. I'm not familiar with
> your particular tool. Sorry. Someone else will probably be able to help you
> out.

It had only one partition, and it still has it. The info has not been wiped, of course; in fact we already undeleted it. However we've come across many files being corrupt, I guess it's because of people booting that disk as slave in another Win machine.

> This is what I did:
> Using a regular hex editor you should be able to tell if the drive was
> reformatted by looking at how things were written to the bits. I.e. FF or
> 00, etc. Also there should be other residual info floating around on the
> drive. Had similar thing occur a number of times within the last few
> months. I used EnCase for the analysis which worked pretty well. Also,
> check to see if there is any wiping signature from a wiping utility, i.e.
> usually has a date and then 00 or FF designating wipe or a similar repeating
> pattern - however each one is different so narrowing down to WHICH one is
> hard.

As I said there's been no wiping, so I guess there's nowhere to look for a pattern (please, if I'm not getting the point in something, let me know!).

> Hope you have a forensic copy of that drive. If you've messed with the
> dates and times by physically writing to the original using whatever
> tools/analysis or by booting it, your work probably won't be legally
> admissible if you take it to court. You've altered the drive and can no
> longer present the original if you don't have a forensic (bit by bit) copy.
> At least that's how it works in the US. Not sure about international laws.

I do have the copy, don't worry. As soon as the disk came to my hands I imaged it via dd, no worries on that...
----------------------- End of Robinson message ------------------------

Randy Williams

just a thought, but really it's going to depend on the type of format they did as to what the timeline looks like..if they did a quick format it's going to just mark the files as deleted, which seems to be what happened on yours..when you mount the drive (mount -t msdos -o loop whatever.dd /mnt/recovery or whatever) ..are ANY files left? ..if not, then I'd say it's fairly safe to assume it's been formatted..I don't believe that windows keeps any kind of .bash_history or whatever, so you're probably screwed trying to find a timeline of command activity..the other thing you might want to look at is the order that the files were deleted, TASK restructures the FAT to look like inodes, look and see if they're deleted in order, ..if EVERYTHING is wiped, then you can assume it was a format, because windows wouldn't have allowed them to delete files that were fopen()'d ..hope this helps some..

--------------------- End of Randy Williams

Let's see... As far as I've been able to check in some tests I've done, in DOS and Win9x, quick format and "common" format both leave files untouched, they just erase the FAT. So it's always possible to recover the files, with more or less corruption depending on how much they played with the drive after formatting it. The only difference is that "normal" formatting checks every HD sector for errors, and quick format doesn't (it relies on the table of bad sectors that there is in the disk before formatting, just that). But in both cases info is equally recoverable.

I think I already said that there are no files apart from \recycled, which IMHO indicates that the drive was later mounted in another Win system, and it must have been _that_ system which created that folder. In fact, the C-time of C:\recycled is about one week after all the other activity, which I think is consistent with my exposition of the facts.
BTW, as I've said, I don't think that FORMAT deletes files, so they don't have any change in their MACtimes. It just wipes the FAT via "raw access" (I'm assuming, may be wrong!).

---------------------- Brian Carrier

"Note that in FAT, the access time is only accurate to the day (not time), so it will show up in the timeline at 00:00:00 no matter what time it was run. That could be why you do not see it in the final pages."

It's strange, as I do see different times in the timeline. Maybe it's some bogus behaviour of TASK when accessing FAT filesystems? (as TCT was not initially developed to work upon these filesystems). Dunno...

"FAT does not care about timezones. FAT stores the date and time as a static value (not a delta as NTFS and UNIX do). So, you should not see a change in times when you change the timezone."

Didn't know that, thanks!!

"The above entries correspond to files in a directory that were deleted, and the parent directory is no longer around either. FAT does not update any times when a file is deleted, so these times do not mean that the files were deleted on Sep 13. Based on the .CAB and .TMP extensions, it could have been from an installation."

I see... Not sure if I get the point. Let me explain: The file _NBOOTNG.STS which appears in the portion of timeline I pasted almost obviously belongs to the C:\windows directory (see http://www.google.com/search?q=wnbootng.sts ). Mmm... But as there is no FAT, we could say that every directory immediately inside the root directory does not exist anymore, so it seems what you say is exactly what happens...

"These are the access times for any accesses on Sep 20. Are you sure the user didn't just try to delete all the files on the system and then shutdown (but some were not deleted because the OS had them open)? If the system was formatted, then you would not get the above reference to 'C:\RECYCLED\INFO2', which appears to be an allocated file.
It is hard to say much more w/out the full timeline or image, but I would say that they did not format it."

No way. The drive was obviously formatted, as there are no directories like "c:\windows" or "C:\program files". However, you're right in the fact about c:\recycled\info2, it annoys me... Maybe it arrived there after the formatting?

Wow, I've just found out something interesting. Have a look here:
http://216.239.51.100/search?q=cache:Tl_VWnOh-H0C:www.bc-raventech.net/tips/software/9598tips2.html+info2+recycled&hl=es&lr=lang_ca|lang_es|lang_fr|lang_en|lang_it&ie=UTF-8
and here:
http://216.239.51.100/search?q=cache:UbA74NDR1xMC:www.experts-exchange.com/Operating_Systems/Win98/Q_11232021.html+info2+recycled&hl=es&lr=lang_ca|lang_es|lang_fr|lang_en|lang_it&ie=UTF-8
(sorry, parts of the URL are my personal settings for language in Google)

It seems that info2 and desktop.ini are automatically created into c:\recycled. That would explain why they are there after formatting the drive. Interesting tip. So they are there for the same reason that the directory c:\recycled exists: they all were created when the disk was mounted in another Win machine and it booted (Win booted, not this disk which was empty).

-------------------------------- End of Brian Carrier

Well, I think this is all for now. So what we have is:

- Windows does not seem to keep up-to-an-hour accurate MACtimes, just up-to-one-day. So I have a rather wide margin of error in my timeline.
- How about MACtimes? How do FAT filesystems behave? I'll try to find out...

I was going to put a lot of tests I was trying to do creating files, formatting them as FAT16, mounting in loopback, creating/accessing/modifying/deleting files and later reviewing the file via TASK. But I've thought it would be useless. Tomorrow I expect to have here a brand new machine, I'll install Win on it and I'll do more reliable checks. Then I'll try to tell you what seems to be Win9x behaviour about MACtimes, ok?
So ladies and gentlemen, this is all for now. Again, lots of thanks to all of you for your feedback, and I'll try to inform you as this matter goes on.

Regards from Spain,
Pope

--
Luis Gómez Miralles
InfoEmergencias - Technical Department
Phone (+34) 654 24 01 34
Fax (+34) 963 49 31 80
lgomezat_private
PGP Public Key available at http://www.infoemergencias.com/lgomez.asc

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
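As an added example (not code from the original post, nor from TASK or TCT), here is a small Python decoder for a standard FAT 8.3 directory entry, run on a constructed WNBOOTNG.STS entry, that shows the three points discussed in the thread: the access stamp is a date only (so a timeline places it at 00:00:00), all stamps are static local values with no timezone, and a deleted entry (first byte 0xE5, which TASK prints as '_') keeps its old times. The field layout is the standard 32-byte short directory entry; the sample values and the deleted flag are constructed test data.

```python
import struct
from datetime import date, datetime, time

ENTRY_FMT = "<8s3sBBBHHHHHHHI"  # one 32-byte FAT short (8.3) directory entry

def fat_date(raw):
    """16-bit FAT date: year since 1980 (7 bits), month (4), day (5)."""
    return date(1980 + (raw >> 9), (raw >> 5) & 0x0F, raw & 0x1F)

def fat_time(raw, tenths=0):
    """16-bit FAT time (2 s resolution) plus the optional 10 ms 'tenths' byte."""
    sec = (raw & 0x1F) * 2 + tenths // 100
    return time(raw >> 11, (raw >> 5) & 0x3F, sec, (tenths % 100) * 10000)

def decode_dir_entry(entry):
    """Name, deleted flag and MAC stamps of one entry; values are naive local
    times, because FAT stores them as-is with no timezone information."""
    (name, ext, _attr, _nt, ctenths, ctime, cdate, adate,
     _hi, wtime, wdate, _lo, _size) = struct.unpack(ENTRY_FMT, entry)
    deleted = entry[0] == 0xE5             # TASK/TCT prints this byte as '_'
    shown = (b"_" + name[1:]) if deleted else name
    return {
        "name": shown.decode().rstrip() + "." + ext.decode().rstrip(),
        "deleted": deleted,
        "created": datetime.combine(fat_date(cdate), fat_time(ctime, ctenths)),
        "written": datetime.combine(fat_date(wdate), fat_time(wtime)),
        # only a date is stored, so a mactime timeline places it at 00:00:00
        "accessed": datetime.combine(fat_date(adate), time(0, 0, 0)),
    }

def fat_date_word(x):
    return ((x.year - 1980) << 9) | (x.month << 5) | x.day
def fat_time_word(x):
    return (x.hour << 11) | (x.minute << 5) | (x.second // 2)

def make_entry(name, ext, created, written, accessed, deleted=False):
    """Build a constructed entry for testing (not taken from any real image)."""
    tenths = (created.second % 2) * 100 + created.microsecond // 10000
    raw = struct.pack(ENTRY_FMT, name.ljust(8).encode(), ext.ljust(3).encode(),
                      0x20, 0, tenths, fat_time_word(created), fat_date_word(created),
                      fat_date_word(accessed), 0, fat_time_word(written),
                      fat_date_word(written), 0, 1234)
    return (b"\xE5" + raw[1:]) if deleted else raw   # deletion only marks byte 0

# Constructed sample: WNBOOTNG.STS, then deleted. The delete rewrites byte 0
# only, so all three stamps still describe the file's life, not its deletion.
SAMPLE = make_entry("WNBOOTNG", "STS",
                    created=datetime(2002, 9, 13, 14, 37, 23, 500000),
                    written=datetime(2002, 9, 13, 14, 37, 40),
                    accessed=datetime(2002, 9, 20, 16, 12, 5), deleted=True)
```

Feeding a live and a deleted copy of the same entry through decode_dir_entry gives identical stamps, which is why a Sep 13 creation time in the timeline says nothing about when the file was deleted.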
This archive was generated by hypermail 2b30 : Thu Oct 10 2002 - 05:06:19 PDT