This sounds like virus activity. Did you consider the possibility that a virus may have wiped the files and directories and then wrote over the blocks? As for the files on root, were they all common file extensions like .doc, .xls? A virus may have been written to search for those files and secure wipe them. At least this would explain why the normal system files were still present.

If the file system was FAT/FAT32, you can check out ECFS (Enforcement of Critical File Systems) by Winternals (www.winternals.com). This is a nice utility for hashing the files sector by sector based on MD5, 128 bit or other hashes. At least this could tell you if the windows folder is still present in the blocks.

I do have a question though; you stated that "4,096 Bytes in Bad Sectors." Shouldn't those bad sectors appear when you list out all of the files based on their hash? Can a virus mark sectors as bad? Anyone?

Very nice job of explaining and taking the reader through the incident!

KMS
Kevin Shannon, Sr. Network Administrator
DOT/FAA/AVN/ Lockheed Martin Information Technology
http://www.it.lockheedmartin.com/
Office - 405.954.7134
Email - Kevin.M-ctr.Shannonat_private
http://avn.faa.gov/

"Chris Mawer" <chris_mawer@hotmail.com>
11/04/2002 04:20 PM
To: forensicsat_private
cc:
Subject: Win32 Port of TAR

Hey all,

Recently came into possession of a 1.98GB Fujitsu internal IDE hard-drive. It's a little old and creaky, and stopped functioning quite as expected. Every time the POST process occurred during bootup, the process would complete, but then the dreaded blue screen of death would occur.
Thus, the user asked me to recover as much as possible and then restructure the drive if possible into working format again. No problem: mount under Windows 2000, access the drive, hmmn, all seems fine, files aren't corrupted.

c:\>CHKDSK e:
4,096 Bytes in Bad Sectors.

Whoops, where's that then.. hmmn, can't find those sectors. CHKDSK e: /f didn't do anything either. Ok, so I can't find the clusters..[backspace] *cluster*. Never mind, I'll tar the directories and files on the FAT32 partition and GZIP them, MD5 the file, wipe the HH and then restore the files.

c:\>tar -cvf backup.tar e:\*
c:\>gzip backup.tar
c:\>md5sum backup.tar.gz

Nice little batch file and an hour later, woohoo, a 500MB tar/gzip archive that'll fit nicely on a recovery CD. Come to expand the archive. The gzip program decompresses the original tar archive. The tar program deflates into e:\ retaining the original structure of the paths etc. Nice, files expanding, CPU usage 100%... (1.33GHz Athlon lol). Oh. Huh? What the hell?

c:\>e:
e:\>ls
My Documents
Program Files
autoexec.bat
Bootlog.prv
Bootlog.txt
Command.com
Config.sys
Detlog.txt
Frunlog.txt
Io.sys
Msdos.---
Msdos.sys
Netlog.txt

Well that's sweet. What happened to the WINDOWS folder? What happened to the other 20 directories and sub-directories of the project the guy was working on? What happened to the other files in the root dir? AAAARRRHHHH!!!

Ok, not to worry, I have my tarred and gzipped and md5 hashed archive burnt to CD-R. Sweet, no sweat, start again. Nope, same thing. Why doesn't the win32 port from unxutils of TAR tar up certain directories? The TAR archive is just under the total filesize of the used filespace.. what's happened? Am I looking at an inability to cover archives bigger than 600MB with these ports? I've just landed myself and my guy in some trouble, but he dumped me in it first I guess. :))

Anyone have any ideas? I've now labelled the disk damaged, so as to avoid being used until its integrity can be further confirmed.
Thanks, and apologies for the length.

Chris Mawer
http://chrismawer.netfirms.com

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
-----------------------------------------------------------------
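The failure in this thread is an archive that was hashed and burnt to CD but never compared against the tree it was supposed to contain. A check that would have caught that before the wipe, added here as an illustration and not code from anyone in the thread: list every path under the source root, list every member of the archive, and refuse to proceed on any difference, then hash the archive for the recovery CD. It uses a constructed sample tree in a temp directory and Python's tarfile in place of the unxutils port; the skipped WINDOWS directory stands in for whatever the port dropped.

```python
import hashlib
import os
import tarfile
import tempfile

def tree_paths(root):
    """Relative paths of every file and directory under root, '/'-separated."""
    found = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in [""] + files:  # "" yields the directory itself
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if rel != ".":
                found.add(rel.replace(os.sep, "/"))
    return found

def archive_paths(archive):
    """Member names stored in a tar or tar.gz archive, normalised the same way."""
    with tarfile.open(archive, "r:*") as tf:
        return {m.name.rstrip("/") for m in tf.getmembers()}

def missing_from_archive(root, archive):
    """Everything on disk that the archive lacks; an empty list means it is safe to wipe."""
    return sorted(tree_paths(root) - archive_paths(archive))

def md5_file(path):
    """Hex MD5 of a file, read in chunks, to record alongside the archive."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def run_demo():
    """Constructed sample: a small source tree and an archive that silently skips one directory."""
    tmp = tempfile.mkdtemp()
    src = os.path.join(tmp, "e")
    for rel in ("Command.com", "Io.sys", "My Documents/notes.txt",
                "WINDOWS/win.ini", "Project/src/main.c"):
        full = os.path.join(src, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as f:
            f.write("constructed sample content\n")
    archive = os.path.join(tmp, "backup.tar.gz")
    with tarfile.open(archive, "w:gz") as tf:
        for entry in sorted(os.listdir(src)):
            if entry == "WINDOWS":  # stand-in for the directory the tar port dropped
                continue
            tf.add(os.path.join(src, entry), arcname=entry)
    return missing_from_archive(src, archive), md5_file(archive)
```

run_demo() returns the missing paths (here WINDOWS and WINDOWS/win.ini) together with the archive's MD5; anything other than an empty list is the signal to stop before touching the source disk.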
This archive was generated by hypermail 2b30 : Fri Nov 08 2002 - 18:19:26 PST