James said:

/* I took md5 checksums of the images from the CD and subsequently my working copies and this was my result ... These checksums match those obtained from the copies on the hard drives, */

This seems a bit confusing to me. How do "images from the CD" and "copies on the hard drive" relate to each other?

/* The disk is formatted with FAT32 which from my understanding would normally have alternating pages/sectors of 00 and FF not all 00, is this correct? */

The file system on a drive and the data on a drive have no direct correlation, except for the file-system-specific data structures that a format process writes to a drive. The normal format process itself does not write to the data area of a drive, so if the drive has any data on it and you format it, the data can generally be recovered. It would not be accurate to assume that a FAT32 drive should necessarily have alternating \x00 \xFF in free space.

/* An analysis of the registry for installed programs shows no third party disk utilities, leaving only stand alone utilities, software since removed, or events after the disk was imaged as causes of this effect. */

I note you mentioned that other computers imaged at the same time as this one had Norton Utilities installed. Norton certainly has the capability, with Speed Disk and WipeInfo, to do exactly this. The user can configure Norton to write system files to the end of the drive, or alternatively could configure Norton to write seldom-used files to the end of the drive. And Speed Disk can be configured to write any 8-bit hex value (00-FF) to all the unused space. Likewise, WipeInfo can be used to wipe the file slack areas.

Here are some bullets to stimulate thinking. Keep in mind that if you make absolute statements in court like "leaving only ...", you'll get grilled on details like this.

In regard to stand-alone utilities:
- Which stand-alone defrag utilities can be used (run from a floppy/CD) to defrag a FAT32 volume?
- For those that can be run from floppy or CD, which ones leave no trace in the registry?
- Could the utility have been run from a mounted/mapped network drive?

In regard to "software since removed":
- Are there any traces of the software on the disk?
- Are there any .lnk files in the "Recent" folder pointing to nonexistent executables?
- Which defrag/wipe utilities that could have been installed also remove all traces of themselves from the registry?
- Don't most software programs leave some residual traces in the registry even after being removed?
- If the defrag/wipe software was removed and there are no traces of it on disk, how did it get wiped?

In regard to "events after the disk was imaged":
- That should be pretty easy to address with DIBS image validation (whatever they use).

James
===============================
James O. Holley
Ernst & Young Litigation Advisory Services & Computer Forensic Services
http://litigation.ey.com
===============================
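As an added example, not part of James's message or the original thread: a small Python script that profiles a disk image sector by sector, so that a statement such as "the free space is all 00" can be presented as a measured distribution (and the longest constant-fill run located) rather than assumed, and that hashes the image for the CD-copy versus working-copy comparison. The image is a constructed sample; the 512-byte sector size and the "constant-fill sector" classification are assumptions made here.

```python
import hashlib
from collections import Counter

SECTOR = 512  # assumed sector size; adjust for the image under examination


def classify_sector(sector: bytes):
    """Return the fill byte if every byte in the sector is the same value, else None."""
    if not sector:
        return None
    first = sector[0]
    return first if sector.count(first) == len(sector) else None


def fill_profile(image: bytes, sector_size: int = SECTOR) -> dict:
    """Count sectors as 'data' or 'fill:0xNN' (constant-filled with byte NN).

    A wipe utility writing one hex value to unused space shows up as a large
    'fill:0xNN' count; a mix of 0x00 and 0xFF sectors would show up as two keys.
    """
    counts = Counter()
    for off in range(0, len(image), sector_size):
        fill = classify_sector(image[off:off + sector_size])
        counts["data" if fill is None else f"fill:0x{fill:02X}"] += 1
    return dict(counts)


def longest_fill_run(image: bytes, sector_size: int = SECTOR):
    """Return (fill_byte, start_sector, length) of the longest run of same-byte sectors."""
    best = (None, 0, 0)
    run_byte, run_start, run_len = None, 0, 0
    total = (len(image) + sector_size - 1) // sector_size
    for idx in range(total + 1):  # one extra iteration flushes the final run
        chunk = image[idx * sector_size:(idx + 1) * sector_size] if idx < total else b""
        fill = classify_sector(chunk)
        if fill is not None and fill == run_byte:
            run_len += 1
        else:
            if run_byte is not None and run_len > best[2]:
                best = (run_byte, run_start, run_len)
            run_byte, run_start, run_len = fill, idx, (1 if fill is not None else 0)
    return best


def image_md5(image: bytes) -> str:
    """MD5 of the whole image, for comparing the CD copy against a working copy."""
    return hashlib.md5(image).hexdigest()


# Constructed sample image: 4 data sectors, 6 sectors of 0x00, 2 of 0xFF, 1 data sector.
DATA_SECTOR = bytes(range(256)) * 2
SAMPLE_IMAGE = DATA_SECTOR * 4 + b"\x00" * SECTOR * 6 + b"\xFF" * SECTOR * 2 + DATA_SECTOR

if __name__ == "__main__":
    print(fill_profile(SAMPLE_IMAGE), longest_fill_run(SAMPLE_IMAGE), image_md5(SAMPLE_IMAGE))
```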
This archive was generated by hypermail 2b30 : Fri Feb 14 2003 - 21:04:22 PST