Re: I'm having an image problem...

From: James.Holleyat_private
Date: Fri Feb 14 2003 - 19:50:08 PST


    James said:
    
    /*
    I took md5 checksums of the images from the CD and subsequently my working 
    copies and this was my result ... These checksums match those obtained 
    from the copies on the hard drives,
    */
    
    This seems a bit confusing to me. How do "images from the CD" and "copies 
    on the hard drive" relate to each other?
    
    /*
    The disk is formatted with FAT32 which from my understanding would normally 
    have alternating pages/sectors of 00 and FF not all 00, is this correct?
    */
    
    The file system on a drive and the data on a drive have no direct 
    correlation except for the file system specific data structures that a 
    format process writes to a drive. The normal format process itself does 
    not write to the data area of a drive, so if the drive has any data on it, 
    and you format it, the data can generally be recovered. It would not be 
    accurate to assume that a FAT32 drive should necessarily have alternating 
    \x00 \xFF in free space.
    
    /*
    An analysis of the registry for installed programs shows no third party disk 
    utilities, leaving only stand alone utilities, software since removed, or 
    events after the disk was imaged as causes of this effect.
    */
    
    I note you mentioned that other computers imaged at the same time as this 
    one had Norton Utilities installed. Norton certainly has the capability 
    with Speed Disk and WipeInfo to do exactly this. The user can configure 
    Norton to write system files to the end of the drive, or alternatively, 
    could configure Norton to write seldom used files to the end of the drive. 
    And Speed Disk can be configured to write any 8-bit hex value (00-FF) to 
    all the unused space. Likewise, WipeInfo can be used to wipe the file 
    slack areas.
    
    Here are some bullets to stimulate thinking. Keep in mind that if you make 
    absolute statements in court like "leaving only ...", you'll get grilled 
    on details like this.
    
    In regard to stand alone utilities:
            Which stand alone defrag utilities can be used (run from a 
    floppy/CD) to defrag a FAT32 volume?
            For those that can be run from floppy or CD, which ones leave no 
    trace in the registry?
            Could the utility have been run from a mounted/mapped network 
    drive?
    
    In regard to "software since removed":
            Are there any traces of the software on the disk? 
            Are there any .lnk files in the "Recent" folder pointing to 
    nonexistent executables? 
            Which defrag/wipe utilities that could have been installed also 
    remove all traces of itself from the registry? 
            Don't most software programs leave some residual traces in the 
    registry even after being removed?
            If the defrag/wipe software was removed and there are no traces of 
    it on disk, how did it get wiped?
    
    In regard to "events after the disk was imaged":
            That should be pretty easy to address with DIBS image validation 
    (whatever they use).
    
    James
    ===============================
    
    James O. Holley
    Ernst & Young
    Litigation Advisory Services &
    Computer Forensic Services
    http://litigation.ey.com
    
    Office:   703.747.1059
    Fax:       703.747.0104
    Lab:       703.747.0253
    Pager:    888.620.5275
    Pager email: 6205275 "AT" skytel.com
    
    ===============================
    
    
    
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
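An added example, not code from the list post or from any of the tools it names: the reply above makes two practical points, that the CD and hard-drive images should be compared by checksum, and that the fill pattern of FAT32 free space is whatever was last written there, not something the file system type dictates. The script below builds a small, constructed FAT32 volume in memory (the layout, the `NOTES.TXT` entry and the fill values are all assumptions made for the demo), parses the BPB and the first FAT to find the free clusters, and reports whether each one is all 0x00, all 0xFF, or something else. Run against a real image file, the same `survey_free_space` call lets an examiner state what the unallocated area actually contains instead of assuming an alternating pattern.

```python
import hashlib
import struct

SECTOR = 512  # bytes per sector used by the constructed volume


def build_test_image(free_fill):
    """Construct a tiny FAT32 volume in memory (constructed sample, not a real disk).

    Layout: 1 reserved sector (boot), 2 FATs of 1 sector each, 6 data clusters of
    1 sector each. Cluster 2 holds the root directory, cluster 3 one allocated
    file; clusters 4..7 are free and are filled with the byte values in free_fill.
    """
    spc, reserved, nfats, fat_sectors, data_clusters = 1, 1, 2, 1, 6
    assert len(free_fill) == data_clusters - 2
    total = reserved + nfats * fat_sectors + data_clusters * spc
    boot = bytearray(SECTOR)
    boot[0:3] = b"\xEB\x58\x90"
    boot[3:11] = b"MSWIN4.1"
    # BPB: bytes/sector, sectors/cluster, reserved sectors, FAT count,
    # root entry count (0 on FAT32), total sectors (16-bit, 0), media byte,
    # FAT size (16-bit, 0 on FAT32)
    struct.pack_into("<HBHBHHBH", boot, 11, SECTOR, spc, reserved, nfats, 0, 0, 0xF8, 0)
    struct.pack_into("<I", boot, 32, total)        # total sectors (32-bit)
    struct.pack_into("<I", boot, 36, fat_sectors)  # FAT size in sectors (32-bit)
    struct.pack_into("<I", boot, 44, 2)            # root directory cluster
    boot[510:512] = b"\x55\xAA"

    fat = bytearray(SECTOR)
    # entries 0 and 1 reserved, cluster 2 (root) and 3 (file) end-of-chain,
    # every remaining cluster marked free (0)
    entries = [0x0FFFFFF8, 0x0FFFFFFF, 0x0FFFFFFF, 0x0FFFFFFF]
    entries += [0] * (data_clusters - 2)
    for i, v in enumerate(entries):
        struct.pack_into("<I", fat, i * 4, v)

    root = bytearray(SECTOR)
    root[0:11] = b"NOTES   TXT"                    # one 8.3 directory entry (assumed)
    struct.pack_into("<H", root, 26, 3)            # first cluster (low word) = 3
    struct.pack_into("<I", root, 28, 5)            # file size
    file_cluster = bytearray(b"hello".ljust(SECTOR, b"\x00"))
    free = b"".join(bytes([b]) * SECTOR for b in free_fill)
    return bytes(boot + fat + fat + root + file_cluster + free)


def parse_bpb(img):
    """Read the FAT32 BIOS Parameter Block fields needed to locate clusters."""
    bps, spc, reserved, nfats = struct.unpack_from("<HBHB", img, 11)
    total16, = struct.unpack_from("<H", img, 19)
    fat16, = struct.unpack_from("<H", img, 22)
    total32, = struct.unpack_from("<I", img, 32)
    fat32, = struct.unpack_from("<I", img, 36)
    total = total16 or total32
    fat_size = fat16 or fat32
    first_data = reserved + nfats * fat_size       # first sector of cluster 2
    return {"bps": bps, "spc": spc, "reserved": reserved, "fat_size": fat_size,
            "first_data": first_data, "cluster_count": (total - first_data) // spc}


def classify(chunk):
    """Label a cluster's bytes: all 0x00, all 0xFF, or anything else."""
    if chunk.count(0) == len(chunk):
        return "zero"
    if chunk.count(0xFF) == len(chunk):
        return "ff"
    return "other"


def survey_free_space(img):
    """Walk the first FAT and classify the content of every free cluster."""
    g = parse_bpb(img)
    fat_off = g["reserved"] * g["bps"]
    pattern = []
    for n in range(2, g["cluster_count"] + 2):
        entry, = struct.unpack_from("<I", img, fat_off + n * 4)
        if entry & 0x0FFFFFFF != 0:
            continue                                # allocated, bad, or end-of-chain
        off = (g["first_data"] + (n - 2) * g["spc"]) * g["bps"]
        pattern.append(classify(img[off:off + g["spc"] * g["bps"]]))
    counts = {k: pattern.count(k) for k in ("zero", "ff", "other")}
    return {"free_clusters": len(pattern), "pattern": pattern, "counts": counts}


def md5_matches(a, b):
    """Compare two images by MD5, as the post did for the CD and working copies."""
    return hashlib.md5(a).hexdigest() == hashlib.md5(b).hexdigest()


if __name__ == "__main__":
    alternating = build_test_image([0x00, 0xFF, 0x00, 0xFF])
    zeros = build_test_image([0x00] * 4)
    print(survey_free_space(alternating))
    print(survey_free_space(zeros))
    print("working copy matches original:", md5_matches(alternating, bytes(alternating)))
```

To use it on a real image, read the file into `bytes` and pass it to `survey_free_space`; an `other` count that is not zero, or a run of a single fill byte across all free clusters, is the kind of observation worth recording alongside the checksum comparison, since it says something about what last wrote to the unallocated area rather than about the file system.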
    



    This archive was generated by hypermail 2b30 : Fri Feb 14 2003 - 21:04:22 PST