An acquaintance of mine who works at a crime lab was recently working with a Windows XP installation when we saw some unexpected 'deleted' files on a diskette that the OS produced. So, we decided to do a forensic analysis of the floppy disk (it is created when you place a floppy in the drive and select the check box for "Startup Disk" from the 'right click menu').

It turned out that it had begun its journey as a Windows ME Startup Disk; whoever at Microsoft had been assigned the task of making this simple DOS (ME; version 8.0) Boot Disk FOR Windows XP (it will only boot to an A: prompt and does nothing else) obviously did not start with a formatted diskette. This seems to reflect either a very hurried day for that employee or someone who didn't even know that deleting files from the disk would not actually remove their contents (unless overwritten)!

In all fairness though, if you examine the MAC times, you CAN see that the original IO.SYS file appears to have been targeted for some editing and then intended to remain as the basis for the new XP Disk. However, I'd have suggested that they copied all the necessary files to a hard disk and started with a fully formatted diskette before releasing it into production!

One of the files that can still successfully be undeleted from the disk is the entire EBD.CAB file from the original Win ME Startup Disk. I thought some of you might be interested in using this as a 'homework assignment' for some Computer/Forensics classes or I wouldn't have brought this up.

Sincerely,
Daniel B. Sedory

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon May 12 2003 - 19:38:04 PDT
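The message above rests on one FAT12 detail: erasing a file only overwrites the first byte of its 32-byte root-directory entry with 0xE5, leaving the size, start cluster, MAC timestamps and the data clusters in place. The following parser, an added example that is not part of the original post or of any Microsoft tool, walks a root directory sector, flags erased entries and decodes their DOS timestamps; the directory bytes it reads are constructed here, not copied from the diskette discussed.

```python
import struct
from datetime import datetime

# 32-byte FAT12/16 directory entry: name, ext, attr, NT reserved, create-tenths,
# create time/date, access date, cluster-high, write time/date, cluster-low, size.
ENTRY = struct.Struct("<8s3sBBBHHHHHHHI")
DELETED = 0xE5       # first name byte of an erased entry; clusters are left intact
END_OF_DIR = 0x00    # first name byte of a never-used entry; nothing follows

def dos_datetime(date, time, tenths=0):
    """Decode packed DOS date/time words into a datetime (None if unset)."""
    if date == 0:
        return None
    year, month, day = 1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F
    hour, minute, sec = time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2
    return datetime(year, month, day, hour, minute, sec + tenths // 100)

def parse_root_dir(raw):
    """Walk directory entries and return dicts, flagging erased (recoverable) ones."""
    entries = []
    for off in range(0, len(raw) - len(raw) % 32, 32):
        (name, ext, attr, _nt, ctenths, ctime, cdate, adate, _hi,
         mtime, mdate, cluster, size) = ENTRY.unpack_from(raw, off)
        if name[0] == END_OF_DIR:
            break
        if attr == 0x0F:             # VFAT long-name fragment, not a file entry
            continue
        deleted = name[0] == DELETED
        base = (b"?" + name[1:] if deleted else name).rstrip(b" ").decode("ascii", "replace")
        ext_s = ext.rstrip(b" ").decode("ascii", "replace")
        entries.append({
            "name": f"{base}.{ext_s}" if ext_s else base,
            "deleted": deleted, "size": size, "start_cluster": cluster,
            "created": dos_datetime(cdate, ctime, ctenths),
            "accessed": dos_datetime(adate, 0),
            "modified": dos_datetime(mdate, mtime),
        })
    return entries

def make_entry(name, ext, attr, date, time, cluster, size, deleted=False):
    """Build a constructed directory entry (same date for create/access/write)."""
    n = name.ljust(8).encode()
    n = bytes([DELETED]) + n[1:] if deleted else n
    return ENTRY.pack(n, ext.ljust(3).encode(), attr, 0, 0, time, date, date,
                      0, time, date, cluster, size)

# Constructed sample: a live IO.SYS and an erased EBD.CAB, dated 2001-08-23 12:00.
SAMPLE_ROOT_DIR = (make_entry("IO", "SYS", 0x27, 11031, 24576, 2, 116736)
                   + make_entry("EBD", "CAB", 0x20, 11031, 24576, 60, 271000, deleted=True)
                   + b"\x00" * 32)
```

Run against a real diskette image, `parse_root_dir(img[boot_and_fats_len:boot_and_fats_len + 7168])` (the 1.44 MB root directory is 224 entries) lists every erased entry whose size and start cluster still point at data that can be carved unless it was overwritten.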