
Re: I'm having an image problem...

From: <James.Holley(at)ey.com>
Date: Fri Feb 14 2003 - 22:50:08 EST


James said:

/*
I took md5 checksums of the images from the CD and subsequently my working
copies and this was my result ... These checksums match those obtained from the copies on the hard drives,
*/

This seems a bit confusing to me. How do "images from the CD" and "copies on the hard drive" relate to each other?

/*
The disk is formatted with FAT32 which from my understanding would normally
have alternating pages/sectors of 00 and FF not all 00, is this correct?
*/

The file system on a drive and the data on a drive have no direct correlation except for the file system specific data structures that a format process writes to a drive. The normal format process itself does not write to the data area of a drive, so if the drive has any data on it, and you format it, the data can generally be recovered. It would not be accurate to assume that a FAT32 drive should necessarily have alternating \x00 \xFF in free space.

/*
An analysis of the registry for installed programs shows no third party disk
utilities, leaving only stand alone utilities, software since removed, or events after the disk was imaged as causes of this effect.
*/

I note you mentioned that other computers imaged at the same time as this one had Norton Utilities installed. Norton certainly has the capability with Speed Disk and WipeInfo to do exactly this. The user can configure Norton to write system files to the end of the drive, or alternatively, could configure Norton to write seldom used files to the end of the drive. And Speed Disk can be configured to write any 8-bit hex value (00-FF) to all the unused space. Likewise, WipeInfo can be used to wipe the file slack areas.


Here are some bullets to stimulate thinking. Keep in mind that if you make absolute statements in court like "leaving only ...", you'll get grilled on details like this.

In regard to stand alone utilities:

        Which stand alone defrag utilities can be used (run from a floppy/CD) to defrag a FAT32 volume?

        For those that can be run from floppy or CD, which ones leave no trace in the registry?

        Could the utility have been run from a mounted/mapped network drive?

In regard to "software since removed":

        Are there any traces of the software on the disk?

        Are there any .lnk files in the "Recent" folder pointing to nonexistent executables?

        Which defrag/wipe utilities that could have been installed also remove all traces of itself from the registry?

        Don't most software programs leave some residual traces in the registry even after being removed?

        If the defrag/wipe software was removed and there are no traces of it on disk, how did it get wiped?

In regard to "events after the disk was imaged":

        That should be pretty easy to address with DIBS image validation (whatever they use).


James


James O. Holley
Ernst & Young
Litigation Advisory Services &
Computer Forensic Services
http://litigation.ey.com

Office: 703.747.1059

Fax:       703.747.0104
Lab:       703.747.0253

Pager: 888.620.5275
Pager email: 6205275 "AT" skytel.com


The information contained in this message may be privileged and confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you. Ernst & Young LLP
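Two points in the reply above lend themselves to a concrete check: verifying that a working copy still hashes identically to the original image, and inspecting free space for the kind of uniform fill (all 00, all FF, or any single byte value a defrag/wipe utility was configured to write) rather than assuming what a FAT32 format "should" leave behind. The following is an added example, not code from the original message or from any of the tools it names; it runs over a constructed in-memory region rather than a real image, and the 512-byte sector size and the 0xE5 fill byte are assumptions chosen only for illustration.

```python
import hashlib
from collections import Counter

SECTOR_SIZE = 512  # assumed sector size for the constructed sample


def image_md5(data: bytes) -> str:
    """MD5 of a raw image region, the same check the original poster used."""
    return hashlib.md5(data).hexdigest()


def verify_copy(original: bytes, working: bytes) -> bool:
    """True when the working copy hashes identically to the original image."""
    return image_md5(original) == image_md5(working)


def classify_sector(sector: bytes) -> str:
    """Label a sector as 'zero', 'ff', 'fill:XX' (any other uniform byte) or 'mixed'."""
    if not sector:
        return "empty"
    first = sector[0]
    if sector == bytes([first]) * len(sector):
        if first == 0x00:
            return "zero"
        if first == 0xFF:
            return "ff"
        return f"fill:{first:02x}"
    return "mixed"


def fill_summary(region: bytes, sector_size: int = SECTOR_SIZE):
    """Count sector classes and collapse consecutive sectors of one class into runs.

    Returns (counts, runs) where runs is a list of (start_sector, length, label).
    A long run of a single non-zero fill value in unallocated space is the kind
    of artifact a wipe or defrag utility leaves and a plain format does not.
    """
    counts = Counter()
    runs = []
    for offset in range(0, len(region), sector_size):
        label = classify_sector(region[offset:offset + sector_size])
        counts[label] += 1
        index = offset // sector_size
        if runs and runs[-1][2] == label:
            start, length, _ = runs[-1]
            runs[-1] = (start, length + 1, label)
        else:
            runs.append((index, 1, label))
    return dict(counts), runs


# Constructed sample region: 4 zeroed sectors, 2 sectors of 0xFF, 3 sectors of a
# single arbitrary fill byte (0xE5, chosen for illustration), then 1 sector of
# varied content standing in for live file data.
SAMPLE_REGION = (
    b"\x00" * SECTOR_SIZE * 4
    + b"\xff" * SECTOR_SIZE * 2
    + b"\xe5" * SECTOR_SIZE * 3
    + bytes(range(256)) * 2
)


if __name__ == "__main__":
    counts, runs = fill_summary(SAMPLE_REGION)
    print("image md5:", image_md5(SAMPLE_REGION))
    print("sector classes:", counts)
    for start, length, label in runs:
        print(f"sectors {start}-{start + length - 1}: {label} (x{length})")
```

On a real acquisition you would read the image file in sector-sized chunks instead of building the region in memory, and restrict the summary to clusters the FAT marks as free so that legitimate file content is not mistaken for fill; the run list then tells you directly whether free space is uniform, alternating, or mixed, rather than leaving it to assumption.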

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com Received on Sat Feb 15 00:06:12 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:43 EDT

