
Archive for the ‘Data Recovery’ Category

Windows 98 stops being supported

November 10th, 2008 by rob585 | No Comments | Filed in File System

On 11th July 2006 Microsoft stopped providing support for Windows 98.

Windows 3.1x is no more

November 10th, 2008 by rob585 | No Comments | Filed in File System

On 1st November 2008 Microsoft stopped issuing licenses for Windows 3.1, which was first released in 1990.

EnCase 6.10

September 18th, 2008 by rob585 | No Comments | Filed in Encase, File System

Recovering Deleted Files


What is unallocated space?

September 6th, 2008 by rob585 | No Comments | Filed in File System, Forensics

What is unallocated space?

Unallocated space, sometimes called “free space”, is logical space on a hard drive that the operating system, e.g. Windows, can write to. To put it another way, it is the opposite of “allocated” space, which is where the operating system has already written files.

Examples.

If the operating system writes a file to a certain space on the hard drive, that part is now “allocated” to the file, and no other files can be written to that section. If that file is deleted, that part of the hard drive is no longer required to be allocated and becomes unallocated. This means that new files can now be written to that location.

On a standard, working computer, files can only be written to the unallocated space.

If a new drive is connected to a computer, virtually all of the drive space is unallocated space (a small amount of space will be taken up by files within the file system, e.g. $MFT). On a new drive the unallocated space is normally zeros; as files are written to the hard drive the zeros are overwritten with the file data.

Working Example

Blank Drive

A freshly formatted (NTFS) 500 GB hard drive starts with 99.9% unallocated space; we will assume it is 100% to make the maths slightly easier. All of the unallocated space will be zeros, literally 00 00 00 written on the hard drive.

If a 5 GB file, e.g. a large movie, is placed on the drive, then there will be 1% (5 GB) allocated space and 99% unallocated (495 GB).

If a 10 GB database file is now added to this hard drive there will be a total of 3% (15 GB) of allocated space and 485 GB of unallocated space. New files will only be written into the remaining unallocated space.

What happens when a file is deleted?

If the movie file from the above example is deleted, the allocated space it was using will now become unallocated, i.e. there will now be 2% allocated space (the 10 GB database) and 98% unallocated space.

However, the data from the movie file is still on the hard drive; it does not just disappear, it only changes its status. This means that the following situation now exists:

There is 10 GB of allocated space and 490 GB of unallocated space.

Of the 490 GB, 485 GB would be all zeros, however 5 GB of the unallocated space would be the old movie data.

Until new files are written to the hard drive this movie file will remain deleted but still recoverable from the hard drive. Even when new files are written, they must overwrite the same unallocated space that the movie file occupies before the movie data is destroyed.

Unallocated space can only be accessed by specialist tools, and not directly from Windows. Such tools include:

R-Studio, WinHex, EnCase and FTK.


What is File Slack?

August 31st, 2008 by rob585 | 1 Comment | Filed in Encase, File System, Video Guides

What is File Slack?

This article looks at file slack: where it is, how to find it, and it includes a video guide on how to view this data in EnCase 6.10.

Requirements

To understand file slack, one must first understand the basic concepts of clusters and sectors.

This article is based on the assumption that the reader understands these concepts. It is also written with the assumption that the hardware under consideration is a standard Windows hard drive, with a sector size of 512 bytes and a cluster size of 8 sectors.

Clusters and Sectors

Because the operating system addresses storage in clusters, whereas the hard drive itself addresses sectors, files are stored on a hard drive in units of clusters and not sectors.

Examples:

A 5000 byte file takes up 9 sectors; however, the operating system will allocate the file 2 clusters (16 sectors), as it does not fit into 1 cluster. 2 clusters is 8 KB.

A 2500 byte file will fit into 5 sectors; however, the operating system will allocate the file 1 full cluster (8 sectors), which is 4 KB.

A file which is 10,000 bytes will be allocated 12 KB – 3 clusters.

Different Sizes

From this it can be seen that a file has two different sizes: the logical file size, the actual size of the file, and the physical file size, the size given to the file on the hard drive.

The physical file size is always greater than or equal to the logical file size (ignoring resident data for the moment).

File Slack

File slack is the difference between the physical file size and logical file size.

E.g. for a 5000 byte file, which is given 2 clusters (8192 bytes), the file slack will be 8192 – 5000, which is 3192 bytes. The file slack should always be less than 1 cluster (4096 bytes).

As file slack is literally the space on the hard drive between the logical and physical file size, anything that was in that space beforehand becomes file slack. Because a new file is created by overwriting unallocated space (even if that means deleting a file immediately before the request to write), file slack is essentially old fragments of unallocated space (RAM slack is not being discussed at this point).

This means that file slack can contain anything at all, from fragments of web pages, emails and even complete small pictures, to junk text. It is more often than not the latter; however, complete EML files and thumbnail pictures have been recovered from it that can prove an entire case.

Below is a video showing file slack, using EnCase 6.10. EnCase is better at viewing this type of data than FTK.
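The cluster arithmetic from the examples above, and the deleted-but-still-present scenario from the earlier post "What is unallocated space?", can both be reproduced with a small simulated drive. The following Python is an added example, not code from the original posts or from EnCase, FTK or any other tool they mention. It assumes the page's 512-byte sectors and 8-sector (4096-byte) clusters, computes the sector count as the ceiling of size / 512, and the disk size, file names and file contents (a 5000-byte "MOVIE" pattern standing in for the movie, a 10-byte note) are constructed here for illustration.

```python
"""Constructed simulation of unallocated space and file slack.

Assumptions taken from the page: 512-byte sectors, 8 sectors per cluster,
a new drive is all zeros, and deleting a file only changes its status.
"""
from dataclasses import dataclass, field

SECTOR_SIZE = 512
SECTORS_PER_CLUSTER = 8
CLUSTER_SIZE = SECTOR_SIZE * SECTORS_PER_CLUSTER  # 4096 bytes


def sectors_needed(logical_size: int) -> int:
    """Sectors the data spans (ceiling division), were the drive addressed per sector."""
    return -(-logical_size // SECTOR_SIZE)


def clusters_needed(logical_size: int) -> int:
    """Whole clusters the operating system actually allocates."""
    return -(-logical_size // CLUSTER_SIZE)


def physical_size(logical_size: int) -> int:
    """Space given to the file on disk: always a multiple of the cluster size."""
    return clusters_needed(logical_size) * CLUSTER_SIZE


def file_slack(logical_size: int) -> int:
    """Physical size minus logical size; always less than one cluster."""
    return physical_size(logical_size) - logical_size


@dataclass
class Disk:
    """A tiny cluster-addressed drive: a byte array plus an allocation table."""
    n_clusters: int
    data: bytearray = field(init=False)
    allocated: dict = field(default_factory=dict)  # name -> (first cluster, logical size)

    def __post_init__(self) -> None:
        self.data = bytearray(self.n_clusters * CLUSTER_SIZE)  # new drive: all zeros

    def free_clusters(self) -> list:
        used = set()
        for first, size in self.allocated.values():
            used.update(range(first, first + clusters_needed(size)))
        return [c for c in range(self.n_clusters) if c not in used]

    def write(self, name: str, content: bytes) -> int:
        """Write into the first contiguous run of free clusters; return its index."""
        need = clusters_needed(len(content))
        free = self.free_clusters()
        for i in range(len(free) - need + 1):
            run = free[i:i + need]
            if run[-1] - run[0] == need - 1:  # the clusters are contiguous
                start = run[0] * CLUSTER_SIZE
                # Only the logical bytes are overwritten; whatever was left in
                # the rest of the last cluster stays there and becomes file slack.
                self.data[start:start + len(content)] = content
                self.allocated[name] = (run[0], len(content))
                return run[0]
        raise OSError("no contiguous unallocated space")

    def delete(self, name: str) -> None:
        """Deleting only updates the allocation table; the data is untouched."""
        del self.allocated[name]

    def read(self, name: str) -> bytes:
        first, size = self.allocated[name]
        return bytes(self.data[first * CLUSTER_SIZE:first * CLUSTER_SIZE + size])

    def slack(self, name: str) -> bytes:
        """Bytes between the logical end of the file and the end of its last cluster."""
        first, size = self.allocated[name]
        start = first * CLUSTER_SIZE
        return bytes(self.data[start + size:start + physical_size(size)])

    def unallocated(self) -> bytes:
        """What a carving tool sees: every cluster not in the allocation table."""
        return b"".join(bytes(self.data[c * CLUSTER_SIZE:(c + 1) * CLUSTER_SIZE])
                        for c in self.free_clusters())


MOVIE = b"MOVIE" * 1000  # constructed 5000-byte stand-in for the page's movie file


def demo() -> dict:
    """Walk through the page's scenario and return the observable facts."""
    disk = Disk(n_clusters=16)
    disk.write("movie", MOVIE)                           # 2 clusters, 3192 bytes of slack
    disk.delete("movie")
    carved_before = disk.unallocated().count(b"MOVIE")   # deleted data is fully present
    disk.write("note", b"short note")                    # reuses the movie's first cluster
    slack = disk.slack("note")                           # old movie bytes follow the note
    carved_after = disk.unallocated().count(b"MOVIE")    # only the second cluster is left
    return {"carved_before": carved_before, "note": disk.read("note"),
            "slack_len": len(slack), "slack_head": slack[:10],
            "carved_after": carved_after}


if __name__ == "__main__":
    for size in (5000, 2500, 10000):
        print(size, sectors_needed(size), clusters_needed(size),
              physical_size(size), file_slack(size))
    print(demo())
```

Running the block prints the sector, cluster, physical-size and slack figures for the three file sizes in the examples, then the scenario result: all 1000 copies of the movie pattern are carvable from unallocated space after the delete, and after the 10-byte note is written over the first cluster, the note's 4086 bytes of slack begin with the old movie data while the second cluster still carves.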


Video: Locating MFT from Volume Boot

August 28th, 2008 by rob585 | 1 Comment | Filed in Encase, File System, Video Guides

Following on from the previous articles on the Master Boot Record (MBR Partition Tables and a guide to the MBR for an NTFS drive):

Below is a guide on how to locate the MFT (Master File Table) and MFT Mirror from the Volume Boot/Boot Sector/BPB.


Video - Locating the First Partition from the MBR

August 27th, 2008 by rob585 | 1 Comment | Filed in Encase, File System, Video Guides

Below is a video demonstrating how to locate the first partition from the MBR (Sector 0).

This follows on from the articles listed below, which may also be useful:

MBR - Overview

MBR Partition Information

Examining the MBR with EnCase - Video


Video: The MBR

August 27th, 2008 by rob585 | No Comments | Filed in Encase, File System, Video Guides

Following on from the previous articles on the MBR (MBR Partition Tables and MBR NTFS):

Below is a video showing the MBR via EnCase.


MBR (NTFS) Partition Table Entry

August 25th, 2008 by rob585 | 3 Comments | Filed in File System

In the previous example we demonstrated an MBR from a drive that only had one partition, so where is the information stored if there are multiple partitions?

The information is stored in the remaining bytes within the MBR, from 462 to 510, i.e. all of the partition information is from 446 to 510, a total of 64 bytes. The final two bytes (511 and 512) in the MBR are the “magic numbers”. (Remember that the MBR is 1 sector, which is 512 bytes.)

Below is the location of the partition information within the MBR. Attached is the information in PDF format.

Partition Table #1

Offset (within MBR)   Information                     Length (bytes)
446                   Active (80=Active)              1
450                   Partition Type                  1
454                   Sectors Preceding Partition 1   4
458                   Sectors in Partition 1          4

Partition Table #2

Offset (within MBR)   Information                     Length (bytes)
462                   Active (80=Active)              1
466                   Partition Type                  1
470                   Sectors Preceding Partition 2   4
474                   Sectors in Partition 2          4

Partition Table #3

Offset (within MBR)   Information                     Length (bytes)
478                   Active (80=Active)              1
482                   Partition Type                  1
486                   Sectors Preceding Partition 3   4
490                   Sectors in Partition 3          4

Partition Table #4

Offset (within MBR)   Information                     Length (bytes)
494                   Active (80=Active)              1
498                   Partition Type                  1
502                   Sectors Preceding Partition 4   4
506                   Sectors in Partition 4          4


File Systems: MBR (NTFS)

August 25th, 2008 by rob585 | 4 Comments | Filed in File System

Attached is the MBR, Master Boot Record, taken from a 500 GB drive, formatted in NTFS, with a single partition, running Windows XP.

The first 440 bytes, from offset 0 to offset 439, contain the Master Bootstrap Loader code. In this case it starts with the bytes 33 C0 BE.

At offset 440, for a length of 4 bytes, is the Windows Disk Signature. In this example it is 2AD42AD4. This is unique to a drive, and can be considered to be a forensic artifact.

At offset 446, for a length of 1, is a value which states whether the partition (whose location is given shortly) is active or not; in this case the value is set to 80, which means it is active.

At offset 450, for a length of 1, is the partition type indicator, i.e. it tells the computer whether it should expect an NTFS partition, a FAT32 partition, or the like. Each partition type has its own unique number; in this case it is 07.

At offset 454, for a length of 4, is the number of sectors preceding the start of partition 1, i.e. the location of the first partition. In this example (and on most “standard” drives) the value is 3F, which is 63 in decimal. This means that the partition starts at sector 63 (as the first sector is 0).

At offset 458, for a length of 4, is the size of the first partition, in sectors. In this example the bytes on disk are 80CE373A. The value is stored little-endian, so the byte order must be reversed before it is read as a number, giving the hex value 3A37CE80, which is 976735872 in decimal. This is the size in sectors of the first partition; as each sector is 512 bytes, the total size of the partition is 512*976735872 = 500,088,766,464 bytes, or 465 GB.

Example of MBR with colour coding
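The byte-by-byte walkthrough above, and the four-entry offset tables in the previous post "MBR (NTFS) Partition Table Entry", can be checked with a short parser. The following Python is an added example, not code from the original posts or from EnCase. The 512-byte MBR it builds is constructed here to reproduce the values quoted above for partition 1 (loader bytes 33 C0 BE, disk signature 2AD42AD4, status 80, type 07, 3F preceding sectors and 80CE373A sectors in the partition); the rest of the loader code, the legacy CHS bytes and the empty entries 2 to 4 are placeholders. The parser reads all four entries, which the tables describe but the walkthrough does not decode, and it checks the 55 AA boot signature before trusting the table.

```python
"""Parse the four partition-table entries of a 512-byte MBR (constructed sample)."""
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
ENTRY_SIZE = 16
# One 16-byte entry: status, CHS start (3 bytes), type, CHS end (3 bytes),
# sectors preceding the partition (4 bytes), sectors in the partition (4 bytes).
# The page's tables list only the status, type and the two 4-byte fields; the
# 3-byte CHS fields sit between them (offsets 447-449 and 451-453 for entry 1).
ENTRY_FORMAT = "<B3sB3sII"  # '<' = little-endian, as the values are stored on disk


def little_endian_hex_to_int(hex_as_on_disk: str) -> int:
    """The manual step from the page: reverse the byte order, then read as a number."""
    return int.from_bytes(bytes.fromhex(hex_as_on_disk), "little")


def build_sample_mbr() -> bytes:
    """Constructed MBR carrying the partition-1 values quoted on the page.
    Loader code beyond the first 3 bytes, CHS values and entries 2-4 are placeholders."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[0:3] = bytes.fromhex("33C0BE")         # first bytes of the bootstrap loader
    mbr[440:444] = bytes.fromhex("2AD42AD4")   # Windows disk signature from the page
    mbr[446:462] = struct.pack(ENTRY_FORMAT,
                               0x80, b"\x01\x01\x00",   # active; placeholder CHS start
                               0x07, b"\xfe\xff\xff",   # NTFS type; placeholder CHS end
                               0x3F,                    # packed on disk as 3F 00 00 00
                               0x3A37CE80)              # packed on disk as 80 CE 37 3A
    mbr[510:512] = b"\x55\xAA"                 # boot signature, the "magic numbers"
    return bytes(mbr)


def parse_mbr(mbr: bytes) -> dict:
    """Return the disk signature and every non-empty partition entry."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if mbr[510:512] != b"\x55\xAA":
        raise ValueError("missing 55 AA boot signature; not a valid MBR")
    partitions = []
    for n in range(4):
        off = PARTITION_TABLE_OFFSET + n * ENTRY_SIZE
        status, _chs_start, ptype, _chs_end, preceding, n_sectors = \
            struct.unpack_from(ENTRY_FORMAT, mbr, off)
        if ptype == 0 and n_sectors == 0:
            continue  # unused table slot
        partitions.append({
            "index": n + 1,
            "offset": off,
            "active": status == 0x80,
            "type": ptype,
            "sectors_preceding": preceding,
            "sectors_in_partition": n_sectors,
            "size_bytes": n_sectors * SECTOR_SIZE,
        })
    return {"disk_signature": mbr[440:444].hex().upper(), "partitions": partitions}


if __name__ == "__main__":
    print(hex(little_endian_hex_to_int("80CE373A")))
    print(parse_mbr(build_sample_mbr()))
```

The table offsets fall out of the loop: entry n starts at 446 + 16n, so its status, type, preceding-sectors and size fields sit at 446/450/454/458, 462/466/470/474, 478/482/486/490 and 494/498/502/506, matching the four tables in the earlier post. Because struct unpacks the two 4-byte fields little-endian, the 80CE373A on disk comes back as 976735872 without a manual byte reversal.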
