I am investigating a 250GB FAT32 disk which has had many files deleted
- the suspicion is that the deleting was malicious. The disk is in good
working condition, with no errors.
On the disk is about 25GB of data and this is at the start of the
disk. The middle 85% (approx) of the disk is untouched, and all
sectors are blank (filled with zeros). What is odd is there is data
from a deleted directory in the final 2GB of the disk. All the files
are from a single deleted subdirectory, or 'System volume
information'. The system volume information is not deleted.
Has anyone seen this rather odd allocation before, and is there any
reason for it?
There are many deleted files on the first part of the hard drive - as
one would expect.
Michael
www.cnwrecovery.com
Previously mscotgrove@aol.com <mscotgrove@aol.com> wrote:
> [...]
On Jan 9, 11:12 am, Arno Wagner <m...@privacy.net> wrote:
> Previously mscotgr...@aol.com <mscotgr...@aol.com> wrote:
> > [...]
> > Michael
> > www.cnwrecovery.com
>
> Is the disk filesystem structure intact? If so, maybe somebody just
> wiped the empty space by writing several large files containing only
> zeros...
>
> Arno
Everything looks intact. The top 2GB starts data with the first
sector of a file. Writing a large zero length file would be hard to
stop at a valid location. I would also like to think that I would
find the 200GB deleted file full of zeros - well it would have to be
50 x 4GB files being FAT32, and even more chance to find them.
Previously mscotgrove@aol.com <mscotgrove@aol.com> wrote:
> [...]
> Everything looks intact. The top 2GB starts data with the first
> sector of a file. Writing a large zero length file would be hard to
> stop at a valid location. I would also like to think that I would
> find the 200GB deleted file full of zeros - well it would have to be
> 50 x 4GB files being FAT32, and even more chance to find them.
Not necessarily. If they were put into a subdirectory, and removed
again, either by writing the same or a larger number of other
files (entries are recycled) or by removing the subdirectory
and re-creating it (should at least blank its first sector),
you would find no trace of the zero-content files. There are also
tools that overwrite all unallocated sectors with zeros, in
which case there never were directory entries.
One possibility for the deleted directory being there in the top
is that it was actually not deleted when the overwriting
occurred, but later on.
The general pattern, however, is that something large was written in a
continuous fashion (i.e. no other data written in between) and then
removed and the free space overwritten in some fashion.
To speculate (no need to confirm or deny anything), it looks as if
somebody has put 200GB of the files you are looking for in one step on
the disk, after the 25GB at the start were already there. From what I
have seen of typical FAT allocation strategies, this would put the
files into the configuration of empty space you see. The system volume
info was then written to the disk later. In a second step the 200GB
were deleted and the free space on the disk overwritten. The system
volume information was deleted later.
For the overwriting, I tend to suspect a free space wiper. Somebody
writing files with zeros and then carefully removing the directory
these files were in sounds inconsistent. Wiping the free space
directly is far easier and requires both less competence and less
effort. In addition, there would be no way to demonstrate conclusively
that this is what was done. An allocation pattern consistent
with this having happened is not enough. You would need to demonstrate
that the OSes the disk was used with cannot generate this allocation
pattern under other circumstances.
Here is one scenario that could create this pattern without
anything ever having been wiped, only deleted:
1. Put 200GB of files on the disk.
2. Put the system vol info there.
3. Delete the 200GB of files.
4. Copy the disk with a disk imager to an empty disk.
5. Remove the system volume directory.
This would require a sector imager that only
copies allocated sectors. Such applications should be available.
Arno,
I have read your ideas with interest.
I agree that a free space wiping program is the only consistent way to
get all-zero sectors and leave no trace. However, I just don't see
how such a large amount of a single deleted subdirectory ends up at the
end of the disk. If a wiping program was used, I would expect more
gaps elsewhere on the disk.
Also of interest, all the subdirectories for this subdirectory are
stored in the final 2GB.
I would suspect something odd with the drive, but all the cluster
pointers etc. tie up, and file contents match the file name.
So far your speculations don't convince me, but I appreciate your
thoughts.
My experience with FAT disks is that they fill from the start, and
that the end of a lightly used disk is always blank. The same with
NTFS, except for the final partition check block.
I will play more, and let you know if I have any 'brain waves'.
Michael
PS The customer is happy with data recovered.
Previously mscotgrove@aol.com <mscotgrove@aol.com> wrote:
> Arno,
> I have read your ideas with interest.
> I agree that a free space wiping program is the only consistent way to
> get all-zero sectors and leave no trace. However, I just don't see
> how such a large amount of a single deleted subdirectory ends up at the
> end of the disk. If a wiping program was used, I would expect more
> gaps elsewhere on the disk.
> Also of interest, all the subdirectories for this subdirectory are
> stored in the final 2GB.
Ok, think of it this way: The 200GB were put on disk without any gaps
in them. A single copy operation to never before used space can do
that.
The directory at the end was put there afterwards and no other space
was available on the disk at that time. The 25GB at the start may have
been put there in a similar fashion and hence there may have been no
gaps for the 200GB to fill (and later be wiped). I take it you
have looked for all-zero areas in the first 25GB?
> I would suspect something odd with the drive, but all the cluster
> pointers etc tie up, and file contents match the file name.
> So far your speculations don't convince me, but I appreciate your
> thoughts.
No problem. After all it will be your analysis, not mine. I
can do completely risk-free brainstorming here.
> In my experience with FAT disks is that they fill from the start, and
> that the end of a lightly used disk is always blank. The same with
> NTFS, except for the final partition check block.
Yes, but the disk may have been almost full when the directory was
placed. It would then go to the very end.
> I will play more, and let you know if I have any 'brain' waves'
;-)
> Michael
> PS The customer is happy with data recovered.
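The distinction Arno draws in the two replies above (deleted files whose clusters are merely unallocated, free space that has since been overwritten with zeros, and a directory that was still allocated when a wipe ran and was deleted afterwards) can be checked on an image by walking the FAT against the data region. What follows is an added example written for this page; it is not code from anyone in the thread or from cnwrecovery.com, and every function name in it is the example's own. It constructs a tiny FAT32 volume in memory (assumed geometry: 512-byte sectors, one sector per cluster, one reserved sector, one FAT, 64 data clusters; constructed test data, not the 250GB disk), models deletion the way FAT does it (FAT entries cleared, content left behind; directory entries are not modelled) and a free-space wiper as zeroing every unallocated cluster, then classifies each run of clusters as allocated, free-and-zero or free-with-content. It replays Arno's sequence (large batch written in one go, deleted, free space wiped, the directory at the end deleted later) and finishes in the pattern Michael describes: zeros in the middle, recoverable data from one directory at the end.

```python
import struct

# Geometry of the constructed test volume (an assumption for this example, not the
# geometry of the disk in the thread): 512-byte sectors, 1 sector per cluster, 1 reserved
# sector, 1 FAT of 1 sector, 64 data clusters numbered 2..65. parse_bpb() reads these
# from the boot sector, so the analysis functions also work on a real FAT32 image.
BPS, SPC, RESERVED, NUM_FATS, FAT_SECTORS, DATA_CLUSTERS = 512, 1, 1, 1, 1, 64
FREE, EOC = 0x00000000, 0x0FFFFFFF

def parse_bpb(img):
    """Read the BPB fields needed to locate the first FAT and the data region."""
    bps, spc, rsvd, nfats = struct.unpack_from('<HBHB', img, 11)
    tot_sec, fat_sz = struct.unpack_from('<I', img, 32)[0], struct.unpack_from('<I', img, 36)[0]
    first_data_sec = rsvd + nfats * fat_sz
    return {'bps': bps, 'spc': spc, 'fat_off': rsvd * bps, 'first_data_sec': first_data_sec,
            'n_clusters': (tot_sec - first_data_sec) // spc}

def cluster_offset(bpb, clus):
    """Byte offset of data cluster `clus` (data clusters are numbered from 2)."""
    return (bpb['first_data_sec'] + (clus - 2) * bpb['spc']) * bpb['bps']

def fat_entry(img, bpb, clus):
    """FAT32 entry for `clus` from the first FAT; only the low 28 bits are meaningful."""
    return struct.unpack_from('<I', img, bpb['fat_off'] + 4 * clus)[0] & 0x0FFFFFFF

def build_image(chains, contents):
    """Construct a minimal FAT32 volume: `chains` are allocated cluster chains (lists),
    `contents` maps cluster number -> bytes written into that cluster."""
    total_sec = RESERVED + NUM_FATS * FAT_SECTORS + DATA_CLUSTERS * SPC
    img = bytearray(total_sec * BPS)
    struct.pack_into('<HBHB', img, 11, BPS, SPC, RESERVED, NUM_FATS)
    struct.pack_into('<I', img, 32, total_sec)       # BPB_TotSec32
    struct.pack_into('<I', img, 36, FAT_SECTORS)     # BPB_FATSz32
    struct.pack_into('<I', img, 44, 2)               # BPB_RootClus
    img[510:512] = b'\x55\xaa'
    bpb = parse_bpb(img)
    struct.pack_into('<II', img, bpb['fat_off'], 0x0FFFFFF8, EOC)  # reserved entries 0 and 1
    for chain in chains:
        for cur, nxt in zip(chain, chain[1:] + [EOC]):
            struct.pack_into('<I', img, bpb['fat_off'] + 4 * cur, nxt)
    for clus, data in contents.items():
        off = cluster_offset(bpb, clus)
        img[off:off + len(data)] = data
    return img

def classify(img):
    """Walk the data region and merge consecutive clusters into runs of 'alloc' (FAT entry
    non-zero), 'free-zero' (unallocated, all zero) or 'free-data' (unallocated, recoverable)."""
    bpb = parse_bpb(img)
    size, runs = bpb['spc'] * bpb['bps'], []
    for clus in range(2, 2 + bpb['n_clusters']):
        if fat_entry(img, bpb, clus) != FREE:
            state = 'alloc'
        else:
            off = cluster_offset(bpb, clus)
            state = 'free-data' if any(img[off:off + size]) else 'free-zero'
        if runs and runs[-1][2] == state:
            runs[-1] = (runs[-1][0], clus, state)
        else:
            runs.append((clus, clus, state))
    return runs

def delete_chain(img, chain):
    """Model deletion the way FAT does it: free the FAT entries, leave the content."""
    bpb = parse_bpb(img)
    for clus in chain:
        struct.pack_into('<I', img, bpb['fat_off'] + 4 * clus, FREE)

def wipe_free_space(img):
    """Model a free-space wiper: zero every cluster whose FAT entry is free. Returns the count."""
    bpb = parse_bpb(img)
    size, wiped = bpb['spc'] * bpb['bps'], 0
    for clus in range(2, 2 + bpb['n_clusters']):
        if fat_entry(img, bpb, clus) == FREE:
            off = cluster_offset(bpb, clus)
            img[off:off + size] = bytes(size)
            wiped += 1
    return wiped

def scenario():
    """Arno's sequence on constructed data: existing data at the start (clusters 2-9), a large
    batch written in one go (10-49), a directory placed later in the only space left (50-65)."""
    start, big, tail = list(range(2, 10)), list(range(10, 50)), list(range(50, 66))
    contents = {c: b'A' * BPS for c in start}
    contents.update({c: b'B' * BPS for c in big})
    contents.update({c: b'T' * BPS for c in tail})
    img = build_image([start, big, tail], contents)
    steps = [('all written', classify(img))]
    delete_chain(img, big)
    steps.append(('big batch deleted', classify(img)))
    wipe_free_space(img)
    steps.append(('free space wiped', classify(img)))
    delete_chain(img, tail)
    steps.append(('tail directory deleted afterwards', classify(img)))
    return steps

if __name__ == '__main__':
    for label, runs in scenario():
        print(label + ':', ', '.join(f'{a}-{b} {s}' for a, b, s in runs))
```

To run the same classification on a real image, replace build_image() with reading the partition into memory (or a chunked reader for a 250GB disk); parse_bpb() takes the geometry from the real boot sector and the functions use the first FAT only. In the spirit of "have you looked for all-zero areas in the first 25GB": a 'free-data' run reported inside the first 25GB contradicts a free-space wiper having run after those deletions, while 'free-data' runs confined to the end of the disk are consistent with that directory being deleted after the wipe.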
mscotgrove@aol.com wrote in
news:79e2f03f-a927-40a8-ac6e-a7709a029328@i7g2000prf.googlegroups.com
> [...]
> What is odd is there is data
> from a deleted directory in the final 2GB of the disk. All the files
> are from a single deleted subdirectory, or 'System volume
> information'. The system volume information is not deleted.
> [...]
If I were *speculating*, I would say someone did an earlier
recovery attempt of some sort.
I find the name of that subdirectory particularly suspicious.
Or that a partition resize operation was underway, or a defrag.
Or any operation that involves saving important data in a free or
secluded space while a potentially risky operation is underway.
mscotgrove@aol.com wrote in
news:7b48a1cc-ac63-4528-a9c6-99e03a9825a4@j78g2000hsd.googlegroups.com
> [...]
> So far your speculations don't convince me, but I appreciate your
> thoughts.
The babblebot is on a 24-7 posting spree again. It's the caffeine talking.
Maybe even speed.
Arno Wagner wrote in news:5ujqu2F1ig3chU1@mid.individual.net
> [...]