Unexplained images in Unallocated area of my HDD

  

Re: Unexplained images in Unallocated area of my HDD

Post Posted: Thu May 18, 2017 11:18 am

On nt5.x (which XP is) you can write anything you want anywhere on the volume if you are administrator. The security mechanisms on that OS are crap and writing stuff to unallocated (allocated is just as easy) is trivial with a short code snippet. You need to have some technical level though. Traces of such writing may not be present in the $LogFile. But I would still analyze the $LogFile to see. Send me a PM if you have trouble understanding the output. I am the author of that program I linked to.

About $MFT, what made you think it is corrupt?
_________________
Joakim Schicht

github.com/jschicht 

joakims
Senior Member
 
 
  

Re: Unexplained images in Unallocated area of my HDD

Post Posted: Fri May 19, 2017 12:54 am

Thank you for your response @Joakims. Will definitely send a PM. As for the $MFT, due to my lack of experience and the fact that we could not see/locate the file name of the images recovered from my Unallocated space, we made that conclusion. I might need to share some outputs. Is it possible for a file in unallocated space not to have a filename?

thanks  

Simeonmil
Newbie
 
 
  

Re: Unexplained images in Unallocated area of my HDD

Post Posted: Fri May 19, 2017 1:31 am

If you write some sequence of binary data to unallocated, as jaclaz described, there will usually not be any filename to be found to identify this chunk of data. A filename is what the filesystem would present to you so that you can easily locate that chunk of data if the file was stored on the volume by "normal" means. But there can still be filenames on this volume, as you might just not have found them yet. The $LogFile will give some valuable information (though limited) about the history of the filesystem.

Another file you might want to check out is hiberfil.sys, which is a memory snapshot of the system if it was hibernated at some point.

Regarding unallocated, do you know for sure that the images did not exist in those sectors before you started using the laptop?
_________________
Joakim Schicht

github.com/jschicht 

joakims
Senior Member
 
 
  

Re: Unexplained images in Unallocated area of my HDD

Post Posted: Fri May 19, 2017 2:15 am

Great insight I am getting here. I am sure I did not put them there and, regarding your question, you might be right: they might have been in those sectors before I started using the machine. The laptop was not acquired brand new more than 5 years ago. It was formatted once though.

regards  

Simeonmil
Newbie
 
 
  

Re: Unexplained images in Unallocated area of my HDD

Post Posted: Sat May 20, 2017 3:58 am

- Simeonmil
Great insight I am getting here. I am sure I did not put them there and, regarding your question, you might be right: they might have been in those sectors before I started using the machine. The laptop was not acquired brand new more than 5 years ago. It was formatted once though.

regards

Wait a minute.

Formatting under XP does not clear the contents (starting from Vista, unless you use the "quick" format, all sectors are zeroed), so, unless the disk was wiped, anything that was not overwritten later is still there "as it was" (while of course each and every "current" $MFT and other filesystem metadata won't have any trace of that).

If this is the case, check the EXIF data of the images; if you can find dates that precede the time you bought the used PC (AND you can find no later dates), then this would be the most likely explanation.

Imagine a hard disk as a library (the actual physical shelves with books on them) and the $MFT (and other NTFS metadata) as the set of library cards on which you record where the books are on the shelves and when you lend them and when they are returned.

You can well remove a book entry from the card set leaving the book in its place on the shelf.
The book becomes "unallocated", but until you physically remove the volume from the shelf (by replacing it with another book) it will still be there.

When you do a non-wiping format on a hard disk it is exactly the same thing as if you throw away your set of library cards and start with a new, blank set: the whole library will appear empty on the set while it is possibly full of books.
In other words your data is not reflecting the actual physical status.

On the other hand, a distracted librarian may well remove a book from a shelf (or add one or replace one) without updating the card, let's call this "direct access", the database information is as well out-of-sync with reality.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
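The EXIF date check suggested in the post above, as an added example that is not part of the original thread: it reads the EXIF date tags from a carved JPEG and compares the newest one against an acquisition date. The acquisition date, the `classify` labels and the `sample_jpeg` helper (which builds constructed test input) are assumptions made for illustration.

```python
import struct
from datetime import datetime

DATE_TAGS = {0x0132: "DateTime", 0x9003: "DateTimeOriginal", 0x9004: "DateTimeDigitized"}

def exif_dates(jpeg: bytes) -> dict:
    """Return the EXIF date tags found in a (possibly truncated) carved JPEG."""
    pos = jpeg.find(b"Exif\x00\x00")            # start of the APP1 payload
    tiff = jpeg[pos + 6:] if pos >= 0 else b""  # TIFF header follows the marker
    if len(tiff) < 8 or tiff[:2] not in (b"II", b"MM"):
        return {}
    e = "<" if tiff[:2] == b"II" else ">"       # byte order of the TIFF block
    found = {}

    def walk(offset, depth=0):
        if offset + 2 > len(tiff):
            return
        (count,) = struct.unpack_from(e + "H", tiff, offset)
        for i in range(count):
            entry = offset + 2 + 12 * i
            if entry + 12 > len(tiff):          # carve ended mid-directory
                return
            tag, typ, n, val = struct.unpack_from(e + "HHII", tiff, entry)
            if tag == 0x8769 and depth == 0:    # pointer to the Exif sub-IFD
                walk(val, 1)
            elif tag in DATE_TAGS and typ == 2 and n == 20:
                raw = tiff[val:val + 19].decode("ascii", "replace")
                try:
                    found[DATE_TAGS[tag]] = datetime.strptime(raw, "%Y:%m:%d %H:%M:%S")
                except ValueError:              # zeroed or overwritten timestamp
                    pass

    walk(struct.unpack_from(e + "I", tiff, 4)[0])
    return found

def classify(dates: dict, acquired: datetime) -> str:
    """Compare the newest EXIF date with the (assumed) acquisition date."""
    if not dates:
        return "no-exif"
    return "predates-acquisition" if max(dates.values()) < acquired else "on-or-after-acquisition"

def sample_jpeg(stamp: str) -> bytes:
    """Constructed test input: minimal JPEG carrying one DateTimeOriginal tag."""
    text = stamp.encode() + b"\x00"
    ifd0 = struct.pack("<HHHIII", 1, 0x8769, 4, 1, 26, 0)   # IFD0 at offset 8
    exif = struct.pack("<HHHIII", 1, 0x9003, 2, 20, 44, 0)  # Exif IFD at offset 26
    tiff = b"II*\x00" + struct.pack("<I", 8) + ifd0 + exif + text
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

EXIF timestamps come from the clock of the device that produced the image, so a result of "no-exif" or an implausible date says nothing either way about when the data reached the disk.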
 
 
  

Re: Unexplained images in Unallocated area of my HDD

Post Posted: Sat May 20, 2017 10:36 am

Thank you Jaclaz for explaining this to me. I will need to view the EXIF files as well and look at the dates. This is very helpful information. The example of the Library makes it easier to understand.

Best regards :)

Simeonmil
Newbie
 
 
  

Re: Unexplained images in Unallocated area of my HDD

Post Posted: Sat May 20, 2017 11:02 am

- Simeonmil
The example of the Library makes it easier to understand.


... and wait until you find out about mad typographers and crazy hotel guests (and lazy maids) ;) :
www.forensicfocus.com/...ic/t=5150/

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
