
Unexplained images in Unallocated area of my HDD

(@simeonmil), topic starter
 

Hello Everyone,

I am new here and I have a situation which requires advice from a computer forensics perspective, because someone might have COPIED important information from my laptop and LEFT JPG and PNG images on my HDD that I am sure I have never seen, as far as I can remember. I am a Network/Electronics Systems Engineer by profession with 8 years' experience, currently focusing on transmission systems. I am asking if someone with the expertise can help me to understand and explain what might have happened to my computer HARD DRIVE after it fell into the wrong hands.

I have an old laptop running Windows XP SP3, NTFS, 32-bit, with two partitions. I suspect it fell into the wrong hands because I found a lot (almost 100) of JPG and PNG pictures in unallocated space using PhotoRec and bulk_extractor, which have no timestamps; I cannot tell where they came from or who last opened them (the MFT is corrupt). The image was mounted using FTK Imager as read-only. I only use one account to log in and the pictures cannot be traced to it. I cannot tell if they were downloaded from a website or copied. I used my password-protected laptop more than a year ago and can see some failed login attempts after a year. When I do a time analysis, all I can see is that the machine was booted recently and there were failed attempts to log in via the OS.

How do I tell if someone removed my hard drive and put the pictures in unallocated space? I suspect it (the HDD) was removed, since the password login failed. What do I look out for? Does the hard drive keep logs/traces when it is removed from the laptop and connected to another device/computer for access? If traces are left, are they in the OS? Because I think when the hard drive is removed, Windows is not working during access. Any response or ideas will be appreciated.

Thank you,

Simeon

 
Posted : 18/05/2017 2:58 pm
(@mobileforensicswales)
 

Can you give any sort of context? Where are you based on the globe?

 
Posted : 18/05/2017 3:28 pm
jaclaz (@jaclaz)
 

As generic advice, always think about the five W's:
https://en.wikipedia.org/wiki/Five_Ws

You have more or less the What, and - possibly - the When and Where, but before the Who you might want to make some (educated) guesses on the possible Why.

The What is connected to possible Who's and Why's as well. I mean, are these JPGs/PNGs LolCats?
Or are they related to business matters?
Or are they personal photos?
Are they just "unusual" (as you don't remember having seen them before) or *somehow* illegal/potentially incriminating you if found during an investigation?

jaclaz

 
Posted : 18/05/2017 4:34 pm
(@simeonmil), topic starter
 

Hi,

I am based in Zambia, in Africa. Ultimately I want to find out whether it is possible for someone to put images in the unallocated area of my hard drive and copy files after removing it, without traces/logs. All the images recovered have no MAC times.

Thanks

 
Posted : 18/05/2017 4:43 pm
jaclaz (@jaclaz)
 

> Hi,
>
> I am based in Zambia, in Africa. Ultimately I want to find out whether it is possible for someone to put images in the unallocated area of my hard drive and copy files after removing it, without traces/logs. All the images recovered have no MAC times.
>
> Thanks

Well, that is another question altogether.
Q. Is it possible for someone to put images in the unallocated area of my hard drive and copy files after removing it, without traces/logs?
A. Yes, as long as that someone has physical access to the device, and again possibly yes if the machine is compromised from remote (this may also depend specifically on the OS involved).
Basically, the images you found are in an unallocated area, so it is easy to find which areas are unallocated and dd *whatever* data to them, and this will obviously create no trace in $MFT, the Registry or *whatever*.

jaclaz

 
Posted : 18/05/2017 4:56 pm
joakims (@joakims)
 

If you imaged the system immediately, you may have a $LogFile that can contain some good information. Try this one https://github.com/jschicht/LogFileParser It is basically a limited history of the filesystem transactions.

Then I am wondering what makes you think the $MFT is corrupt?

You can extract the $MFT and run this tool https://github.com/jschicht/Mft2Csv to decode all entries, at least if the file is in a healthy condition. If it is corrupt, it may not be so straight forward though.

 
Posted : 18/05/2017 5:38 pm
(@simeonmil), topic starter
 

Thank you Jaclaz and Joakims for your responses and explanations. Please allow me to ask, as I am completely new to this. As mentioned below, if it is dd that was used to write data to my hard drive in unallocated space, can there be a log in the $LogFile? What do I need to look out for if I am looking at the $LogFile? Some sort of transaction table showing the time data might have been moved to my hard drive? We imaged the hard drive immediately. Can you share any reference I can read on what you have explained, Jaclaz?

Thanks

 
Posted : 18/05/2017 7:48 pm
joakims (@joakims)
 

On NT 5.x (which XP is) you can write anything you want anywhere on the volume if you are administrator. The security mechanisms on that OS are crap, and writing stuff to unallocated (allocated is just as easy) is trivial with a short code snippet. You need to have some technical level, though. Traces of such writing may not be present in the $LogFile. But I would still analyze the $LogFile to see. Send me a PM if you have trouble understanding the output. I am the author of the program I linked to.

About $MFT, what made you think it is corrupt?

 
Posted : 18/05/2017 10:18 pm
(@simeonmil), topic starter
 

Thank you for your response @Joakims. I will definitely send a PM. As for the $MFT, due to my lack of experience and the fact that we could not see/locate the file names of the images recovered from my unallocated space, we made that conclusion. I might need to share some outputs. Is it possible for a file in unallocated space not to have a filename?

Thanks

 
Posted : 19/05/2017 11:54 am
joakims (@joakims)
 

If you write some sequence of binary data to unallocated, as jaclaz described, there will usually not be any filename to be found to identify this chunk of data. A filename is what the filesystem would present to you so that you can easily locate that chunk of data if the file was stored on the volume by "normal" means. But there can still be filenames on this volume, as you might just not have found them yet. The $LogFile will give some valuable information (though limited) about the history of the filesystem.

Another file you might want to check out is hiberfil.sys, which is a memory snapshot of the system if it was hibernated at some point.

Regarding unallocated, do you know for sure that the images did not exist in those sectors before you started using the laptop?

 
Posted : 19/05/2017 12:31 pm
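An added example, not code from this thread or from either tool linked above, illustrating the two points made by jaclaz (find the unallocated clusters, write raw data into them, and no filesystem metadata records it) and by joakims (such data carves back by signature but carries no filename). It uses a constructed in-memory volume and a constructed allocation bitmap in the NTFS $Bitmap layout (one bit per cluster, least-significant bit first) rather than a real NTFS image; the cluster size, the two file signatures and all function names are assumptions for illustration:

```python
"""
Raw writes to unallocated clusters and signature carving, on a constructed
in-memory volume. Nothing here parses a real NTFS image; the bitmap layout
(one bit per cluster, LSB first within each byte) is the one NTFS $Bitmap uses.
"""
from typing import Dict, List, Tuple

CLUSTER_SIZE = 4096  # assumption: 8 sectors x 512 bytes, the common NTFS default

# Signatures a carver such as PhotoRec keys on (constructed sample list)
SIGNATURES = {
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
}


def unallocated_clusters(bitmap: bytes, cluster_count: int) -> List[int]:
    """Return the LCNs whose allocation bit is clear."""
    free = []
    for lcn in range(cluster_count):
        if not (bitmap[lcn // 8] >> (lcn % 8)) & 1:
            free.append(lcn)
    return free


def raw_write(volume: bytearray, lcn: int, data: bytes) -> None:
    """Write bytes straight into a cluster by offset, the way `dd` would.
    Only the volume bytes change: the bitmap, any $MFT-style record, and
    any timestamps are never consulted or updated."""
    if len(data) > CLUSTER_SIZE:
        raise ValueError("example keeps each write inside one cluster")
    off = lcn * CLUSTER_SIZE
    volume[off:off + len(data)] = data


def carve(volume: bytes, bitmap: bytes, cluster_count: int) -> List[Tuple[int, str]]:
    """Scan only unallocated clusters for a known signature at the cluster
    start and return (lcn, type). There is no name to report: the only
    identifier such a chunk has is where it sits on disk."""
    hits = []
    for lcn in unallocated_clusters(bitmap, cluster_count):
        chunk = volume[lcn * CLUSTER_SIZE:(lcn + 1) * CLUSTER_SIZE]
        for kind, magic in SIGNATURES.items():
            if chunk.startswith(magic):
                hits.append((lcn, kind))
    return hits


def demo() -> Dict[str, object]:
    cluster_count = 16
    volume = bytearray(cluster_count * CLUSTER_SIZE)
    # Constructed bitmap: clusters 0-5 allocated (0b00111111), 6-15 free.
    bitmap = bytes([0b00111111, 0b00000000])
    free = unallocated_clusters(bitmap, cluster_count)

    # An attacker with the drive in hand drops two images into free clusters.
    raw_write(volume, free[0], SIGNATURES["png"] + b"\x00" * 64)
    raw_write(volume, free[3], SIGNATURES["jpg"] + b"\xe0" + b"\x00" * 64)
    # The same bytes inside an allocated cluster (someone's live file) are
    # outside an unallocated-space carver's scope and will not be reported.
    raw_write(volume, 2, SIGNATURES["png"] + b"\x00" * 64)

    return {"free_clusters": free, "carved": carve(bytes(volume), bitmap, cluster_count)}


if __name__ == "__main__":
    print(demo())
```

The carver reports cluster numbers and types only, which is the situation described in the thread: PhotoRec output with no filename and no MAC times is exactly what a raw write into free clusters looks like, because the only thing that changed was the cluster contents. A real investigation would read the cluster size from the boot sector and the bitmap from $Bitmap rather than constructing them.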
Page 1 / 2