Recovering file names from Norton Wipe Info

(@murdocha)
Posts: 9
Active Member
Topic starter
 

I'm conducting an investigation where a suspect has possibly wiped files from the machine in question. From what I can ascertain the most likely tool that would have been used is Norton Wipe info.

According to the help file
"Wipe Info eliminates a file's contents from the disk, but does not remove the file name. While the file name remains on the disk, it is no longer visible in Windows Explorer, and therefore no data is stored with it. On NTFS volumes, streams (alternative data that belongs to a file but is not stored with the file) are also wiped."

1) Am I correct to assume that the filename has nothing to do with streams? And that according to what Norton says the filename will therefore still exist on an NTFS drive?

2) How would I be able to recover the filenames that may have been potentially wiped from a drive?

 
Posted : 23/07/2007 8:07 pm
 kern
(@kern)
Posts: 67
Trusted Member
 

Hi murdocha

Maybe try a practical approach, with best practices in mind (i.e. work only on a copy, use write blockers, etc.): try a file recovery application and see what turns up.

Depending upon what exactly you are trying to find, there are other methods that will find a trail of evidence about what was on the system.

kern

 
Posted : 23/07/2007 11:47 pm
steve862
(@steve862)
Posts: 194
Estimable Member
 

Murdocha,

It sounds like an odd product. Most wiping tools will remove entries in the MFT and the file itself. In the case of NTFS the MFT record contains the filename, dates/times of access etc etc and the location of the file on the disk. From what it sounds like Norton is only wiping the file but is leaving the MFT record almost intact, possibly just marking the MFT entry as available to reuse.

Alternate data streams are a potential way of hiding a file from a standard Windows user. It is a feature of NTFS but is not something you normally encounter on a computer. It is not automatically the case that if you see ADS it is because of a suspect hiding data though. Forensic programs see right through files hidden using ADS of course. Simply put, ADS is where two physical files point to the same MFT record; the standard user only sees and accesses the file to which the MFT record actually belongs.

Many wiping tools leave some sort of clue behind that they have been used. Presumably the Norton tool is installed and the executable has been accessed since install. Does it have an ini file or data file in which it stores paths of locations it is meant to wipe? Are there zeroed-out MFT records in the middle of the MFT zone, as opposed to populated records but with the deleted marker? Do you find files with zeroed cluster slack in the 'user' areas of the disk but find data in the cluster slack of files elsewhere on the disk? Are there several user accounts and, if so, who has shortcuts to the wiping tool?

I would also do as Kern suggests and run some tests, create a clone of the original drive (or restore the image) and boot the original PC with your clone and see what the wiping tool does on startup, on closing programs, shutting down Windows etc.

Hope this helps as a starting place.

Steve

 
Posted : 24/07/2007 4:41 pm
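Steve's two MFT clues (zeroed-out records sitting among populated ones, and records that still carry a name but are flagged free) can be checked mechanically. The script below is an added example, not code from this thread or from any Norton product: it reads raw $MFT records, applies the NTFS update-sequence fixups, pulls the name out of each $FILE_NAME attribute and labels every record. The three-record MFT it scans is constructed inside the script; on a real image you would feed it the extracted $MFT file, and the 1024-byte record size is an assumption that should be read from the boot sector.

```python
import struct
RECORD_SIZE, FILE_NAME_ATTR, END_MARKER = 1024, 0x30, 0xFFFFFFFF

def make_record(name: str, in_use: bool) -> bytes:
    """Constructed 1 KiB FILE record: one resident $FILE_NAME plus a valid USA."""
    body = bytes(0x40) + bytes([len(name), 3]) + name.encode("utf-16-le")
    body += bytes(-len(body) % 8)  # attributes are 8-byte aligned
    attr = struct.pack("<IIBBHHHIHBB", FILE_NAME_ATTR, 0x18 + len(body),
                       0, 0, 0x18, 0, 0, len(body), 0x18, 0, 0) + body
    hdr = b"FILE" + struct.pack("<HHQHHHHII", 0x30, 3, 0, 1, 1, 0x38,
                                1 if in_use else 0, 0x38 + len(attr) + 8, RECORD_SIZE)
    rec = bytearray((hdr.ljust(0x38, b"\0") + attr
                     + struct.pack("<II", END_MARKER, 0)).ljust(RECORD_SIZE, b"\0"))
    rec[0x30:0x36] = b"\x01\x00" + rec[510:512] + rec[1022:1024]  # USN + saved bytes
    rec[510:512] = rec[1022:1024] = b"\x01\x00"                    # sector-end USN
    return bytes(rec)

def apply_fixups(rec: bytes) -> bytes:  # restore sector-end bytes from the USA
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    rec = bytearray(rec)
    for i in range(1, usa_cnt):
        rec[i * 512 - 2:i * 512] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def file_name_of(rec: bytes):  # name from the record's $FILE_NAME attribute, if any
    off = struct.unpack_from("<H", rec, 0x14)[0]
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == END_MARKER or alen == 0:
            return None
        if atype == FILE_NAME_ATTR:
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
            return body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le")
        off += alen
    return None

def classify(rec: bytes):
    if rec[:4] != b"FILE":  # no signature: an all-zero (wiped) or foreign record
        return ("zeroed" if not any(rec) else "unknown"), None
    rec = apply_fixups(rec)
    in_use = struct.unpack_from("<H", rec, 0x16)[0] & 1  # flags bit 0 = in use
    return ("in_use" if in_use else "deleted"), file_name_of(rec)

def scan_mft(data: bytes):  # zeroed records amid populated ones are the wiper artefact to flag
    return [(i, *classify(data[i * RECORD_SIZE:(i + 1) * RECORD_SIZE]))
            for i in range(len(data) // RECORD_SIZE)]

# Constructed sample: live file, wiped (zeroed) record, deleted-but-populated record.
SAMPLE_MFT = make_record("budget.xls", True) + bytes(RECORD_SIZE) + make_record("plan.doc", False)
```

Running `scan_mft` over a real $MFT and grouping the "zeroed" indices shows whether they cluster inside the populated region rather than at the tail of the file, which is the pattern Steve describes.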