Re: [sleuthkit-users] Examining RAID-5 with only 1 drive
From: Simson G. <si...@ac...> - 2006-11-19 23:22:18
On Nov 19, 2006, at 6:00 PM, DePriest, Jason R. wrote:

> I have been told by my boss that the lawyers say the FBI found
> evidence of file deletion on the drive.

That's a weird statement. What does it mean? That files were deleted? That files relevant to the case were deleted?

> My question is this: how can such evidence be found when the file
> system is not mountable? If there is not a recognized file system to
> provide the references and pointers to files and file names, how can
> you know what was deleted and what was still a file?

Depends on what the file system is. If it is FAT32, then the first character of filenames will be changed when they are deleted. You might recover directory entries even if the file system is not recoverable.

Or do they mean that they think there has been intentional running of a sanitization tool?

> I see large sections of the disk that are just 0x00, but that is
> normal for areas that have never been written to.

It's also normal for areas that have 0x00s in them. You will find a lot of them in file systems.

> Other areas have suspicious patterns such as 00 01 02 03 04 05 06 07
> 08 09 0a 0b 0c 0d 0e 0f 00, etc. I honestly don't know what would
> cause that naturally.

TIFF files. Data. Who knows?

> But since I cannot mount the drive and look at the file system
> directly, I can only make inferences.
>
> I imagine the disk was inside a Windows server, so the original file
> system was likely NTFS.

Why do you imagine this?

> Is there any way I can force any of the sleuthkit tools to see it as
> such and extract a real file list from it?
>
> Or am I completely out of luck? I cannot search for file names,
> only strings.
>
> What would be the best way to search for the MFT by strings alone?

Honestly, I think that you're going to need to bring in somebody who has more experience than you do at this sort of thing.
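The two searches the thread talks about, as an added example that is not from the post or from The Sleuth Kit: a small Python carver that walks a raw image in 32-byte steps looking for FAT 8.3 directory entries (flagging the 0xE5 first byte that marks a deleted entry, as Simson describes) and scans sector boundaries for the "FILE" signature that starts every NTFS MFT record. It covers both file systems rather than only FAT32, and the sample image, entry layout helper and names are constructed for the demonstration.

```python
import struct
from collections import namedtuple

DELETED = 0xE5        # FAT frees an entry by overwriting name[0] with 0xE5
LFN_ATTR = 0x0F       # long-filename entries carry no 8.3 name of their own
MFT_MAGIC = b"FILE"   # signature at the start of every NTFS MFT record
DirEntry = namedtuple("DirEntry", "offset name deleted attr first_cluster size")

def _plausible_name(raw: bytes) -> bool:
    # 8.3 names are space-padded printable ASCII without lowercase letters
    first = raw[0]
    if first in (0x00, 0x20) or (first != DELETED and not 0x21 <= first <= 0x7E):
        return False
    return all(0x20 <= b <= 0x7E and not 0x61 <= b <= 0x7A for b in raw[1:])

def carve_fat_entries(image: bytes) -> list:
    """Step through the image 32 bytes at a time and keep plausible FAT entries."""
    found = []
    for off in range(0, len(image) - 31, 32):
        e = image[off:off + 32]
        # attr may only use bits 0x01..0x20; byte 12 only the NT case flags 0x08/0x10
        if e[11] == LFN_ATTR or e[11] & 0xC0 or e[12] & 0xE7 or not _plausible_name(e[:11]):
            continue
        hi = struct.unpack_from("<H", e, 20)[0]
        lo, size = struct.unpack_from("<HI", e, 26)
        deleted = e[0] == DELETED     # name[0] is gone; '?' marks the lost character
        base = ("?" if deleted else chr(e[0])) + e[1:8].decode("ascii").rstrip()
        ext = e[8:11].decode("ascii").rstrip()
        name = f"{base}.{ext}" if ext else base
        found.append(DirEntry(off, name, deleted, e[11], (hi << 16) | lo, size))
    return found

def find_mft_records(image: bytes, step: int = 512) -> list:
    """Offsets of sector-aligned 'FILE' signatures, i.e. candidate NTFS MFT records."""
    return [off for off in range(0, len(image), step) if image[off:off + 4] == MFT_MAGIC]

def _entry(name: bytes, attr: int, cluster: int, size: int) -> bytes:
    # build a 32-byte directory entry for the constructed sample image below
    return (name.ljust(11, b" ") + bytes([attr, 0]) + b"\x00" * 7
            + struct.pack("<H", cluster >> 16) + b"\x00" * 4
            + struct.pack("<HI", cluster & 0xFFFF, size))

# constructed sample: a live entry, a deleted one, junk, then a "FILE" record at sector 1
SAMPLE = (b"\x00" * 64 + _entry(b"REPORT  DOC", 0x20, 0x12345, 4096)
          + _entry(b"\xE5UDGET  XLS", 0x20, 0x200, 1234) + b"\xff" * 32
          + b"\x00" * 352 + b"FILE0" + b"\x00" * 27)
```

The name heuristic is deliberately loose and will also match runs of printable data, so treat hits as candidates to verify by hand; on a single RAID-5 member, clusters referenced by an entry may sit on one of the other disks, so the first-cluster value tells you where to look only once the stripe layout is known.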