Re: [sleuthkit-users] Examining RAID-5 with only 1 drive
From: DePriest, J. R. <jrd...@gm...> - 2006-11-19 23:36:36
On 11/19/06, Simson Garfinkel wrote:
>
> On Nov 19, 2006, at 6:00 PM, DePriest, Jason R. wrote:
>
> > I have been told by my boss that the lawyers say the FBI found
> > evidence of file deletion on the drive.
>
> That's a weird statement. What does it mean? That files were deleted?
> That files relevant to the case were deleted?

The statement is that relevant files were deleted and that there is evidence of this on the drive I am looking at. The lawyer does not want to give us too many details. She thinks it will damage our impartiality.

What I have been told: source code files were copied from a remote site to the server this drive was on. The source code was sent to various other 3rd parties. The source code was deleted from the server.

I have been asked: prove it or disprove it.

Any other questions about what the code was for or what language it was in or where it was copied from or where it was sent to have met with no answers.

> > My question is this: how can such evidence be found when the file
> > system is not mountable? If there is not a recognized file system to
> > provide the references and pointers to files and file names, how can
> > you know what was deleted and what was still a file?
>
> Depends on what the file system is. If it is FAT32, then the first
> character of filenames will be changed when they are deleted. You
> might recover directory entries even if the file system is not
> recoverable.
>
> Or do they mean that they think there has been intentional running of
> a sanitization tool?

This was not clarified. The only person I get information from is my manager who gets information from the lawyer.

> > I see large sections of the disk that are just 0x00, but that is
> > normal for areas that have never been written to.
>
> It's also normal for areas that have 0x00s in them. You will find a
> lot of them in file systems.
>
> > Other areas have suspicious patterns such as 00 01 02 03 04 05 06 07
> > 08 09 0a 0b 0c 0d 0e 0f 00, etc. I honestly don't know what would
> > cause that naturally.
>
> TIFF files. Data. Who knows?
>
> > But since I cannot mount the drive and look at the file system
> > directly, I can only make inferences.
> >
> > I imagine the disk was inside a Windows server, so the original file
> > system was likely NTFS.
>
> Why do you imagine this?

This is from a company server and 95% of our servers run a Windows OS.

> > Is there any way I can force any of the sleuthkit tools to see it as
> > such and extract a real file list from it?
> >
> > Or am I completely out of luck? I cannot search for file names,
> > only strings.
> >
> > What would be the best way to search for the MFT by strings alone?
>
> Honestly, I think that you're going to need to bring in somebody who
> has more experience than you do at this sort of thing.

That's what my boss said, but another manager-type in my department assured the lawyers and law enforcement that we could do whatever they wanted before my boss even knew about the case or the work needed.

-Jason
--
+ + + NO CARRIER
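Added example (not from this thread or from The Sleuth Kit) of the approach the last question circles around: locating MFT entries by their "FILE" signature on a raw image that has no mountable file system, reading the in-use flag that separates live from deleted entries, and pulling the name out of $FILE_NAME. The sample image, the record builder and the simplified treatment of update-sequence fixups are my own constructions.

```python
import struct

FILE_NAME_ATTR = 0x30       # $FILE_NAME attribute type
END_MARKER = 0xFFFFFFFF     # terminates an entry's attribute list
RECORD_SIZE = 1024          # MFT entry size on almost every NTFS volume

def build_mft_record(name: str, in_use: bool) -> bytes:
    """Constructed minimal MFT entry: header + one resident $FILE_NAME + end marker."""
    fn_body = b"\x00" * 0x40 + bytes([len(name), 1]) + name.encode("utf-16-le")
    attr_len = (24 + len(fn_body) + 7) & ~7          # attribute records are 8-byte aligned
    attr = struct.pack("<IIBBHHHIHH", FILE_NAME_ATTR, attr_len, 0, 0, 0, 0, 0,
                       len(fn_body), 24, 0) + fn_body
    # header: usa offset/count, LSN, sequence, hard links, first-attr offset, flags, sizes
    hdr = b"FILE" + struct.pack("<HHQHHHHII", 0x30, 3, 0, 1, 1, 0x38,
                                0x01 if in_use else 0x00, 0, RECORD_SIZE)
    body = hdr.ljust(0x38, b"\x00") + attr.ljust(attr_len, b"\x00")
    return (body + struct.pack("<I", END_MARKER)).ljust(RECORD_SIZE, b"\x00")

def parse_file_name(record: bytes):
    """Walk the attribute list and return the name from the first resident $FILE_NAME."""
    off = struct.unpack_from("<H", record, 20)[0]
    while off + 8 <= len(record):
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == END_MARKER or alen == 0:
            break
        if atype == FILE_NAME_ATTR and record[off + 8] == 0:     # resident attribute
            vlen, voff = struct.unpack_from("<IH", record, off + 16)
            body = record[off + voff:off + voff + vlen]
            return body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le", "replace")
        off += alen
    return None

def carve_mft_records(image: bytes):
    """Return (offset, in_use, name) for each 'FILE' record on a 512-byte grid. Sector rather
    than 1024-byte steps because on a lone RAID-5 member nothing guarantees even alignment.
    Real entries also need update-sequence fixups applied before trusting bytes past the
    first sector; $FILE_NAME normally sits in the first sector, so this carver ignores them."""
    hits = []
    for off in range(0, len(image) - RECORD_SIZE + 1, 512):
        rec = image[off:off + RECORD_SIZE]
        if rec[:4] != b"FILE":
            continue
        flags = struct.unpack_from("<H", rec, 22)[0]
        hits.append((off, bool(flags & 0x01), parse_file_name(rec)))    # 0x01 = in use
    return hits

# Constructed sample image: unallocated zeros, a live entry, the 00 01 02 ... run seen in the
# thread, then an entry whose in-use flag is clear (how a deleted file looks in the MFT).
SAMPLE_IMAGE = (b"\x00" * 1536 + build_mft_record("notes.txt", True)
                + bytes(range(256)) * 2 + build_mft_record("source.c", False) + b"\x00" * 1024)
```

Entries found this way are leads, not proof: a cleared in-use flag says the entry was released, and the name in it can still be a stale reuse of the slot, so each hit should be tied back to its data run and timestamps before it goes into a report.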