Missing Registry Files...?
Posted: Thu Feb 14, 2013 9:51 am
Good morning everyone (first post here),
I am working on a computer forensics case where the computer had two hard drives within it. I removed both from the system following protocol and imaged what was drive "A". When performing forensics on the image using FTK I noticed I could only pull the NTUSER and software hives, the system, sam, and security were not present on the drive. My first assumption was that they would be contained on drive "B", but when I tried to image drive "B" it couldn't be read... My write block wouldn't even detect the drive (I tried multiple write blocks and PCs).
Does anyone have thoughts, ideas, or answers pertaining to this?
Thanks for all your help!
Steve
-
sverronneau - Member
Re: Missing Registry Files...?
Posted: Thu Feb 14, 2013 10:48 am
- sverronneau: When performing forensics on the image using FTK I noticed I could only pull the NTUSER and software hives, the system, sam, and security were not present on the drive.
Welcome, first-time poster!
I had a hard time parsing the quoted sentence. What could you pull and what was not present? At some point in the sentence it switched; you might try replacing a comma with a semicolon.
Is it possible the drive you're able to access was at one point a boot drive, then was repurposed as a data drive? This sometimes happens when a system is upgraded or when Windows becomes so unstable that the user replaces the system drive but keeps the original for the data. Can you make that determination? What else about the OS was present or missing?
_________________
Scott Tucker
Aptegra Consulting, LLC
www.aptegra.com
-
TuckerHST - Senior Member
Re: Missing Registry Files...?
Posted: Thu Feb 14, 2013 11:00 am
- sverronneau: I am working on a computer forensics case where the computer had two hard drives within it. I removed both from the system following protocol and imaged what was drive "A". When performing forensics on the image using FTK I noticed I could only pull the NTUSER and software hives, the system, sam, and security were not present on the drive. My first assumption was that they would be contained on drive "B", but when I tried to image drive "B" it couldn't be read... My write block wouldn't even detect the drive (I tried multiple write blocks and PCs).
Does anyone have thoughts, ideas, or answers pertaining to this?
Steve,
What was the OS installed on the system? What was the nature of drive A? Is/was it the system drive?
What steps did you use to attempt to retrieve the Registry hives in question? Where did you find the ones you were able to retrieve, and where did you look for the ones you were not able to retrieve?
-
keydet89 - Senior Member
Re: Missing Registry Files...?
Posted: Thu Feb 14, 2013 11:01 am
Thanks for the reply!
To clarify, I was able to pull the NTUSER and software hives. The sam, security, and system hives were not present.
It is possible that the drive is just a data drive. The OS was updated in 2010 by a user, but I am not sure that this client added the second drive because of an unstable OS; I will email the Attorney to double check this theory.
In regard to any other missing information... I cannot determine that anything else is missing.
Any further thoughts as to why the second drive, the "B" drive, cannot be detected by my machine?
Thanks!
-
sverronneau - Member
Re: Missing Registry Files...?
Posted: Thu Feb 14, 2013 11:06 am
Is the "B" drive spinning up? If so, is it making any strange noises - clicking or a noise similar to a ping pong ball bouncing?
It could also be that the controller card on the drive has died.
If you can get an identical working drive and swap the controller cards over, this may sort the problem out.
-
Chris55728 - Member
Re: Missing Registry Files...?
Posted: Thu Feb 14, 2013 2:33 pm
The OS is Windows XP. I am assuming that the "A" drive is the system drive. I found them in FTK by plating the whole evidence file and filtering by Registry Files.
The "B" drive does spin up and sounds good.
-
sverronneau - Member
Re: Missing Registry Files...?
Posted: Thu Feb 14, 2013 3:15 pm
- sverronneau: The OS is Windows XP. I am assuming that the "A" drive is the system drive. I found them in FTK by plating the whole evidence file and filtering by Registry Files.
The "B" drive does spin up and sounds good.
It is not a good idea to make assumptions in this profession.
Create a theory, and test it.
A drive might have previously been a system drive; how would you test that?
Or, it might have gotten hit by malware; how would you test that?
Don't assume.
-
twjolson - Senior Member
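TuckerHST asked whether drive A could once have been a boot drive that was later repurposed for data, and twjolson's point is to test that rather than assume it. As an added example (not code from this thread or from any of its posters), the Python script below walks the root of a mounted XP-era volume image and reports which machine hives sit in \WINDOWS\system32\config, which profiles carry an NTUSER.DAT, which boot files exist at the root, and whether System Restore snapshots still hold older copies of missing hives. The sample tree it builds is constructed to resemble Steve's drive A (SOFTWARE and DEFAULT present, SAM/SECURITY/SYSTEM absent); the function names and verdict wording are assumptions of this example.

```python
import tempfile
from pathlib import Path

# Machine hives Windows XP keeps under \WINDOWS\system32\config
MACHINE_HIVES = ("SAM", "SECURITY", "SYSTEM", "SOFTWARE", "DEFAULT")
# Root-level files a volume that Windows XP actually booted from carries
BOOT_ARTIFACTS = ("boot.ini", "ntldr", "NTDETECT.COM", "pagefile.sys")


def _child(directory, name):
    """Case-insensitive child lookup; paths in an NTFS image may be in any case."""
    if directory is None or not directory.is_dir():
        return None
    for entry in directory.iterdir():
        if entry.name.lower() == name.lower():
            return entry
    return None


def assess_volume(root):
    """Report which hives and boot artifacts a mounted volume root carries."""
    root = Path(root)
    report = {"hives_present": [], "hives_missing": [], "ntuser_hives": [],
              "boot_artifacts": [], "restore_point_hives": [], "verdict": ""}

    windows = _child(root, "WINDOWS") or _child(root, "WINNT")
    config = _child(_child(windows, "system32"), "config")
    for hive in MACHINE_HIVES:
        bucket = "hives_present" if _child(config, hive) else "hives_missing"
        report[bucket].append(hive)

    # Per-user hives live in each profile directory, not in config
    profiles = _child(root, "Documents and Settings")
    if profiles:
        for profile in profiles.iterdir():
            if profile.is_dir() and _child(profile, "NTUSER.DAT"):
                report["ntuser_hives"].append(profile.name)

    report["boot_artifacts"] = [f for f in BOOT_ARTIFACTS if _child(root, f)]

    # XP System Restore keeps hive copies under
    # System Volume Information\_restore{GUID}\RPnnn\snapshot\_REGISTRY_MACHINE_*
    svi = _child(root, "System Volume Information")
    if svi:
        for path in svi.glob("_restore*/RP*/snapshot/_REGISTRY_MACHINE_*"):
            report["restore_point_hives"].append(str(path.relative_to(root)))

    if windows is None:
        report["verdict"] = "no Windows directory: data volume"
    elif not report["hives_missing"] and report["boot_artifacts"]:
        report["verdict"] = "system volume: full hive set and boot files present"
    elif {"SAM", "SECURITY", "SYSTEM"} & set(report["hives_missing"]):
        report["verdict"] = ("Windows directory present but SAM/SECURITY/SYSTEM absent: "
                             "partial or repurposed install, check restore points")
    else:
        report["verdict"] = "hives present but no boot files: likely never booted from here"
    return report


def build_sample_volume(kind="partial"):
    """Constructed sample tree (not real evidence) mirroring the thread's drive A."""
    root = Path(tempfile.mkdtemp(prefix="xpvol_"))
    config = root / "WINDOWS" / "system32" / "config"
    config.mkdir(parents=True)
    present = MACHINE_HIVES if kind == "system" else ("SOFTWARE", "DEFAULT")
    for hive in present:
        (config / hive).write_bytes(b"regf")  # real hive files start with 'regf'
    (root / "Documents and Settings" / "Steve").mkdir(parents=True)
    (root / "Documents and Settings" / "Steve" / "NTUSER.DAT").write_bytes(b"regf")
    if kind == "system":
        for f in BOOT_ARTIFACTS:
            (root / f).write_bytes(b"")
    snapshot = root / "System Volume Information" / "_restore{0000}" / "RP12" / "snapshot"
    snapshot.mkdir(parents=True)
    (snapshot / "_REGISTRY_MACHINE_SYSTEM").write_bytes(b"regf")
    return root


if __name__ == "__main__":
    for kind in ("partial", "system"):
        for key, value in assess_volume(build_sample_volume(kind)).items():
            print(f"{kind}: {key} = {value}")
```

Run it against the root of a mounted image instead of the sample tree to get the same report for a real volume. A missing hive in config with a copy in a restore point snapshot is a strong hint that the volume was once a system drive, and the snapshot copy is also the place to look for the hive contents FTK could not find.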