Help recognising a file system please...

(@mctriv)
Posts: 5
Active Member
Topic starter
 

I have a HDD to examine which I think is encrypted. (?) Encase doesn't recognise it, FTK doesn't, when mounted it comes up as 'unrecognised file system'.

One particular chunk of text repeats throughout when you look at the 'unused disk area' that Encase shows in text view which is 'ŠsaP·|ãFÈÝkJ'. I have googled this and cannot find anything that helps. Hex version is \8A \73 \61 \50 \05 \8D \E3 \46 \C8 \DD \6B \4A

I have used Nevis (but don't really know what I'm doing) which can see partitions but can't tell me any more.

I have also thrown IEF Encrypted disk detector at it (when mounted in FTK) which found three partitions which were possibly encrypted or had damaged MBR.

At no point has any software I've used given me the opportunity to enter a password.

I've not seen anything like this before so am curious to know whether it's definitely encrypted or whether I'm being an idiot and missing something obvious!

Thanks in advance.

 
Posted : 15/08/2016 6:57 pm
passcodeunlock
(@passcodeunlock)
Posts: 792
Prominent Member
 

Please post the hex header of the disk. Can you give details of where this disk is from?

It could be an encrypted drive, but it could also be a closed format for DVR/NVR CCTV recordings, where you see some codec header repeating.

 
Posted : 15/08/2016 7:27 pm
(@mctriv)
Posts: 5
Active Member
Topic starter
 

Header reads

·ˆé)ŠsaP·|ãFÈÝkJ

in text view or

14 88 E9 29 8A 73 61 50 05 8D E3 46 C8 DD 6B 4A

and that then repeats throughout the file.

And no I can't say where it's from.

Thanks.

 
Posted : 15/08/2016 7:40 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

> And no I can't say where it's from.

The question does not open the possibility of breaking privacy or confidentiality.

It's not "where it's from" in the sense of anything "personal", more like is it from
1) a PC (if yes laptop or desktop)
2) a DVR
3) another device

As well, another couple of questions not compromising anything are:
Is it MBR or GPT style partitioned?
Was it used as a boot device or only for data storage?

Please also do not confuse the disk (the whole thing) with the partitions or volumes on it, in any case in the context of a disk or of a partition/volume the term "header" is meaningless, a disk is a "block device" and thus the minimum unit that needs to be analyzed is a "block" or "sector" usually 512 bytes in size (more rarely but nonetheless possible nowadays 4096 bytes).

jaclaz

 
Posted : 15/08/2016 8:43 pm
(@mscotgrove)
Posts: 938
Prominent Member
 

I have seen a lot of WD drives from a WD enclosure (e.g. myBook, but I am not sure which model) that uses encryption.

The encryption is controlled by the USB interface card, and may be unique for each drive enclosure.

Typical features are that blank data appears as the same 16 byte block of data. One can sometimes recognise the type of disk by seeing blank 16 byte rows of data.

It can be read by putting it back into the original case, or I gather PC3000 has tools to assist. You may find a key near the end of the disk. The final section of the disk is not encrypted.

What you have described could be consistent with this. Only personally seen on 3.5" drives.

 
Posted : 15/08/2016 10:49 pm
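
Added example (not part of the original thread or any poster's code): a Python triage pass over a raw image that measures the symptom described in the post above, whole sectors filled with one repeated non-zero 16-byte block, and checks sector 0 for the 0x55AA boot signature. The 512-byte sector size, the function names and the embedded sample image are assumptions made for illustration; the sample pattern is the 16 bytes posted earlier in the thread.

```python
import hashlib
import io
import sys
from collections import Counter

SECTOR = 512  # sector size assumed, per the thread (4096 is also possible)
BLOCK = 16    # width of the repeating pattern reported in the thread

def triage(stream, max_sectors=200_000):
    """Count 16-byte block repetition over the first max_sectors sectors."""
    blocks, first = Counter(), None
    sectors = uniform = zero = 0
    while sectors < max_sectors:
        sec = stream.read(SECTOR)
        if len(sec) < SECTOR:
            break
        first = sec if first is None else first
        sectors += 1
        chunks = [sec[i:i + BLOCK] for i in range(0, SECTOR, BLOCK)]
        blocks.update(chunks)
        if len(set(chunks)) == 1:        # sector is one block repeated 32 times
            if chunks[0] == bytes(BLOCK):
                zero += 1                # plain zero fill
            else:
                uniform += 1             # constant non-zero fill
    top, count = blocks.most_common(1)[0] if blocks else (b"", 0)
    total = sectors * (SECTOR // BLOCK)
    return {
        "sectors": sectors,
        "mbr_signature": first is not None and first[510:512] == b"\x55\xaa",
        "uniform_nonzero_sectors": uniform,
        "zero_sectors": zero,
        "top_block": top.hex(" "),
        "top_block_share": count / total if total else 0.0,
    }

def constructed_image():
    """Constructed sample: 60 sectors of the posted pattern, 4 of varied data."""
    pattern = bytes.fromhex("14 88 E9 29 8A 73 61 50 05 8D E3 46 C8 DD 6B 4A")
    varied = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
    return io.BytesIO(pattern * 32 * 60 + varied)

if __name__ == "__main__":
    # Pass a path to a raw image; with no argument the constructed sample is used.
    src = open(sys.argv[1], "rb") if len(sys.argv) > 1 else constructed_image()
    for key, value in triage(src).items():
        print(f"{key}: {value}")
```

A large share for a single non-zero block, together with no boot signature in sector 0, matches the symptom the posts describe; it does not by itself identify the device or the scheme. Run it against a working copy of the image, not the original evidence.
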
passcodeunlock
(@passcodeunlock)
Posts: 792
Prominent Member
 

I asked for the disk header because some CCTV related DVR/NVR recorders use raw disk for saving data. Even if there isn't any kind of encryption, since we don't know the exact structure for storing data, the disk might look encrypted.

@jaclaz thanks for clarifying my previous "where is from" question!

 
Posted : 16/08/2016 12:42 am
(@mscotgrove)
Posts: 938
Prominent Member
 

> I asked for the disk header because some CCTV related DVR/NVR recorders use raw disk for saving data. Even if there isn't any kind of encryption, since we don't know the exact structure for storing data, the disk might look encrypted.

Raw data would not be such a repeating pattern

 
Posted : 16/08/2016 2:44 am
Chris_Ed
(@chris_ed)
Posts: 314
Reputable Member
 

> I have used Nevis (but don't really know what I'm doing) which can see partitions but can't tell me any more.
>
> I have also thrown IEF Encrypted disk detector at it (when mounted in FTK) which found three partitions which were possibly encrypted or had damaged MBR.

Do these partitions seem legitimate? Are they possible in terms of partition size and/or starting sector?
I ask this because some software will attempt to build partitions assuming the partition table is intact, when in fact this might be encrypted too.

Can you post the first sector / MBR in its entirety? Or is it all just that repeated series?

I second what mscotgrove said as well - if it's from a USB enclosure, try replacing it into the enclosure then connecting via USB mount blocker.

 
Posted : 16/08/2016 12:00 pm
(@mctriv)
Posts: 5
Active Member
Topic starter
 

Hi thanks for all of your responses.

First of all, to clarify, the HDD (it's ok, I know about partitions and volumes, I got that far), the drive was seized on its own, not near any device, just a drive, nothing else.

It's 40GB so it's not huge and there is no recognisable MBR structure.

As for whether the partitions seem legitimate, I'm not sure how I would know from the data I can see? The only reason I think partitions are present is because Nevis and EDD said so!

 
Posted : 16/08/2016 1:35 pm
passcodeunlock
(@passcodeunlock)
Posts: 792
Prominent Member
 

> > I asked for the disk header because some CCTV related DVR/NVR recorders use raw disk for saving data. Even if there isn't any kind of encryption, since we don't know the exact structure for storing data, the disk might look encrypted.
>
> Raw data would not be such a repeating pattern

Can you explain a bit why not? I had a hard disk from a CCTV DVR which was initialized under Windows (by a novice user) and later on the whole data recovery was made based on the repeating H.264 codec signatures, which were repeating.

Since it is off-topic to the OP, if you got time, please PM me your opinions, I'd be happy to know them.

 
Posted : 16/08/2016 1:37 pm