Free space filled with E5 hex

(@fraudit)
Posts: 72
Trusted Member
Topic starter
 

I need some advice as I'm working on some evidence where the whole free space on a FAT16 partition is filled in with hex value E5.

Of course I know the value itself as a deleted item marker but honestly it's the first time I've come across "a forest" of E5s on the drive… 😉 I have certainly not seen much yet, but…

Can you provide me with any comments on that? Does such situation have any special meaning?

I've suspected some wiping software have been used but I guess it'd rather fill the space with zeros or pseudo-random characters. But maybe there are some patterns that use E5.

 
Posted : 10/09/2013 9:46 pm
PaulSanderson
(@paulsanderson)
Posts: 651
Honorable Member
 

E5 used to be referred to as format pattern and was common on floppies etc.

 
Posted : 10/09/2013 10:05 pm
(@fraudit)
Posts: 72
Trusted Member
Topic starter
 

Thank you! Then - can I assume the drive was simply empty / just formatted? Or is this assumption going too far?

 
Posted : 10/09/2013 10:32 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Your assumption may be going too far…from
http://www.beginningtoseethelight.org/fat16/index.htm

"…if the entry is deleted the first byte is changed to e5."

This FAT16 partition is located…where? Is there an OS associated with it somehow? For example, is the FAT16 partition from a thumb drive, and can you tie the thumb drive to a specific system? Or, is this a separate partition on a system? What I'm getting at is, is there an OS you can analyze for user activity in order to determine if a user ran a wiping tool?

 
Posted : 10/09/2013 10:41 pm
(@fraudit)
Posts: 72
Trusted Member
Topic starter
 

It's a hard drive with extended partitions. There are three partitions, one primary and two extended, all with FAT 16. In fact it's an ancient Win98 system )

There are remnants of BCWipePD having been used, but I'm not sure whether it had such an overwriting scheme implemented.

Yes, I'm fully aware of "standard" single E5 meaning, I'm just confused by the number of those hex values I see. )

 
Posted : 10/09/2013 10:45 pm
PaulSanderson
(@paulsanderson)
Posts: 651
Honorable Member
 

I'm getting old - in a flash, well sort of dull glow - of memory I remembered that 0xF6 was format pattern. So ignore my last post oops

 
Posted : 10/09/2013 11:45 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

I'm getting old - in a flash, well sort of dull glow - of memory I remembered that 0xF6 was format pattern. So ignore my last post oops

Oww, come on, don't be so hard with yourself. )

The bad news is that you are so old ;) that you remember 8" floppies and CPM! 😯
http://en.wikipedia.org/wiki/Talk%3ADisk_formatting

For example, 8-inch CP/M floppies typically came pre-formatted with a format filler value of E5h, this was also implemented in Digital Research formatting tools, and thereby this value also found its way to Atari ST and some Amstrad/Schneider formatted FAT media. Amstrad also used a format filler value of F4h.

Just for the record, the F6 was used mostly on floppy, with the noticeable exception of FDISK under Win98
http://www.forensicfocus.com/Forums/viewtopic/p=6560078/#6560078

jaclaz

 
Posted : 11/09/2013 12:47 am
(@fraudit)
Posts: 72
Trusted Member
Topic starter
 

I've managed to find some relevant information in the Tableau TD3 (and earlier) manual - see here.

It says
When performing a Blank Check, the TD3 reads sectors in the Master Boot Record, the Primary GPT, and the Secondary GPT. A sector is considered to be blank if it contains only a repeating pattern such as 00h, E5h, or FFh. Any non-repeating pattern is considered to be non-blank. If all sectors read by the TD3 have repeating patterns (though not necessarily the same repeating pattern), the TD3 concludes the drive may be blank.
However, I still cannot say whether in my case it simply means the drive was empty and was only partially written…

 
Posted : 11/09/2013 1:07 am
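A small scanner implementing the blank-check idea quoted from the Tableau manual above, written here as an added example (it is not part of the thread, nor Tableau's or BCWipe's code): it tallies which fill byte each sector of an image or free-space extract carries, so a wholesale E5 filler can be told apart from the single E5 that marks a deleted FAT directory entry. The sample bytes at the bottom are constructed.

```python
from collections import Counter

SECTOR_SIZE = 512


def classify_sector(sector: bytes):
    """Return the fill byte if the sector is one repeating byte value
    (blank in the Tableau sense), otherwise None (non-blank)."""
    if not sector:
        return None
    first = sector[0]
    return first if sector.count(first) == len(sector) else None


def is_deleted_dir_entry(entry: bytes) -> bool:
    """A 32-byte FAT directory entry whose first byte is E5 but whose
    remaining bytes are not all E5: a deleted entry, not filler."""
    return len(entry) == 32 and entry[0] == 0xE5 and entry.count(0xE5) != 32


def scan_image(data: bytes, sector_size: int = SECTOR_SIZE) -> dict:
    """Walk the data sector by sector and tally fill patterns."""
    fills = Counter()
    non_blank = 0
    total = 0
    for off in range(0, len(data), sector_size):
        total += 1
        fill = classify_sector(data[off:off + sector_size])
        if fill is None:
            non_blank += 1
        else:
            fills[fill] += 1
    return {"sectors": total, "non_blank": non_blank, "fills": dict(fills)}


def describe(summary: dict) -> str:
    lines = [f"{summary['sectors']} sectors, {summary['non_blank']} non-blank"]
    for byte, n in sorted(summary["fills"].items(), key=lambda kv: -kv[1]):
        lines.append(f"  {byte:02X}h fill: {n} sectors")
    return "\n".join(lines)


# Constructed sample: four E5-filled sectors, one zeroed sector, and one
# sector holding a deleted 8.3 entry (E5 + "LDFILE TXT", archive attribute).
DELETED_ENTRY = b"\xE5LDFILE TXT" + b"\x20" + bytes(20)
SAMPLE = (b"\xE5" * SECTOR_SIZE * 4 + b"\x00" * SECTOR_SIZE
          + DELETED_ENTRY + b"\x00" * (SECTOR_SIZE - 32))

if __name__ == "__main__":
    print(describe(scan_image(SAMPLE)))
```

Point it at a free-space extract from the FAT16 partitions to see whether the E5 sectors dominate (a filler) or sit only where directory clusters were (deleted entries).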
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

However, I still cannot say whether in my case it simply means the drive was empty and was only partially written…

Well, actually it's worse than that 😯 , usually "brand new" disks are filled with zeroes (and not E5 and not FF) and no one seems to remember a "common" tool that uses not 00's.

jaclaz

 
Posted : 11/09/2013 1:17 am
(@fraudit)
Posts: 72
Trusted Member
Topic starter
 

Yep… ? Well, I just may write in my report about free space with no details, but it somehow bothers me…

 
Posted : 11/09/2013 1:20 am