I need some advice as I'm working on some evidence where the whole free space on a FAT16 partition is filled in with hex value E5.
Of course I know the value itself as a deleted item marker but honestly it's the first time I've come across "a forest" of E5s on the drive… 😉 I have certainly not seen much yet, but…
Can you provide me with any comments on that? Does such situation have any special meaning?
I've suspected some wiping software has been used, but I guess it'd rather fill the space with zeros or pseudo-random characters. But maybe there are some patterns that use E5.
E5 used to be referred to as format pattern and was common on floppies etc.
Thank you! Then - can I assume the drive was simply empty / just formatted? Or is this assumption going too far?
Your assumption may be going too far…from
"…if the entry is deleted the first byte is changed to e5."
This FAT16 partition is located…where? Is there an OS associated with it somehow? For example, is the FAT16 partition from a thumb drive, and can you tie the thumb drive to a specific system? Or, is this a separate partition on a system? What I'm getting at is, is there an OS you can analyze for user activity in order to determine if a user ran a wiping tool?
It's a hard drive with extended partitions. There are three partitions, one primary and two extended, all with FAT16. In fact it's an ancient Win98 system )
There are remnants of BCWipePD to be used but I'm not sure whether it had such overwriting scheme implemented.
Yes, I'm fully aware of "standard" single E5 meaning, I'm just confused by the number of those hex values I see. )
I'm getting old - in a flash, well sort of dull glow - of memory I remembered that 0xF6 was format pattern. So ignore my last post oops
Oww, come on, don't be so hard with yourself. )
The bad news is that you are so old that you remember 8" floppies and CP/M! 😯
"For example, 8-inch CP/M floppies typically came pre-formatted with a format filler value of E5h; this was also implemented in Digital Research formatting tools, and thereby this value also found its way to Atari ST and some Amstrad/Schneider formatted FAT media. Amstrad also used a format filler value of F4h."
Just for the record, the F6 was used mostly on floppy, with the noticeable exception of FDISK under Win98
http://www.forensicfocus.com/Forums/viewtopic/p=6560078/#6560078
jaclaz
I've managed to find some relevant information in the Tableau TD3 (and earlier) manual - see
It says: "When performing a Blank Check, the TD3 reads sectors in the Master Boot Record, the Primary GPT, and the Secondary GPT. A sector is considered to be blank if it contains only a repeating pattern such as 00h, E5h, or FFh. Any non-repeating pattern is considered to be non-blank. If all sectors read by the TD3 have repeating patterns (though not necessarily the same repeating pattern), the TD3 concludes the drive may be blank."
However, I still cannot say whether in my case it simply means the drive was empty and was only partially written…
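The "repeating pattern" blank check quoted above, written out as a small script so an examiner can tally how much of an image is 00h/E5h/FFh fill versus real data. This is an added example, not code from the thread or from Tableau; the sample image and the `fill_byte`, `blank_check` and `deleted_entry_count` names are constructed for illustration.

```python
"""Classify the sectors of a raw disk image by fill pattern (added example).

Implements the rule from the quoted TD3 manual text: a sector is "blank" if it
is one repeated byte value; a drive "may be blank" only if every sector is.
"""
from collections import Counter

SECTOR = 512  # assumed sector size for the sample image


def fill_byte(sector: bytes):
    """Return the fill byte if the sector is a single repeated value, else None."""
    if not sector:
        return None
    first = sector[0]
    return first if sector == bytes([first]) * len(sector) else None


def blank_check(image: bytes, sector_size: int = SECTOR) -> dict:
    """Count sectors per fill byte; the 'data' key counts non-repeating sectors."""
    counts = Counter()
    for off in range(0, len(image), sector_size):
        b = fill_byte(image[off:off + sector_size])
        counts["data" if b is None else f"0x{b:02X}"] += 1
    return dict(counts)


def may_be_blank(image: bytes, sector_size: int = SECTOR) -> bool:
    """TD3 rule: all sectors repeating (not necessarily the same byte) -> maybe blank."""
    return "data" not in blank_check(image, sector_size)


def deleted_entry_count(sector: bytes) -> int:
    """Count 32-byte FAT directory slots whose first byte is E5h (deleted marker).

    An E5-filled sector parses as 16 'deleted' entries, which is why a fill
    pattern and the deletion marker are easy to confuse when browsing hex."""
    return sum(1 for off in range(0, len(sector), 32) if sector[off] == 0xE5)


# Constructed sample image (not real evidence): three E5-filled sectors, one
# zero-filled sector, and one sector holding a single deleted 8.3 entry.
DELETED_ENTRY = b"\xE5ILE    TXT" + b"\x20" + b"\x00" * 20  # 32-byte entry
SAMPLE = (b"\xE5" * SECTOR) * 3 + b"\x00" * SECTOR \
         + DELETED_ENTRY + b"\x00" * (SECTOR - len(DELETED_ENTRY))

if __name__ == "__main__":
    print(blank_check(SAMPLE))   # {'0xE5': 3, '0x00': 1, 'data': 1}
    print(may_be_blank(SAMPLE))  # False
```

Run it against a real image with `blank_check(open(path, "rb").read())`; a large `0xE5` count alongside `data` sectors shows fill, not deletion, since deleted entries only flip one byte per 32-byte slot.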
Well, actually it's worse than that 😯 , usually "brand new" disks are filled with zeroes (and not E5 and not FF) and no one seems to remember a "common" tool that uses anything other than 00s.
jaclaz
Yep… ? Well, I just may write in my report about free space with no details, but it somehow bothers me…