Free space filled with E5 hex


fraudit
Senior Member
 

Free space filled with E5 hex

Posted: Sep 10, 13 21:46

I need some advice as I'm working on some evidence where the whole free space on a FAT16 partition is filled in with hex value E5.

Of course I know the value itself as a deleted item marker but honestly it's the first time I've come across "a forest" of E5s on the drive... I have certainly not seen much yet, but...

Can you provide me with any comments on that? Does such situation have any special meaning?

I've suspected some wiping software has been used but I guess it'd rather fill the space with zeros or pseudo-random characters. But maybe there are some patterns that use E5.
 
  

PaulSanderson
Senior Member
 

Re: Free space filled with E5 hex

Posted: Sep 10, 13 22:05

E5 used to be referred to as format pattern and was common on floppies etc.
_________________
Paul Sanderson
SQLite Forensics Book
www.amazon.com/SQLite-...entries*=0

Forensic Toolkit for SQLite
sandersonforensics.com...for-SQLite 
 
  

fraudit
Senior Member
 

Re: Free space filled with E5 hex

Posted: Sep 10, 13 22:32

Thank you! Then - can I assume the drive was simply empty / just formatted? Or is this assumption going too far?  
 
  

keydet89
Senior Member
 

Re: Free space filled with E5 hex

Posted: Sep 10, 13 22:41

Your assumption may be going too far...from:
www.beginningtoseethel.../index.htm

"...if the entry is deleted the first byte is changed to e5."

This FAT16 partition is located...where? Is there an OS associated with it somehow? For example, is the FAT16 partition from a thumb drive, and can you tie the thumb drive to a specific system? Or, is this a separate partition on a system? What I'm getting at is, is there an OS you can analyze for user activity in order to determine if a user ran a wiping tool?  
 
  

fraudit
Senior Member
 

Re: Free space filled with E5 hex

Posted: Sep 10, 13 22:45

It's a hard drive with extended partitions. There are three partitions, one primary and two extended, all with FAT16. In fact it's an ancient Win98 system.

There are remnants of BCWipePD being used but I'm not sure whether it had such an overwriting scheme implemented.

Yes, I'm fully aware of the "standard" single E5 meaning, I'm just confused by the number of those hex values I see.
 
  

PaulSanderson
Senior Member
 

Re: Free space filled with E5 hex

Posted: Sep 10, 13 23:45

I'm getting old - in a flash, well sort of dull glow - of memory I remembered that 0xF6 was format pattern. So ignore my last post.
_________________
Paul Sanderson
SQLite Forensics Book
www.amazon.com/SQLite-...entries*=0

Forensic Toolkit for SQLite
sandersonforensics.com...for-SQLite 
 
  

jaclaz
Senior Member
 

Re: Free space filled with E5 hex

Posted: Sep 11, 13 00:47

- PaulSanderson wrote:
I'm getting old - in a flash, well sort of dull glow - of memory I remembered that 0xF6 was format pattern. So ignore my last post.


Oww, come on, don't be so hard on yourself.

The bad news is that you are so old that you remember 8" floppies and CP/M!
en.wikipedia.org/wiki/...formatting
"For example, 8-inch CP/M floppies typically came pre-formatted with a format filler value of E5h, this was also implemented in Digital Research formatting tools, and thereby this value also found its way to Atari ST and some Amstrad/Schneider formatted FAT media. Amstrad also used a format filler value of F4h."

Just for the record, the F6 was used mostly on floppies, with the notable exception of FDISK under Win98:
www.forensicfocus.com/...8/#6560078

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
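The thread contrasts the single 0xE5 that marks a deleted directory entry with whole free clusters filled with E5h, F6h or another filler. As an added example, not code from any poster, this Python script builds a small constructed FAT16 image and reports both: which byte value (if any) fills each free cluster, and which root directory entries carry the deleted marker. The geometry, file names and cluster contents are all constructed for the example; on a real partition image the fill tally is what separates a format filler or a wiping pattern from ordinary residue.

```python
import struct
from collections import Counter

def geometry(img):
    """Read the FAT16 BIOS Parameter Block; return (cluster_size, fat_off, root_off, data_off, n_clusters)."""
    bps, spc, reserved, nfats, root_entries, total = struct.unpack_from("<HBHBHH", img, 11)
    spf = struct.unpack_from("<H", img, 22)[0]            # sectors per FAT
    fat_off = reserved * bps
    root_off = fat_off + nfats * spf * bps
    data_off = root_off + root_entries * 32                # root directory entries are 32 bytes each
    return spc * bps, fat_off, root_off, data_off, (total * bps - data_off) // (spc * bps)

def free_cluster_fill(img):
    """Tally what free clusters (FAT16 entry == 0) hold: one repeated byte value, or mixed content."""
    csize, fat_off, _, data_off, n = geometry(img)
    tally = Counter()
    for c in range(2, n + 2):                             # data clusters are numbered from 2
        if struct.unpack_from("<H", img, fat_off + 2 * c)[0] != 0:
            continue                                      # allocated, bad or end-of-chain: not free
        blk = img[data_off + (c - 2) * csize: data_off + (c - 1) * csize]
        tally["0x%02X" % blk[0] if len(set(blk)) == 1 else "mixed"] += 1
    return tally

def deleted_root_entries(img):
    """Root directory entries whose first byte is 0xE5, the ordinary single deleted-entry marker."""
    _, _, root_off, data_off, _ = geometry(img)
    names = []
    for off in range(root_off, data_off, 32):
        entry = img[off:off + 32]
        if entry[0] == 0x00:
            break                                         # 0x00 first byte: no further entries
        if entry[0] == 0xE5:
            names.append("?" + entry[1:11].decode("ascii", "replace"))   # first name char is lost
    return names

def build_sample_image():
    """Constructed image: 512-byte sectors, 1 sector/cluster, 1 FAT, 16 root entries, 8 data clusters."""
    bps, root_entries, total = 512, 16, 11                # boot + FAT + root dir + 8 data sectors
    boot = bytearray(bps)
    struct.pack_into("<HBHBHH", boot, 11, bps, 1, 1, 1, root_entries, total)
    struct.pack_into("<BH", boot, 21, 0xF8, 1)            # media descriptor, 1 sector per FAT
    fat = bytearray(bps)
    struct.pack_into("<HHH", fat, 0, 0xFFF8, 0xFFFF, 0xFFFF)   # two reserved entries; cluster 2 in use
    root = bytearray(root_entries * 32)
    root[0:11] = b"LIVE    TXT"; struct.pack_into("<H", root, 26, 2)   # live file, starts in cluster 2
    root[32:43] = b"\xE5ONE    TXT"                       # deleted entry: first byte overwritten with E5
    data = (b"A" * bps + b"\xE5" * bps * 4 + b"\xF6" * bps   # cluster 2 live; 3-6 E5 filler; 7 F6
            + b"\x00" * bps + bytes(range(256)) * 2)      # 8 zeroed; 9 mixed content
    return bytes(boot + fat + root) + data

SAMPLE = build_sample_image()
```

Running `free_cluster_fill(SAMPLE)` on the constructed image reports four E5-filled free clusters alongside one F6, one zeroed and one mixed cluster, while `deleted_root_entries(SAMPLE)` lists the one entry whose first byte is 0xE5.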
 
