
Lost folders/files on OS HDD

(@sn0wstorm)
Posts: 7
Active Member
Topic starter
 

Hi all,

I am examining what I believe to be a main OS hard drive, but when hooking it up to a write-blocker in Windows it doesn't get a drive letter, and Disk Manager won't let me manually assign one to it either. As far as the OS is concerned the hard drive isn't addressable, and looking at it in EnCase or FTK it doesn't have a general operating system file structure; it just has hundreds of "lost files" and "lost folder" entries, but that's it. The software reports them as 0 bytes in size, but when looking at it in hex view you can see there IS data there (albeit garbled, with no legible words or phrases to identify anything). It does have unallocated clusters which have both a physical and logical size, but carving them proves to no avail. Would this be a case of a) encryption, b) the hard drive having been completely trashed prior to seizure, or c) the HDD having been taken from an enclosure and needing a proprietary board to be connected to in order to be addressed and read correctly (like some external HDDs)? Is there anything else that could be tried in order to make it readable? Thanks!

 
Posted : 01/10/2014 11:56 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Is the disk found in Disk Manager (and reported with the right size)?
If yes, then it is unlikely that there is a "special board" issue.

Can you see in Disk Manager one or more partitions/volumes?
If no, you cannot assign a drive letter to any of them.

So, from what you report (or more exactly from what I understand from your report), you have a disk which does not have a valid MBR or a valid partition table in it.

You should, first thing, verify the contents of the first sector (the MBR) with any suitable tool, like a hex/disk editor supporting templates (with a MBR template).

An encrypted "bootable" hard disk normally has a partition table in the MBR anyway, so it is unlikely that this is the case.

The "lost files" that you can see in Encase or FTK are seemingly the result of carving (the whole disk is "unallocated space").

If none of those found files make sense/are recognized, there are several possibilities:

  • the hard disk was encrypted and either was not a "bootable" (main OS) hard disk (and a peculiar encryption software was used on it) or that it has been further changed/hexedited/whatever
  • the hard disk was part of a RAID (and it is not the first disk of the RAID) and was encrypted
  • the hard disk itself (hardware) has some issues

You should make a dd image of the disk and then work on the image, however.

Can you post some more details?
Where (which kind of computer) it was taken from, what make/model/bus the disk is, which write blocker are you using, which OS are you running, etc.?

jaclaz

 
Posted : 01/10/2014 3:04 pm
(@mscotgrove)
Posts: 938
Prominent Member
 

As already stated, I would start looking at sector 0 (and sector 1).

I would also run a data carving program to see if there are files that can be read.

 
Posted : 01/10/2014 4:39 pm
(@Anonymous)
Posts: 0
Guest
 

Hi,
Before providing a solution, I would like to ask you if the Encase software has created an image of the hard drive.
If yes, please let me know.

———-
Thanks and Regards

 
Posted : 01/10/2014 5:44 pm
(@sn0wstorm)
Posts: 7
Active Member
Topic starter
 

> Is the disk found in Disk Manager (and reported with the right size)?
> If yes, then it is unlikely that there is a "special board" issue.
>
> Can you see in Disk Manager one or more partitions/volumes?
> If no, you cannot assign a drive letter to any of them.
>
> So, from what you report (or more exactly from what I understand from your report), you have a disk which does not have a valid MBR or a valid partition table in it.
>
> You should, first thing, verify the contents of the first sector (the MBR) with any suitable tool, like a hex/disk editor supporting templates (with a MBR template).
>
> An encrypted "bootable" hard disk normally has a partition table in the MBR anyway, so it is unlikely that this is the case.
>
> The "lost files" that you can see in Encase or FTK are seemingly the result of carving (the whole disk is "unallocated space").
>
> If none of those found files make sense/are recognized, there are several possibilities:
>
>   • the hard disk was encrypted and either was not a "bootable" (main OS) hard disk (and a peculiar encryption software was used on it) or that it has been further changed/hexedited/whatever
>   • the hard disk was part of a RAID (and it is not the first disk of the RAID) and was encrypted
>   • the hard disk itself (hardware) has some issues
>
> You should make a dd image of the disk and then work on the image, however.
>
> Can you post some more details?
> Where (which kind of computer) it was taken from, what make/model/bus the disk is, which write blocker are you using, which OS are you running, etc.?
>
> jaclaz

Hi jaclaz,

Yes, the disk does show up in Disk Manager as a single volume and at the correct size; however, because it isn't given a drive letter it doesn't show up in 'My Computer', and other tools won't detect it, except for FTK and EnCase.

That is a plausible problem, yes: every file is blanked with zeroes for the first couple of offsets and then seemingly the "data" starts. I have already taken a dd image of the disk in order to try some things. Are there any tools you would recommend in order to make some sense of what's going on with the hard drive? As I mentioned above, most tools won't detect it because it doesn't have a drive letter (and one cannot be assigned to it). From my knowledge the drive was taken from a Windows machine (with a possible Linux dual boot); it is a Hitachi SATA drive and I am using a Tableau on Windows 7.

> Hi,
> Before providing a solution, I would like to ask you if the Encase software has created an image of the hard drive.
> If yes, please let me know.

Hi EvaMendis, yes I have already created a working copy of the hard drive to work on, I would be interested to hear your solution.

 
Posted : 02/10/2014 12:50 am
PaulSanderson
(@paulsanderson)
Posts: 651
Honorable Member
 

You need to start with the partition table and manually walk it and the subsequent boot sectors to find out what is going on. If you can't follow the pointers from partition to boot sector to NTFS MFT (or whatever other filesystem structure), then the operating system won't be able to do it either.

Anything else is guesswork, and although you may get data back, you won't know what is causing the issue.

 
Posted : 02/10/2014 2:33 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

> Yes, the disk does show up in Disk Manager as a single volume and at the correct size; however, because it isn't given a drive letter it doesn't show up in 'My Computer', and other tools won't detect it, except for FTK and EnCase.

With all due respect, allow me to doubt this 😯 ; there is something that you are missing to describe or that you are describing improperly.

The normal behaviour in Disk Management IF a volume exists is to assign to it a drive letter.

Think when you start from a completely 00ed disk.

When you open the disk in Disk Manager you are prompted to initialize the disk (this is "triggered" by the missing magic bytes 55AA at the end of sector LBA0).

If you do not initialize the disk, the disk graphical representation has a black border and a "not initialized" tag on the left.
http://www.techotopia.com/images/d/de/Windows_server_2008_r2_disk_manager.jpg

Then you initialize the disk: the border is still black, but the "not initialized" tag is gone, and the area will sport an "unallocated" tag.

Then you create a Primary partition spanning the whole volume, the disk area has now a blue border AND a drive letter is assigned to it and the tag will become "healthy", and if you right click on it and choose "Properties", it will have "0 bytes" as both "used space" and "free space".

This is normal because after this step you can close disk manager and open the drive letter in Explorer (which will ask you to format the volume), since the volume has been created, a drive letter has been assigned to it (but no filesystem has been yet written to the volume).

There may be some cases in which a drive letter is not assigned automatically, but you can right click on the volume and assign one manually.

In other words, if a proper partition entry exists in the MBR, the corresponding volume will get a drive letter, even if it is made of all 00's.

This is where your description is somehow differing from common experience.

On the other hand, it is possible that the partition ID in the MBR is not one that Windows can recognize, hence the MBR and the partition table in it need to be manually inspected, first thing, to check what is actually there.

jaclaz

 
Posted : 02/10/2014 3:36 pm
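The checks jaclaz and PaulSanderson describe (look at the 55AA signature and partition IDs in sector LBA0, then follow each entry's pointer to its boot sector) can be run directly against the dd image. The following is an added example, not code from any poster: the partition type names are the well-known MBR type IDs, and the sample image is constructed here to exercise the walk.

```python
import struct

SECTOR = 512
# Well-known partition type IDs (not exhaustive); anything else is reported as "unknown".
PART_TYPES = {0x00: "empty", 0x05: "extended", 0x07: "NTFS/exFAT/HPFS", 0x0B: "FAT32",
              0x0C: "FAT32 LBA", 0x0F: "extended LBA", 0x83: "Linux", 0xEE: "GPT protective"}

def parse_mbr(sector0):
    """Return (has 55AA signature, list of the four partition entries) for sector LBA0."""
    signed = sector0[510:512] == b"\x55\xAA"          # magic bytes Disk Manager looks for
    entries = []
    for i in range(4):
        off = 446 + 16 * i                           # partition table starts at offset 446
        lba_start, sectors = struct.unpack_from("<II", sector0, off + 8)
        ptype = sector0[off + 4]
        entries.append({"index": i, "bootable": sector0[off] == 0x80, "type": ptype,
                        "type_name": PART_TYPES.get(ptype, "unknown"),
                        "lba_start": lba_start, "sectors": sectors})
    return signed, entries

def boot_sector_info(image, lba):
    """Follow a partition entry's LBA pointer and say what the first sector there looks like."""
    bs = image[lba * SECTOR:(lba + 1) * SECTOR]
    if len(bs) != SECTOR:
        return {"reachable": False}                  # pointer beyond the image: bad entry
    return {"reachable": True, "signed": bs[510:512] == b"\x55\xAA",
            "oem_id": bs[3:11].decode("ascii", "replace"),   # e.g. "NTFS    " or "MSDOS5.0"
            "all_zero": not any(bs)}

def triage(image):
    """Walk MBR -> partition entries -> boot sectors over a raw (dd) image."""
    signed, entries = parse_mbr(image[:SECTOR])
    report = {"mbr_signed": signed, "partitions": []}
    for e in entries:
        if e["type"] == 0x00:
            continue                                 # unused slot
        e["boot_sector"] = boot_sector_info(image, e["lba_start"])
        report["partitions"].append(e)
    return report

def make_sample_image():
    """Constructed sample, not from the thread: one bootable NTFS entry at LBA 2048."""
    img = bytearray(SECTOR * 2049)
    img[446:462] = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 1)
    img[510:512] = b"\x55\xAA"
    bs = 2048 * SECTOR
    img[bs + 3:bs + 11] = b"NTFS    "
    img[bs + 510:bs + 512] = b"\x55\xAA"
    return bytes(img)
```

For a real dd image, pass an `mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)` of the file instead of bytes; the functions only slice. A missing 55AA, a type ID Windows does not know, or an entry whose boot sector is unreachable or all zero each explain a different Disk Manager behaviour.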
(@sn0wstorm)
Posts: 7
Active Member
Topic starter
 

Jaclaz,

This is why I'm just as confused as you. In all my experience I have never encountered something like this. There is no prompt to 'initialize' the disk; the disk shows up in Disk Manager with a blue box but no stripes (like the system reserved partition does in your screenshot), but its size is the entire disk. Hence no addressable drive letter. Right clicking on the disk in the manager, every option is greyed out. I cannot initialize, set a new volume, assign a drive letter, nothing. EnCase detects hundreds of thousands of files but fails to display anything except lost files or lost folders (which, like you mentioned, could be due to the partition table being corrupt/missing). I'll have another look at it today in the office using X-Ways or something; this has genuinely got me stumped! 😯

 
Posted : 03/10/2014 12:01 pm
(@Anonymous)
Posts: 0
Guest
 

Hi,

The working image of the HDD will obviously be in E01 file format. So, I would suggest you use an E01 file viewer. This type of tool provides you the facility to explore all the files which you are unable to see; you can view all the text files, pdf files, doc files, etc. Options are available for the tools and a few of them are:
1) Systools E01 file viewer

2) OS Forensic E01 file viewer.

Try these tools for your problem. Also, Please provide the proper Snapshots for better assistance.

 
Posted : 03/10/2014 1:57 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

> Jaclaz,
>
> This is why I'm just as confused as you. In all my experience I have never encountered something like this. There is no prompt to 'initialize' the disk; the disk shows up in Disk Manager with a blue box but no stripes (like the system reserved partition does in your screenshot), but its size is the entire disk. Hence no addressable drive letter. Right clicking on the disk in the manager, every option is greyed out. I cannot initialize, set a new volume, assign a drive letter, nothing. EnCase detects hundreds of thousands of files but fails to display anything except lost files or lost folders (which, like you mentioned, could be due to the partition table being corrupt/missing). I'll have another look at it today in the office using X-Ways or something; this has genuinely got me stumped! 😯

I would be curious to have a look at the MBR contents of that disk.

@Evamendis
There is no Law requiring the image to be E01, as a matter of fact on a doubtful issue like this I would use a RAW image instead, nothing "obviously E01".

jaclaz

 
Posted : 05/10/2014 2:54 pm