Dear All
I am presently working on a case (320GB Samsung HDD) where I am facing the following problems:
1. All .pst files have a logical size of over 1GB. After processing the case in EnCase (focusing on signature analysis), all the .pst files are marked as BAD SIGNATURE files. In the hex view of the files, I can see nothing but zero values. File slack also has nothing.
2. I am facing the same issue with many (almost all) the documents as well.
I am not sure if something has been done deliberately here. I am using EnCase, FTK and Magnet AXIOM at the moment, but the results are the same with all of them. What confuses me the most is why the files' logical size is 1GB or more, yet I can't see anything in the hex view.
** I have examined the slack space also but haven't found anything relevant.
Your advice is highly appreciated.
Thanks in advance.
What OS and filesystem are on the target drive? What tool did you use to create the image? Or are you working off the original drive directly?
Two possibilities:
1) The files were wiped.
2) The target drive was running data deduplication under Windows. The tools I've worked with (EnCase, FTK Imager) do not understand deduplication so they show files impacted by deduplication as being zero-filled. Deduplication is available on Windows 2012 and 2016; some people have apparently been successful in moving the feature to Windows 8.1 and Windows 10 but it's not supported out of the box. If you think this is the case, let me know and I'll tell you how to handle it.
Also, are you sure the .PST files are zero-filled throughout? It's hard to gauge visually, but you could write a script/program to copy the files and remove all consecutive zero bytes. That would tell you pretty quickly if there is anything else in there.
What OS and filesystem are on the target drive? What tool did you use to create the image? Or are you working off the original drive directly?
Hi
The file system is NTFS and I am not running the investigation on the hard drive directly. The image was created using TD3. And yes, the .pst files are zero-filled throughout. Can you kindly explain more about the script you have mentioned, and the way to handle deduplication? You can PM me as well.
Thanks
Also, are you sure the .PST files are zero-filled throughout? It's hard to gauge visually, but you could write a script/program to copy the files and remove all consecutive zero bytes. That would tell you pretty quickly if there is anything else in there.
Under Linux/OS X you can use the xxd command with the -a option to hide all lines that are filled with zeroes.
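The "copy the file and drop the consecutive zero bytes" check and the xxd -a approach suggested above, as an added example that is not any poster's script: it streams a file of any size, reports every run of non-zero bytes with its offset (so a 1GB file with nothing in it comes back as an empty list), and checks whether the first four bytes are the "!BDN" signature a real PST carries. The sample files it builds are constructed test data, not evidence from the case.

```python
import os
import re
import tempfile

PST_MAGIC = b"!BDN"   # first four bytes of a genuine Outlook .pst/.ost file
NONZERO_RUN = re.compile(rb"[^\x00]+")


def nonzero_regions(path, chunk_size=1 << 20):
    """Stream a file of any size and return [(offset, length), ...] for every
    run of non-zero bytes. Runs that straddle a chunk boundary are merged."""
    regions, pos = [], 0
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            for m in NONZERO_RUN.finditer(chunk):
                start, end = pos + m.start(), pos + m.end()
                if regions and sum(regions[-1]) == start:   # continues previous run
                    regions[-1] = (regions[-1][0], end - regions[-1][0])
                else:
                    regions.append((start, end - start))
            pos += len(chunk)
    return regions


def summarize(path):
    """Answer the two questions from the thread: is the file zero-filled
    throughout, and does it at least carry a PST header?"""
    regions = nonzero_regions(path)
    with open(path, "rb") as fh:
        magic = fh.read(4)
    return {"size": os.path.getsize(path),
            "nonzero_bytes": sum(length for _, length in regions),
            "regions": regions,
            "has_pst_magic": magic == PST_MAGIC}


def write_sample(data, name="sample.bin"):
    """Write constructed test data to a temp file and return its path."""
    path = os.path.join(tempfile.mkdtemp(), name)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    # Constructed samples, not evidence: a zero-filled 3 MiB "pst" and one
    # with a real header plus a small payload 1 MiB in.
    zeroed = write_sample(b"\x00" * (3 << 20), "zeroed.pst")
    real = write_sample(PST_MAGIC + b"\x00" * ((1 << 20) - 4) + b"payload" + b"\x00" * 100, "real.pst")
    for p in (zeroed, real):
        print(os.path.basename(p), summarize(p))
```

Run it against files exported from the image; a non-empty region list with no PST header points at what is left to carve, while an empty list for a multi-GB file is consistent with either wiping or a deduplicated volume whose chunk store the tool does not understand.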
Can you examine the disk directly rather than the image and confirm that the files are zeroed out?
Be sure the image is good: after imaging, check the TD3-generated signature of the image against the original hard disk signature.
We had similar problems with one of our tasks: the files were corrupt because the customer got some crypto virus which encrypted all the data. This is just a hint; usually you should not have this )
Can you examine the disk directly rather than the image and confirm that the files are zeroed out?
Unfortunately I do not have access to the original hard drive now and can't even get it again. I really appreciate your advice, but do you see any other way of doing this? Also, according to the policy of our company, I will not be allowed to work on the original evidence at all.
However, I can assure you that the image has been acquired accurately, with all the hashes matching.
Be sure the image is good: after imaging, check the TD3-generated signature of the image against the original hard disk signature.
We had similar problems with one of our tasks: the files were corrupt because the customer got some crypto virus which encrypted all the data. This is just a hint; usually you should not have this )
The hashes match against each other and the evidence has been verified without any errors. Also, if there had been any kind of encryption, it should not have zero-filled the sectors. But I will take your advice and still look for malware and viruses. However, I have done the hash analysis of the files and so far I have not been able to find any files containing malware or viruses. This is in fact turning out to be a unique case in itself.
In the worst-case scenario, we will request reacquisition of the evidence if we can't figure out anything else.
The file system is NTFS and I am not running the investigation on the hard drive directly. The image was created using TD3. And yes, the .pst files are zero-filled throughout. Can you kindly explain more about the script you have mentioned, and the way to handle deduplication? You can PM me as well.
Thanks
What version of Windows was it running?
If deduplication is on, you're going to need to boot from your drive image or load it into a VM that has deduplication available. Do this on a working copy, not your original image because you will make changes. When I did this, I was working with VMDK files from the start so I didn't have to convert a forensic image into something bootable, I just copied the VMDK.
You do not just want to disable dedup; that won't "rehydrate" your files. Instead, you'll need to use the PowerShell command Start-DedupJob to turn it off, and you need deduplication enabled on the volume when you run it.
The command is
Start-DedupJob -Volume "D" -Type Unoptimization
Substitute the correct volume letter for D.
Full Instructions
I'm posting here for the benefit of any future google warriors who stumble across this thread, as I did.
I have performed some testing of Data Deduplication in 2012/2016 and various methods to access data from acquired images. This testing has been written up to help anyone who finds themselves needing to do it in the context of forensic analysis. A primer on the feature is available
here and the post detailing a couple of methods to handle data deduplication is available here.
Nice ), thank you.
As a side note, re
Once a volume has been optimized (deduplicated) it can of course be unoptimized (why Microsoft didn’t settle on dededuplicated as a term of reference I will never understand).
I have seen "rehydrated" and "rehydration" also used. 😯
jaclaz