
Bad Signature Files

(@harshbehl)
Posts: 67
Trusted Member
Topic starter
 

Dear All

I am presently working on a case (320 GB Samsung HDD) where I am facing the following problems:

1. All .pst files have a logical size of over 1 GB. After processing the case in EnCase (focus on signature analysis), all the .pst files are marked as BAD SIGNATURE files. In the hex view of the files, I can see nothing but zero values. File slack also has nothing.

2. I am facing the same issue with many (almost all) of the documents as well.

I am not sure if something has been done deliberately here. I am using EnCase, FTK and Magnet AXIOM at the moment, but the results are the same with all of them. What confuses me the most is why the files' logical size is 1 GB or more, yet I can't see anything in the hex view.

** I have also examined the slack space but haven't found anything relevant.

Your advice is highly appreciated.

Thanks in advance.

 
Posted : 02/08/2016 1:23 am
tracedf
(@tracedf)
Posts: 169
Estimable Member
 

What OS and filesystem are on the target drive? What tool did you use to create the image? Or are you working off the original drive directly?

Two possibilities

1) The files were wiped.

2) The target drive was running data deduplication under Windows. The tools I've worked with (EnCase, FTK Imager) do not understand deduplication so they show files impacted by deduplication as being zero-filled. Deduplication is available on Windows 2012 and 2016; some people have apparently been successful in moving the feature to Windows 8.1 and Windows 10 but it's not supported out of the box. If you think this is the case, let me know and I'll tell you how to handle it.

Also, are you sure the .PST files are zero-filled throughout? It's hard to gauge visually, but you could write a script/program to copy the files and remove all consecutive zero bytes. That would tell you pretty quickly if there is anything else in there.

 
Posted : 02/08/2016 2:31 am
(@harshbehl)
Posts: 67
Trusted Member
Topic starter
 

What OS and filesystem are on the target drive? What tool did you use to create the image? Or are you working off the original drive directly?

Hi
The file system is NTFS and I am not running the investigation on the hard drive directly. The image was created using a TD3. And yes, the .pst files are zero-filled throughout. Can you kindly explain more about the script you mentioned and the way to handle deduplication? You can PM me as well.

Thanks

 
Posted : 02/08/2016 11:03 am
(@randomaccess)
Posts: 385
Reputable Member
 

Also, are you sure the .PST files are zero-filled throughout? It's hard to gauge visually, but you could write a script/program to copy the files and remove all consecutive zero bytes. That would tell you pretty quickly if there is anything else in there.

Under Linux/OS X you can use the xxd command with the -a option to hide all lines that are filled with zeroes.

Can you examine the disk directly rather than the image and confirm that the files are zeroed out?

 
Posted : 02/08/2016 2:21 pm
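The "strip the zero bytes and see what is left" check that tracedf and randomaccess describe above, written out as an added example (this is not code from either poster or from the thread). It assumes the suspect .pst has been exported from the image to a file on the examination machine; the 64 KiB sample that make_sample() builds is constructed for the demonstration and stands in for a wiped .pst. Beyond what xxd -a shows, it streams the file in 1 MiB chunks so a 1 GB file never sits in memory, reports the absolute offset and length of every run of non-zero bytes (joining runs that straddle a chunk boundary), and checks whether the PST header magic is present: a valid .pst starts with the bytes "!BDN" (dwMagic in the MS-PST specification), which is exactly what signature analysis looks for.

```python
"""Report where a file holds anything other than 0x00 bytes.

Added example, not code from the thread.  Run it on the .pst exported from the
image (or on a raw byte range carved out of it) to settle whether a file that
EnCase flags as "bad signature" is zero-filled throughout or still holds data
somewhere inside.  A missing "!BDN" header with data further in points at a
damaged or partially overwritten file; no non-zero bytes at all means the
content is genuinely gone from this view of the file.
"""
import io
import re
import sys
from dataclasses import dataclass, field
from typing import BinaryIO, Iterator, List

PST_MAGIC = b"!BDN"                      # dwMagic at offset 0 of every .pst (MS-PST spec)
CHUNK = 1024 * 1024                      # 1 MiB per read keeps memory flat on a 1 GB .pst
NONZERO = re.compile(rb"[^\x00]+")       # one match per run of non-zero bytes in a chunk


@dataclass
class Run:
    start: int      # absolute file offset of the first non-zero byte
    length: int     # number of bytes until the next 0x00


@dataclass
class Report:
    size: int
    nonzero_bytes: int
    total_runs: int
    has_pst_magic: bool
    runs: List[Run] = field(default_factory=list)   # at most max_runs entries kept


def nonzero_runs(fh: BinaryIO, chunk_size: int = CHUNK) -> Iterator[Run]:
    """Yield every maximal run of non-zero bytes, joining runs that straddle a chunk boundary."""
    pos = 0
    run_start = run_end = None
    while True:
        chunk = fh.read(chunk_size)
        if not chunk:
            break
        for m in NONZERO.finditer(chunk):
            s, e = pos + m.start(), pos + m.end()
            if run_start is not None and s == run_end:   # continues the run from the last chunk
                run_end = e
                continue
            if run_start is not None:
                yield Run(run_start, run_end - run_start)
            run_start, run_end = s, e
        pos += len(chunk)
    if run_start is not None:
        yield Run(run_start, run_end - run_start)


def summarize(fh: BinaryIO, chunk_size: int = CHUNK, max_runs: int = 50) -> Report:
    """Scan a seekable binary stream once and summarize its non-zero content."""
    head = fh.read(len(PST_MAGIC))
    fh.seek(0)
    report = Report(size=0, nonzero_bytes=0, total_runs=0, has_pst_magic=(head == PST_MAGIC))
    for run in nonzero_runs(fh, chunk_size):
        report.nonzero_bytes += run.length
        report.total_runs += 1
        if len(report.runs) < max_runs:
            report.runs.append(run)
    report.size = fh.tell()          # the stream was consumed to EOF, so tell() is the file size
    return report


def summarize_bytes(data: bytes, **kw) -> Report:
    """Convenience wrapper for in-memory data (used by the constructed sample below)."""
    return summarize(io.BytesIO(data), **kw)


def make_sample() -> bytes:
    """Constructed 64 KiB stand-in for a 'wiped' .pst: no header, 18 bytes of
    leftover text straddling a 4 KiB boundary, and one stray byte near the end."""
    buf = bytearray(64 * 1024)
    buf[4090:4090 + 18] = b"Subject: Q3 budget"
    buf[60000] = 0x01
    return bytes(buf)


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            r = summarize(fh)
        print(f"{path}: {r.size} bytes, PST magic {'present' if r.has_pst_magic else 'MISSING'}, "
              f"{r.nonzero_bytes} non-zero bytes in {r.total_runs} runs")
        for run in r.runs:
            print(f"  0x{run.start:012x}  {run.length} bytes")
        if r.nonzero_bytes == 0:
            print("  zero-filled throughout")
```

Usage: python zerocheck.py exported.pst. On a large file the regex scan of a wholly-zero chunk is a single linear pass, so a 1 GB file of zeros finishes in seconds; any run it reports is a candidate for a closer look in the hex view at that offset. Run it against the exported copy, never against the image itself.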
passcodeunlock
(@passcodeunlock)
Posts: 792
Prominent Member
 

Be sure the image is good, after imaging check the TD3 generated signature of the image against the original hard disk signature.

We had similar problems with one of our tasks: the files were corrupt because the customer got some crypto virus which encrypted all the data. This is just a hint; usually you should not have this )

 
Posted : 02/08/2016 2:23 pm
(@harshbehl)
Posts: 67
Trusted Member
Topic starter
 

Can you examine the disk directly rather than the image and confirm that the files are zeroed out?

Unfortunately I do not have access to the original hard drive now and can't even get it again. I really appreciate your advice, but do you see any other way of doing this? Also, according to the policy of our company, I will not be allowed to work on the original evidence at all.

However, I can assure you that the image was acquired accurately, with all the hashes matching.

 
Posted : 02/08/2016 4:12 pm
(@harshbehl)
Posts: 67
Trusted Member
Topic starter
 

Be sure the image is good, after imaging check the TD3 generated signature of the image against the original hard disk signature.

We had similar problems with one of our tasks: the files were corrupt because the customer got some crypto virus which encrypted all the data. This is just a hint; usually you should not have this )

The hashes match against each other and the evidence has been verified without any errors. Also, if there had been any kind of encryption, it should not have zero-filled the sectors. But I will take your advice and still look for malware and viruses. However, I have done the hash analysis of the files and so far I have not been able to find any files containing malware or viruses. This is in fact turning out to be a unique case in itself.

In the worst-case scenario, we will request reacquisition of the evidence if we can't figure out anything else.

 
Posted : 02/08/2016 4:19 pm
tracedf
(@tracedf)
Posts: 169
Estimable Member
 

The file system is NTFS and I am not running the investigation on the hard drive directly. The image was created using a TD3. And yes, the .pst files are zero-filled throughout. Can you kindly explain more about the script you mentioned and the way to handle deduplication? You can PM me as well.

Thanks

What version of Windows was it running?

If deduplication is on, you're going to need to boot from your drive image or load it into a VM that has deduplication available. Do this on a working copy, not your original image because you will make changes. When I did this, I was working with VMDK files from the start so I didn't have to convert a forensic image into something bootable, I just copied the VMDK.

You do not just want to disable dedup; it won't "rehydrate" your files. Instead, you'll need to use the PowerShell command Start-DedupJob to turn it off, and you need deduplication enabled on the volume when you run it.

The command is

Start-DedupJob -Volume "D" -Type Unoptimization

Substitute the correct volume letter for D.

Full Instructions
Disabling Data Deduplication

Recovering your Deduped files on Windows 10

 
Posted : 02/08/2016 11:38 pm
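tracedf's route above needs a bootable working copy with the Data Deduplication feature installed before Start-DedupJob -Type Unoptimization can rehydrate anything. An examiner who only has the image can first confirm that deduplication is actually the explanation, straight from the file's MFT record. The following is an added example, not code from tracedf or from the thread. It assumes the NTFS 3.1 FILE record layout and the constant IO_REPARSE_TAG_DEDUP = 0x80000013 from ntifs.h: an optimized file keeps its logical size, but its unnamed $DATA stream becomes sparse with no allocated clusters (the chunks live under System Volume Information\Dedup\ChunkStore) and the file gains a $REPARSE_POINT attribute carrying the dedup tag. That combination is what makes EnCase and FTK show a 1 GB file as nothing but zeros. The 1 KiB record that build_sample_record() produces is constructed for the demonstration; in a real case, export the suspect file's MFT record from the image with your forensic tool and pass that file on the command line.

```python
"""Check an NTFS MFT record for the Windows Data Deduplication reparse tag.

Added example, not code from the thread.  Detects the signature of a
deduplicated file: a $REPARSE_POINT attribute tagged IO_REPARSE_TAG_DEDUP
(0x80000013, ntifs.h) next to a sparse, unallocated $DATA stream whose logical
size is still the original file size.  NTFS 3.1 record layout assumed.
"""
import struct
import sys

IO_REPARSE_TAG_DEDUP = 0x80000013
ATTR_DATA = 0x80
ATTR_REPARSE_POINT = 0xC0
ATTR_FLAG_SPARSE = 0x8000       # attribute flags word at offset 12 of every attribute header
END_MARKER = 0xFFFFFFFF
RECORD_SIZE = 1024
SECTOR = 512


def apply_fixups(record: bytes) -> bytes:
    """Undo the update-sequence fixups: NTFS keeps the real last two bytes of
    every sector in the update sequence array and writes the USN in their place."""
    buf = bytearray(record)
    usa_off, usa_count = struct.unpack_from("<HH", buf, 4)
    usn = bytes(buf[usa_off:usa_off + 2])
    for i in range(1, usa_count):
        end = i * SECTOR
        if bytes(buf[end - 2:end]) != usn:
            raise ValueError("fixup mismatch at sector %d: torn or bogus record" % i)
        buf[end - 2:end] = buf[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)


def iter_attributes(record: bytes):
    """Yield (type, raw attribute bytes) until the 0xFFFFFFFF end marker."""
    off = struct.unpack_from("<H", record, 0x14)[0]       # first attribute offset
    while off + 8 <= len(record):
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == END_MARKER or alen == 0:
            break
        yield atype, record[off:off + alen]
        off += alen


def analyse_record(record: bytes) -> dict:
    """Return reparse tag, sparse flag and sizes of the unnamed $DATA stream."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    record = apply_fixups(record)
    info = {"reparse_tag": None, "data_sparse": False,
            "logical_size": None, "allocated_size": None}
    for atype, attr in iter_attributes(record):
        non_resident, name_len = attr[8], attr[9]
        flags = struct.unpack_from("<H", attr, 12)[0]
        if atype == ATTR_DATA and name_len == 0:          # the unnamed (main) data stream
            if non_resident:
                alloc, real = struct.unpack_from("<QQ", attr, 0x28)   # allocated, real size
            else:
                alloc = real = struct.unpack_from("<I", attr, 0x10)[0]
            info.update(data_sparse=bool(flags & ATTR_FLAG_SPARSE),
                        logical_size=real, allocated_size=alloc)
        elif atype == ATTR_REPARSE_POINT and not non_resident:
            content_off = struct.unpack_from("<H", attr, 0x14)[0]
            info["reparse_tag"] = struct.unpack_from("<I", attr, content_off)[0]
    info["deduplicated"] = info["reparse_tag"] == IO_REPARSE_TAG_DEDUP
    return info


def build_sample_record() -> bytes:
    """Constructed 1 KiB MFT record: a 1 GiB unnamed $DATA stream that is
    non-resident, sparse and has no allocated clusters, plus a dedup reparse point."""
    size = 1 << 30
    header = b"FILE" + struct.pack("<HH", 0x30, 3)        # USA at 0x30: USN + 2 saved words
    header += struct.pack("<QHHHHIIQHHI", 0, 1, 1, 0x38, 1, 0xB0, RECORD_SIZE, 0, 3, 0, 42)
    header += struct.pack("<HHH", 0x0001, 0, 0) + b"\x00\x00"     # USN=1, saved bytes, pad
    data = struct.pack("<IIBBHHHQQHHIQQQ", ATTR_DATA, 0x48, 1, 0, 0x40, ATTR_FLAG_SPARSE, 1,
                       0, size // 4096 - 1, 0x40, 0, 0, 0, size, size)
    data += b"\x03\x00\x00\x04" + b"\x00" * 4              # one sparse run of 0x40000 clusters
    rp_body = struct.pack("<IHH", IO_REPARSE_TAG_DEDUP, 4, 0) + b"\x00" * 4
    reparse = struct.pack("<IIBBHHHIHBB", ATTR_REPARSE_POINT, 0x28, 0, 0, 0x18, 0, 2,
                          len(rp_body), 0x18, 0, 0) + rp_body + b"\x00" * 4
    rec = bytearray(header + data + reparse + struct.pack("<I", END_MARKER))
    rec += b"\x00" * (RECORD_SIZE - len(rec))
    rec[510:512] = rec[1022:1024] = b"\x01\x00"             # USN written over the sector ends
    return bytes(rec)


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, analyse_record(fh.read(RECORD_SIZE)))
```

If the record shows the dedup tag, the file content is not wiped; it is in the chunk store, and the data can only be read back through a Windows instance that has the feature installed, which is what the Start-DedupJob step above does. If there is no reparse point and the $DATA stream has allocated clusters that really read as zeros, the zero-fill happened to the data itself and deduplication is ruled out.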
harrisonamj
(@harrisonamj)
Posts: 3
New Member
 

I'm posting here for the benefit of any future google warriors who stumble across this thread, as I did.

I have performed some testing of Data Deduplication in 2012/2016 and various methods to access data from acquired images; this testing has been written up to help anyone who finds themselves needing to do it in the context of forensic analysis. A primer on the feature is available here and the post detailing a couple of methods to handle data deduplication is available here.

 
Posted : 04/09/2017 9:53 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

I'm posting here for the benefit of any future google warriors who stumble across this thread, as I did.

I have performed some testing of Data Deduplication in 2012/2016 and various methods to access data from acquired images; this testing has been written up to help anyone who finds themselves needing to do it in the context of forensic analysis. A primer on the feature is available here and the post detailing a couple of methods to handle data deduplication is available here.

Nice ) , thank you.
As a side note, re

Once a volume has been optimized (deduplicated) it can of course be unoptimized (why Microsoft didn’t settle on dededuplicated as a term of reference I will never understand).

I have seen "rehydrated" and "rehydration" also used. 😯

jaclaz

 
Posted : 04/09/2017 11:24 am