Evidence of disk formatting and/or (massive) file deletion  

hlg33
(@hlg33)
New Member

Hi,

I have started investigating a laptop PC (Windows 7 Pro) that has most probably been "cleaned" before being given back to the employer.

I will need to find out

1) Whether its hard drive has been reformatted and, if yes, when that formatting occurred,

2) When files (lots of them) were deleted, that is, the date and time at which these files were deleted.

I have imaged the hard drive (Caine + Guymager) and used Autopsy to ingest the .dd file

When using its Timeline tool, I can definitely see two days of "intense" activity amidst a "desert" of no activity whatsoever in the days/weeks before and after these two days, but I'm afraid I do not know how to identify, among those thousands of lines, the ones that would tell me either "here is the format command being launched" or "here is the massive delete of entire folders being executed".

Recuva or photorec are very good at recovering deleted files, but (unless I'm mistaken), they don't give the date and time the files were deleted, but rather the date and time they were last modified.

Your help would/will be greatly appreciated,

Many thanks in advance,

Herve

Posted : 23/02/2014 8:17 pm
jaclaz
(@jaclaz)
Community Legend

I will need to find out

1) Whether its hard drive has been reformatted and, if yes, when that formatting occurred,

2) When files (lots of them) were deleted, that is, the date and time at which these files were deleted.

NO. 😯
Meaning that you seemingly need to have a clearer idea of the questions (or re-word them more accurately adding some further description of what actually you have in your hands and are looking at).

RE #1)
If it is a laptop, in 99.99% of cases its hard disk drive is also the main boot device where the OS is installed, and in 99.99% of the above, there is (besides, often, a "recovery partition") one single partition which is "boot" and "system" and "data" or - very often on Windows 7 installs - two partitions, one around 200 Mb which is "boot" ONLY, and a second one which is BOTH "system" and "data".
It is NOT possible to format or re-format a hard disk drive.
It is possible to format or re-format a partition or volume on it.
A hard disk drive can be partitioned or re-partitioned and new partition or volumes created by this process can then be formatted.
What gets a drive letter in Windows is NOT a "hard drive", it is a partition or volume.

RE #2)
Recuva or Photorec are aimed at file-based recovery (which is NOT what you are after); you are - in case - looking at the moment at file system activity recovery, if I get this right while assuming that files were just "plainly and simply" deleted through the OS built-in tools/commands.
It seems to me like you are also assuming that the date/time of deletion of a file is recorded inside the file system (which it is not).
This may help you in clearing this concept:
http://whereismydata.wordpress.com/2009/04/02/forensics-deleted-dates/

jaclaz

Posted : 23/02/2014 8:51 pm
mscotgrove
(@mscotgrove)
Senior Member

You came across deleted files. I assume these were part of the valid $MFT file which indicates that the disk was not formatted.

If the disk was formatted, a new $MFT would be created and would not contain deleted files. What you would find is old MFT entries that are not part of the current $MFT. These files would not be indicated as deleted - no requirement as they are not part of the file system.

As said above, the time of deletion is not recorded. To work out a possible time, you want to go look at the most recent files and discover if they occupy the location of deleted files. This will show that new file 'A' was written after file 'B' was deleted. It will not say when file 'B' was deleted.

Posted : 23/02/2014 9:31 pm
jaclaz
(@jaclaz)
Community Legend

…. which indicates that the disk was not formatted.

If the disk was formatted, ….

Hmmm.
I just spent a few paragraphs trying to disambiguate the fact that the disk CANNOT be formatted.

jaclaz

Posted : 23/02/2014 11:17 pm
mscotgrove
(@mscotgrove)
Senior Member

…. which indicates that the disk was not formatted.

If the disk was formatted, ….

Hmmm.
I just spent a few paragraphs trying to disambiguate the fact that the disk CANNOT be formatted.

jaclaz

So we are saying the same thing, but from different angles.

Posted : 24/02/2014 11:03 am
jaclaz
(@jaclaz)
Community Legend

So we are saying the same thing, but from different angles.

Not really.
I was trying to use exact terms (because it seemed to me like the OP was not very clear on the actual terminology) and you promptly managed to re-mix (shaken, not stirred) them again in no time.

jaclaz

Posted : 24/02/2014 2:32 pm
Belkasoft
(@belkasoft)
Active Member

1) Whether its hard drive has been reformatted and, if yes, when that formatting occurred,

2) When files (lots of them) were deleted, that is, the date and time at which these files were deleted.

1) In NTFS, everything including the file system is a file. Have a look at $MFT attributes. If this file was recently created, this is a sign of a partition being formatted (and that file creation date attribute will give you the date and time of the format operation). This is a quick and dirty way; you can further analyze $MFT entries to find out more about it.

2) Generally there's no way of telling *when* the files were deleted other than by analyzing entries in the NTFS $LogFile. Note that this file has a limited number of entries.

Posted : 24/02/2014 3:48 pm
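An added example, not code from any of the posters above, of the "quick and dirty" check Belkasoft describes: pull the $STANDARD_INFORMATION creation timestamp out of a raw 1024-byte MFT record, after undoing the update-sequence fixups NTFS writes into the last two bytes of each sector. Run on record 0 of $MFT (the $MFT file's own entry), the value returned is the creation time of the file system itself, i.e. the last format of that volume; the record builder at the end only constructs a sample record for the demonstration and is not real evidence.

```python
import struct
from datetime import datetime, timedelta, timezone

ATTR_STANDARD_INFORMATION, ATTR_END = 0x10, 0xFFFFFFFF

def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def apply_fixups(record, sector=512):
    """Undo the update sequence array: on disk the last 2 bytes of every sector
    hold the USN; the original bytes are kept in the array after the header."""
    usa_off, usa_cnt = struct.unpack_from("<HH", record, 4)
    usn, buf = record[usa_off:usa_off + 2], bytearray(record)
    for i in range(1, usa_cnt):
        end = i * sector
        if buf[end - 2:end] != usn:
            raise ValueError("fixup mismatch: torn or corrupt record")
        buf[end - 2:end] = record[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)

def mft_creation_time(record):
    """Creation time from the $STANDARD_INFORMATION attribute of one MFT record."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    rec = apply_fixups(record)
    off = struct.unpack_from("<H", rec, 0x14)[0]        # offset of first attribute
    while True:
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            raise ValueError("no $STANDARD_INFORMATION attribute")
        if atype == ATTR_STANDARD_INFORMATION:           # always resident
            content_off = struct.unpack_from("<H", rec, off + 0x14)[0]
            created = struct.unpack_from("<Q", rec, off + content_off)[0]
            return filetime_to_datetime(created)         # first 8 bytes = created
        off += alen

def build_sample_record(created_ft, usn=b"\x01\x00"):
    """Constructed sample record (not evidence): USA at 0x30 with 3 entries, one
    resident 72-byte $STANDARD_INFORMATION at 0x38, then the end marker."""
    si = struct.pack("<4QI", created_ft, created_ft, created_ft, created_ft, 0x20) + b"\x00" * 36
    attr = struct.pack("<IIBBHHHIHBB", ATTR_STANDARD_INFORMATION, 24 + len(si),
                       0, 0, 0, 0, 0, len(si), 24, 0, 0) + si
    body = attr + struct.pack("<I", ATTR_END) + b"\x00" * 4
    rec = bytearray(1024)
    struct.pack_into("<4sHHQHHHHII", rec, 0, b"FILE", 0x30, 3, 0, 1, 1, 0x38, 1, 0x38 + len(body), 1024)
    rec[0x38:0x38 + len(body)] = body
    rec[0x30:0x32] = usn
    for i in (1, 2):                                     # write fixups the way NTFS does
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[i * 512 - 2:i * 512]
        rec[i * 512 - 2:i * 512] = usn
    return bytes(rec)
```

On a real image, feed the first 1024 bytes of $MFT (record 0) to `mft_creation_time`; a fixup mismatch means the record is torn or damaged and its timestamps should not be trusted.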