
FDisk

techmerlin
(@techmerlin)
Trusted Member
Joined: 20 years ago
Posts: 62
Topic starter  

Good Morning,

Is there any way to determine if FDisk was used on a drive and, if so, when?

I am working on a case where something was done to the drive to hide or perhaps destroy the contents. I can see there are/were 3 partitions on the drive with data. Is there any way to determine, by looking at the evidence, what might have been done to the drive to destroy the contents?

The drive does not appear to have been formatted, obviously, as there is a lot of data on the drive and it is not full of 1's and 0's.

I cannot find any partition-type software on the system, so I am suspecting FDisk would be the logical choice.

Thanks


   
Quote
(@gmarshall139)
Reputable Member
Joined: 21 years ago
Posts: 378
 

FDisk is a DOS utility, so it doesn't leave many clues as to its use.

First you will want to rebuild those partitions if that is possible. Find the MFT entry for any system file that would be updated each time the system was booted (search for the filename in unicode). Look at the embedded dates and times within that entry. Or, try and recover the registry files. Check the last shutdown time.

These techniques are not perfect. It could have been a year between the time the computer was last booted and the time the partitions were fdisked.


   
ReplyQuote
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

… there are/were 3 partitions on the drive with data…

Can you tell what kind of data you're looking at? Do you have any information regarding the operating system?

I cannot find any partition-type software on the system, so I am suspecting FDisk would be the logical choice.

Perhaps, perhaps not. You said, "I am working on a case where something was done to the drive to hide or perhaps destroy the contents", but you didn't provide any additional information beyond that.

What I mean is this... I was once handed an image, with no additional information. Turns out, not only was the drive formatted using AIX, but it was one of several drives in a RAID array. Running strings on the image, I could see references to the FAT file system, and I could see references to other strings that indicated AIX, but the image, by itself, was pretty useless.

So, my point is…what is it that you *think* you've got? What tool(s) are you using to look at your data/image/drive/whatever?

Also, have you definitely ruled out things like a power surge, corrupted drive, etc.? I ask, b/c I guess I'm missing some information that led to your finding of fdisk being used…

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com


   
ReplyQuote
techmerlin
(@techmerlin)
Trusted Member
Joined: 20 years ago
Posts: 62
Topic starter  

Hey all,

Thanks for your responses. I have some updates here.

First off, I am now using FTK and am able to see the 3 partitions, and the files would be consistent with the Windows 98 OS. Going through the data, I have found instances of the BCWipe utility.

My reasoning behind the thought FDisk was used was that in FTK Imager I was seeing the space as unpartitioned but could see there was some sort of data on the media.

Thanks


   
ReplyQuote
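One concrete way to test the "unpartitioned space that still holds data" observation above is to compare the MBR partition table against the sectors themselves: deleting a partition removes its 16-byte table entry but leaves the FAT volume boot record on disk, so an orphaned boot sector outside every listed partition is evidence a partition once existed there. The script below is an added example, not code from the thread or from any tool mentioned in it; the disk image it scans is a constructed sample, and the FAT boot-sector test is a heuristic on standard BPB offsets.

```python
import struct

SECTOR = 512

def parse_mbr(img):
    """Return (type, start_lba, sector_count) for each non-empty MBR entry.
    The table sits at offset 446: four 16-byte entries, type at byte 4,
    little-endian start LBA at bytes 8-11 and sector count at bytes 12-15."""
    entries = []
    for i in range(4):
        e = img[446 + 16 * i:446 + 16 * (i + 1)]
        start, count = struct.unpack_from("<II", e, 8)
        if e[4] != 0 and count:
            entries.append((e[4], start, count))
    return entries

def looks_like_fat_vbr(sector):
    """Heuristic FAT boot record: x86 jump, 0x55AA signature, 512 bytes/sector,
    and a 'FAT' type label at offset 54 (FAT12/16) or 82 (FAT32)."""
    return (sector[0] in (0xEB, 0xE9)
            and sector[510:512] == b"\x55\xAA"
            and struct.unpack_from("<H", sector, 11)[0] == SECTOR
            and (b"FAT" in sector[54:62] or b"FAT" in sector[82:90]))

def find_orphan_fat_volumes(img):
    """LBAs of FAT boot sectors that lie outside every partition in the MBR."""
    parts = parse_mbr(img)
    hits = []
    for lba in range(1, len(img) // SECTOR):          # skip the MBR itself
        if any(s <= lba < s + n for _, s, n in parts):
            continue                                   # inside a listed partition
        if looks_like_fat_vbr(img[lba * SECTOR:(lba + 1) * SECTOR]):
            hits.append(lba)
    return hits

def build_sample_image(with_entry=False):
    """Constructed 128-sector image: a FAT16 boot sector at LBA 63 (the
    classic first-partition offset) and an MBR whose table is either empty,
    as after the entry was deleted, or still describes that partition."""
    img = bytearray(SECTOR * 128)
    img[510:512] = b"\x55\xAA"
    if with_entry:   # type 0x06 (FAT16), start LBA 63, 64 sectors
        struct.pack_into("<B", img, 446 + 4, 0x06)
        struct.pack_into("<II", img, 446 + 8, 63, 64)
    vbr = bytearray(SECTOR)
    vbr[0:3], vbr[3:11] = b"\xEB\x3C\x90", b"MSWIN4.1"   # Windows 98 OEM label
    struct.pack_into("<H", vbr, 11, SECTOR)
    vbr[54:62], vbr[510:512] = b"FAT16   ", b"\x55\xAA"
    img[63 * SECTOR:64 * SECTOR] = vbr
    return bytes(img)
```

On a real image, a hit that the partition table does not account for still needs to be checked against the wipe tools found on the system, since a partially wiped volume can leave its boot sector intact too.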
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

My reasoning behind the thought FDisk was used was that in FTK Imager I was seeing the space as unpartitioned but could see there was some sort of data on the media.

Please excuse me, but I'm still not seeing the leap in logic. I'm familiar with disk wiping utilities, and fdisk (as well as other partition management tools), but I'm still not clear on how unpartitioned space that appears to contain data is an indicator that fdisk was used.

Again…were you able to rule out a power surge? How about partition/drive corruption?

All this may be OBE now that you've found BCWipe, though…

H. Carvey
"Windows Forensics and Incident Recovery"
www.windows-ir.com
windowsir.blogspot.com


   
ReplyQuote
techmerlin
(@techmerlin)
Trusted Member
Joined: 20 years ago
Posts: 62
Topic starter  

Keydet89,

Pardon me if perhaps I came across wrong; my earlier presumption of FDisk being used was a preliminary question, if you will, as I was not seeing any indications of a file table. FDisk was the first tool (of many) I was looking for evidence of being used, as I mentioned in my initial statement. My reasoning to look for FDisk first was the fact that it was easily accessible.

Once again, sorry if I came across in a different manner.


   
ReplyQuote
Share: