
forensic analysis on drive that won't boot.  

New Member

Hi everyone, I'm a noob here.

Funny I posted this already but it didn't show up. Weird.

To make a long story short, I have a drive that I have to look at to find out how someone got online account info from it.
This drive is not the most forensically sound image. I told our security manager that the way to do it would be to boot with my Helix CD (or whatever alternative he'd prefer), and use some derivative of dd to make an image(s) to another connected disk, Samba share or netcat socket.

He balked when I guessed it would take all day to do if it was a large drive. He sent one of our field service reps out to do it with Norton Ghost (and I doubt that he used the most secure imaging technique too).

Well, the drive doesn't boot. If it was an image, I understand I'm supposed to mount it on the Linux loopback device anyway.

However, everything I've seen on tools to get info from the registry, scheduled tasks, event logs, etc. seems to assume one would be booting into the target system. For instance, using tools to dump audit logs or the registry, or using utilities like showbinarymfr.exe from Microsoft. (Oh, yeah, forgot to mention, it's a WinXP Pro machine, SP unknown).

I suppose I could get MAC times if I booted using Helix, mounted the NTFS drive (it has a boot.ini file ==> NTFS), and looked on Helix for the appropriate tool, but I'm not sure what its system time would be set to.

How would one approach doing forensics on this?

Thanks for any advice,

Posted : 30/03/2005 11:51 am
Community Legend

If the drive doesn't boot, but does power up and is an image, I'd suggest using tools such as ProDiscover or EnCase to do your file carving…

H. Carvey
"Windows Forensics and Incident Recovery"

Posted : 30/03/2005 12:34 pm
Active Member

If you are looking for information from the registry, you do not need any special tools as such. You say you are using HELIX - so mount the drive or volume in HELIX (that is, if you can see it and read it as a device) and copy out the user's NTUSER.DAT file (found at %\Documents and Settings\*username*\) and the entire CONFIG folder (found at %\Windows\System32\config) to another drive or store. These contain all the registry files.

You can then use a Windows XP OS with your store attached and implement regedt32 to import the registry hives from the CONFIG folder.

Also you can import all the event log activity into your Windows Event viewer in XP.

Also (no disrespect intended here), it might be prudent to employ professional services, as the job has possibly been mishandled from the start: it doesn't sound like your field service rep has imaged it correctly, and someone who practices FC may be able to save it.

Posted : 30/03/2005 12:37 pm
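A scripted version of the collection steps described in the post above (mount the dd image read-only on the loopback device, copy out each profile's NTUSER.DAT and the whole CONFIG folder, then hash the copies so they can be verified later), added here as an example and not code from the poster or the thread; the image path, mount point and case directory are assumed names.

```shell
#!/bin/sh
# Added example: collect Windows XP registry hives and event logs from a
# dd image mounted read-only on a Linux loopback device. The paths used in
# the comments (/evidence/suspect.dd, /mnt/suspect, /case) are assumptions.
set -eu

# Mount the image read-only so the examiner never writes to the evidence.
# Needs root. For an image of a whole disk rather than a single partition,
# add offset=<partition start in bytes> to the -o list.
mount_image_ro() {
    img="$1"; mnt="$2"
    mkdir -p "$mnt"
    mount -t ntfs -o ro,loop,noexec,nodev "$img" "$mnt"
}

# Copy each profile's NTUSER.DAT and the CONFIG folder (SAM, SECURITY,
# SOFTWARE, SYSTEM and the XP .Evt event logs live there) into the case
# directory, then write an MD5 manifest of everything copied.
# Prints the number of files in the manifest.
collect_artifacts() {
    mnt="$1"; out="$2"
    mkdir -p "$out/users" "$out/config"
    # Case-insensitive match: NTFS keeps whatever casing the installer used.
    find "$mnt" -maxdepth 3 -type f -ipath "*/Documents and Settings/*/NTUSER.DAT" |
    while IFS= read -r hive; do
        user=$(basename "$(dirname "$hive")")
        cp -p "$hive" "$out/users/NTUSER.DAT.$user"   # -p keeps timestamps
    done
    cfg=$(find "$mnt" -maxdepth 3 -type d -ipath "*/WINDOWS/system32/config" | head -n 1)
    [ -n "$cfg" ] || { echo "config folder not found under $mnt" >&2; return 1; }
    cp -pR "$cfg/." "$out/config/"
    ( cd "$out" && find . -type f ! -name manifest.md5 -exec md5sum {} + > manifest.md5 )
    wc -l < "$out/manifest.md5" | tr -d ' '
}

# Typical use (as root):
#   mount_image_ro /evidence/suspect.dd /mnt/suspect
#   collect_artifacts /mnt/suspect /case
```

Verify the copies later with `cd /case && md5sum -c manifest.md5`; the hives can then be loaded on an XP examination box as the post describes.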
New Member

If you're looking for how someone got an online account, it might not even be on the drive. Social engineering, public info and other things might be the culprit.
Can you let us know the details of the hacked account? We might be able to at least help find what might be a good place to look.

Paris Hilton says "never use your famous pets name as an account reset answer" 🙄

Posted : 31/03/2005 3:19 am