Free space filled with E5 hex  

fraudit
(@fraudit)
Member

I need some advice as I'm working on some evidence where the whole free space on a FAT16 partition is filled in with hex value E5.

Of course I know the value itself as a deleted item marker but honestly it's the first time I've come across "a forest" of E5s on the drive… 😉 I have certainly not seen much yet, but…

Can you provide me with any comments on that? Does such situation have any special meaning?

I've suspected some wiping software has been used, but I guess it would rather fill the space with zeros or pseudo-random characters. But maybe there are some patterns that use E5.

Posted : 10/09/2013 10:46 pm
PaulSanderson
(@paulsanderson)
Senior Member

E5 used to be referred to as format pattern and was common on floppies etc.

Posted : 10/09/2013 11:05 pm
fraudit
(@fraudit)
Member

Thank you! Then - can I assume the drive was simply empty / just formatted? Or is this assumption going too far?

Posted : 10/09/2013 11:32 pm
keydet89
(@keydet89)
Community Legend

Your assumption may be going too far… from
http://www.beginningtoseethelight.org/fat16/index.htm

"…if the entry is deleted the first byte is changed to e5."

This FAT16 partition is located…where? Is there an OS associated with it somehow? For example, is the FAT16 partition from a thumb drive, and can you tie the thumb drive to a specific system? Or, is this a separate partition on a system? What I'm getting at is, is there an OS you can analyze for user activity in order to determine if a user ran a wiping tool?

Posted : 10/09/2013 11:41 pm
fraudit
(@fraudit)
Member

It's a hard drive with extended partitions. There are three partitions, one primary and two extended, all with FAT16. In fact it's an ancient Win98 system.

There are remnants of BCWipePD having been used, but I'm not sure whether it had such an overwriting scheme implemented.

Yes, I'm fully aware of the "standard" single E5 meaning, I'm just confused by the number of those hex values I see.

Posted : 10/09/2013 11:45 pm
PaulSanderson
(@paulsanderson)
Senior Member

I'm getting old - in a flash, well sort of dull glow - of memory I remembered that 0xF6 was format pattern. So ignore my last post oops

Posted : 11/09/2013 12:45 am
jaclaz
(@jaclaz)
Community Legend

I'm getting old - in a flash, well sort of dull glow - of memory I remembered that 0xF6 was format pattern. So ignore my last post oops

Oww, come on, don't be so hard with yourself. )

The bad news is that you are so old that you remember 8" floppies and CP/M! 😯
http://en.wikipedia.org/wiki/Talk%3ADisk_formatting

For example, 8-inch CP/M floppies typically came pre-formatted with a format filler value of E5h, this was also implemented in Digital Research formatting tools, and thereby this value also found its way to Atari ST and some Amstrad/Schneider formatted FAT media. Amstrad also used a format filler value of F4h.

Just for the record, the F6 was used mostly on floppy, with the noticeable exception of FDISK under Win98
http://www.forensicfocus.com/Forums/viewtopic/p=6560078/#6560078

jaclaz

Posted : 11/09/2013 1:47 am
fraudit
(@fraudit)
Member

I've managed to find some relevant information in the Tableau TD3 (and earlier) manual - see here.

It says:
When performing a Blank Check, the TD3 reads sectors in the Master Boot Record, the Primary GPT, and the Secondary GPT. A sector is considered to be blank if it contains only a repeating pattern such as 00h, E5h, or FFh. Any non-repeating pattern is considered to be non-blank. If all sectors read by the TD3 have repeating patterns (though not necessarily the same repeating pattern), the TD3 concludes the drive may be blank.
However, I still cannot say whether in my case it simply means the drive was empty and was only partially written…

Posted : 11/09/2013 2:07 am
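The two things the thread keeps separating are (a) 0xE5 as the first byte of a 32-byte directory entry, which is the ordinary "deleted" marker, and (b) whole free clusters made of nothing but 0xE5, which the Tableau blank check would simply class as a repeating-pattern sector. The script below is an added example, not code from the thread or from Tableau: it constructs a tiny FAT16 volume in memory (geometry, file names and the 0xE5/0x00 fills are all hypothetical), walks the FAT to find unallocated clusters, profiles what byte each free cluster is filled with, and separately lists root-directory entries whose first byte is 0xE5. The "blank" rule is approximated as "every byte of the cluster is the same value"; the manual's wording ("repeating pattern") is slightly broader.

```python
"""Profile free-space fill bytes on a FAT16 image and list 0xE5-marked
directory entries. Added example; the volume is constructed in memory."""
import struct
from collections import Counter

SECTOR = 512


def parse_boot(img):
    """Read the BPB fields needed to locate the FAT, root directory and data area."""
    bps, spc, reserved, nfats, root_entries, total16 = struct.unpack_from("<HBHBHH", img, 11)
    spf = struct.unpack_from("<H", img, 22)[0]
    total32 = struct.unpack_from("<I", img, 32)[0]
    total = total16 or total32
    root_sectors = (root_entries * 32 + bps - 1) // bps
    fat_start = reserved
    root_start = fat_start + nfats * spf
    data_start = root_start + root_sectors
    return dict(bps=bps, spc=spc, fat_start=fat_start, root_start=root_start,
                root_entries=root_entries, data_start=data_start,
                clusters=(total - data_start) // spc)


def sector_fill(buf):
    """Fill byte if buf is one repeating byte (single-byte 'blank' rule), else None."""
    return buf[0] if buf.count(buf[0]) == len(buf) else None


def cluster_bytes(img, geo, n):
    """Raw bytes of data cluster n (FAT cluster numbering starts at 2)."""
    off = (geo["data_start"] + (n - 2) * geo["spc"]) * geo["bps"]
    return img[off:off + geo["spc"] * geo["bps"]]


def free_clusters(img, geo):
    """Cluster numbers whose 16-bit FAT entry is 0, i.e. unallocated."""
    fat_off = geo["fat_start"] * geo["bps"]
    return [n for n in range(2, geo["clusters"] + 2)
            if struct.unpack_from("<H", img, fat_off + 2 * n)[0] == 0]


def free_space_profile(img, geo):
    """Histogram of free-cluster fill: 'E5', '00', 'FF', ... or 'data' (non-repeating)."""
    prof = Counter()
    for n in free_clusters(img, geo):
        fill = sector_fill(cluster_bytes(img, geo, n))
        prof["data" if fill is None else "%02X" % fill] += 1
    return prof


def deleted_root_entries(img, geo):
    """Root entries whose first name byte is 0xE5 (the deleted marker); 0x00 ends the list."""
    off = geo["root_start"] * geo["bps"]
    out = []
    for i in range(geo["root_entries"]):
        e = img[off + 32 * i:off + 32 * i + 32]
        if e[0] == 0x00:
            break
        if e[0] == 0xE5:  # first name character is lost under the marker
            out.append(("?" + e[1:8].decode("ascii", "replace").rstrip(),
                        e[8:11].decode("ascii", "replace").rstrip()))
    return out


def dir_entry(name11, first_cluster, size, attr=0x20):
    """Build a 32-byte 8.3 directory entry (hypothetical helper for the demo volume)."""
    e = bytearray(32)
    e[0:11] = name11
    e[11] = attr
    struct.pack_into("<H", e, 26, first_cluster)
    struct.pack_into("<I", e, 28, size)
    return bytes(e)


def build_image():
    """Constructed 64-sector volume: boot, 1 FAT sector, 16-entry root dir,
    61 one-sector clusters. Clusters 2-3 allocated; free clusters mostly 0xE5."""
    img = bytearray(64 * SECTOR)
    img[0:3] = b"\xEB\x3C\x90"
    img[3:11] = b"MSWIN4.1"
    struct.pack_into("<HBHBHH", img, 11, SECTOR, 1, 1, 1, 16, 64)
    img[21] = 0xF8                      # media descriptor
    struct.pack_into("<H", img, 22, 1)  # sectors per FAT
    img[510:512] = b"\x55\xAA"
    # FAT: media/reserved entries, then clusters 2 and 3 as end-of-chain.
    struct.pack_into("<HHHH", img, 1 * SECTOR, 0xFFF8, 0xFFFF, 0xFFFF, 0xFFFF)
    root = 2 * SECTOR
    img[root:root + 32] = dir_entry(b"FILE1   TXT", 2, 5)
    img[root + 32:root + 64] = b"\xE5" + dir_entry(b"DELETED TXT", 3, 5)[1:]
    img[3 * SECTOR:3 * SECTOR + 5] = b"hello"   # cluster 2, live file
    img[4 * SECTOR:4 * SECTOR + 5] = b"gone!"   # cluster 3, deleted but intact
    for n in range(4, 61):                      # 57 free clusters filled with 0xE5
        off = (3 + n - 2) * SECTOR
        img[off:off + SECTOR] = b"\xE5" * SECTOR
    off = (3 + 61 - 2) * SECTOR                 # cluster 61: leftover non-repeating bytes
    img[off:off + SECTOR] = bytes(range(256)) * 2
    return bytes(img)                           # cluster 62 stays 0x00


if __name__ == "__main__":
    img = build_image()
    geo = parse_boot(img)
    print("free clusters by fill byte:", dict(free_space_profile(img, geo)))
    print("0xE5-marked root entries:", deleted_root_entries(img, geo))
```

On a real image, replace `build_image()` with the bytes of a partition carved out at its start sector; a free-space profile that is almost entirely one value, as in the thread, is the first thing to put in the report, and the directory-entry listing shows that the ordinary deleted-file marker is a different observation from the fill pattern.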
jaclaz
(@jaclaz)
Community Legend

However, I still cannot say whether in my case it simply means the drive was empty and was only partially written…

Well, actually it's worse than that 😯 , usually "brand new" disks are filled with zeroes (and not E5 and not FF) and no one seems to remember a "common" tool that uses not 00's.

jaclaz

Posted : 11/09/2013 2:17 am
fraudit
(@fraudit)
Member

Yep… Well, I just may write in my report about free space with no details, but it somehow bothers me…

Posted : 11/09/2013 2:20 am
keydet89
(@keydet89)
Community Legend

Yep… Well, I just may write in my report about free space with no details, but it somehow bothers me…

Wow.

Posted : 11/09/2013 5:04 pm
fraudit
(@fraudit)
Member

Wow.

Any help still appreciated.

I've gone through some papers about disk wipers looking whether there's one that produces E5h as output but found none. I even re-imaged the original disk to make sure no trouble was caused by my media (even though it had been wiped before, as usual), but E5s are still there. IT guys from the customer do not know a thing about it…

Posted : 11/09/2013 5:12 pm