I am still expanding my knowledge in FAT32 and going about editing the files as suggested by JimC, but I am having difficulties… so I may need a bit more guidance if possible. I am trying to test this on my own to see what possibilities could have been used to hide the files.
Yep, but you need to provide some data.
How big (EXACTLY, in BYTES) is the actual device?
How big (EXACTLY, in BYTES) is the actual volume you can access?
How many bytes are listed in a DIR command as used?
How many bytes are listed as available in a DIR command?
Then check the VBR using a disk editor/viewer.
How many FATs? 2 or 1?
How large are they (it)?
How many sectors are reserved?
Which extents (offset+size) are used by the contents of the "Documents" hidden folder (i.e. are they all at the end of the volume, or past its end as defined in the VBR, or "here and there"?)
Which filesystem tools are you familiar with?
For most of the checks above you can use DMDE
https://dmde.com/
or *any* disk editor you may be more familiar with that has a template for a FAT32 VBR.
jaclaz
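An added example (mine, not part of jaclaz's post or of DMDE) of pulling the VBR figures listed above out of a boot sector and comparing them with the device size and with the extents of a folder. The boot sector, device size and extents are constructed sample values, not data from the case, and the function names are my own.

```python
import struct

BPB_FMT = "<HBHBHHBHHHII"          # BPB fields at offsets 11..35 of the boot sector
BPB32_FMT = "<IHHIHH12sBBBI11s8s"  # FAT32-specific fields at offsets 36..89


def build_sample_vbr(total_sectors=1_000_000, fat_sectors=1024, reserved=32,
                     num_fats=2, sectors_per_cluster=8):
    """Construct a plausible FAT32 boot sector for the demo (constructed data,
    not taken from any real device)."""
    vbr = bytearray(512)
    vbr[0:3] = b"\xEB\x58\x90"
    vbr[3:11] = b"MSWIN4.1"
    struct.pack_into(BPB_FMT, vbr, 11, 512, sectors_per_cluster, reserved,
                     num_fats, 0, 0, 0xF8, 0, 63, 255, 2048, total_sectors)
    struct.pack_into(BPB32_FMT, vbr, 36, fat_sectors, 0, 0, 2, 1, 6, b"\0" * 12,
                     0x80, 0, 0x29, 0x12345678, b"NO NAME    ", b"FAT32   ")
    vbr[510:512] = b"\x55\xAA"
    return bytes(vbr)


def parse_fat32_vbr(sector):
    """Decode the BPB fields an examiner compares against DIR and the device size."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xAA":
        raise ValueError("no 0x55AA boot signature: not a boot sector")
    (bps, spc, reserved, nfats, _root_ent, tot16, _media, fatsz16,
     _spt, _heads, hidden, tot32) = struct.unpack_from(BPB_FMT, sector, 11)
    (fatsz32, extflags, _fsver, root_clus, _fsinfo, _bkboot, _res, _drv, _r1,
     _bootsig, _volid, label, fstype) = struct.unpack_from(BPB32_FMT, sector, 36)
    total = tot32 or tot16
    fatsz = fatsz32 or fatsz16
    data_start = reserved + nfats * fatsz          # first sector of the data area
    cluster_count = (total - data_start) // spc
    return {
        "bytes_per_sector": bps, "sectors_per_cluster": spc,
        "reserved_sectors": reserved, "num_fats": nfats, "fat_sectors": fatsz,
        "hidden_sectors": hidden, "total_sectors": total,
        "data_start_sector": data_start, "cluster_count": cluster_count,
        "root_cluster": root_clus,
        "fat_mirroring_off": bool(extflags & 0x80), "active_fat": extflags & 0x0F,
        "label": label.decode("ascii", "replace").strip(),
        "fs_type": fstype.decode("ascii", "replace").strip(),
    }


def cluster_to_offset(info, cluster):
    """Byte offset of a data cluster, relative to the start of the volume."""
    sectors = info["data_start_sector"] + (cluster - 2) * info["sectors_per_cluster"]
    return sectors * info["bytes_per_sector"]


def audit_vbr(info, device_bytes, extents=()):
    """Compare the VBR with the physical device size and with a list of
    (first_cluster, cluster_length) extents; return human-readable findings."""
    findings = []
    volume_bytes = info["total_sectors"] * info["bytes_per_sector"]
    if info["num_fats"] != 2:
        findings.append(f"unusual FAT count {info['num_fats']}")
    if info["fat_mirroring_off"]:
        findings.append(f"FAT mirroring disabled, only FAT {info['active_fat']} is live")
    if info["cluster_count"] < 65525:
        findings.append("cluster count below the FAT32 minimum of 65525")
    if volume_bytes < device_bytes:
        findings.append(f"{device_bytes - volume_bytes} bytes of device past VBR-defined volume end")
    elif volume_bytes > device_bytes:
        findings.append("VBR claims more sectors than the device has")
    last_valid = info["cluster_count"] + 1            # clusters are numbered from 2
    for first, length in extents:
        if first < 2 or first + length - 1 > last_valid:
            findings.append(f"extent {first}+{length} lies outside clusters 2..{last_valid}")
    return findings


if __name__ == "__main__":
    info = parse_fat32_vbr(build_sample_vbr())
    for key, value in info.items():
        print(f"{key:>20}: {value}")
    # Constructed device size of 1,100,000 sectors, i.e. larger than the volume,
    # plus one extent inside and one extent beyond the data area.
    for finding in audit_vbr(info, 1_100_000 * 512, extents=[(5000, 16), (130_000, 4)]):
        print("finding:", finding)
```

On a real image, read the 512 bytes at the partition's starting offset instead of calling build_sample_vbr(), and take the device size from the imaging log; the extents come from the FAT chain of the folder in question, which this script does not walk.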
Hello Everyone.
I am working a CP case in which the suspect used a method (still unidentified) to hide hundreds of folders
Do you have any evidence or information about the technical skills of the suspect? Is he working in IT or is he a lawyer, as an example? How likely is it to find an advanced hiding technique from someone who is not technically skilled?
Perhaps the solution is really attrib +H $foldername or any similar trick out of the '90s?
I always ask for details about the profession and technical skills to see how deep to go with my investigation. Last year I had a suspect working as a Windows Server admin and so he really did a good job in cleaning all evidence… but not good enough, he has a new job now 😉
regards,
Robin
I don't want to teach anyone to suck eggs.
A simple answer may be that the folders have been tagged as "Hidden" on a previous Windows machine.
The examination computer's folder options are set not to show hidden files and folders.
Therefore Windows File Explorer will not show the folders or their contents as hidden, but FTK will show them.
The OP stated that they had checked for normal hidden files:
I checked to see if the user set the folders to be hidden (as a Windows protected file or hidden folder) and this was not the case.
This is something else. Maybe a mangled FAT directory entry or an orphaned directory. If the OP is familiar with the FAT file system or can post a sanitised screenshot of the relevant FAT directory entries it should become clear.
Jim
Sorry, just re-read the OP's post.
I speed-read it initially.
My apologies.
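As an added example (mine, not Jim's or Robin's code), this is how the FAT directory entries Jim refers to can be decoded and screened in one pass: it reports the plain attrib +H case Robin mentioned, deleted entries, and entries whose first cluster is 0 or lies outside the data area, which is what a mangled or orphaned entry usually looks like in the hex. The directory bytes and the cluster count are constructed sample values, not from the case.

```python
import struct

DIRENT_FMT = "<11sBBBHHHHHHHI"    # one 32-byte short-name directory entry
ATTR_NAMES = {0x01: "READ_ONLY", 0x02: "HIDDEN", 0x04: "SYSTEM",
              0x08: "VOLUME_ID", 0x10: "DIRECTORY", 0x20: "ARCHIVE"}
ATTR_LFN = 0x0F                   # long-file-name fragment (all four low bits set)
ATTR_HIDDEN, ATTR_SYSTEM, ATTR_DIRECTORY = 0x02, 0x04, 0x10


def make_entry(name, ext, attr, first_cluster, size, deleted=False):
    """Build one short-name entry (constructed sample data, timestamps zeroed)."""
    raw = name.ljust(8)[:8].encode("ascii") + ext.ljust(3)[:3].encode("ascii")
    if deleted:
        raw = b"\xE5" + raw[1:]   # FAT marks a free/deleted slot with 0xE5
    return struct.pack(DIRENT_FMT, raw, attr, 0, 0, 0, 0, 0,
                       first_cluster >> 16, 0, 0, first_cluster & 0xFFFF, size)


def sample_directory():
    """A constructed directory cluster containing one of each anomaly."""
    return b"".join([
        make_entry("DOCUME~1", "", ATTR_DIRECTORY | ATTR_HIDDEN | ATTR_SYSTEM, 5000, 0),
        make_entry("A", "", ATTR_LFN, 0, 0),                 # long-name fragment
        make_entry("PHOTO", "JPG", 0x20, 5100, 123456),      # ordinary file
        make_entry("OLD", "TXT", 0x20, 5200, 2048, deleted=True),
        make_entry("WEIRD", "BIN", 0x20, 9_000_000, 4096),   # cluster past data area
        make_entry("BADDIR", "", ATTR_DIRECTORY, 0, 0),      # directory at cluster 0
    ]) + b"\0" * 32                                          # end-of-directory marker


def parse_directory(raw, cluster_count):
    """Walk the short entries of a directory; stop at the first all-zero entry."""
    entries = []
    for off in range(0, len(raw) - len(raw) % 32, 32):
        chunk = raw[off:off + 32]
        if chunk[0] == 0x00:
            break
        (raw_name, attr, _nt, _tenth, _ct, _cd, _ad, hi,
         _wt, _wd, lo, size) = struct.unpack(DIRENT_FMT, chunk)
        if attr == ATTR_LFN:
            continue              # LFN pieces carry no cluster or size of their own
        deleted = raw_name[0] == 0xE5
        base = raw_name[:8].decode("ascii", "replace").rstrip()
        ext = raw_name[8:].decode("ascii", "replace").rstrip()
        first_cluster = (hi << 16) | lo
        is_dir = bool(attr & ATTR_DIRECTORY)
        findings = []
        if deleted:
            findings.append("deleted (first byte 0xE5)")
        if attr & ATTR_HIDDEN:
            findings.append("HIDDEN attribute set")
        if is_dir and size != 0:
            findings.append("directory with non-zero size")
        if is_dir and first_cluster == 0 and not deleted:
            findings.append("directory entry pointing at cluster 0")
        if first_cluster and not 2 <= first_cluster <= cluster_count + 1:
            findings.append(f"first cluster {first_cluster} outside data area")
        entries.append({
            "offset": off,
            "name": f"{base}.{ext}" if ext else base,
            "attrs": [n for bit, n in ATTR_NAMES.items() if attr & bit],
            "first_cluster": first_cluster, "size": size, "findings": findings,
        })
    return entries


def suspicious(entries):
    """Only the entries that tripped at least one check."""
    return [e for e in entries if e["findings"]]


if __name__ == "__main__":
    # cluster_count would normally come from the VBR of the same volume.
    for e in parse_directory(sample_directory(), cluster_count=124_740):
        print(f"{e['offset']:>4} {e['name']:<14} clus={e['first_cluster']:<8} "
              f"{','.join(e['attrs']):<24} {'; '.join(e['findings'])}")
```

Feed it the raw bytes of the root directory cluster (or of the cluster chain of any folder) and the cluster count from the VBR; the hex the OP mentioned posting is exactly what this decodes.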
Hello Everyone,
A few more details….
The suspect, while no longer working in the Computer Science field, used to be a programmer in the 90's. So there is a potential that he was familiar with FAT32 and used his knowledge to hide these files. *As a side note… I am attempting to obtain a forensic image from a 128GB thumb drive for this same case… and I am running into issues also… it could be coincidence… or that every piece of evidence seized will be a challenge and not your regular "I save everything into cataloged folders on my desktop" type of case…
To answer the question about the FTK error… I will be reaching out to AD to confirm. When I navigate to the Documents folder, I get the error, but the directory is still displayed. I can still see the data contained within, which includes CP. However, I cannot say whether that is all the data, or not.
Also… to answer a previous question, I see FAT1 and FAT2 among the tables. Along with VBR.
I will review all of these suggestions in more detail and see what else I can come up with.
Maybe I'll be able to post some of the HEX I see on the root and VBR in the upcoming days.
Thanks Again.
FWIW, I had a similar error with FTK. Mine simply stated "Block index out of bounds".
This was a Micro SD card, formatted FAT32, found in a ZTE cell phone. The phone was not reading the card except to ID it as a Toshiba brand card that needed to be 'set up' to be used. When connected (via write blocker, of course) to Windows, Windows wouldn't even try and only wanted to format the card.
Initially I considered this to be a corruption issue with the card, but FTK and EnCase both saw two partitions, one named android_meta and the other android_expand.
Android_meta was only 16Mb and contained a semi-readable folder structure and several files, all of which were deleted/overwritten and some of which had a logical size far exceeding the 16Mb capacity of that partition.
Android_expand was 3.6GB and appeared encrypted/corrupted.
From what research I did it appears that this card is setup to be 'adopted storage' from another phone before being moved to the ZTE phone.
But I digress enough. It's not too huge a deal for my case so I kinda dismissed the FTK error as having something to do with the card being encrypted or the way in which 'adopted storage' works. But in reading this thread I thought I'd mention it in case my 'off topic' story jogged a thought with someone.
[…] No. The folder structure screams Windows to me but I could be wrong. […]
The above statement makes me wonder if you examined the partition structure?
It's quite common to have a partition that Windows can't handle so it ignores it.