Hi,
I am investigating an issue where somebody has formatted a Hard Disk and then securely erased the free space.
I only have access to free tools so I am using Autopsy/TSK for my analysis.
I am trying to determine which OS formatted the disk.
Autopsy reports the disk as:
OEM Type: NTFS
Version: Windows XP
From some experimenting, I have confirmed Autopsy can identify the difference between a Win2K and WinXP formatted disk, but not WinXP and Win7 formatted disk. Windows 7 formatted disks are listed as Windows XP.
So my question, does anybody know of a method to identify if a Disk has been formatted by WinXP, Vista, or Win7?
Thanks
I am not sure I understand.
The MBR code is the same in 2K and in XP/2003
The Vista one is different.
The 7 one is different.
Of course, if only a "format" took place, the MBR won't give you any meaningful info.
http//
The bootsector code is AFAICR the same for 2K and XP/2003 and invokes NTLDR (with a minor exception of an early release of 2K, changed in SP2 or 3).
The bootsector code of Vista and 7 is the same and invokes BOOTMGR.
Some useful reference:
http//
It is relatively easy to verify BOTH the MBR and the bootsector.
The code used is inside a handful of "system files":
http//
In Windows Vista and 7, look also in the bootsect.exe tool.
The NTFS version used is another thing:
http//
The NTFS used in Windows 2000 is v3.0, whilst the one used in XP and later is v3.1.
Probably the tools you used only look at this part and can only distinguish between 2K vs. "XP and all later".
If the disk was also partitioned, partition alignment may give you a further hint:
http//
Please also take note how the effect of the FORMAT command has been dramatically changed in Windows Vista and 7:
http//
http//
http//
It is possible that if Vista or 7 was used a "normal" FORMAT (without /Q) command was issued and this action alone securely erased freespace, without the use of any other "dedicated" program.
jaclaz
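The bootsector check jaclaz describes, as an added example that is not code from the thread: it reads the NTFS VBR (first 512 bytes of the partition), validates the 0x55AA signature, pulls the OEM ID and BPB fields, and classifies the boot code by which loader it names (NTLDR for 2000/XP/2003, BOOTMGR for Vista/7). The two VBRs below are constructed samples with only the checked fields filled in, not dumps of real disks; the NTFS version (3.0 vs 3.1) lives in $Volume, not in the VBR, so it is deliberately not read here.

```python
import struct

BOOT_SIGNATURE = b"\x55\xAA"
OEM_ID_NTFS = b"NTFS    "
BOOT_CODE_START = 0x54  # NTFS boot code begins right after the extended BPB


def build_sample_vbr(loader_messages: bytes) -> bytes:
    """Constructed 512-byte NTFS VBR: real field layout, zero-padded boot code."""
    vbr = bytearray(512)
    vbr[0:3] = b"\xEB\x52\x90"            # JMP to boot code, as NTFS VBRs start
    vbr[3:11] = OEM_ID_NTFS               # OEM ID at offset 0x03
    struct.pack_into("<HB", vbr, 0x0B, 512, 8)       # bytes/sector, sectors/cluster
    struct.pack_into("<QQ", vbr, 0x28, 2097152, 786432)  # total sectors, $MFT LCN
    vbr[0x180:0x180 + len(loader_messages)] = loader_messages  # where the error strings sit
    vbr[510:512] = BOOT_SIGNATURE
    return bytes(vbr)


def classify_vbr(vbr: bytes) -> dict:
    """Identify the loader family that wrote this NTFS boot sector."""
    if len(vbr) < 512 or vbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("not a boot sector: missing 0x55AA signature")
    oem_id = vbr[3:11]
    if oem_id != OEM_ID_NTFS:
        raise ValueError(f"not an NTFS VBR, OEM ID is {oem_id!r}")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", vbr, 0x0B)
    total_sectors, mft_lcn = struct.unpack_from("<QQ", vbr, 0x28)
    code = vbr[BOOT_CODE_START:510]
    # Vista and 7 share the same boot code, so the VBR alone cannot separate them.
    if b"BOOTMGR" in code:
        family = "Vista/7 (BOOTMGR)"
    elif b"NTLDR" in code:
        family = "2000/XP/2003 (NTLDR)"
    else:
        family = "unknown loader"
    return {
        "oem_id": oem_id.decode("ascii"),
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "total_sectors": total_sectors,
        "mft_lcn": mft_lcn,
        "loader_family": family,
    }


# Constructed samples carrying the loader error strings each family embeds.
SAMPLE_XP_VBR = build_sample_vbr(b"NTLDR is missing\x00NTLDR is compressed\x00")
SAMPLE_WIN7_VBR = build_sample_vbr(b"BOOTMGR is missing\x00BOOTMGR is compressed\x00")
```

On a real image, pass the 512 bytes at the partition's start sector (e.g. `dd`/`mmls` offset) to `classify_vbr`; the MBR check jaclaz also mentions is a separate comparison of sector 0 of the whole disk.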