Hello ppl. I am a sysadmin at the company I work for (the you-are-the-admin-you-can-do-that-and-even-more type).
One of our users seems to have erased/wiped his PC. DBAN comes to mind as he mentioned it in a previous discussion. But I can't tell for sure (and I don't care to find the tool he used).
The HDD is completely wiped. No OS or any other data can be found.
Is there any way to find out exactly when he erased it??
Thank you very much for your time.
1. Ask him.
2. Assuming a Windows domain or AD architecture, go back and determine the last time he logged in…he would have likely wiped the drive at some point after that.
3. Depending on how the drive was wiped, image it, and see if you can reconstruct the MFT, and for the NTUSER.DAT hive, follow the data runs and reconstruct the file. Then reassemble the file and parse the UserAssist key contents.
Just to avoid possible misunderstandings, this
The hdd is completely wiped.
means
EACH and EVERY single sector accessible on the disk drive is made of 512 digital 0's, or hex 00.
No OS or any other data can be found.
This is NOT the same thing as the above.
In other words, if the first happened, the second is a consequence of the first; if the second is what you experience (but NOT the first), it is NOT *necessarily* a "wiped" disk drive.
jaclaz
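One way to check jaclaz's strict definition of "completely wiped" (every 512-byte sector reads as 0x00) against a raw image rather than eyeballing a hex editor. This is an added example, not code from anyone in this thread; it assumes a dd-style raw image path, and the sample image at the bottom is constructed.

```python
"""Verify that a raw disk image is entirely zero-filled.

Reports the first non-zero sector and how many sectors hold any
non-zero byte, so the "all 00" claim is backed by a number instead of
a glance at a hex editor.  Added example; SECTOR/CHUNK sizes are
assumptions, and the sample image below is constructed.
"""
import io
from typing import BinaryIO

SECTOR = 512            # classic sector size, as in the post above
CHUNK = SECTOR * 2048   # 1 MiB per read; must be a multiple of SECTOR


def scan_for_nonzero(stream: BinaryIO, sector_size: int = SECTOR) -> dict:
    """Scan a binary stream and summarise which sectors are not 0x00."""
    offset = 0
    first_nonzero = None
    nonzero_sectors = 0
    while True:
        data = stream.read(CHUNK)
        if not data:
            break
        # Fast path: every byte in this chunk is 0x00, skip the per-sector loop.
        if data.count(0) != len(data):
            for start in range(0, len(data), sector_size):
                if any(data[start:start + sector_size]):   # any non-zero byte
                    nonzero_sectors += 1
                    if first_nonzero is None:
                        first_nonzero = (offset + start) // sector_size
        offset += len(data)
    total_sectors = -(-offset // sector_size)   # ceiling: count a trailing partial sector
    return {
        "total_sectors": total_sectors,
        "nonzero_sectors": nonzero_sectors,
        "first_nonzero_sector": first_nonzero,
        "fully_zeroed": nonzero_sectors == 0,
    }


def scan_bytes(data: bytes) -> dict:
    """Convenience wrapper for an in-memory image (used by the sample below)."""
    return scan_for_nonzero(io.BytesIO(data))


def scan_image(path: str) -> dict:
    """Scan a raw image file (or a block device opened read-only)."""
    with open(path, "rb") as fh:
        return scan_for_nonzero(fh)


# Constructed sample: 4 zero sectors, one sector with a single residual byte, 3 zero sectors.
SAMPLE_IMAGE = bytes(4 * SECTOR) + bytes(100) + b"\xEB" + bytes(SECTOR - 101) + bytes(3 * SECTOR)

if __name__ == "__main__":
    print(scan_bytes(SAMPLE_IMAGE))
```

A result with `fully_zeroed` true across the whole device is the condition under which the "no, you cannot reconstruct the MFT" answer later in the thread holds; any non-zero sector is a reason to image and carve before concluding anything.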
First of all, thank you for your replies.
@jaclaz You are correct. I checked it with a hex editor and that seems to be the case (I am talking about the zeros).
@keydet89 Can I still reconstruct the MFT after that?
The guy seems to have done another thing to a second laptop. I might open a 2nd post if needed.
Thank you very much, guys, for your replies and for your help!!
If the whole drive has been wiped you are going to have difficulty finding out that information from that machine. As Harlan says, you should be able to determine the last time the user logged in if you have set the right auditing options.
The only thing with that is that you then only have a timeframe in which the hard drive could have been wiped: from the last time he logged in to the time the computer was found wiped.
That is about as much as you can do at that point unless he's willing to cooperate.
There may be data recovery specialists that say they can recover the data from the drive but don't fall into the trap. A lot of smart people have done a lot of research into finding data from wiped drives and the general consensus is that it can't be done and, even if it can be done, the tiny amount of data recovered will likely mean very little and have no context.
Is there any way to find out exactly when he erased it??
You may want to investigate the BIOS in the computer. Some have some rudimentary logging (not always enabled, though), which may help restrict the possible time frames in which it could have happened.
Similarly, there may be DHCP or network logs somewhere in the network that might help, or logs from local file servers.
@keydet89 Can I still reconstruct the MFT after that?
If the drive is all zeros, and this has been verified, then the answer would clearly be "no".
The guy seems to have done another thing to a second laptop. I might open a 2nd post if needed.
Awesome! I love it when a guy does another thing to a laptop!!
As to the 'when' of the first system, I'd agree that you'd have to seek other sources of data. However, if the drive was wiped and all bytes were replaced with zeros, then at that point, does the "when" really matter?
if the drive was wiped and all bytes were replaced with zeros, then at that point, does the "when" really matter?
If you're looking at a spoliation issue, then it absolutely does matter.
Destroy data before an incident giving rise to litigation and in compliance with data retention (destruction) policies and you're generally fine. Do it after litigation or the potential for it has been identified and notified and welcome to sanctions.
(Insert IANAL, not legal advice disclaimer here.)
I agree from a technical viewpoint that you're not going to get anything useful from the drive to answer that for you if it is in fact all zeros, but depending on the environment there may be outside indicators as other posters have indicated.
If you're looking at a spoliation issue, then it absolutely does matter.
You're quite right, Patrick…*IF*. There's no indication that this is the case here.
"Labmice" is, as stated, a sysadmin. You're bringing up legal issues…though valid, labmice has given no indication of any such issues at this point. No legal representative, nor corporate counsel was mentioned.
I'm not saying that legal issues aren't valid…quite the opposite. What I am saying is that in this instance, and in this thread, there's been no indication of any legal issues at all.
What I'm trying to understand here is if the user logs in, and there is some indication of that activity, or activity that occurs afterward (ie, web surfing, checking email, etc.) and then at some point the drive is wiped, from the perspective of what labmice has stated in the posts so far, does it matter that the drive was wiped at 43232pm, or does "…sometime between lunch and COB on Tues" suffice?
Not really what you would like to hear, but the ONLY actual reliable data you will get from that 00'ed hard disk is that it was UNDOUBTEDLY wiped (whichever comes last):
- NOT before 00:00:00 UTC on 1 January 1601
- NOT before the manufacturing date on the label of the hard disk
Which leaves you anyway with a rather large timeframe.....
jaclaz
Just for the record, the 1601 date comes from the "most ancient" recordable date (AFAIK it's the NTFS one):
- 00:00:00 UTC on 1 January 1970 (Unix)
- 00:00:00 UTC on 1 January 1980 (DOS/FAT)
- 00:00:00 UTC on 1 January 1601 (NTFS)