
Windows "program files" and "administrator" folder missing!

(@yunus)
Topic starter  

Hello everyone,

I am examining a hard drive removed from a computer. It has Windows XP Professional installed and two partitions. I wanted to check the Program Files folder and saw something interesting: the "program files" folder is missing. There is no Program Files folder anywhere on the hard drive.

Secondly, I noticed that the "administrator" folder, which should be in "Documents and Settings", is missing too. There are only the following folders:

- allusers
- default user
- allusers.windows
- defaultuser.windows

So I got the impression that the user tried to reinstall Windows without formatting the hard drive, and the installation was interrupted somewhere and not completed, which is why the program files and administrator folders are missing.

Do you agree or do you think something else might have caused this?

Regards,


   
Quote
keydet89
(@keydet89)

Do you have anything else to support your theory?

For example, have you done any file carving? Have you parsed the SAM hive, as well as the ProfileList key in the Software hive? What profiles _should_ exist?

Could the absence of the two artifacts that you mention be the result of something else? For example, could they have been deleted?

I would suggest that the absence of the two folders does not, by itself, necessarily support the theory that the user tried to reinstall the OS and failed. Before progressing to those conclusions, I'd attempt to find out why those two folders are not there, by creating a timeline of system activity.


   
ReplyQuote
ntexaminer
(@ntexaminer)

My advice would be to look into the SAM hive, as Harlan mentioned. You should also check out the SAM hives from Restore Points to see if you can find a time when the user account(s) you're interested in existed on the machine. In my opinion, RegRipper would be the easiest way to do this, specifically using RipXP.


   
ReplyQuote
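The Restore Point check ntexaminer suggests, as an added example that is not part of the thread and is not RegRipper or RipXP: XP keeps copies of the hives under System Volume Information\_restore{GUID}\RP<n>\snapshot, named _REGISTRY_MACHINE_SAM, _REGISTRY_MACHINE_SOFTWARE and so on, plus one _REGISTRY_USER_NTUSER_<SID> per profile that existed when the point was taken. The script below walks that layout on a mounted volume and reports, per restore point, which hives and which SIDs were captured, so you can see in which snapshots an account's profile still existed before parsing any of them. The restore GUID, SID and RP numbers are constructed for the sample tree; nothing here comes from the examiner's image.

```python
"""Enumerate registry hive copies inside Windows XP System Restore points.

Added example, not from the thread and not RegRipper/RipXP: walks the
System Volume Information\_restore{GUID}\RP<n>\snapshot folders of a mounted
XP volume and reports, per restore point, which machine hives and which
per-SID NTUSER hives were captured.  That tells the examiner in which
snapshots an account's profile still existed before any hive is parsed.
"""
import os
import re
import tempfile
import time

RP_DIR = re.compile(r"^RP(\d+)$")
MACHINE_HIVE = re.compile(r"^_REGISTRY_MACHINE_(SAM|SECURITY|SOFTWARE|SYSTEM)$")
USER_HIVE = re.compile(r"^_REGISTRY_USER_NTUSER_(S-1-5-[0-9-]+)$")


def find_restore_point_hives(volume_root):
    """Return [(rp_number, snapshot_dir, mtime, machine_hives, sids)] sorted by RP number.

    RP folders are sorted numerically (RP9 before RP10); a plain directory
    listing gets that order wrong.  The snapshot folder's mtime stands in for
    the point's creation time here; on a real image also read each RP's
    rp.log and cross-check against the file system timeline.
    """
    svi = os.path.join(volume_root, "System Volume Information")
    results = []
    if not os.path.isdir(svi):
        return results
    for entry in os.listdir(svi):
        if not entry.startswith("_restore{"):
            continue
        restore = os.path.join(svi, entry)
        for rp in os.listdir(restore):
            m = RP_DIR.match(rp)
            snap = os.path.join(restore, rp, "snapshot")
            if not m or not os.path.isdir(snap):
                continue
            machine, sids = [], []
            for name in os.listdir(snap):
                mh, uh = MACHINE_HIVE.match(name), USER_HIVE.match(name)
                if mh:
                    machine.append(mh.group(1))
                elif uh:
                    sids.append(uh.group(1))
            results.append((int(m.group(1)), snap, os.path.getmtime(snap),
                            sorted(machine), sorted(sids)))
    return sorted(results)


def snapshots_with_sid(volume_root, sid):
    """Restore point numbers whose snapshot holds an NTUSER copy for `sid`."""
    return [rp for rp, _, _, _, sids in find_restore_point_hives(volume_root) if sid in sids]


def build_sample_volume():
    """Create a constructed XP-style layout in a temp dir (no real data)."""
    root = tempfile.mkdtemp(prefix="xpvol_")
    restore = os.path.join(root, "System Volume Information",
                           "_restore{00000000-0000-0000-0000-000000000000}")
    admin = "S-1-5-21-1000000000-2000000000-3000000000-500"   # constructed SID
    layout = {   # rp number -> hive copies present in that snapshot
        2: ["_REGISTRY_MACHINE_SAM", "_REGISTRY_MACHINE_SOFTWARE", "_REGISTRY_USER_NTUSER_" + admin],
        10: ["_REGISTRY_MACHINE_SAM", "_REGISTRY_MACHINE_SOFTWARE", "_REGISTRY_USER_NTUSER_" + admin],
        11: ["_REGISTRY_MACHINE_SAM", "_REGISTRY_MACHINE_SOFTWARE"],   # profile no longer captured
    }
    base = time.time() - 30 * 86400
    for rp, files in layout.items():
        snap = os.path.join(restore, f"RP{rp}", "snapshot")
        os.makedirs(snap)
        for name in files:
            open(os.path.join(snap, name), "wb").close()
        os.utime(snap, (base + rp * 86400, base + rp * 86400))  # fake creation time
    return root, admin


if __name__ == "__main__":
    root, admin = build_sample_volume()
    for rp, snap, mtime, machine, sids in find_restore_point_hives(root):
        when = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(mtime))
        print(f"RP{rp:<4} {when}  machine={','.join(machine)}  ntuser={','.join(sids) or '-'}")
    print("Snapshots holding the constructed admin SID:", snapshots_with_sid(root, admin))
```

Once the list shows the last RP in which a SID's NTUSER copy was captured, that snapshot's _REGISTRY_MACHINE_SAM is the one to parse (with RipXP or any hive parser) to confirm the account existed at that point, and the gap between that RP and the next one brackets when the profile disappeared.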
(@mscotgrove)

Have you checked for deleted files etc.?

With data carving you can see if you find any files that you expect to be in Program Files.

Scan all MFTs to see if there are any expected files there.

I.e. try data recovery techniques first. It could just be a few failed sectors corrupting the directory structure, or maybe deliberate deletion.


   
ReplyQuote
(@yunus)
Topic starter  

Other findings that support my theory are as follows:

1. Under "Documents and Settings", I have the following file.

- allusers
- default user
- allusers.windows
- defaultuser.windows

As you can see, normally the "allusers.windows" and "defaultuser.windows" folder names do not exist. We should have "allusers", not "allusers.windows". Based on my research, the suffix ".windows" at the end of "allusers" and "defaultuser" is created when Windows is reinstalled without formatting the previous drive and the newly installed Windows tries to keep the previous All Users and Default User content.

2. Normally, you cannot delete "program files" in regular ways, as Windows won't let you, saying that it is a system folder. And I checked the deleted folders also.

3. I parsed the SAM and Software hives. There is no "administrator" account in the profile_list key, nor the "guest" account. The accounts are as follows:
- Alluserprofile - Allusers.WINDOWS
- Defaultuserprofile - Defaultuser.WINDOWS

4. I tried to boot the suspect drive via Virtual Forensic Computing and it did not boot and gave an error message.

5. I parsed the related registry hives and some keys related to the usage of Windows do not exist. For instance, there is no "last shutdown time" or "last user logged in". These might indicate that no account has logged in and used it. The owner and organization name, which must be entered during installation, show "value not set" in the registry.

6. And the CD key is shown as BBBBB-BBBBB-BBBBB-BBBBB, which is definitely wrong. And if you don't enter a proper key during installation, you can't complete the Windows installation.

7. The time zone and product ID in the registry are shown as "not available". If the Windows installation had completed properly, this info should already exist.

So all these indications give me the impression that a Windows installation without formatting was interrupted.


   
ReplyQuote
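The reconciliation keydet89 asks for in his first reply ("what profiles _should_ exist?") and that the post above reports by hand, as an added example that is not from the thread or from RegRipper: a Python script that parses a regedit-style .reg export of the XP ProfileList key (SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList) and compares the profile folders it expects with a listing of Documents and Settings. Regedit writes REG_SZ values as quoted strings and REG_EXPAND_SZ values such as ProfilesDirectory and ProfileImagePath as hex(2): UTF-16LE byte lists wrapped with a trailing backslash, so the parser handles both. The export text, the SID and the folder listing are constructed to mirror the situation described in the thread, not taken from the examiner's image.

```python
"""Reconcile ProfileList (SOFTWARE hive) against folders under Documents and Settings.

Added example: parses a regedit-style .reg export of the XP ProfileList key and
reports which profile folders the registry expects, which of them are absent
on disk, and which folders on disk no current ProfileList entry points at.
"""
import re

PROFILELIST = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"

# Constructed sample export (not from the thread's image).  regedit writes
# REG_SZ as a quoted string and REG_EXPAND_SZ as hex(2): UTF-16LE bytes,
# wrapping long byte lists with a trailing backslash.  The SID is made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList]
"ProfilesDirectory"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,44,00,72,00,\
  69,00,76,00,65,00,25,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,00,\
  73,00,20,00,61,00,6e,00,64,00,20,00,53,00,65,00,74,00,74,00,69,00,6e,00,67,00,\
  73,00,00,00
"AllUsersProfile"="All Users.WINDOWS"
"DefaultUserProfile"="Default User.WINDOWS"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18]
"ProfileImagePath"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,\
  6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  63,00,6f,00,6e,00,66,00,69,00,67,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,\
  70,00,72,00,6f,00,66,00,69,00,6c,00,65,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1000000000-2000000000-3000000000-500]
"ProfileImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,44,00,72,00,\
  69,00,76,00,65,00,25,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,00,\
  73,00,20,00,61,00,6e,00,64,00,20,00,53,00,65,00,74,00,74,00,69,00,6e,00,67,00,\
  73,00,5c,00,41,00,64,00,6d,00,69,00,6e,00,69,00,73,00,74,00,72,00,61,00,74,00,\
  6f,00,72,00,00,00
'''

# Constructed directory listing of Documents and Settings, mirroring the thread.
SAMPLE_FOLDERS = ["All Users", "Default User", "All Users.WINDOWS", "Default User.WINDOWS"]


def _logical_lines(text):
    """Undo regedit's trailing-backslash line wrapping."""
    out = []
    for line in text.splitlines():
        if out and out[-1].endswith("\\"):
            out[-1] = out[-1][:-1] + line.strip()
        else:
            out.append(line.rstrip())
    return out


def _decode(raw):
    """Decode one regedit value literal: quoted REG_SZ, or hex(1)/hex(2) UTF-16LE."""
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])          # \\ -> \ and \" -> "
    m = re.match(r"hex\((\d+)\):(.*)", raw)
    if m and m.group(1) in ("1", "2"):                     # REG_SZ / REG_EXPAND_SZ as bytes
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        return data.decode("utf-16-le").rstrip("\0")
    return raw                                              # other types left as text


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} for a .reg export (default values skipped)."""
    keys, current = {}, None
    for line in _logical_lines(text):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)', line)
        if current is not None and m:
            keys[current][re.sub(r"\\(.)", r"\1", m.group(1))] = _decode(m.group(2))
    return keys


def reconcile(reg_text, folders_on_disk):
    """Expected / missing / orphan profile folders, compared case-insensitively (NTFS)."""
    keys = parse_reg_export(reg_text)
    root = keys.get(PROFILELIST, {})
    base = root.get("ProfilesDirectory", "").lower() + "\\"
    expected = {}   # folder name -> registry entry that expects it
    for value in ("AllUsersProfile", "DefaultUserProfile"):
        if value in root:
            expected[root[value]] = value
    for key, values in keys.items():
        if key.startswith(PROFILELIST + "\\"):
            path = values.get("ProfileImagePath", "")
            # Only profiles homed under ProfilesDirectory map to a folder there;
            # S-1-5-18 lives under %systemroot%\system32\config and is skipped.
            if path.lower().startswith(base):
                expected[path.rsplit("\\", 1)[1]] = key.rsplit("\\", 1)[1]
    present = {name.lower() for name in folders_on_disk}
    wanted = {name.lower() for name in expected}
    missing = {name: src for name, src in expected.items() if name.lower() not in present}
    orphans = sorted(name for name in folders_on_disk if name.lower() not in wanted)
    return {"expected": expected, "missing": missing, "orphans": orphans}


if __name__ == "__main__":
    report = reconcile(SAMPLE_REG, SAMPLE_FOLDERS)
    for name, src in report["expected"].items():
        state = "MISSING" if name in report["missing"] else "present"
        print(f"{state:8} {name!r:24} expected by {src}")
    for name in report["orphans"]:
        print(f"orphan   {name!r:24} no current ProfileList entry points here")
```

A folder in "missing" is one the current SOFTWARE hive still expects but the file system no longer has, which is where carving and MFT scanning for its contents come in; a folder in "orphans" is present on disk but referenced by no current ProfileList entry, which is what the .WINDOWS-suffixed pair leaves behind. If the hive is parsed directly (RegRipper's profilelist plugin, or a hive library) rather than exported, only parse_reg_export needs swapping out.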
keydet89
(@keydet89)

> Other findings that support my theory are as follows:
>
> 1. Under "Documents and Settings", I have the following file.

Hhhhmmm…interesting. You should have folders, not files.

> - allusers
> - default user
> - allusers.windows
> - defaultuser.windows
>
> As you can see, normally the "allusers.windows" and "defaultuser.windows" folder names do not exist. We should have "allusers", not "allusers.windows". Based on my research, the suffix ".windows" at the end of "allusers" and "defaultuser" is created when Windows is reinstalled without formatting the previous drive and the newly installed Windows tries to keep the previous All Users and Default User content.

Yes, that's correct…I've seen this, as well.

> 2. Normally, you cannot delete "program files" in regular ways, as Windows won't let you, saying that it is a system folder. And I checked the deleted folders also.

???

> 3. I parsed the SAM and Software hives. There is no "administrator" account in the profile_list key, nor the "guest" account. The accounts are as follows:
> - Alluserprofile - Allusers.WINDOWS
> - Defaultuserprofile - Defaultuser.WINDOWS

The key within the Software hive that you were interested in was "ProfileList". The fact that you found a "profile_list" key is odd, because that key does not normally exist in the context of what we're addressing.

What did you find in the SAM hive?

> 4. I tried to boot the suspect drive via Virtual Forensic Computing and it did not boot and gave an error message.

What was the error message?

Also, have you tried LiveView?

> 5. I parsed the related registry hives and some keys related to the usage of Windows do not exist. For instance, there is no "last shutdown time" or "last user logged in". These might indicate that no account has logged in and used it.

The names you mention are most often associated with Registry values…I mention this only because if you're looking for keys with these names, you are not likely to find them. Also, it depends on where you're looking.

In retrospect, I know that this makes me sound like some kind of "spelling n@zi", but the fact is that if you're looking for a key or folder, when you should be looking for a value or file (with the Registry or file system, respectively), the tools and search parameters you use can return very different results.

> The owner and organization name, which must be entered during installation, show "value not set" in the registry.

This is not unusual…none of the systems I have have these values set.

> 6. And the CD key is shown as BBBBB-BBBBB-BBBBB-BBBBB, which is definitely wrong. And if you don't enter a proper key during installation, you can't complete the Windows installation.

Where did you find this data?

> 7. The time zone and product ID in the registry are shown as "not available". If the Windows installation had completed properly, this info should already exist.

Perhaps…but it's also not as if Windows runs through setting up the values without data during installation. One might think that it would be more likely that you would have a partially completed Registry, rather than having these particular keys and values, with no data.

> So all these indications give me the impression that a Windows installation without formatting was interrupted.

Well, I'm not disagreeing with you, but I will ask, have you created a timeline? This would help you view events in some sort of context.

HTH


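The timeline keydet89 asks for twice in this thread, as an added example that is not part of the thread and is not Harlan Carvey's own timeline tooling: the point of a timeline here is to put the two absent folders next to everything else that has a timestamp, so the script below normalises three sources to Unix epoch seconds and merges them. File system entries come from a TSK 3.x bodyfile (fls -m output: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime), registry key LastWrite times come as 64-bit FILETIME values, and Restore Point creation times come as epoch seconds; the output is the five-field time|source|host|user|description layout. The host name, bodyfile lines, FILETIME value and RP entry are constructed for the example, not taken from the examiner's image.

```python
"""Merge file-system and registry timestamps into one TLN-style timeline.

Added example, not from the thread: normalises constructed records from three
sources to Unix epoch seconds and emits time|source|host|user|description
lines so that events from different artifacts can be read in one order.
"""
from datetime import datetime, timezone

EPOCH_DIFF = 11644473600          # seconds between 1601-01-01 and 1970-01-01


def filetime_to_epoch(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01) -> Unix epoch seconds."""
    return ft // 10_000_000 - EPOCH_DIFF


def bodyfile_events(text, host):
    """Expand TSK 3.x bodyfile lines into (epoch, 'FILE', host, '', 'MACB name') events.

    A file yields one event per distinct timestamp; the tag shows which of
    M(odified) A(ccessed) C(hanged) B(orn) apply to that time, '.' elsewhere,
    the same convention mactime uses.
    """
    events = []
    for line in text.strip().splitlines():
        f = line.split("|")
        if len(f) != 11:                       # not a bodyfile 3.x record
            continue
        name = f[1]
        stamps = dict(zip("amcb", (int(x) for x in f[7:11])))
        for t in sorted(set(stamps.values())):
            tag = "".join(k.upper() if stamps[k] == t else "." for k in "macb")
            events.append((t, "FILE", host, "", f"{tag} {name}"))
    return events


def registry_events(key_times, host):
    """(key path, LastWrite FILETIME) pairs -> REG events."""
    return [(filetime_to_epoch(ft), "REG", host, "", f"LastWrite {key}") for key, ft in key_times]


def restore_point_events(points, host):
    """(RP number, epoch seconds) pairs -> RP events."""
    return [(t, "RP", host, "", f"RP{n} snapshot created") for n, t in points]


def build_timeline(*event_lists):
    """Merge all sources and sort on (time, source, host, user, description)."""
    return sorted(e for lst in event_lists for e in lst)


def tln_lines(events):
    """Five-field TLN output: time|source|host|user|description."""
    return [f"{t}|{src}|{host}|{user}|{desc}" for t, src, host, user, desc in events]


def human_lines(events):
    """Same events with the epoch rendered as UTC for reading."""
    return [f"{datetime.fromtimestamp(t, timezone.utc):%Y-%m-%d %H:%M:%S}Z {src:4} {desc}"
            for t, src, _, _, desc in events]


# Constructed sample input (not from the thread's image).
HOST = "XPBOX"
SAMPLE_BODYFILE = """\
0|C:/Documents and Settings/All Users|1234|d/drwxrwxrwx|0|0|0|1263556800|1263556800|1263556800|1230768000
0|C:/Documents and Settings/All Users.WINDOWS|2345|d/drwxrwxrwx|0|0|0|1263556800|1263556800|1263556800|1263556800
0|C:/WINDOWS/system32/config/software|3456|r/rrwxrwxrwx|0|0|8912896|1263557100|1263557100|1263557100|1263556900
"""
# ProfileList LastWrite as a FILETIME: 2010-01-15 12:00:00 UTC
SAMPLE_REG = [(r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList", 129080304000000000)]
SAMPLE_RP = [(1, 1230768000 + 3600)]     # RP1 one hour after the older All Users folder was born


def sample_timeline():
    return build_timeline(bodyfile_events(SAMPLE_BODYFILE, HOST),
                          registry_events(SAMPLE_REG, HOST),
                          restore_point_events(SAMPLE_RP, HOST))


if __name__ == "__main__":
    for line in human_lines(sample_timeline()):
        print(line)
```

Reading the merged output top to bottom is what puts the missing folders in context: a profile folder born at the same second the SOFTWARE hive's ProfileList key was last written tells a different story from one born months earlier, and deleted entries that fls reports appear in the name field and sort alongside everything else. Adding more sources (event log records, Restore Point rp.log times, setupapi.log) is a matter of writing one more small converter that returns the same five-tuple.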