Win98banter (http://www.win98banter.com/index.php)
-   Disk Drives (http://www.win98banter.com/forumdisplay.php?f=6)
-   -   Forensic information requested. (http://www.win98banter.com/showthread.php?t=34731)

KA1oxd February 26th 06 01:18 AM

Forensic information requested.
 
Does anyone here have the following two pieces of information that I am
looking for? The first piece is dealing with the more in-depth shutdown
process and exactly when the registry gets closed during that process,
and the second piece is dealing with in-depth information about the sectors
and clusters use. I was told that the physical sector 96 displays the hex
character 07 when the system is not properly shut down. I would like to know
if that is true, and what was terminated before that is written to the
disk.

I am working on a case where I believe the soon-to-be ex-wife had planted
information that would hurt him, and the police may have lost some very
valuable information as they seized the computer. Can anyone help?

Bill Blanton February 26th 06 04:43 PM

Forensic information requested.
 

"KA1oxd" wrote in message ...
Does anyone here have the following two pieces of information that I am
looking for? The first piece is dealing with the more in-depth shutdown
process and exactly when the registry gets closed during that process,
and the second piece is dealing with in-depth information about the sectors
and clusters use. I was told that the physical sector 96 displays the hex
character 07 when the system is not properly shut down. I would like to know
if that is true, and what was terminated before that is written to the
disk.


That's not true about "sector 96", and I don't really understand the other
question.


Microsoft Extensible Firmware Initiative FAT32 File System Specification
(fatgen103.doc)
http://www.microsoft.com/hwdev/downl.../FATGEN103.doc


quote
What are the two reserved clusters at the start of the FAT for? The first
reserved cluster, FAT[0], contains the BPB_Media byte value in its low 8 bits,
and all other bits are set to 1. For example, if the BPB_Media value is 0xF8,
for FAT12 FAT[0] = 0x0FF8, for FAT16 FAT[0] = 0xFFF8, and for FAT32 FAT[0] =
0x0FFFFFF8. The second reserved cluster, FAT[1], is set by FORMAT to the EOC
mark. On FAT12 volumes, it is not used and is simply always contains an EOC
mark. For FAT16 and FAT32, the file system driver may use the high two bits of
the FAT[1] entry for dirty volume flags (all other bits, are always left set
to 1). Note that the bit location is different for FAT16 and FAT32, because
they are the high 2 bits of the entry.

For FAT16:
ClnShutBitMask = 0x8000;
HrdErrBitMask = 0x4000;

For FAT32:
ClnShutBitMask = 0x08000000;
HrdErrBitMask = 0x04000000;

Bit ClnShutBitMask - If bit is 1, volume is "clean".

If bit is 0, volume is "dirty". This indicates that
the file system driver did not Dismount the volume
properly the last time it had the volume mounted. It
would be a good idea to run a Chkdsk/Scandisk disk
repair utility on it, because it may be damaged.

Bit HrdErrBitMask - If this bit is 1, no disk read/write errors were encountered.

If this bit is 0, the file system driver encountered a
disk I/O error on the Volume the last time it was
mounted, which is an indicator that some sectors may
have gone bad on the volume. It would be a good idea
to run a Chkdsk/Scandisk disk repair utility that does
surface analysis on it to look for new bad sectors.

/quote





KA1oxd February 26th 06 06:01 PM

Forensic information requested.
 
Thanks for that information, it is a big help, but for the other question
maybe I have to detail what was found first. According to the police seizure
notes, they came to the house with the permission of the wife. The computer
was on, in a screen saver, and a couple of applications were running. They
only stated one of the applications was Internet Explorer. The time stamp of
the system.dat and user.dat was about 5 minutes after they arrived on the
scene. The State Police Lab states that the physical sector 96 displays the
hex character "07", which reports the computer was not shut down properly. I
used to know this and have the documents for it, but I thought the hard disk
is not written to show that the system was shut down properly until other
parts of the OS subsystems have been terminated. I believe that just before
the OS shuts down the disk subsystem, it writes that information to the
drive, terminates the disk subsystem, then terminates the Win32 program as
the last phase. What I am looking for is what is terminated, in sequence,
until the computer shuts down. Does anyone have that information? From what
I read in the police report, it sounds like they shut down the computer, not
pulled the plug. They also did not go after any information that was in
volatile memory. The copy of the police report that I have does not state
any firewall devices, NAT or any other protection, but when they responded to
my first report, they stated that this stuff was seized. I think they
screwed up and now are protecting their butts.







Bill Blanton February 26th 06 10:53 PM

Forensic information requested.
 
This is Windows 9x right?

That does have a ring of truth to it. Absolute sector 95 is the most likely
place for the first FAT of the first volume on a FAT32 drive. That's counting from
0, so you could say the 96th sector. 07h is the likely value for the byte in question
when the ClnShutBitMask is cleared. (see below ref). Supposedly, Windows
sets this bit when it loads and then clears it when it shuts down properly. Most
likely one of its last acts.

On the registry, it is *probably* written after you click whatever shutdown option.

There are data forensic services, if you don't trust the police's expert.



FAT32
First 2 reserved cluster entries

Typical-
F8 FF FF 0F - FF FF FF 0F (00001111b)

HrdErrBitMask cleared.-
F8 FF FF 0F - FF FF FF 0B (00001011b)

ClnShutBitMask cleared.-
F8 FF FF 0F - FF FF FF 07 (00000111b)

HrdErrBitMask & ClnShutBitMask cleared.-
F8 FF FF 0F - FF FF FF 03 (00000011b)











Bill Blanton February 26th 06 10:59 PM

Forensic information requested.
 
"KA1oxd" wrote in message ...
.. but I thought the hard disk
is not written to show that the system was shut down properly until other
parts of the OS sub systems have been terminated. I believe that just before
the OS shuts down the disk subsystem, it writes that information to the
drive, terminates the disk subsystem, then terminates the win32 program as
the last phase.


Probably generally correct. Of course, you can't write the "dirty/clean" flags without
disk access. And you can't terminate Windows fully until the disk access is
complete.
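The FAT[0]/FAT[1] decoding from the spec excerpt Bill Blanton quoted (04:43 PM post) and the sector-95 arithmetic and hex table from his 10:53 PM post, worked as an added example; this is not code from the original thread or from the case. It assumes a constructed disk image (not the seized drive) whose volume starts at LBA 63 with BPB_RsvdSecCnt = 32, so the first FAT lands at absolute sector 95, the 96th sector when counting from 1. The FAT bytes are constructed to match the rows of Bill's table.

```python
import struct

SECTOR = 512

# Dirty-volume flag masks as given in the fatgen103 excerpt above.
FAT16_CLN_SHUT_MASK = 0x8000
FAT16_HRD_ERR_MASK = 0x4000
FAT32_CLN_SHUT_MASK = 0x08000000
FAT32_HRD_ERR_MASK = 0x04000000


def locate_first_fat(boot_sector: bytes, partition_lba: int) -> int:
    """Absolute LBA of the first FAT: partition start plus BPB_RsvdSecCnt."""
    (bytes_per_sec,) = struct.unpack_from("<H", boot_sector, 11)  # BPB_BytsPerSec
    (rsvd_sec_cnt,) = struct.unpack_from("<H", boot_sector, 14)   # BPB_RsvdSecCnt
    if bytes_per_sec != SECTOR or rsvd_sec_cnt == 0:
        raise ValueError("unexpected BPB values: %d/%d" % (bytes_per_sec, rsvd_sec_cnt))
    return partition_lba + rsvd_sec_cnt


def decode_dirty_flags(fat_bytes: bytes, fat_type: str) -> dict:
    """Decode the two reserved entries FAT[0] and FAT[1] into the spec's flags."""
    if fat_type == "FAT32":
        fat0, fat1 = struct.unpack_from("<II", fat_bytes, 0)
        fat0 &= 0x0FFFFFFF  # top 4 bits of a FAT32 entry are reserved
        fat1 &= 0x0FFFFFFF
        cln, hrd = FAT32_CLN_SHUT_MASK, FAT32_HRD_ERR_MASK
    elif fat_type == "FAT16":
        fat0, fat1 = struct.unpack_from("<HH", fat_bytes, 0)
        cln, hrd = FAT16_CLN_SHUT_MASK, FAT16_HRD_ERR_MASK
    else:
        raise ValueError("FAT12 keeps no dirty flags in FAT[1]")
    return {
        "media": fat0 & 0xFF,              # BPB_Media byte, 0xF8 for a hard disk
        "fat1": fat1,
        "clean_shutdown": bool(fat1 & cln),  # ClnShutBitMask: 1 = clean, 0 = dirty
        "no_io_errors": bool(fat1 & hrd),    # HrdErrBitMask: 1 = no errors, 0 = I/O error seen
    }


def inspect_image(image: bytes, partition_lba: int, fat_type: str = "FAT32") -> dict:
    """Read the BPB at the partition start, find FAT #1 and decode its flags."""
    boot = image[partition_lba * SECTOR:(partition_lba + 1) * SECTOR]
    fat_lba = locate_first_fat(boot, partition_lba)
    fat = image[fat_lba * SECTOR:(fat_lba + 1) * SECTOR]
    result = decode_dirty_flags(fat, fat_type)
    result["fat_lba"] = fat_lba          # counting from 0, as LBA does
    result["fat_ordinal"] = fat_lba + 1  # "96th sector" when counting from 1
    return result


def build_sample_image(fat1_le: bytes = b"\xff\xff\xff\x07") -> bytes:
    """Constructed sample, not a real disk: volume at LBA 63, 32 reserved sectors.

    fat1_le is the little-endian FAT[1] entry; the default is the
    'ClnShutBitMask cleared' row (FF FF FF 07) from the table above.
    """
    image = bytearray(SECTOR * 100)
    boot = bytearray(SECTOR)
    struct.pack_into("<H", boot, 11, SECTOR)  # BPB_BytsPerSec
    struct.pack_into("<H", boot, 14, 32)      # BPB_RsvdSecCnt
    boot[510:512] = b"\x55\xaa"
    image[63 * SECTOR:64 * SECTOR] = boot
    fat_off = (63 + 32) * SECTOR              # absolute sector 95
    image[fat_off:fat_off + 8] = b"\xf8\xff\xff\x0f" + fat1_le  # FAT[0], FAT[1]
    return bytes(image)


if __name__ == "__main__":
    rows = [
        ("typical", b"\xff\xff\xff\x0f"),
        ("HrdErrBitMask cleared", b"\xff\xff\xff\x0b"),
        ("ClnShutBitMask cleared", b"\xff\xff\xff\x07"),
        ("both cleared", b"\xff\xff\xff\x03"),
    ]
    for label, tail in rows:
        print(label, inspect_image(build_sample_image(tail), 63))
```

The 07 byte by itself only says that ClnShutBitMask is cleared in FAT[1]; whether that sector is sector 95 at all depends on the partition offset and BPB_RsvdSecCnt, which is why the script derives the FAT location from the BPB rather than assuming it.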





