February 26th 06, 06:01 PM posted to microsoft.public.win98.disks.general
Forensic information requested.

Thanks for that information, it is a big help, but for the other question
maybe I have to detail what was found first. According to the police seizure
notes, they came to the house with the permission of the wife. The computer
was on, in a screen saver, and a couple of applications were running. They
only stated one of the applications was Internet Explorer. The time stamp of
the system.dat and user.dat was about 5 minutes after they arrived on the
screen. The State Police Lab states that the physical sector 96 displays the
hex character "07" which reports the computer was not shut down properly. I
used to know this and have the documents for it, but I thought the hard disk
is not written to show that the system was shut down properly until other
parts of the OS sub systems have been terminated. I believe that just before
the OS shuts down the disk subsystem, it writes that information to the
drive, terminates the disk subsystem, then terminates the win32 program as
the last phase. What I am looking for is what is terminated, in sequence,
until the computer shuts down. Does anyone have that information? From what
I read in the police report, it sounds like they shut down the computer, not
pulled the plug. They also did not go after any information that was in
volatile memory. The copy of the police report that I have does not state
any firewall devices, NAT or any other protection, but when they responded to
my first report, they stated that this stuff was seized. I think they
screwed up and now are protecting their butts.

"Bill Blanton" wrote:


"KA1oxd" wrote in message ...
Does anyone here have the following two pieces of information that I am
looking for? The first piece is dealing with the more in-depth shutdown
process and exactly when does the registry get closed during that process
and the second piece is dealing with information in depth about the sectors
and clusters use. I was told that the physical sector 96 displays the hex
character 07 when the system is not properly shut down. I would like to know
if that is true and what was terminated before that is written to the
disk.


That's not true about "sector 96", and I don't really understand the other
question.


Microsoft Extensible Firmware Initiative FAT32 File System Specification
(fatgen103.doc)
http://www.microsoft.com/hwdev/downl.../FATGEN103.doc


quote
What are the two reserved clusters at the start of the FAT for? The first
reserved cluster, FAT[0], contains the BPB_Media byte value in its low 8 bits,
and all other bits are set to 1. For example, if the BPB_Media value is 0xF8,
for FAT12 FAT[0] = 0x0FF8, for FAT16 FAT[0] = 0xFFF8, and for FAT32 FAT[0] =
0x0FFFFFF8. The second reserved cluster, FAT[1], is set by FORMAT to the EOC
mark. On FAT12 volumes, it is not used and simply always contains an EOC
mark. For FAT16 and FAT32, the file system driver may use the high two bits of
the FAT[1] entry for dirty volume flags (all other bits are always left set
to 1). Note that the bit location is different for FAT16 and FAT32, because
they are the high 2 bits of the entry.

For FAT16:
ClnShutBitMask = 0x8000;
HrdErrBitMask = 0x4000;

For FAT32:
ClnShutBitMask = 0x08000000;
HrdErrBitMask = 0x04000000;

Bit ClnShutBitMask - If bit is 1, volume is "clean".

If bit is 0, volume is "dirty". This indicates that
the file system driver did not Dismount the volume
properly the last time it had the volume mounted. It
would be a good idea to run a Chkdsk/Scandisk disk
repair utility on it, because it may be damaged.

Bit HrdErrBitMask - If this bit is 1, no disk read/write errors were encountered.

If this bit is 0, the file system driver encountered a
disk I/O error on the Volume the last time it was
mounted, which is an indicator that some sectors may
have gone bad on the volume. It would be a good idea
to run a Chkdsk/Scandisk disk repair utility that does
surface analysis on it to look for new bad sectors.

/quote
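The quoted specification is the actual rule an examiner would apply: the "not shut down properly" indicator on a FAT16 or FAT32 volume is the ClnShutBitMask bit in FAT[1], not a fixed "sector 96" value, and it is read by parsing the BPB to find the first FAT. The script below is an added example, not code from this thread or from Microsoft; it implements the FAT[0]/FAT[1] rules and the cluster-count FAT type determination from the specification, and checks them against two small volume images constructed in the script (boot sector plus first FAT sector). The `make_image` helper and all its BPB values are assumptions chosen to produce a FAT16 and a FAT32 volume; the script only reports what the flag says and does not decide whether a particular Windows 98 shutdown sequence set it.

```python
import struct

# Dirty-volume flag masks from the FAT specification quoted above.
FAT16_CLN_SHUT = 0x8000
FAT16_HRD_ERR = 0x4000
FAT32_CLN_SHUT = 0x08000000
FAT32_HRD_ERR = 0x04000000


def parse_bpb(boot):
    """Read the BPB fields needed to locate the FAT and to classify the volume.

    FAT type is decided by count of clusters, as the spec prescribes, never by
    the 'FAT16'/'FAT32' label string in the boot sector.
    """
    byts_per_sec, sec_per_clus, rsvd_sec_cnt = struct.unpack_from("<HBH", boot, 11)
    num_fats = boot[16]
    root_ent_cnt, tot_sec16 = struct.unpack_from("<HH", boot, 17)
    media = boot[21]
    fat_sz16 = struct.unpack_from("<H", boot, 22)[0]
    tot_sec32, fat_sz32 = struct.unpack_from("<II", boot, 32)
    fat_sz = fat_sz16 if fat_sz16 else fat_sz32
    tot_sec = tot_sec16 if tot_sec16 else tot_sec32
    root_dir_sectors = ((root_ent_cnt * 32) + (byts_per_sec - 1)) // byts_per_sec
    data_sec = tot_sec - (rsvd_sec_cnt + num_fats * fat_sz + root_dir_sectors)
    clusters = data_sec // sec_per_clus
    if clusters < 4085:
        fat_type = "FAT12"
    elif clusters < 65525:
        fat_type = "FAT16"
    else:
        fat_type = "FAT32"
    return {"type": fat_type, "media": media,
            "fat_offset": rsvd_sec_cnt * byts_per_sec}


def read_fat1_flags(image):
    """Return the clean-shutdown / hard-error flags stored in FAT[1] of the first FAT copy."""
    bpb = parse_bpb(image[:512])
    off = bpb["fat_offset"]
    if bpb["type"] == "FAT16":
        fat0, fat1 = struct.unpack_from("<HH", image, off)
        clean, no_err = FAT16_CLN_SHUT, FAT16_HRD_ERR
    elif bpb["type"] == "FAT32":
        fat0, fat1 = struct.unpack_from("<II", image, off)
        clean, no_err = FAT32_CLN_SHUT, FAT32_HRD_ERR
    else:
        # FAT12: FAT[1] carries no dirty flags, so there is nothing to report.
        return {"type": "FAT12", "clean": None, "no_hard_error": None}
    # Sanity check: FAT[0] low byte must equal BPB_Media, all other bits set.
    media_ok = (fat0 & 0xFF) == bpb["media"]
    return {"type": bpb["type"], "fat1": fat1, "media_ok": media_ok,
            "clean": bool(fat1 & clean), "no_hard_error": bool(fat1 & no_err)}


def make_image(fat32, fat1):
    """Constructed test image (assumption): boot sector, reserved area, first FAT sector."""
    boot = bytearray(512)
    boot[0:3] = b"\xEB\x3C\x90"
    boot[3:11] = b"MSWIN4.1"
    if fat32:
        # BytsPerSec, SecPerClus, RsvdSecCnt, NumFATs, RootEntCnt, TotSec16, Media, FATSz16
        struct.pack_into("<HBHBHHBH", boot, 11, 512, 8, 32, 2, 0, 0, 0xF8, 0)
        struct.pack_into("<II", boot, 32, 2000000, 1952)   # TotSec32, FATSz32
        rsvd = 32
        fat = bytearray(512)
        struct.pack_into("<II", fat, 0, 0x0FFFFFF8, fat1)
    else:
        struct.pack_into("<HBHBHHBH", boot, 11, 512, 4, 1, 2, 512, 0, 0xF8, 98)
        struct.pack_into("<I", boot, 32, 100000)           # TotSec32
        rsvd = 1
        fat = bytearray(512)
        struct.pack_into("<HH", fat, 0, 0xFFF8, fat1)
    boot[510:512] = b"\x55\xAA"
    return bytes(boot) + b"\x00" * (512 * (rsvd - 1)) + bytes(fat)


if __name__ == "__main__":
    for label, img in (("FAT16 clean", make_image(False, 0xFFFF)),
                       ("FAT16 dirty", make_image(False, 0x7FFF)),
                       ("FAT32 clean", make_image(True, 0x0FFFFFFF)),
                       ("FAT32 I/O error", make_image(True, 0x0BFFFFFF))):
        print(label, read_fat1_flags(img))
```

On a real evidence image, `read_fat1_flags` would be given the partition's first sectors (boot sector through the start of the first FAT); nothing past FAT[1] is needed. The `media_ok` field is a cheap check that the bytes being read really are the start of a FAT and not an unrelated sector.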