#1 (KA1oxd)
Forensic information requested.
Does anyone here have the following two pieces of information that I am looking for?

The first piece is dealing with the more in-depth shutdown process and exactly when the registry gets closed during that process, and the second piece is dealing with information in depth about the sectors and clusters used. I was told that the physical sector 96 displays the hex character 07 when the system is not properly shut down. I would like to know if that is true and what was terminated before that is written to the disk.

I am working on a case where I believe the soon-to-be ex-wife had planted information that would hurt him, and the police may have lost some very valuable information as they seized the computer. Can anyone help?
#2 (Bill Blanton)
"KA1oxd" wrote in message ...
Does anyone here have the following two pieces of information that I am looking for? The first piece is dealing with the more in-depth shutdown process and exactly when the registry gets closed during that process, and the second piece is dealing with information in depth about the sectors and clusters used. I was told that the physical sector 96 displays the hex character 07 when the system is not properly shut down. I would like to know if that is true and what was terminated before that is written to the disk.

That's not true about "sector 96", and I don't really understand the other question.

Microsoft Extensible Firmware Initiative FAT32 File System Specification (fatgen103.doc)
http://www.microsoft.com/hwdev/downl.../FATGEN103.doc

quote
What are the two reserved clusters at the start of the FAT for?

The first reserved cluster, FAT[0], contains the BPB_Media byte value in its low 8 bits, and all other bits are set to 1. For example, if the BPB_Media value is 0xF8, for FAT12 FAT[0] = 0x0FF8, for FAT16 FAT[0] = 0xFFF8, and for FAT32 FAT[0] = 0x0FFFFFF8.

The second reserved cluster, FAT[1], is set by FORMAT to the EOC mark. On FAT12 volumes, it is not used and simply always contains an EOC mark. For FAT16 and FAT32, the file system driver may use the high two bits of the FAT[1] entry for dirty volume flags (all other bits are always left set to 1). Note that the bit location is different for FAT16 and FAT32, because they are the high 2 bits of the entry.

For FAT16: ClnShutBitMask = 0x8000; HrdErrBitMask = 0x4000;
For FAT32: ClnShutBitMask = 0x08000000; HrdErrBitMask = 0x04000000;

Bit ClnShutBitMask - If bit is 1, volume is "clean". If bit is 0, volume is "dirty". This indicates that the file system driver did not Dismount the volume properly the last time it had the volume mounted. It would be a good idea to run a Chkdsk/Scandisk disk repair utility on it, because it may be damaged.

Bit HrdErrBitMask - If this bit is 1, no disk read/write errors were encountered. If this bit is 0, the file system driver encountered a disk I/O error on the Volume the last time it was mounted, which is an indicator that some sectors may have gone bad on the volume. It would be a good idea to run a Chkdsk/Scandisk disk repair utility that does surface analysis on it to look for new bad sectors.
/quote
#3 (KA1oxd)
Thanks for that information, it is a big help, but for the other question maybe I have to detail what was found first.

According to the police seizure notes, they came to the house with the permission of the wife. The computer was on, in a screen saver, and a couple of applications were running. They only stated one of the applications was Internet Explorer. The time stamp of the system.dat and user.dat was about 5 minutes after they arrived on the screen. The State Police Lab states that the physical sector 96 displays the hex character "07", which reports the computer was not shut down properly.

I used to know this and have the documents for it, but I thought the hard disk is not written to show that the system was shut down properly until other parts of the OS subsystems have been terminated. I believe that just before the OS shuts down the disk subsystem, it writes that information to the drive, terminates the disk subsystem, then terminates the win32 program as the last phase. What I am looking for is what is terminated, in sequence, until the computer shuts down. Does anyone have that information?

From what I read in the police report, it sounds like they shut down the computer, not pulled the plug. They also did not go after any information that was in volatile memory. The copy of the police report that I have does not state any firewall devices, NAT or any other protection, but when they responded to my first report, they stated that this stuff was seized. I think they screwed up and now are protecting their butts.
#4
This is Windows 9x, right?

That does have a ring of truth to it. Absolute sector 95 is the most likely place for the first FAT of the first volume on a FAT32 drive. That's counting from 0, so you could say the 96th sector. 07h is the likely value for the byte in question when the ClnShutBitMask is cleared (see below ref). Supposedly, Windows sets this bit when it loads and then clears it when it shuts down properly. Most likely one of its last acts.

On the registry, it is *probably* written after you click whatever shutdown option.

There are data forensic services, if you don't trust the police's expert.

FAT32 first 2 reserved cluster entries:
Typical: F8 FF FF 0F - FF FF FF 0F (00001111b)
HrdErrBitMask cleared: F8 FF FF 0F - FF FF FF 0B (00001011b)
ClnShutBitMask cleared: F8 FF FF 0F - FF FF FF 07 (00000111b)
HrdErrBitMask & ClnShutBitMask cleared: F8 FF FF 0F - FF FF FF 03 (00000011b)
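The following is an added example, not code from anyone in this thread. It turns the two things discussed above into a check a forensic examiner can run on a disk image: it locates the first FAT from a constructed MBR partition entry plus BPB_RsvdSecCnt (assuming the classic layout of a first partition at LBA 63 with 32 reserved sectors, which lands the FAT at absolute sector 95, i.e. the 96th sector counting from 1), then decodes FAT[0]/FAT[1] with the ClnShutBitMask/HrdErrBitMask values from the spec quoted in post #2, reproducing the 0F/0B/07/03 table from post #4. The MBR, boot sector and FAT headers are all constructed in the code; the FAT16 decoder is included as the obvious generalization for the 16-bit entry layout the spec also describes.

```python
"""Locate a FAT32 volume's first FAT and decode its "dirty volume" flags.

Added example with constructed data; nothing here is read from a real drive.
Assumed layout: first partition at LBA 63, BPB_RsvdSecCnt = 32.
"""
import struct

# Bit masks exactly as given in the Microsoft FAT32 specification (fatgen103).
FAT32_CLN_SHUT_BIT_MASK = 0x08000000
FAT32_HRD_ERR_BIT_MASK = 0x04000000
FAT16_CLN_SHUT_BIT_MASK = 0x8000
FAT16_HRD_ERR_BIT_MASK = 0x4000


def first_fat_lba(mbr: bytes, boot_sector: bytes, partition_index: int = 0) -> int:
    """Absolute LBA of the first FAT of a primary partition.

    The MBR partition table starts at offset 446; each 16-byte entry holds the
    partition's starting LBA as a little-endian uint32 at entry offset 8.
    BPB_RsvdSecCnt (boot sector offset 14, uint16) counts the reserved sectors
    that precede the first FAT, measured from the partition start.
    """
    entry_off = 446 + 16 * partition_index
    part_start_lba = struct.unpack_from("<I", mbr, entry_off + 8)[0]
    reserved_sectors = struct.unpack_from("<H", boot_sector, 14)[0]
    return part_start_lba + reserved_sectors


def decode_fat32_reserved_entries(fat_start: bytes) -> dict:
    """Interpret FAT[0] and FAT[1], the first 8 bytes of a FAT32 FAT."""
    fat0, fat1 = struct.unpack_from("<II", fat_start, 0)
    return {
        "media": fat0 & 0xFF,  # BPB_Media echoed in the low byte of FAT[0]
        "clean_shutdown": bool(fat1 & FAT32_CLN_SHUT_BIT_MASK),
        "no_hard_errors": bool(fat1 & FAT32_HRD_ERR_BIT_MASK),
        # Byte 7 of the FAT: the 0F/0B/07/03 value a sector dump shows.
        "fat1_high_byte": fat_start[7],
    }


def decode_fat16_reserved_entries(fat_start: bytes) -> dict:
    """Same for FAT16: 16-bit entries, flags in bits 15 and 14 of FAT[1]."""
    fat0, fat1 = struct.unpack_from("<HH", fat_start, 0)
    return {
        "media": fat0 & 0xFF,
        "clean_shutdown": bool(fat1 & FAT16_CLN_SHUT_BIT_MASK),
        "no_hard_errors": bool(fat1 & FAT16_HRD_ERR_BIT_MASK),
        "fat1_high_byte": fat_start[3],
    }


def build_sample_disk():
    """Constructed MBR and FAT32 boot sector; only the fields used above are filled."""
    mbr = bytearray(512)
    # Partition entry 0: active, type 0x0C (FAT32 LBA), start LBA 63, 2,000,000 sectors.
    struct.pack_into("<B3sB3sII", mbr, 446,
                     0x80, b"\x01\x01\x00", 0x0C, b"\xfe\xff\xff", 63, 2_000_000)
    mbr[510:512] = b"\x55\xaa"
    boot = bytearray(512)
    struct.pack_into("<H", boot, 11, 512)  # BPB_BytsPerSec
    struct.pack_into("<H", boot, 14, 32)   # BPB_RsvdSecCnt
    boot[16] = 2                           # BPB_NumFATs
    boot[21] = 0xF8                        # BPB_Media (fixed disk)
    boot[510:512] = b"\x55\xaa"
    return bytes(mbr), bytes(boot)


# Constructed FAT headers matching the four patterns listed in post #4.
SAMPLE_FAT_HEADERS = {
    "typical":                      bytes.fromhex("F8FFFF0F FFFFFF0F"),
    "HrdErrBitMask cleared":        bytes.fromhex("F8FFFF0F FFFFFF0B"),
    "ClnShutBitMask cleared":       bytes.fromhex("F8FFFF0F FFFFFF07"),
    "both cleared":                 bytes.fromhex("F8FFFF0F FFFFFF03"),
}


def describe(fat_start: bytes) -> str:
    """One-line verdict in the spec's own terms, for a report or a log."""
    r = decode_fat32_reserved_entries(fat_start)
    state = "clean" if r["clean_shutdown"] else "dirty (not dismounted properly)"
    errs = "no I/O errors" if r["no_hard_errors"] else "I/O error recorded"
    return f"FAT[1] high byte {r['fat1_high_byte']:02X}h: volume {state}, {errs}"


if __name__ == "__main__":
    mbr, boot = build_sample_disk()
    lba = first_fat_lba(mbr, boot)
    print(f"first FAT at absolute sector {lba} (0-based), i.e. sector {lba + 1} counting from 1")
    for label, hdr in SAMPLE_FAT_HEADERS.items():
        print(f"{label:24s} {hdr.hex(' ').upper()}  ->  {describe(hdr)}")
```

On a real image the same decoders apply to the 8 bytes at byte offset `first_fat_lba(...) * 512`; read the second FAT copy as well (BPB_NumFATs copies, BPB_FATSz32 sectors apart), because the two copies can disagree after an abrupt stop. Note also what the flag does and does not say: per the quoted spec it records only that the volume was not dismounted properly the last time it was mounted, not when that happened or what was running at the time.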
#5
"KA1oxd" wrote in message ...
.. but I thought the hard disk is not written to show that the system was shut down properly until other parts of the OS subsystems have been terminated. I believe that just before the OS shuts down the disk subsystem, it writes that information to the drive, terminates the disk subsystem, then terminates the win32 program as the last phase.

Probably generally correct. Of course, you can't write the "dirty/clean" flags without disk access. And you can't terminate Windows fully until the disk access is complete.