FAT32 odd file allocation - Storage



Thread: FAT32 odd file allocation

  1. FAT32 odd file allocation

    I am investigating a 250GB FAT32 disk which has had many files deleted
    - the suspicion is that the deleting was malicious. The disk is in good
    working condition, with no errors.

    On the disk is about 25GB of data and this is at the start of the
    disk. The middle 85%(approx) of the disk is untouched, and all
    sectors are blank, (filled with zeros). What is odd is there is data
    from a deleted directory in the final 2GB of the disk. All the files
    are from a single deleted subdirectory, or 'System volume
    information'. The system volume information is not deleted.

    Has anyone seen this rather odd allocation before, and is there any
    reason for it?

    There are many deleted files on the first part of the hard drive - as
    one would expect.

    Michael
    www.cnwrecovery.com

  2. Re: FAT32 odd file allocation

    Previously mscotgrove@aol.com wrote:
    > I am investigating a 250GB FAT32 disk which has had many files deleted
    > - the suspicion is that the deleting was malicious. The disk is in good
    > working condition, with no errors.


    > On the disk is about 25GB of data and this is at the start of the
    > disk. The middle 85%(approx) of the disk is untouched, and all
    > sectors are blank, (filled with zeros). What is odd is there is data
    > from a deleted directory in the final 2GB of the disk. All the files
    > are from a single deleted subdirectory, or 'System volume
    > information'. The system volume information is not deleted.


    > Has anyone seen this rather odd allocation before, and is there any
    > reason for it?


    > There are many deleted files on the first part of the hard drive - as
    > one would expect.


    > Michael
    > www.cnwrecovery.com


    Is the disk filesystem structure intact? If so, maybe somebody just
    wiped the empty space by writing several large files containing only
    zeros...

    Arno

  3. Re: FAT32 odd file allocation

    On Jan 9, 11:12 am, Arno Wagner wrote:
    > Previously mscotgr...@aol.com wrote:
    > > I am investigating a 250GB FAT32 disk which has had many files deleted
    > > - the suspicion is that the deleting was malicious. The disk is in good
    > > working condition, with no errors.
    > > On the disk is about 25GB of data and this is at the start of the
    > > disk. The middle 85%(approx) of the disk is untouched, and all
    > > sectors are blank, (filled with zeros). What is odd is there is data
    > > from a deleted directory in the final 2GB of the disk. All the files
    > > are from a single deleted subdirectory, or 'System volume
    > > information'. The system volume information is not deleted.
    > > Has anyone seen this rather odd allocation before, and is there any
    > > reason for it?
    > > There are many deleted files on the first part of the hard drive - as
    > > one would expect.
    > > Michael
    > >www.cnwrecovery.com

    >
    > Is the disk filesystem structure intact? If so, maybe somebody just
    > wiped the empty space by writing several large files containing only
    > zeros...
    >
    > Arno


    Everything looks intact. The top 2GB starts data with the first
    sector of a file. Writing a large zero length file would be hard to
    stop at a valid location. I would also like to think that I would
    find the 200GB deleted file full of zeros - well it would have to be
    50 x 4GB files being FAT32, and even more chance to find them.

    Michael

  4. Re: FAT32 odd file allocation

    Previously mscotgrove@aol.com wrote:
    > On Jan 9, 11:12 am, Arno Wagner wrote:
    >> Previously mscotgr...@aol.com wrote:
    >> > I am investigating a 250GB FAT32 disk which has had many files deleted
    >> > - the suspicion is that the deleting was malicious. The disk is in good
    >> > working condition, with no errors.
    >> > On the disk is about 25GB of data and this is at the start of the
    >> > disk. The middle 85%(approx) of the disk is untouched, and all
    >> > sectors are blank, (filled with zeros). What is odd is there is data
    >> > from a deleted directory in the final 2GB of the disk. All the files
    >> > are from a single deleted subdirectory, or 'System volume
    >> > information'. The system volume information is not deleted.
    >> > Has anyone seen this rather odd allocation before, and is there any
    >> > reason for it?
    >> > There are many deleted files on the first part of the hard drive - as
    >> > one would expect.
    >> > Michael
    >> >www.cnwrecovery.com

    >>
    >> Is the disk filesystem structure intact? If so, maybe somebody just
    >> wiped the empty space by writing several large files containing only
    >> zeros...
    >>
    >> Arno


    > Everything looks intact. The top 2GB starts data with the first
    > sector of a file. Writing a large zero length file would be hard to
    > stop at a valid location. I would also like to think that I would
    > find the 200GB deleted file full of zeros - well it would have to be
    > 50 x 4GB files being FAT32, and even more chance to find them.


    Not necessarily. If they were put into a subdirectory, and removed
    again, either by writing the same or a larger number of other
    files (entries are recycled) or by removing the subdirectory
    and re-creating it (should at least blank its first sector),
    you would find no trace of the zero-content files. There are also
    tools that overwrite all unallocated sectors with zeros, in
    which case there never were directory entries.

    One possibility for the deleted directory being there in the top
    is that it was actually not deleted when the overwriting
    occurred, but later on.

    The general pattern, however, is that something large was written in a
    continuous fashion (i.e. no other data written in between) and then
    removed and the free space overwritten in some fashion.

    To speculate (no need to confirm or deny anything), it looks as if
    somebody has put 200GB of the files you are looking for in one step on
    the disk, after the 25GB at the start were already there. From what I
    have seen of typical FAT allocation strategies, this would put the
    files into the configuration of empty space you see. The system volume
    info was then written to the disk later. In a second step the 200GB
    were deleted and the free space on the disk overwritten. The system
    volume information was deleted later.

    For the overwriting, I tend to suspect a free space wiper. Somebody
    writing files with zeros and then carefully removing the directory
    these files were in sounds inconsistent. Wiping the free space
    directly is far easier and requires both less competence and less
    effort. In addition, there would be no way to demonstrate conclusively
    that this is what was done. An allocation pattern consistent
    with this having happened is not enough. You would need to demonstrate
    that the OSes the disk was used with cannot generate this allocation
    pattern under other circumstances.

    Here is one scenario that could create this pattern without
    anything ever having been wiped, only deleted: 1. Put 200GB files on
    disk 2. put system vol info there, 3. delete 200GB files.
    4. Copy disk with disk imager to an empty disk 5. remove system
    volume directory. This would require a sector imager that only
    copies allocated sectors. Such applications should be available.

    Arno

  5. Re: FAT32 odd file allocation

    Arno,

    I have read your ideas with interest.

    I agree that a free space wiping program is the only consistent way to
    get all zeros sectors and leave no trace. However, I just don't see
    how one large amount of a single deleted subdirectory ends up at the
    end of the disk. If a wiping program was used, I would expect more
    gaps elsewhere on the disk.

    Also of interest, all the subdirectories for this subdirectory are
    stored in the final 2GB.

    I would suspect something odd with the drive, but all the cluster
    pointers etc tie up, and file contents match the file name.

    So far your speculations don't convince me, but I appreciate your
    thoughts.

    My experience with FAT disks is that they fill from the start, and
    that the end of a lightly used disk is always blank. The same with
    NTFS, except for the final partition check block.

    I will play more, and let you know if I have any 'brain waves'.

    Michael
    ps The customer is happy with data recovered

  6. Re: FAT32 odd file allocation

    Previously mscotgrove@aol.com wrote:

    > Arno,


    > I have read your ideas with interest.


    > I agree that a free space wiping program is the only consistent way to
    > get all zeros sectors and leave no trace. However, I just don't see
    > how one large amount of a single deleted subdirectory ends up at the
    > end of the disk. If a wiping program was used, I would expect more
    > gaps elsewhere on the disk.


    > Also of interest, all the subdirectories for this subdirectory are
    > stored in the final 2GB.


    Ok, think of it this way: The 200GB were put on disk without any gaps
    in them. A single copy operation to never before used space can do
    that.

    The directory at the end was put there afterwards and no other space
    was available on the disk at that time. The 25GB at the start may have
    been put there in a similar fashion and hence there may have been no
    gaps for the 200GB to fill (and later be wiped). I take it you
    have looked for all-zero areas in the first 25GB?

    > I would suspect something odd with the drive, but all the cluster
    > pointers etc tie up, and file contents match the file name.


    > So far your speculations don't convince me, but I appreciate your
    > thoughts.


    No problem. After all it will be your analysis, not mine. I
    can do completely risk-free brainstorming here.

    > My experience with FAT disks is that they fill from the start, and
    > that the end of a lightly used disk is always blank. The same with
    > NTFS, except for the final partition check block.


    Yes, but the disk may have been almost full when the directory was
    placed. It would then go to the very end.

    > I will play more, and let you know if I have any 'brain waves'.


    ;-)

    > Michael
    > ps The customer is happy with data recovered


    Very good.

    Arno
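    The two questions in this exchange (are there all-zero gaps inside the
    first 25GB, and does the free space at the end still hold a deleted
    directory?) are mechanical to answer from an image. Below is an added
    example, not part of the original thread or of the poster's tools, that
    walks a raw FAT32 volume image (boot sector first, no partition table),
    labels each cluster as allocated, free-and-zero or free-with-residue
    from the FAT and the cluster contents, collapses the labels into runs,
    and counts 0xE5 deleted-entry markers in the residue clusters. The sample
    image it builds is constructed in-line (a 12-sector toy with 10 clusters;
    real FAT32 volumes have at least 65525) so the script runs offline; the
    helper names and the file names in the sample are hypothetical.

```python
"""Map a FAT32 volume image into allocated / free-zero / free-residue clusters.

Added example for the thread; not the original poster's tooling. Assumes a raw
FAT32 volume image (boot sector first, no partition table) that fits in memory.
The sample image built below is a constructed toy so the script runs offline.
"""
import struct

EOC = 0x0FFFFFFF  # end-of-chain marker (any value >= 0x0FFFFFF8)

def parse_bpb(img):
    """Geometry from the BIOS Parameter Block (offsets per the FAT32 spec)."""
    if img[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    bps = struct.unpack_from("<H", img, 11)[0]        # BPB_BytsPerSec
    spc = img[13]                                     # BPB_SecPerClus
    reserved = struct.unpack_from("<H", img, 14)[0]   # BPB_RsvdSecCnt
    nfats = img[16]                                   # BPB_NumFATs
    total = struct.unpack_from("<I", img, 32)[0]      # BPB_TotSec32
    fatsz = struct.unpack_from("<I", img, 36)[0]      # BPB_FATSz32
    if struct.unpack_from("<H", img, 22)[0] or not fatsz:
        raise ValueError("not FAT32: FATSz16 must be 0 and FATSz32 non-zero")
    data_start = reserved + nfats * fatsz             # first data sector
    return dict(bps=bps, spc=spc, fat_off=reserved * bps,
                data_start=data_start, nclusters=(total - data_start) // spc)

def fat_entry(img, geo, n):
    """FAT32 entry for cluster n (first FAT); only the low 28 bits matter."""
    return struct.unpack_from("<I", img, geo["fat_off"] + 4 * n)[0] & 0x0FFFFFFF

def cluster_bytes(img, geo, n):
    """Raw contents of data cluster n (data clusters are numbered from 2)."""
    start = (geo["data_start"] + (n - 2) * geo["spc"]) * geo["bps"]
    return img[start:start + geo["spc"] * geo["bps"]]

def classify_clusters(img):
    """ALLOC (FAT entry non-zero), FREE_ZERO (free, all zero bytes: never used
    or wiped) or FREE_RESIDUE (free in the FAT but still holding data)."""
    geo = parse_bpb(img)
    labels = []
    for n in range(2, 2 + geo["nclusters"]):
        if fat_entry(img, geo, n):
            labels.append("ALLOC")
        elif any(cluster_bytes(img, geo, n)):
            labels.append("FREE_RESIDUE")
        else:
            labels.append("FREE_ZERO")
    return labels

def runs(labels, first=2):
    """Collapse labels into (label, first_cluster, last_cluster) runs: the
    start-of-disk / blank-middle / end-of-disk picture from the thread."""
    out = []
    for i, lab in enumerate(labels):
        if out and out[-1][0] == lab:
            out[-1] = (lab, out[-1][1], first + i)
        else:
            out.append((lab, first + i, first + i))
    return out

def deleted_dir_entries(img, geo, n):
    """Count 32-byte directory entries in cluster n whose first byte is 0xE5,
    the FAT 'deleted' marker; a free cluster full of them is a deleted directory."""
    data = cluster_bytes(img, geo, n)
    return sum(1 for o in range(0, len(data), 32) if data[o] == 0xE5)

def dir_entry(name, attr, first_cluster, size, deleted=False):
    """Build one 8.3 directory entry (hypothetical helper for the sample image)."""
    e = bytearray(32)
    e[0:11] = name.ljust(11).encode("ascii")
    e[11] = attr
    struct.pack_into("<H", e, 20, first_cluster >> 16)     # DIR_FstClusHI
    struct.pack_into("<H", e, 26, first_cluster & 0xFFFF)  # DIR_FstClusLO
    struct.pack_into("<I", e, 28, size)
    if deleted:
        e[0] = 0xE5
    return bytes(e)

def build_sample_image():
    """Constructed toy volume: 1 reserved + 1 FAT sector + 10 data clusters.
    Clusters 2-3 allocated, 4-8 zero, 9-10 free but holding a deleted directory
    and its file's data, 11 an allocated directory at the very end."""
    bps, spc, reserved, fatsz, ndata = 512, 1, 1, 1, 10
    total = reserved + fatsz + ndata
    img = bytearray(total * bps)
    img[0:3], img[3:11] = b"\xEB\x58\x90", b"MSWIN4.1"
    struct.pack_into("<HBH", img, 11, bps, spc, reserved)
    img[16] = 1                                        # one FAT
    struct.pack_into("<I", img, 32, total)
    struct.pack_into("<I", img, 36, fatsz)
    struct.pack_into("<I", img, 44, 2)                 # root directory cluster
    img[510:512] = b"\x55\xAA"
    for n, val in {0: 0x0FFFFFF8, 1: EOC, 2: EOC, 3: EOC, 11: EOC}.items():
        struct.pack_into("<I", img, reserved * bps + 4 * n, val)
    geo = parse_bpb(img)
    def put(n, data):
        start = (geo["data_start"] + (n - 2) * spc) * bps
        img[start:start + len(data)] = data
    put(2, dir_entry("A       TXT", 0x20, 3, 5) + dir_entry("SYSTEM~1   ", 0x16, 11, 0))
    put(3, b"hello")
    put(9, dir_entry("OLD     DOC", 0x20, 10, 12, True) + dir_entry("NOTES   TXT", 0x20, 0, 0, True))
    put(10, b"deleted file")
    put(11, dir_entry(".          ", 0x10, 11, 0) + dir_entry("..         ", 0x10, 0, 0))
    return bytes(img)

def report(img):
    """Return (runs, {residue_cluster: count of 0xE5 entries})."""
    geo = parse_bpb(img)
    labels = classify_clusters(img)
    residue = {2 + i: deleted_dir_entries(img, geo, 2 + i)
               for i, lab in enumerate(labels) if lab == "FREE_RESIDUE"}
    return runs(labels), residue

if __name__ == "__main__":
    for lab, a, b in report(build_sample_image())[0]:
        print(f"clusters {a:>3}-{b:<3} {lab}")
```

    On a real image, replace build_sample_image() with the bytes of the volume
    (or a memory-mapped file) and read the runs: a FREE_ZERO run covering the
    whole middle with no FREE_ZERO gaps inside the allocated region at the start
    is what a free-space wiper leaves behind, whereas deleted-but-unwiped files
    show up as FREE_RESIDUE runs, and a FREE_RESIDUE cluster with a high 0xE5
    count is the deleted directory itself.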

  7. Re: FAT32 odd file allocation

    mscotgrove@aol.com wrote in
    news:79e2f03f-a927-40a8-ac6e-a7709a029328@i7g2000prf.googlegroups.com
    > I am investigating a 250GB FAT32 disk which has had many files deleted
    > - the suspicion is that the deleting was malicious. The disk is in good
    > working condition, with no errors.
    >
    > On the disk is about 25GB of data and this is at the start of the
    > disk. The middle 85%(approx) of the disk is untouched, and all
    > sectors are blank, (filled with zeros). What is odd is there is data
    > from a deleted directory in the final 2GB of the disk. All the files
    > are from a single deleted subdirectory, or 'System volume
    > information'. The system volume information is not deleted.
    >
    > Has anyone seen this rather odd allocation before, and is there any
    > reason for it?
    >
    > There are many deleted files on the first part of the hard drive - as
    > one would expect.
    >
    > Michael
    > www.cnwrecovery.com


    If I were *speculating*, I would say someone did an earlier
    recovery attempt of some sort.
    I find the name of that subdirectory particularly suspicious.
    Or that a partition resize operation was underway, or a defrag.

    Or any operation that involves saving important data in a free or
    secluded space while a potentially risky operation is underway.


  8. Re: FAT32 odd file allocation

    mscotgrove@aol.com wrote in
    news:7b48a1cc-ac63-4528-a9c6-99e03a9825a4@j78g2000hsd.googlegroups.com
    > Arno,
    >
    > I have read your ideas with interest.
    >
    > I agree that a free space wiping program is the only consistent way to
    > get all zeros sectors and leave no trace. However, I just don't see
    > how one large amount of a single deleted subdirectory ends up at the
    > end of the disk. If a wiping program was used, I would expect more
    > gaps elsewhere on the disk.
    >
    > Also of interest, all the subdirectories, for this subdirectory are
    > stored in the final 2GB.
    >
    > I would suspect something odd with the drive, but all the cluster
    > pointers etc tie up, and file contents match the file name.
    >
    > So far your speculations don't convince me, but I appreciate your
    > thoughts.


    The babblebot is on a 24-7 posting spree again. It's the caffeine talking.
    Maybe even speed.

    >
    > My experience with FAT disks is that they fill from the start, and
    > that the end of a lightly used disk is always blank. The same with
    > NTFS, except for the final partition check block.
    >
    > I will play more, and let you know if I have any 'brain waves'.
    >
    > Michael
    > ps The customer is happy with data recovered


  9. Re: FAT32 odd file allocation

    Arno Wagner wrote in news:5ujqu2F1ig3chU1@mid.individual.net
    > Previously mscotgrove@aol.com wrote:
    > > On Jan 9, 11:12 am, Arno Wagner wrote:
    > > > Previously mscotgr...@aol.com wrote:
    > > > > I am investigating a 250GB FAT32 disk which has had many files deleted
    > > > > - the suspicion is that the deleting was malicious. The disk is in good
    > > > > working condition, with no errors.
    > > > > On the disk is about 25GB of data and this is at the start of the
    > > > > disk. The middle 85%(approx) of the disk is untouched, and all
    > > > > sectors are blank, (filled with zeros). What is odd is there is data
    > > > > from a deleted directory in the final 2GB of the disk. All the files
    > > > > are from a single deleted subdirectory, or 'System volume
    > > > > information'. The system volume information is not deleted.
    > > > > Has anyone seen this rather odd allocation before, and is there any
    > > > > reason for it?
    > > > > There are many deleted files on the first part of the hard drive - as
    > > > > one would expect.
    > > > > Michael
    > > > >
    > > >
    > > > Is the disk filesystem structure intact? If so, maybe somebody just
    > > > wiped the empty space by writing several large files containing only
    > > > zeros...
    > > >
    > > > Arno

    >
    > > Everything looks intact. The top 2GB starts data with the first
    > > sector of a file. Writing a large zero length file would be hard to
    > > stop at a valid location. I would also like to think that I would
    > > find the 200GB deleted file full of zeros - well it would have to be
    > > 50 x 4GB files being FAT32, and even more chance to find them.

    >
    > Not necessarily. If they were put into a subdirectory, and removed
    > again, either by writing the same or a larger number of other
    > files (entries are recycled) or by removing the subdirectory
    > and re-creating it (should at least blank its first sector),
    > you would find no trace of the zero-content files. There are also
    > tools that overwrite all unallocated sectors with zeros, in
    > which case there never were directory entries.
    >
    > One possibility for the deleted directory being there in the top
    > is that it was actually not deleted when the overwriting
    > occurred, but later on.
    >
    > The general pattern, however, is that something large was written in a
    > continuous fashion (i.e. no other data written in between) and then
    > removed and the free space overwritten in some fashion.
    >
    > To speculate (no need to confirm or deny anything), it looks as if
    > somebody has put 200GB of the files you are looking for in one step on
    > the disk, after the 25GB at the start were already there. From what I
    > have seen of typical FAT allocation strategies, this would put the
    > files into the configuration of empty space you see. The system volume
    > info was then written to the disk later. In a second step the 200GB
    > were deleted and the free space on the disk overwritten. The system
    > volume information was deleted later.
    >
    > For the overwriting, I tend to suspect a free space wiper. Somebody
    > writing files with zeros and then carefully removing the directory
    > these files were in sounds inconsistent.


    > Wiping the free space directly is far easier and requires both less
    > competence and less effort.


    Bwahahah.

