FAT32 odd file allocation

mscotgrove

I am investigating a 250GB FAT32 disk which has had many files deleted
- the suspicion is that the deleting was malicious. The disk is in good
working condition, with no errors.

On the disk is about 25GB of data and this is at the start of the
disk. The middle 85% (approx) of the disk is untouched, and all
sectors are blank (filled with zeros). What is odd is there is data
from a deleted directory in the final 2GB of the disk. All the files
are from a single deleted subdirectory, or 'System volume
information'. The system volume information is not deleted.

Has anyone seen this rather odd allocation before, and is there any
reason for it?

There are many deleted files on the first part of the hard drive - as
one would expect.

Michael
www.cnwrecovery.com
 
Arno Wagner

Previously [email protected] said:
> I am investigating a 250GB FAT32 disk which has had many files deleted
> - the suspicion is that the deleting was malicious. The disk is in good
> working condition, with no errors.
> On the disk is about 25GB of data and this is at the start of the
> disk. The middle 85% (approx) of the disk is untouched, and all
> sectors are blank (filled with zeros). What is odd is there is data
> from a deleted directory in the final 2GB of the disk. All the files
> are from a single deleted subdirectory, or 'System volume
> information'. The system volume information is not deleted.
> Has anyone seen this rather odd allocation before, and is there any
> reason for it?
> There are many deleted files on the first part of the hard drive - as
> one would expect.

Is the disk filesystem structure intact? If so, maybe somebody just
wiped the empty space by writing several large files containing only
zeros...

Arno
 
mscotgrove

> Is the disk filesystem structure intact? If so, maybe somebody just
> wiped the empty space by writing several large files containing only
> zeros...
>
> Arno

Everything looks intact. The top 2GB starts data with the first
sector of a file. Writing a large zero length file would be hard to
stop at a valid location. I would also like to think that I would
find the 200GB deleted file full of zeros - well it would have to be
50 x 4GB files being FAT32, and even more chance to find them.

Michael
 
Arno Wagner

> Everything looks intact. The top 2GB starts data with the first
> sector of a file. Writing a large zero length file would be hard to
> stop at a valid location. I would also like to think that I would
> find the 200GB deleted file full of zeros - well it would have to be
> 50 x 4GB files being FAT32, and even more chance to find them.

Not necessarily. If they were put into a subdirectory, and removed
again, either by writing the same or a larger number of other
files (entries are recycled) or by removing the subdirectory
and re-creating it (should at least blank its first sector),
you would find no trace of the zero-content files. There are also
tools that overwrite all unallocated sectors with zeros, in
which case there never were directory entries.

One possibility for the deleted directory being there in the top
is that it was actually not deleted when the overwriting
occurred, but later on.

The general pattern, however, is that something large was written in a
continuous fashion (i.e. no other data written in between) and then
removed and the free space overwritten in some fashion.

To speculate (no need to confirm or deny anything), it looks as if
somebody has put 200GB of the files you are looking for in one step on
the disk, after the 25GB at the start were already there. From what I
have seen of typical FAT allocation strategies, this would put the
files into the configuration of empty space you see. The system volume
info was then written to the disk later. In a second step the 200GB
were deleted and the free space on the disk overwritten. The system
volume information was deleted later.

For the overwriting, I tend to suspect a free space wiper. Somebody
writing files with zeros and then carefully removing the directory
these files were in sounds inconsistent. Wiping the free space
directly is far easier and requires both less competence and less
effort. In addition, there would be no way to demonstrate conclusively
that this is what was done. An allocation pattern consistent
with this having happened is not enough. You would need to demonstrate
that the OSes the disk was used with cannot generate this allocation
pattern under other circumstances.

Here is one scenario that could create this pattern without
anything ever having been wiped, only deleted:
1. Put 200GB files on disk
2. Put system vol info there
3. Delete 200GB files
4. Copy disk with disk imager to an empty disk
5. Remove system volume directory
This would require a sector imager that only copies allocated
sectors. Such applications should be available.

Arno
 
mscotgrove

Arno,

I have read your ideas with interest.

I agree that a free space wiping program is the only consistent way to
get all-zero sectors and leave no trace. However, I just don't see
how one large amount of a single deleted subdirectory ends up at the
end of the disk. If a wiping program was used, I would expect more
gaps elsewhere on the disk.

Also of interest, all the subdirectories for this subdirectory are
stored in the final 2GB.

I would suspect something odd with the drive, but all the cluster
pointers etc tie up, and file contents match the file name.

So far your speculations don't convince me, but I appreciate your
thoughts.

In my experience with FAT disks, they fill from the start, and
the end of a lightly used disk is always blank. The same with
NTFS, except for the final partition check block.

I will play more, and let you know if I have any 'brain waves'.

Michael
ps The customer is happy with data recovered
 
Arno Wagner

Previously [email protected] said:
> I have read your ideas with interest.
> I agree that a free space wiping program is the only consistent way to
> get all-zero sectors and leave no trace. However, I just don't see
> how one large amount of a single deleted subdirectory ends up at the
> end of the disk. If a wiping program was used, I would expect more
> gaps elsewhere on the disk.
> Also of interest, all the subdirectories for this subdirectory are
> stored in the final 2GB.

Ok, think of it this way: The 200GB were put on disk without any gaps
in them. A single copy operation to never before used space can do
that.

The directory at the end was put there afterwards and no other space
was available on the disk at that time. The 25GB at the start may have
been put there in a similar fashion and hence there may have been no
gaps for the 200GB to fill (and later be wiped). I take it you
have looked for all-zero areas in the first 25GB?

> I would suspect something odd with the drive, but all the cluster
> pointers etc tie up, and file contents match the file name.
> So far your speculations don't convince me, but I appreciate your
> thoughts.

No problem. After all it will be your analysis, not mine. I
can do completely risk-free brainstorming here.
> In my experience with FAT disks, they fill from the start, and
> the end of a lightly used disk is always blank. The same with
> NTFS, except for the final partition check block.

Yes, but the disk may have been almost full when the directory was
placed. It would then go to the very end.

> I will play more, and let you know if I have any 'brain waves'.

;-)

> Michael
> ps The customer is happy with data recovered

Very good.

Arno
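Arno's scenario from his two posts above (200GB written contiguously into never-used space, the directory placed later into the only space left, the bulk deleted, the free space wiped), played out in an added toy simulation. This is not code from the thread; it assumes a next-free-cluster allocation hint and uses constructed sizes, with one cluster standing for 1GB:

```python
from itertools import groupby
# Toy FAT32-style cluster allocator (added example, not code from the thread). One
# cluster stands for 1 GB, so the 250 GB disk becomes 250 clusters. Assumption: clusters
# come from an FSInfo-style "next free" hint (after the last one allocated), wrapping.

def runs(seq):
    out, start = [], 0
    for value, group in groupby(seq):
        length = sum(1 for _ in group)
        out.append((value, start, length))
        start += length
    return out

class FatVolume:
    def __init__(self, clusters):
        self.owner = [None] * clusters      # FAT view: which file owns each cluster
        self.content = ["zero"] * clusters  # physical view: what bytes are really there
        self.next_free = 0                  # allocation hint

    def write(self, name, size):  # allocate `size` clusters one at a time from the hint
        n, i, got = len(self.owner), self.next_free, 0
        for _ in range(n):
            if self.owner[i] is None:
                self.owner[i] = self.content[i] = name
                got += 1
                if got == size:
                    self.next_free = (i + 1) % n
                    return
            i = (i + 1) % n
        raise RuntimeError(f"volume full while writing {name}")

    def delete(self, name):  # deletion frees the FAT chain; cluster contents stay put
        self.owner = [None if o == name else o for o in self.owner]

    def wipe_free_space(self):  # what a free-space wiper does: zero unallocated clusters
        self.content = ["zero" if o is None else c
                        for o, c in zip(self.owner, self.content)]

def arno_scenario():
    """Arno's sequence (constructed sizes): 25 GB present, 223 GB bulk copy, 1 GB subdir
    and 1 GB sysvol in the last free clusters, bulk deleted, wiped, subdir deleted."""
    v = FatVolume(250)
    v.write("early_data", 25)
    v.write("bulk", 223)
    v.write("subdir", 1)     # only the last two clusters are free at this point
    v.write("sysvol", 1)
    v.delete("bulk")
    v.wipe_free_space()      # zeros the 223 GB gap but not the allocated tail
    v.delete("subdir")       # directory entry gone, but its cluster contents survive
    return runs(v.content), runs(v.owner)
```

The physical map comes back as data at the start, a zero-filled middle, and the deleted subdirectory plus system volume info in the final clusters, which is the layout described in the opening post; the FAT map shows the subdirectory as unallocated even though its bytes are still there.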
 
Folkert Rienstra

(e-mail address removed) wrote in
> I am investigating a 250GB FAT32 disk which has had many files deleted
> - the suspicion is that the deleting was malicious. The disk is in good
> working condition, with no errors.
>
> On the disk is about 25GB of data and this is at the start of the
> disk. The middle 85% (approx) of the disk is untouched, and all
> sectors are blank (filled with zeros). What is odd is there is data
> from a deleted directory in the final 2GB of the disk. All the files
> are from a single deleted subdirectory, or 'System volume
> information'. The system volume information is not deleted.
>
> Has anyone seen this rather odd allocation before, and is there any
> reason for it?
>
> There are many deleted files on the first part of the hard drive - as
> one would expect.
>
> Michael
> www.cnwrecovery.com

If I were *speculating*, I would say someone did an earlier
recovery attempt of some sort.
I find the name of that subdirectory particularly suspicious.
Or that a partition resize operation was underway, or a defrag.

Or any operation that involves saving important data in a free or
secluded space while a potentially risky operation is underway.
 
Folkert Rienstra

(e-mail address removed) wrote in
> Arno,
>
> I have read your ideas with interest.
>
> I agree that a free space wiping program is the only consistent way to
> get all-zero sectors and leave no trace. However, I just don't see
> how one large amount of a single deleted subdirectory ends up at the
> end of the disk. If a wiping program was used, I would expect more
> gaps elsewhere on the disk.
>
> Also of interest, all the subdirectories for this subdirectory are
> stored in the final 2GB.
>
> I would suspect something odd with the drive, but all the cluster
> pointers etc tie up, and file contents match the file name.
>
> So far your speculations don't convince me, but I appreciate your
> thoughts.

The babblebot is on a 24-7 posting spree again. It's the caffeine talking.
Maybe even speed.
 
Folkert Rienstra

Arno Wagner wrote in news:[email protected]
> Not necessarily. If they were put into a subdirectory, and removed
> again, either by writing the same or a larger number of other
> files (entries are recycled) or by removing the subdirectory
> and re-creating it (should at least blank its first sector),
> you would find no trace of the zero-content files. There are also
> tools that overwrite all unallocated sectors with zeros, in
> which case there never were directory entries.
>
> One possibility for the deleted directory being there in the top
> is that it was actually not deleted when the overwriting
> occurred, but later on.
>
> The general pattern, however, is that something large was written in a
> continuous fashion (i.e. no other data written in between) and then
> removed and the free space overwritten in some fashion.
>
> To speculate (no need to confirm or deny anything), it looks as if
> somebody has put 200GB of the files you are looking for in one step on
> the disk, after the 25GB at the start were already there. From what I
> have seen of typical FAT allocation strategies, this would put the
> files into the configuration of empty space you see. The system volume
> info was then written to the disk later. In a second step the 200GB
> were deleted and the free space on the disk overwritten. The system
> volume information was deleted later.
>
> For the overwriting, I tend to suspect a free space wiper. Somebody
> writing files with zeros and then carefully removing the directory
> these files were in sounds inconsistent.
> Wiping the free space directly is far easier and requires both less
> competence and less effort.

Bwahahah.
 
