Wednesday, August 21, 2013

Windows OEM ID Information

MSWIN4.0 - Windows 95
MSWIN4.1 - Windows 95 OEM Service Release 2 (OSR2), Windows 98, and Windows Me

Windows Server 2003 does not use the OEM ID field in the boot sector except for verifying NTFS volumes.

Thursday, August 1, 2013

Forensic Artifacts - Slack

File Slack
File slack is data that starts from the end of the file written and continues to the end of the sectors designated to the file. There are two types of file slack, RAM slack and Residual slack.


RAM Slack
RAM slack starts from the end of the file and goes to the end of that sector (NOT the cluster). RAM slack is no longer relevant to most modern Windows PCs as RAM now contains zeros rather than residual data from the RAM, thus there are no forensic artifacts that can be found in RAM slack for modern Windows systems.

Residual Slack
Residual slack then starts at the next sector and goes to the end of the cluster allocated for the file. File slack is a helpful tool when analyzing a hard drive because the old data that is not overwritten by the new file is still in tact. For examples, go to:

http://www.pcguide.com/ref/hdd/file/partSizes-c.html

MFT Record Slack
An MFT entry is allotted a fixed space of  1024 bytes, as standard. If the MFT entry is less than 1024 bytes, e.g 1000 bytes, the remaining bytes are MFT slack. The contents of this MFT slack will depend, as with file slack, on what was there before it.  Commonly the MFT slack contains the contents of the MFT entry before it was created, this can be particularly interesting for computer forensic examiners if there was resident data.

Drive Slack
Drive slack is the data in unused sectors in the last cluster allocated to a file and consists of data which previously existed in those sectors.

Volume Slack
Volume slack is the unused space between the end of file system and end of the partition where the file system resides - also defined as sectors at the end of the volume or partition that cannot be allocated to a cluster.

Hard Drive Structures

Partition
A partition is an area of hard disk reserved for use via an entry in the partition table of that hard disk. Each operating system may recognize and use partitions of various types; the 'partition' concept is system-wide, not limited to a particular operating system.

Partition (definition 2)
A partition is a structure on a hard drive that divides the media into separate storage units. Partitions are a universal format recognized by all operating systems, although different OSes may not be able to recognize the volumes that exist on those partitions. Most manufacturers ship their drives with a single prepared partition, but if you need to change this structure, you can do so through Windows 7’s Control Panel. Select System and Security, and you will find the option to alter partitions under the Administrative Tools heading. You can also alter a drive’s partition structure as part of the Windows installation procedure.

Partition Types
There are two types of partitions: primary and extended. Most operating systems require a primary partition for proper function, and each primary partition may house one volume. An extended partition is a special type of partition that can contain as many volumes as you like, up to the total space available on the device. You can have up to four partitions on one physical drive, one of which may be an extended partition.

Volume
The term "volume" is synonymous with "drive," representing a coherent data storage area with a file system. A logical volume is a section of storage which may exist on a hard disk or may span more than one physical disk yet behaves as one drive.

NTFS File System Hidden Data

While verifying forensic definitions such as Volume Slack, I saw the attached resource.  Useful . . .

http://www.forensicfocus.com/downloads/ntfs-hidden-data-analysis.pdf

Thursday, July 18, 2013

Is CNET Serving Malware with Software Downloads?


Today I heard reports that computers are getting malware when downloading software from CNET using the CNET downloader.  I believe I saw this recently, when a friend's computer encountered problems shortly after installing software downloaded from CNET.  Clearly the problem may not have come from CNET, but it makes me wonder.

The problem the friend encountered was that his AntiVirus software was disabled and could not be deleted or reinstalled.  Ironically, the solution was found by installing Hitman Pro which was downloaded from CNET.

The link below details the CNET malware reports.  The additional irony is that this report is in the CNET forums.  Strange and stranger . . .


Laptop Screen Rotation?

I never knew laptop screens could rotate.  It seems I learn most things about technology when I encounter problems or someone asks for help.  In this case, a teenager was wiping her laptop and screen when the screen display rotated.

The answer?  Apparently there are key combinations that rotate the display on some laptops.  The most common key combination I saw (without looking too deeply) was Crtl Alt ArrowUp.  In the event this doesn't work, follow this link:

http://h10025.www1.hp.com/ewfrf/wc/document?docname=c01676226&tmp_task=setupCategory&lc=en&dlc=en&cc=us&lang=en&product=4054398

Sunday, July 7, 2013

Friday, January 18, 2013

Web-based Computer Sharing

I recently learned about a web-based tool for gaining remote access to a computer.  Join.me allows a computer user to give another computer-user one-time access to his or her computer.  This is useful for helping a friend or family member with a computer problem or other similar scenarios, and you can use this for free!

Read this description from LifeHacker.

Saturday, January 5, 2013

Recovering Deleted Files

So today I was uploading pictures from my SD card to my Mac.  When the upload completed, I chose the option to delete the pictures from the SD card.  Within 5 minutes, I had deleted a file from iPhoto, and I couldn't recover it.  I have access to forensic tools, but I thought that would be overkill for the simple recovery of a single file.  A quick google search led me to an article about 15 Free File Recovery Software Programs.

http://pcsupport.about.com/od/filerecovery/tp/free-file-recovery-programs.htm

I chose the first recommendation - Recuva - and was happy to see that a tool can be free, easy to use and can get the job done quickly.  You can download Recuva directly from this link:  http://pcsupport.about.com/od/filerecovery/gr/recuva-review.htm.