SANS Digital Forensics and Incident Response Blog: Category - Evidence Analysis

De-mystifying Defrag: Identifying When Defrag Has Been Used for Anti-Forensics (Part 1 - Windows XP)

I have seen the following Windows Prefetch entries in nearly every Windows XP / Vista machine that I have reviewed over the past several years. Their existence always reminds me of the imperfect nature of information gained via individual artifacts. Does this mean that a user ran the Microsoft Defragmenter application on July 16, 2009 at 1:19PM? Or was the defragmenter started automatically by Windows? The defragmenter tool has been used very effectively as an anti-forensic tool since it was first introduced. In cases where data spoliation could be important, it is critical for the examiner to be able to identify any overt actions by a user. Complicating this is that starting with Windows XP, the operating system conducts limited defragmentation approximately every three days. [1] This post seeks to identify forensic artifacts which can help us determine if a user initiated the defrag


A big FAT lie part 2

Last week we looked at the next file in our disk image (next file according to the output from fls). We saw that though the file was 15585 bytes, istat reported only a single sector for the file. Based on our cluster/sector size of 512 bytes, the file should have occupied 31 sectors (15585/512=30.439..., round up).

We theorized that we may have a broken or missing FAT cluster chain. Knowing the file should occupy 31 clusters, we used the blkstat command to carve out 31 clusters of data beginning at sector 834. We found only nulls.

At this point, most sane investigators probably would have reached for their favorite


A big FAT lie

In the last post in our quest to restore the tampered FAT file system to its untainted state, we rebuilt the cluster chain in the File Allocation Table so we could copy out the file from the mounted file system. Let's move on to the next file in our image.

fls output from usbkey.img

Let's see about "cover page.jpg." For starters, let's copy the file out of the mounted file system:

MIAT for Symbian & Windows Mobile Forensics

I recently became interested in mobile device forensics. This area covers a lot of ground, but a particularly interesting subfield is the forensics of Windows Mobile. As far as I was able to discover, not much has been written about this, which makes it perfect for a blog posting.

After a significant amount of Google research, I found a paper presented at the 2008 DFRWS conference. In it, the authors discuss a Mobile Internal Acquisition Tool, MIAT. They created this tool for extracting files from Smartphones running Symbian or Windows Mobile, and saving them to removable media. Another reference to the same work is presented here.

I was unable to locate a download site for the tool, so I contacted one of the presenters, Alessandro Distefano, as


Rebuilding FAT cluster chains

For those reading this entry and not familiar with the others in the series, a brief bit of background is in order. This post is the fourth in a series about the FAT file system. We have a disk image taken from a suspect's USB key, but some of the metadata has been modified to make getting at the evidence more difficult, though only slightly. We're attempting to undo the modifications our suspect has made and restore the image to its unaltered state.

I did a little digging over the weekend and discovered a couple of links that may be of interest to those playing along at home. First, Mike Murr, of Code-X Technologies, has covered some aspects concerning our image on his blog