March 12th, 2004, 06:36 AM
Hidden info on a Floppy
We got a cool assignment today in my Network Security class.. Here is the scenario:
@ 2:05pm the FBI arrested what is thought to be a drug lord. No drugs were found on the dealer. He has been in contact with known drug dealers. A flopy disk was found on the subject. He tried to flee from the scene so he might of dropped something to incriminate him on drug charges....
I have to give a report that a computer forensics investigator would write.. I need a program to work with XP that can read the entire floppy disk. I am guessing there is plenty of information hidden on the disk that would incriminate him. The teacher hinted at this hard. He said that it would be better to us Linux to check out the disk. He wasnt sure if there was a good Hex editor that would read the entire disk. I dont know though
My biggest question is, what is the best way to read this file on the floppy. And what is on the Floppy disk.
March 12th, 2004, 07:00 AM
You have to create your own program? Or, can you use other software?
I've not done a whole lot of forensics... but I have been reading Incident Responce . (Awesome book!)
It seems that the "best" tool that they use is called "EnCase". However... it costs a pretty penny. You can request an fully functional demo/evaluation CD from here. They don't have it for download.
I recommend you check out this article.
If you have the $$... you should def. get the Incident Reponse. Its a great book.
Also, check out the following searches. There are too many links to post here.
Can't get them to link right here... so go to google and type in
"computer forensics site:www.securityfocus.com"
"computer forensics site:www.sans.org"
Do those searches without the " "
is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
March 12th, 2004, 08:05 AM
If you want to do some low-level reading of a floppy disk, there are programs that let you view low-level data, such as deleted files, etc.
I can explain some reasoning behind why this low-level reading of the disk works. When you delete a file, it isn't really deleted. On a floppy disk, a FAT partition system (filesystem) is used, and the filesystem keeps track of stuff on the disk, like where files are, where bad sectors are, etc. When you delete a file, it Windows usually puts it in the recycle bin. What really happens is that the name is given a question mark as the first character (?). You can't use that in normal files; Windows won't let you since it marks a deleted file. But the data isn't erased, the area of the disk where the file is, is simply marked empty in that file table. So the data can still exist, and if you search the disk you could find this data. It is possible that it was overwritten and the data is corrupt, but if it was a text file you should be able to make out the text no problem, and see where it was overwritten.
Hopefully I didn't go off in some rant or another. Just get the program and learn how it works, and you can find all sorts of files that you thought you deleted. It has two views, folder list (it can show some deleted files) and low level view, which shows low level data including the HEX values of data, along with ASCII values (text that you can read).
Edit: Is this a real situation? Sounds cool if it is. I originally thought it was a hypothetical... I wish I got to do that instead of imaging computers...
BTW, make sure the disk is in read-only. There are a ton of things you have to acturally do for it to be admitted as evidence. In hacks/break-ins, usually an admin has to follow special procedure to image and duplicate a HDD and play with the duplicate, for it to be allowed as evidence. I don't know how to do this with a floppy disk though, so if this is a real situation, please realize that there are some things that you have to follow, and I don't happen to know what they are...
March 12th, 2004, 08:07 AM
We can use any software... We just have to come up with as much evidence as possible with only having this Floppy disk to examine
March 12th, 2004, 08:10 AM
It's a project for my Network Security class. I'm a little behind because I am suppose to take this at the end of my 2nd year and I'm in the middle of my 1st year... a great class though!
March 12th, 2004, 12:06 PM
Can you mirror the disk then compress it and either post it here or attach it to a personal message (PM)?
Looks like an interesting one?..........so when we have inserted the launch codes for trident ICBMs...........he will get a lot more than your average drug dealer?
I would like to try a few tools on it................not realistic I know, but still worthwhile if you can create a true mirror?
March 12th, 2004, 12:57 PM
You need a hex editor and you are going to read the previous deleted material.
If you want to cheat, I would suggest using a Windows 95 system and use Norton's Disk Editor. All you are doing is reviewing the uncovered material that was deleted off the disk. We all know floppies make the material unavailable, but do not delete it unless it is overwritten. Unless he used a secure delete system, then we may have to attack it at a higher level, but I have a feeling it was just a text document that was deleted and not over written. This will be readable with any ASCII viewer, I suggest using winhex. You can get a free trial of it, which will allow you to read the material. If you need any further assistance PM me. I have been through a few computer forensics classes myself.
March 12th, 2004, 01:56 PM
The reason your instructor said linux would be a good choice is probably because of the dd utility. It'll allow you to quickly image a floppy.
I dunno though. If I were a drug lord, I'd make sure that if I carried that diskette around, to keep a high-powered magnet in my other pocket. That way, when I hear sirens, I could put both in the same pocket and help garble all the data on it. It would have been encrypted too, but that's besides the point.
I'm assuming that srug dealers aren't quite bright enough to do that though.
Anyways, I agree with the previous posters and have used many of the tools they mentioned. I would recommend that if you have a linux or BSD distro lying around to load it up, use dd on it, compress the image (tar with whatever parameters for compression), put the data onto an MsDOS disk (i'm pretty sure this is viable as you can mount an msdos disk so i'd assume you can put a file on it) and then use your windows tools to hack it apart. I recommend Hiew, Hackman 7.0, and A.X.E. That's largely because they're good and best of all, FREE.
Is there a sum of an inifinite geometric series? Well, that all depends on what you consider a negligible amount.
March 12th, 2004, 02:46 PM
I have used a program for Windows called "Drive Rescue" It seems to work real well but it is pretty slow. This is Freeware and you can get it from: http://home.nexgo.de/christian_grau/rescue/index.html
....... I just checked my link .... This software is now called File Recovery and is no longer free. The standard version is around $60 and the Professional version is around $100.
I have attached an older "freeware" version.
BTW: This program was recommended to me by one of the Investigators for the U.S. Department of Labor
I hope this helps!
March 12th, 2004, 02:57 PM
HI also take a look at how forensics are conducted such as not actually using the disk but making an exact image of it (due to evidence laws)
And also dates and times of documents if you mail me @ email@example.com ill be able to send you a number of PDF files on this.
(but i am on holiday from monday to next friday)
[pong][gloworange]665[/gloworange] Next door to the [glowpurple]devil[/glowpurple][/pong]