Category Archives: Windows

Being the “Timothy McGee” of the family

As a fan of NCIS, I have often seen how Timothy McGee and Abby Sciuto is doing their forensic work on computers, where they need to find some information to solve a case. Of cause they are in a crises, and have some magical graphical interfaces telling them all sort of information extremely fast. In the real world things is a bit different.

I decided to write this post, while recovering some mails for my uncle. He had an old computer, which started spontaneous shutdowns because of a thermal event. So he bought a new computer and asked me for help with getting the old mails. At that point I thought it was an easy job, just involving getting the hard drive, put it in my disk cradle, copy the outlook data file to the new computer and import it. When I dismantled the computer, I noticed the hard drive was a bit older then first expected. It had an IDE interface instead of a SATA interface, so my disk cradle idea did not work. No problem, I will just put it in a computer with IDE interface and access the files from this computer. Though luck, when I booted in Windows 7 check disk failed, and asked if I wanted to format the hard drive. Not the question I had hoped for.

The task just got bigger than first imagined. So the first thing would be to prevent any more damage to the data and file system on the disk. So I put the hard drive in my trusty Gentoo Linux machine and did a raw copy of the partition using dd.

sudo dd if=/dev/sdi1 of=/home/frosteyes/charlie/Bo/diskImage.img

Now having the disk image, I can work on getting the mails without risking to destroy anything on the physical disc. I am using testdisk and photorec. They can be installed by emerge testdisk on Gentoo Linux.

Using testdisk on the image, it shows that the MFT and MFT mirror are bad. Failed to repair them. This was identical with what chkdsk had reported earlier. So no usable master file table (MFT).

The next task was to run photorec on the disc image as seen below. photorec is a recovery program, which among other file types can detect pst files without having a file sytem on the disk. It resulted in a huge number of folders with files, including a number of pst files.

photorecRunning
photorec is running on the disc image

An then finding the pst files I was looking for.

frosteyes@stas ~/charlie/Bo $ find ./ -iname *.pst | xargs ls -l
-rw-r--r-- 1 frosteyes users 81282048  5 maj 17:16 ./recup_dir.133/f9541960.pst
-rw-r--r-- 1 frosteyes users   271360  5 maj 17:19 ./recup_dir.171/f13814104.pst
-rw-r--r-- 1 frosteyes users 24396800  5 maj 18:46 ./recup_dir.374/f47280112.pst
-rw-r--r-- 1 frosteyes users  1033216  5 maj 18:49 ./recup_dir.414/f54353688.pst
-rw-r--r-- 1 frosteyes users   271360  5 maj 18:50 ./recup_dir.416/f55373800.pst

Before handing over the files to my uncle I just tested the files using lspst from libpst. Can be installed with emerge libpst on my Gentoo system. It showed that the pst files contains the needed emails.

So all in all it ended up being more forensic work than expected, but quite fun and I felt a bit like McGee from NCIS.

Restoring Windows environment variable

Sunday I had a problem after installing GHDL on my Windows 7 at work. Instead of appending to the PATH variable, it changed it to only contain GHDL. When I found out a couple of days later, I needed to figure out to get the PATH back. First I found out that the PATH is located in the registry under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\ and the registry data itself is located under %systemroot%\System32\Config\ in the SYSTEM file. So I needed a backup of the registration database file. I noticed that inside the Config folder there is a RegBack folder containing a backup of the registry from some days before. As I was working over remote desktop, and the file was locked, I needed a way for copying them. So by using ShadowCopy from Runtime, I made a copy of the system file, and by using regedit I loaded this file into a new key, and found my old path. Later I figured out that I might had been able to find the old path in the ControlSet00X instead of looking in CurrentControlSet, bud none the less I figured out a way to get it back.