I made an 8 MB FAT-16 partition on the disk:
#Prodiscover basic crash windows
Machine, running Windows XP, and using a real I tested this using a real computer, not a virtual This is not a proper forensic wipe at all! (I redacted the image to avoid interfering with This floppy contains data of a potentially
This might seem like a small problem, but it'sĪll the data, it just overwrote the active data. The root directory still contains most of an The second FAT also contains the F0 FF FF mark, but nothing The first FAT contains the F0 FF FF mark, but nothing I expected the disk to be zeroed, but that's I used ProDiscover Basic's "Tools", "Secure Wipe"
#Prodiscover basic crash windows 7
VMware Windows 7 machine, formatted the floppy,Īnd filled it with text files containing many HxD also shows that all the sectors between 1 and 10 areīut ProDiscover shows them filled with data, Here's sector 10, starting with the F0 FF FF: Here's sector 1, starting with the F0 FF FF: What's going on? I opened the original image.dd The results say it should be in cluster A. This article tells me to expect the second copy of the FATīut this is what ProDiscover shows in sector A-the It begins with the three bytes F0 FF FF, as explained Here's the second sector-the start of the FAT. I viewed the image.dd file in Cluster view, which shows Here's the version of ProDiscover I used: I started ProDiscover Basic and loaded the image.dd file. Here's the MD5 hash of the unzipped image.dd raw file: I downloaded it, verified the MD5, and unzipped it. I am using Windows 7 in a Fusion virtual machine, I am using a floppy disk image from honeynet:
Suppose, a file of 512 bytes is saved, then it occupies more than one sector on the disk. This "canned algorithm" is creating problem. The issue with the logical floppy secure wipe was that we are using a third party algorithm to erase logical disks, to be DoD compliant for logical secure wipes. We have fixed this issue by handling reading logic for the first two clusters. We were not handling them properly in that we were only reading first 512 bytes (one sector) of these group of sectors and displaying information. In FAT12, cluster numbers start with 2, the 0th cluster being the boot information and the first cluster is directory structure. The first issue is problem with reading first two clusters in FAT12 partitions. We have reviewed and tested the issues you reported. I don't completely understand the explanation-it doesn't I notified Chris Brown privately, and he responded with ProDiscover Problems ProDiscover Problems Video Summarizing the Problem