Features
- Examine all data on a hard drive or diskette, at the sector level!
- Use SectorSpyXP forensically to find and retrieve incriminating evidence!
- SectorSpyXP writes nothing to the media it examines, avoiding contamination. By default the evidence file goes to a diskette in drive A:; a key file (described below) can redirect it to another drive, including a hard drive, if you choose.
- Retrieve lost information: text that has been deleted and removed from the Recycle Bin, such as e-mails, Word documents, Notepad and WordPad documents, Excel spreadsheets, database text data, and any other text written to the hard drive and not yet overwritten by the operating system!
- Append recovered text to an evidence file.
- Search for keywords!
- Navigate the sectors!
Why Use SectorSpyXP?
This is a serious tool that can be used by detectives and law enforcement to search for and retrieve incriminating evidence left on computer hard drives and diskettes. Though not as powerful and flexible as EnCase (the premier tool for such purposes, and very expensive), SectorSpyXP is nevertheless very powerful and free!
It can also be used to retrieve lost, corrupted, or deleted data, or as a learning tool to see what is written at the low level to your hard drives.
SectorSpyXP should be used as the last resort in finding information. There are many other programs that can retrieve corrupted or deleted files at a higher level (through the file system), and those tools should be used first. SectorSpyXP works at a lower level and can retrieve text that such programs cannot see, because it reads every sector whether or not the file system still references it.
SectorSpy98
Reference in this User's Guide will be made to SectorSpyXP, but SectorSpy98 operates exactly the same way. Optional text files, like "SectorSpyXPFilePath.txt", used by SectorSpy98 keep the SectorSpyXP name to remain compatible with SectorSpyXP.
Basic Tutorial
I will take you on a tour of SectorSpyXP, through my eyes, and at times as though I had never used this program. I will ask the kinds of questions you might ask, and answer them as well.
Question:
Before I begin, are there specific computer requirements I should know about?
SectorSpyXP will
operate with Windows 2000 and XP operating systems, and supports FAT16, FAT32 and NTFS hard
drives, and 3 1/2" diskettes. SectorSpy98 will
operate with Windows95/98 operating systems, and supports FAT16 and FAT32 hard
drives, and 3 1/2" diskettes.
Question:
How do I install
SectorSpyXP?
Just copy the files
into a folder, that's it! Double-click on SectorSpyXP.exe to run the
program, double-click on SectorSpyXP.htm to view the user's guide. If you
have Microsoft HTML Help installed, you may prefer to double-click on
SectorSpyXP.chm to view the user's guide.
SectorSpyXP
Start Up
There are two steps
that SectorSpyXP performs when you start running it:
- It reads your A: drive
diskette, if one is available, and determines if a key exists. The key
allows SectorSpyXP to write evidence files to any drive you desire.
Without the key, SectorSpyXP will only write evidence files to a
diskette.
- It examines all the hard
drives it can see, and determines which ones it can read. The drives
that it can read are made available to the user, and those that it cannot,
are not available.
Question:
Why the key?
Forensic analysis of media requires that the software tools used do not add to, delete from, or modify that media in any way. The key significantly reduces the chance of accidental drive modification, because without it SectorSpyXP will write only to a diskette in drive A:, never to a hard drive.
Question:
What are evidence files?
When the SectorSpyXP user
discovers interesting information, the displayed
information can be appended to a text file, and used as evidence. Or, it
can simply be used as a recovery mechanism for lost data.
Parts of the program
I will first explain the
various parts of SectorSpyXP,
then later show you how to use them in an example.
Main Display

This is the upper part of the main display. On the left is a 16 x 32 grid of bytes shown in hexadecimal (512 total). The full 512-byte grid is one drive sector. A drive sector is the lowest level of organization on a hard drive or diskette: whenever the drive is read, at least one sector (512 bytes) is read. This should not be confused with allocation units (clusters), which are groups of sectors and, depending on the file system and volume size, range from 512 bytes up to 64 KB. The sector size cannot be changed and is a standardized 512 bytes for the hard drives this program supports (newer "Advanced Format" drives use 4096-byte physical sectors but still present 512-byte logical sectors to the operating system).
Let's go off on a tangent for a moment. When you format a drive, you have the option of setting the allocation unit size. This is the minimum space in bytes that a file can occupy on the disk. If you choose 512, a file written to that drive will occupy at least 512 bytes, even if the file is only 10 bytes long. As with many things in life, there are tradeoffs in choosing the allocation unit size. If you have a lot of small files, 512 may be a good choice because less space is wasted. But the files are more likely to become fragmented, slowing down performance. Larger allocation units waste more space in the partly filled last cluster of each file, but are less likely to fragment. The sectors in a file's last cluster that lie past the end of the file (file slack) are not rewritten when the file is saved, so they can still hold data from whatever previously occupied them; this is one reason a sector-level view turns up text that file-level tools do not.
Back to the display. On the right hand side is a direct text interpretation of the sector bytes to the left. The sector bytes can be interpreted as numbers or as text. Most text interpretations will show junk on the screen. The gold nuggets are those sector bytes that actually do represent text, and this is what you will be looking for and retrieving. If you want to learn more about this kind of text interpretation, read up on the ASCII codes. In the main display example above, on the first line, the sector byte 4E represents the ASCII hex value of 'N'. Likewise, 54 => 'T', 46 => 'F', and 53 => 'S'. The displayed drive uses the NTFS file system, as you can see from the text on the right side of the main display: sector 0 of an NTFS volume is its boot sector, and the bytes "NTFS" that start at offset 3 are its OEM ID.
Question:
Would the hex value 4E always represent the letter 'N'?
Good question! The answer is no. That value could just as well be part of a number. SectorSpyXP has no idea whether 4E represents text or part of a number. It could be text, therefore SectorSpyXP displays its textual representation. It is up to the human viewing the text to make sense of it. As you can see in the main display example, there are a couple of 3s, question marks, etc. that don't seem to make much sense. Just disregard them.
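To make the hex-and-text layout concrete, here is an added example (written for this guide, not code from SectorSpyXP) that builds a sector in memory, renders it as the 16 x 32 hex grid with the text column beside it, and reads the NTFS OEM ID from it. The sector is constructed to look like the first sector of an NTFS volume (jump instruction, "NTFS    " at offset 3, a few BPB fields, 55 AA signature); it is not data read from a real drive.

```python
# Added example, not part of SectorSpyXP: dump one sector as hex + text, the way
# the main display does, and identify an NTFS boot sector by its OEM ID.
SECTOR_SIZE = 512


def make_ntfs_boot_sector() -> bytes:
    """Constructed sample sector (not from a real disk) laid out like an NTFS boot sector."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xEB\x52\x90"                  # x86 jump over the BIOS parameter block
    sector[3:11] = b"NTFS    "                      # OEM ID, 8 bytes, space padded
    sector[11:13] = (512).to_bytes(2, "little")     # bytes per sector
    sector[13] = 8                                  # sectors per cluster (4096-byte clusters)
    sector[510:512] = b"\x55\xAA"                   # boot sector signature
    return bytes(sector)


def oem_id(sector: bytes) -> str:
    """The 8-byte OEM ID at offset 3; 'NTFS' on an NTFS volume boot sector."""
    return sector[3:11].decode("ascii", "replace").rstrip()


def has_boot_signature(sector: bytes) -> bool:
    """True if the sector ends in the 55 AA boot signature."""
    return sector[510:512] == b"\x55\xAA"


def to_text(chunk: bytes) -> str:
    """Right-hand column: each printable ASCII byte as its character, anything else as '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)


def dump_sector(sector: bytes, width: int = 16) -> list:
    """Left-hand grid: 32 rows of 16 hex bytes, each row followed by its text interpretation."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("a sector is exactly 512 bytes")
    rows = []
    for off in range(0, SECTOR_SIZE, width):
        chunk = sector[off:off + width]
        rows.append(f"{off:03X}  {chunk.hex(' ').upper()}  {to_text(chunk)}")
    return rows


if __name__ == "__main__":
    s = make_ntfs_boot_sector()
    print("\n".join(dump_sector(s)))
    print("OEM ID:", oem_id(s), "| boot signature:", has_boot_signature(s))
```

The first row of the dump begins `EB 52 90 4E 54 46 53`, and the text column renders it as `.R.NTFS`, which is exactly the "N", "T", "F", "S" the paragraph above points at. The same bytes 4E 54 46 53 would look identical if they were part of a number; only their position (offset 3 of sector 0, ending in 55 AA) tells you they are the OEM ID.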
Drive Information
- Drive:
Select the drive to analyze.
- Drive Size:
The total size of the hard drive in bytes.
- Total sectors:
The total number of sectors on the hard drive.
- File System:
The file system used by the drive (FAT, which is FAT12 on diskettes, FAT16, FAT32, NTFS).
- Begin Sector:, End Sector:
You can select a range of sectors to analyze. The default is the entire drive partition; sector numbers are relative to the selected volume, not to the physical disk. The Begin Sector value can be from zero up to one less than the End Sector value. The End Sector value can be from one greater than the Begin Sector value up to one less than the total number of drive sectors.
Question:
The Begin Sector, End Sector thing is confusing, can you
please explain it using an example?
You may want to focus on
a specific part of the drive. For example, you could set Begin
Sector: to 12000 and End Sector: to 14000. You will see later that
you can use buttons to quickly move to the Begin/End sectors you have
selected. Also, later you will be selecting a range of sectors to
automatically append text information, found within the range, to an
evidence file.
Question:
Why is the maximum End Sector: value one less than the total number of drive sectors?
Because sectors are numbered starting at zero, not one: a drive with N sectors has sectors 0 through N-1.
Evidence File (or data recovery file) Information
Retrieval of information from SectorSpyXP
is accomplished by writing to a text file called the evidence file (or data
recovery file for those not using the program forensically). The
name of the evidence file will always be SectorSpyXP.txt, and will be written to
an A: drive diskette, as the default.
You do not have to write to
the diskette. If you are analyzing a diskette in the A: drive, then you
must write the data to another drive. Or, you may not be concerned with
contaminating the hard drives you are working with, and would like to write to
the hard drives instead of to a diskette. I will explain how to do this in
a moment.
When SectorSpyXP is launched,
it immediately looks on drive A: for a diskette with a key on it. If a
diskette is not found, or the key is not found, SectorSpyXP assumes you
want the evidence file
to be written to drive A:. If you do not want to write to a diskette in
the A: drive, follow the directions below:
Writing the evidence file to a location other than the A: drive
To write the evidence file to
a location other than to a diskette on the A: drive requires you to create a
simple text file (must be called SectorSpyXPFilePath.txt) that contains the path
name for the location where you would like the evidence file to be
written. This is the key that SectorSpyXP looks for when it is
launched. Follow these simple steps:
- Create a text file called SectorSpyXPFilePath.txt
- On the first line,
type the full path name for the location where you would like the evidence
file to be written.
- Example 1:
I want the file to be located in the root directory of my D: drive.
You would type: D:\
- Example 2:
I want the file to be located in "D:\My Evidence File"
You would type: D:\My Evidence File\
- Always remember to put the
last '\' at the end of the path name.
- Do not include the name of
the text file.
- Save the file and copy it
to a diskette.
- Make sure the diskette is
inserted when you start up SectorSpyXP.
- You may remove the diskette
once you've started SectorSpyXP.
You cannot change the evidence file path name without restarting SectorSpyXP.
This is another safeguard.
Analyzing a diskette
If you are analyzing a
diskette, you will not want to be writing the evidence file to the
diskette. Follow the directions above to write the evidence file to
another location. Insert the diskette with the SectorSpyXPFilePath.txt
key file, then start up SectorSpyXP. Remove the diskette and replace it
with the one you want to analyze.
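The key-file rules above (first line is a folder path, trailing backslash required, no file name, default to A: when there is no key) and the diskette case just described are easy to get wrong by hand. The following added example, which is not SectorSpyXP's own code, resolves the evidence file location from the contents of SectorSpyXPFilePath.txt and adds one check the tool itself does not make: it refuses a location on the drive you are about to analyze, which is the mistake the diskette section warns about. The key contents and drive letters used are made up for the demonstration.

```python
# Added example, not part of SectorSpyXP: resolve the evidence file path from the
# optional SectorSpyXPFilePath.txt key and refuse to write onto the drive under analysis.
from pathlib import PureWindowsPath
from typing import Optional

EVIDENCE_NAME = "SectorSpyXP.txt"   # the evidence file is always called this
DEFAULT_DIR = "A:\\"                 # no key on the A: diskette: write to the diskette


def evidence_path(key_text: Optional[str], analyzed_drive: str) -> str:
    """Full path of the evidence file.

    key_text is the content of SectorSpyXPFilePath.txt, or None when no key was found
    on the A: diskette at start-up. analyzed_drive is the letter being examined ("D:").
    Raises ValueError when the key breaks the rules or would contaminate the analyzed drive
    (the last check is added here as a safeguard; SectorSpyXP does not enforce it).
    """
    if key_text is None:
        directory = DEFAULT_DIR
    else:
        lines = key_text.splitlines()
        directory = lines[0].strip() if lines else ""
    if not directory.endswith("\\"):
        raise ValueError("the key path must end with a trailing '\\'")
    p = PureWindowsPath(directory)
    if p.suffix:
        raise ValueError("give only the folder; do not include the evidence file name")
    if p.drive.upper() == analyzed_drive.upper().rstrip("\\"):
        raise ValueError(f"evidence file would land on {analyzed_drive}, the drive under analysis")
    return directory + EVIDENCE_NAME


def key_is_valid(key_text: Optional[str], analyzed_drive: str) -> bool:
    """Convenience wrapper: True if evidence_path() accepts this key for this drive."""
    try:
        evidence_path(key_text, analyzed_drive)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Example 2 from the guide, analyzing a hard drive C:
    print(evidence_path("D:\\My Evidence File\\\n", "C:"))
    # Analyzing the diskette in A: with no key: the default would write onto the diskette
    print("no key, analyzing A: ->", key_is_valid(None, "A:"))
```

Reading the key once at start-up and refusing to change it afterwards is the same safeguard the guide describes; the added drive check simply turns the diskette warning into something the code enforces rather than something the user has to remember.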
Evidence file tools within SectorSpyXP
- Append current sector
to file:
Click this button to append the currently displayed sector text
information, found on the right side of the display, to the evidence
file.
- Append range of
sectors to file:
Click this button to append the sector text information from all of
the sectors found within the selected range (Begin Sector:/End
Sector:), to the evidence
file.
- View file:
Click here to view the evidence
file from Notepad.
- Output File Path:
The path pointing to the location of the evidence
file.
Evidence File (or data recovery file) Header Information
You have the option to include
a header (shown below) before each sector written to the evidence file.
--------------------------------------------------------------------------------------------
Date: 10/17/02
Time: 23:05:20
Drive: C:
Sector: 0
----------------
If you prefer not to have the header in the output file, uncheck the
"Include header in file" check box in "Options" as shown
below:

Searching for Specific Information within the Sectors
There are two ways to search
for specific information.
Method 1

Type the text you would like to search for and click the Find Next button (in the example shown the search text is Lexun Freeware). Find Next finds the first occurrence of the text within a sector, starting at the currently displayed sector, and highlights it in red. It does not highlight other occurrences within the same sector. When you click Find Next again, it looks for the first occurrence in the following sectors, so you do not have to click repeatedly when the text appears many times within one sector. In other words, Find Next stops looking in a sector once it has found the first occurrence there, and moves on to the next sector that contains the text. You can only search in the forward direction.
Two caveats when a keyword you expect is not found. First, the search matches the ASCII text interpretation only; text that Windows and many applications store as 16-bit Unicode appears in the display as letters separated by dots (NUL bytes) and will not match an ASCII keyword. Second, because each sector is searched on its own, a keyword that straddles two sectors can be missed; try a shorter fragment of it.
The Case Sensitive button of course determines whether the search text is case sensitive or not. In the example shown, the Case Sensitive button is pressed, and any search for Lexun Freeware results in a hit only if the capitalization matches exactly. For example, lexun freeware would not be a hit in this example, but would be if the Case Sensitive button were not pressed.
Method 2

You can search for a list of
keywords you have entered in a text file. Follow this procedure:
- Create a text file called
"findnextlist.txt" and within that file type keywords one per
line. For example:
keyword1
keyword2
keyword3
- Place that file where the
evidence file will be written.
- To use the list in
searches, type findnextlist in the "Find Next" edit box as shown
above.
- SectorSpyXP will stop at the first sector containing any of the keywords and display it.
Searching for General Text within the Sectors
You can search for sectors
that contain any readable text by pressing the "Find Next" button with
no entry in the edit box as shown below:

You can control the relative
amount of text to find within a sector. It's easiest to explain this with
an example:

Within "Options", you can set the Text Count. The Text Count is a number between 2 and 512. There are 512 bytes (characters) per sector. In the example above, the Text Count is set to 512. This means that SectorSpyXP will search for the next sector in which every byte (all 512 bytes) is readable text. If the Text Count is set to 200, then SectorSpyXP will search for the next sector that has at least 200 readable bytes out of 512.
This feature allows you to
find concentrated areas of text, skipping sectors that have very little or no
text.
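The three search modes above (a single keyword with the Case Sensitive toggle, a findnextlist of keywords, and the empty-box Text Count scan) and the evidence-file append with its header are all sector-by-sector loops over the selected Begin/End range. The added example below, which is not SectorSpyXP's own code, implements them over a small disk image constructed in memory, with text planted in a few otherwise empty sectors the way deleted but not yet overwritten data would sit. It also goes beyond the tool in two ways that the caveats in Method 1 call for: an option to match text stored as 16-bit Unicode, and an option to let the search window run into the next sector so a keyword split across a sector boundary is still found. The image contents, keywords and timestamp are made up for the demonstration.

```python
# Added example, not part of SectorSpyXP: keyword search, readable-text scan and
# evidence-file append over a constructed disk image.
from datetime import datetime
from io import StringIO
from typing import Optional

SECTOR_SIZE = 512
READABLE = set(range(0x20, 0x7F)) | set(b"\r\n\t")   # printable ASCII plus line breaks and tabs
SAMPLE_TIME = datetime(2002, 10, 17, 23, 5, 20)       # timestamp used in the header example above


def sector(img: bytes, n: int) -> bytes:
    return img[n * SECTOR_SIZE:(n + 1) * SECTOR_SIZE]


def make_image(total_sectors: int = 64) -> bytes:
    """Constructed sample image (not from a real drive): zeroed sectors with text left
    behind in a few places, as deleted but not yet overwritten data would be."""
    img = bytearray(total_sectors * SECTOR_SIZE)

    def put(n: int, data: bytes, at: int = 0) -> None:
        img[n * SECTOR_SIZE + at:n * SECTOR_SIZE + at + len(data)] = data

    put(5, b"Subject: Re: meeting\r\nFrom: nick@example.invalid\r\nSee you at nine.\r\n".ljust(SECTOR_SIZE, b" "))
    put(9, b"Lexun Freeware - visit the Lexun Freeware web site", 100)   # keyword twice in one sector
    put(12, b"lexun freeware in lower case", 40)
    put(20, "Lexun Freeware".encode("utf-16-le"), 64)   # 16-bit Unicode, as Windows often stores text
    put(30, b"carolina.", SECTOR_SIZE - 9)               # keyword split across sectors 30 and 31
    put(31, b"rr.com")
    return bytes(img)


def to_text(sec: bytes) -> str:
    """Text interpretation of a sector: printable bytes as characters, anything else as '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in sec)


def text_count(sec: bytes) -> int:
    """Readable bytes in a sector; this is what the Text Count setting is compared against."""
    return sum(1 for b in sec if b in READABLE)


def find_text(img: bytes, begin: int, end: int, min_count: int) -> Optional[int]:
    """Find Next with an empty box: first sector in [begin, end] with at least min_count readable bytes."""
    for n in range(begin, end + 1):
        if text_count(sector(img, n)) >= min_count:
            return n
    return None


def find_next(img, needles, begin, end, case_sensitive=True, unicode=False, span_boundary=False):
    """First sector in [begin, end] containing any needle (one word is Method 1, a list is
    Method 2). Returns (sector, offset, needle) for the earliest hit in that sector only;
    later hits in the same sector are skipped, as in SectorSpyXP.
    unicode=True also matches 16-bit Unicode storage; span_boundary=True extends each
    search window into the next sector. Both options go beyond what the tool does."""
    pats = []
    for word in needles:
        pats.append((word.encode("ascii"), word))
        if unicode:
            pats.append((word.encode("utf-16-le"), word))
    if not case_sensitive:
        pats = [(p.lower(), w) for p, w in pats]
    overlap = max(len(p) for p, _ in pats) - 1 if span_boundary else 0
    for n in range(begin, end + 1):
        window = img[n * SECTOR_SIZE:(n + 1) * SECTOR_SIZE + overlap]
        hay = window if case_sensitive else window.lower()
        hits = [(hay.find(p), w) for p, w in pats]
        hits = [h for h in hits if h[0] != -1]
        if hits:
            off, word = min(hits)
            return n, off, word
    return None


def build_evidence(img, begin, end, drive="D:", header=True, when=None) -> str:
    """Text appended to the evidence file for sectors begin..end, each preceded by the
    date/time/drive/sector header unless 'Include header in file' is turned off."""
    when = when or datetime.now()
    out = StringIO()
    for n in range(begin, end + 1):
        if header:
            out.write("-" * 92 + "\n")
            out.write(f"Date: {when:%m/%d/%y}\nTime: {when:%H:%M:%S}\nDrive: {drive}\nSector: {n}\n")
            out.write("-" * 16 + "\n")
        out.write(to_text(sector(img, n)) + "\n")
    return out.getvalue()


if __name__ == "__main__":
    image = make_image()
    print("ASCII, per sector:", find_next(image, ["carolina.rr.com"], 0, 63, case_sensitive=False))
    hit = find_next(image, ["carolina.rr.com"], 0, 63, case_sensitive=False, span_boundary=True)
    print("spanning the boundary:", hit)
    print(build_evidence(image, hit[0], hit[0] + 1, when=SAMPLE_TIME))
```

Run as written, the first search returns nothing because "carolina." and "rr.com" sit in different sectors, while the boundary-spanning search reports sector 30 at offset 503; the Unicode option likewise finds the keyword in sector 20 that an ASCII search skips. With a real drive you would replace make_image() with sector reads from the volume and write build_evidence() output to the evidence file path, appending a sector range exactly as the "Append range of sectors to file" button does.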
Navigating the Sectors Using the Mouse

- > Button:
Forward button. Moves to the next sector.
- >> Button:
Fast forward scan button (described in detail below).
- < Button:
Back button. Moves to the previous sector.
- << Button:
Fast backward scan button (described in detail below).
- |< Button:
Move to beginning sector button. Moves to the sector defined in the
"Begin Sector:" text box.
- >| Button:
Move to end sector button. Moves to the sector defined in the
"End
Sector:" text box.
Pressing the >>
or <<
scan buttons will start an automatic scan process. SectorSpyXP will
display consecutive sectors (forward or backward) at a time interval (Scan
Speed) set by you within Options, as shown below:

The Scan Speed is the amount
of time (in milliseconds) a sector will be displayed on the screen during a
scan. In the example above, the Scan Speed is set to 750 milliseconds,
which is 3/4 of a second. A value of 1000 would be one second. A
value of 500 would be 1/2 second. Set the value to what is comfortable for
you. To stop the scan, press the "Cancel action" button.
Navigating the Sectors Using the Keyboard
You can quickly scan sectors using the keyboard:
- To move forward: Page Down key or the + key on the keypad. Holding down the key moves you very quickly through the sectors.
- To move backward: Page Up key or the - key on the keypad. Holding down the key moves you very quickly through the sectors.
- To move to the beginning: Home key.
- To move to the end: End key.
Miscellaneous

- Cancel action:
You can cancel long searches, scans, or cancel "appending a range of sectors
to the evidence file" by clicking this button.
- Current Sector:
Shows the number of the sector currently displayed.
- Exit:
Exit the program.
Example Using SectorSpyXP
Examining a hard drive for evidence
I have a computer with one
hard drive, partitioned as C: and D:, and D: is empty of data. One of my
agents just handed me a suspect's hard drive and wants me to analyze the drive
for incriminating evidence. I've been provided with a list of keywords and
topics to search. The first thing I do is install the suspect's hard drive
into my computer. The drive is assigned the logical drive designation
E:. There are several approaches I can take from here. They include:
- Copy the suspect's hard drive to my D: drive using xcopy or DrvClonerXP. This prevents me from accidentally destroying data on the suspect's drive. (Note that xcopy copies only the files the file system still lists, so deleted data, slack space and unallocated sectors do not come across; a sector-level examination needs a sector-by-sector clone of the drive.)
- I could use Microsoft's WinPE (Windows Pre-installation Environment) CD to boot up XP, and analyze the E: drive without fear that XP will write anything to the E: drive.
- I could boot up onto my C: drive and analyze E: from there. There's an excellent chance that nothing will get written to the E: drive, but it is not guaranteed: Windows can write to a volume simply by mounting it.
I decide to copy the suspect's
hard drive to my D: drive using DrvClonerXP. I remove the suspect's drive,
boot up on my C: drive and analyze D: from there. If I had WinPE, I could
boot from there, further isolating myself from D:.
Question:
What is WinPE and how do I purchase it?
WinPE is a product that
Microsoft wrote that allows you to boot XP from a CD. This means that XP
runs off of the CD, not from your hard drive. This totally isolates the
operating system from your hard drives. This is a great tool that
Microsoft won't let you have unless you license it from them as an OEM (Original
Equipment Manufacturer). Why this wasn't included free with XP is totally
beyond my comprehension! Well, I think dollar signs may have something to
do with it! Unless you are an OEM, you cannot have it! Insane!
Ok, I insert a blank diskette,
and run SectorSpyXP, which is located on my C: drive. I will be writing
evidence files to diskettes so they can be introduced as evidence. Within
SectorSpyXP, I select the D: drive with the suspect's data on it, and here is
what I see:

This drive has 5,124,672 sectors (about 2.6 GB at 512 bytes each). That means 5,124,672 screens of data! It would take weeks for me to look at every sector! I'll use the search capabilities to find the information, then use the navigation buttons to look around those areas. As I find incriminating evidence, I'll append it to the evidence file on the diskette.
The first keyword I need to
search for is "carolina.rr.com" which is a web site that this suspect
has somehow been involved with, so I enter "carolina.rr.com" as
follows (case insensitive) (later I type all my keywords into the
findnextlist.txt file and search for all the keywords at once):

press the Find Next button,
and I've got a hit! First, this message appears:

and I click No because I want
to look around at this point. Right now Begin Sector: shows a value of
zero (the first sector):

I set Begin Sector: to sector
8579 (the current sector),
so I can continue the search from here later. The little button to the
right of "Begin Sector:" when clicked sets the Begin Sector: value to
the currently displayed sector value.

Let's look at the main display
that shows the
hit:

I use the navigation buttons
(or keyboard) to look at the sectors before and after, and determine there are many sectors in
a row that have very useful information, starting with sector 8579 and ending
with sector 8603. I could append the text from each sector to the evidence
file, individually, but why bother when I can select the range of sectors and
have SectorSpyXP do the rest of the work. I select the range as follows:

and press the "Append range of sectors to file" button and that's it! All that data was written to the diskette automatically. When SectorSpyXP has finished appending the text, it moves back to the Begin Sector: value (8579). I press the "View file" button to make sure my evidence is being written. (Make sure "Word Wrap" is turned on within Notepad, under the menu selection "Format".)
I continue this same approach
over and over, methodically, and thoroughly, examining the hard drive. I
was appending to the evidence file when I got this message:

No problem! It's just
letting me know that the diskette is full, so I replace it with a new blank one,
press OK, and the append continues where it left off.
During one of my searches, I
made the mistake of misspelling a keyword I was searching for and pressed the
"Find Next" button. I simply pressed the "Cancel
action" button to stop the search.
Examining a diskette for evidence
Analyzing a diskette is done
exactly like a hard drive, except you will want to write the evidence file to a
location other than the diskette. Read the section above entitled "Writing
the evidence file to a location other than the A: drive".
To Uninstall
Just delete the folder where you installed SectorSpyXP/98 and its contents.
Contact Information
If
you want to contact me (Nick) to offer improvements to SectorSpyXP/98, or to report
problems, spelling/grammar errors, or just ask about any computer related
problems, contact me at:
E-mail:
LexunFreeware@carolina.rr.com
Donations
Welcomed!
See web site for details.
Other Lexun
Freeware
Web site: http://home.carolina.rr.com/lexunfreeware
Copyright © 2003 Lexun Freeware. All rights reserved.