SectorSpyXP/98 v2.0
Professional forensic analysis and data recovery tool for computer hard drives and diskettes
Features
Why Use SectorSpyXP?
This is a serious tool that can be used by detectives and law enforcement to search for and retrieve incriminating evidence left on computer hard drives and diskettes. Though not as powerful and flexible as EnCase (the premier tool for such purposes, and very expensive), SectorSpyXP is nevertheless very powerful and free!
It can also be used to retrieve lost, corrupted, or deleted data. Or, as a learning tool to see what is written at the low level to your hard drives.
SectorSpyXP should be used as the last resort in finding information. There are many other programs that can retrieve corrupted or deleted files at a higher level, and these tools should be used first. SectorSpyXP works at a lower level, and can retrieve text information that other programs cannot see.
SectorSpy98
Reference in this User's Guide will be made to SectorSpyXP, but SectorSpy98 operates exactly the same way. Optional text files used by SectorSpy98, like "SectorSpyXPFilePath.txt", keep the SectorSpyXP designation to remain compatible with SectorSpyXP.
Basic Tutorial
I will take you on a tour of SectorSpyXP, through my eyes, and at times as though I have never used this program. I will ask the kinds of questions you might ask, and answer them as well.
Question:
Before I begin, are there specific computer requirements I should know about?
SectorSpyXP will operate with Windows 2000 and XP operating systems, and supports FAT16, FAT32 and NTFS hard drives, and 3 1/2" diskettes. SectorSpy98 will operate with Windows 95/98 operating systems, and supports FAT16 and FAT32 hard drives, and 3 1/2" diskettes.
Question:
How do I install SectorSpyXP?
Just copy the files into a folder, that's it! Double-click on SectorSpyXP.exe to run the program, double-click on SectorSpyXP.htm to view the user's guide. If you have Microsoft HTML Help installed, you may prefer to double-click on SectorSpyXP.chm to view the user's guide.
SectorSpyXP Start Up
There are two steps that SectorSpyXP performs when you start running it:
Question:
Why the key?
Forensic analysis of media requires that the software tools used do not add to, delete from, or modify that media in any way. The key significantly reduces the chance of accidental drive modification.
Question:
What are evidence files?
When the SectorSpyXP user discovers interesting information, the displayed information can be appended to a text file, and used as evidence. Or, it can simply be used as a recovery mechanism for lost data.
Parts of the program
I will first explain the various parts of SectorSpyXP, then later show you how to use them in an example.
Main Display
This is the upper part of the main display. On the left is a 16 x 32 grid
of digital bytes (512 total). The total displayed grid of 512 bytes
constitutes a drive sector. A drive sector is the lowest level of
organization on a hard drive or diskette. Whenever the drive is read, a
minimum of one sector (512 bytes) is read. This should not be confused
with disk allocation (cluster) units, which can be 512, 1024, 2048, or 4096
bytes. The drive sector size cannot be changed and is a standardized 512
bytes for most hard drives.
Let's go off on a tangent for a moment. When you format a drive, you have the option of setting the allocation unit size. This is the minimum size in bytes that a file can occupy on a disk. If you choose 512, a file written to that drive will have a minimum size of 512 bytes, even if the file is only 10 bytes long. As with many things in life, there are tradeoffs in choosing the allocation unit size. If you have a lot of small files, 512 may be a good choice because there will be more available drive space. But, it is more likely that the files will become fragmented, slowing down performance. Larger allocation unit sizes reduce the available drive space, but are less likely to fragment.
Back to the display. On the right hand side is a direct text interpretation of the sector bytes to the left. The sector bytes can be interpreted as numbers or as text values. Most of the text interpretations will show junk on the screen. The gold nuggets are those sector bytes that actually do represent text, and this is what you will be looking for and retrieving. If you want to learn more about this kind of text interpretation, you should read up on the ASCII codes. In the main display example above, on the first line, the sector byte 4E represents the ASCII hex value of 'N'. Likewise, 54 => 'T', 46 => 'F', and 53 => 'S'. The displayed drive uses the NTFS file system as you can see from the text on the right side of the main display.
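To make the hex-to-text interpretation concrete, here is an added example (written for this guide, not code from SectorSpyXP itself) that renders one 512-byte sector as the main display does: 16 bytes per row, 32 rows, with the text interpretation beside the hex. The sample sector is constructed (an NTFS-style boot sector start padded with zeros), not a dump of a real drive; the `render_sector` and `to_display_char` names are this example's own.

```python
# Added example (not SectorSpyXP's own code): render one 512-byte sector as a
# 16 x 32 grid of hex bytes beside its text interpretation.
SECTOR_SIZE = 512
BYTES_PER_ROW = 16  # 16 columns x 32 rows = 512 bytes


def to_display_char(b: int) -> str:
    """Interpret one byte as text; anything outside printable ASCII shows as '.'.
    The program cannot know whether a byte is text or part of a number, so the
    human reader must judge which interpretations make sense."""
    return chr(b) if 0x20 <= b <= 0x7E else "."


def render_sector(sector: bytes) -> list[str]:
    """Return 32 display rows of the form 'hh hh ... hh  |text|'."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    rows = []
    for off in range(0, SECTOR_SIZE, BYTES_PER_ROW):
        chunk = sector[off:off + BYTES_PER_ROW]
        hexpart = " ".join(f"{b:02X}" for b in chunk)
        textpart = "".join(to_display_char(b) for b in chunk)
        rows.append(f"{hexpart}  |{textpart}|")
    return rows


# Constructed sample: the first bytes of an NTFS boot sector (jump instruction
# followed by the OEM id "NTFS    "), padded with zeros. Sample data only.
SAMPLE_BOOT_SECTOR = (bytes.fromhex("EB5290") + b"NTFS    ").ljust(SECTOR_SIZE, b"\x00")

if __name__ == "__main__":
    for row in render_sector(SAMPLE_BOOT_SECTOR):
        print(row)
```

In the first row the bytes 4E 54 46 53 come out as N, T, F, S in the text column, exactly as in the main display example, while the jump bytes EB and 90 around them show as dots because they are not printable characters.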
Question:
Would the hex value 4E always represent the letter 'N'?
Good question! The answer is no. That value could just as well be part of a number. SectorSpyXP has no idea if 4E represents text, or part of a number. It could be text, therefore SectorSpyXP displays its textual representation. It is up to the human viewing the text to make sense of it. As you can see in the main display example, there are a couple of 3s, question marks, etc. that don't seem to make much sense. Just disregard them.
Drive Information
Question:
The Begin Sector, End Sector thing is confusing, can you
please explain it using an example?
You may want to focus on a specific part of the drive. For example, you could set Begin Sector: to 12000 and End Sector: to 14000. You will see later that you can use buttons to quickly move to the Begin/End sectors you have selected. Also, later you will be selecting a range of sectors to automatically append text information, found within the range, to an evidence file.
Question:
Why is the maximum End Sector: value one less than the total number of drive sectors?
Because the first sector starts at zero, not one.
Evidence File (or data recovery file) Information
Retrieval of information from SectorSpyXP is accomplished by writing to a text file called the evidence file (or data recovery file for those not using the program forensically). The name of the evidence file will always be SectorSpyXP.txt, and will be written to an A: drive diskette, as the default.
You do not have to write to the diskette. If you are analyzing a diskette in the A: drive, then you must write the data to another drive. Or, you may not be concerned with contaminating the hard drives you are working with, and would like to write to the hard drives instead of to a diskette. I will explain how to do this in a moment.
When SectorSpyXP is launched, it immediately looks on drive A: for a diskette with a key on it. If a diskette is not found, or the key is not found, SectorSpyXP assumes you want the evidence file to be written to drive A:. If you do not want to write to a diskette in the A: drive, follow the directions below:
Writing the evidence file to a location other than the A: drive
To write the evidence file to a location other than to a diskette on the A: drive requires you to create a simple text file (must be called SectorSpyXPFilePath.txt) that contains the path name for the location where you would like the evidence file to be written. This is the key that SectorSpyXP looks for when it is launched. Follow these simple steps:
Analyzing a diskette
If you are analyzing a diskette, you will not want to be writing the evidence file to the diskette. Follow the directions above to write the evidence file to another location. Insert the diskette with the SectorSpyXPFilePath.txt key file, then start up SectorSpyXP. Remove the diskette and replace it with the one you want to analyze.
Evidence file tools within SectorSpyXP
Evidence File (or data recovery file) Header Information
You have the option to include a header (shown below) before each sector written to the evidence file.
--------------------------------------------------------------------------------------------
Date: 10/17/02
Time: 23:05:20
Drive: C:
Sector: 0
----------------
If you prefer not to have the header in the output file, uncheck the "Include header in file" check box in "Options" as shown below:
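The following is an added example (not SectorSpyXP's own code) of how an evidence file entry with the header shown above can be produced and appended. It assumes the key file SectorSpyXPFilePath.txt holds the folder in which SectorSpyXP.txt is written, with the A: drive as the default when no key file exists; the function names, the rule width of the header's first line, and the sample sector are this example's own constructions.

```python
# Added example (not SectorSpyXP's own code): build an evidence-file entry with the
# optional header and append it to SectorSpyXP.txt. Key-file handling and the text
# conversion are this example's assumptions about the behaviour the guide describes.
import ntpath
import os
from datetime import datetime

EVIDENCE_FILE_NAME = "SectorSpyXP.txt"
KEY_FILE_NAME = "SectorSpyXPFilePath.txt"
DEFAULT_LOCATION = "A:\\"          # evidence goes to a diskette unless a key file says otherwise
HEADER_RULE = "-" * 92             # width approximates the guide's sample header line
HEADER_TRAILER = "-" * 16


def resolve_evidence_path(key_file=KEY_FILE_NAME, default_location=DEFAULT_LOCATION):
    """Assumption: the key file's first line is the folder for the evidence file.
    The file name itself is always SectorSpyXP.txt. ntpath is used so the
    Windows-style path is built the same way on any host."""
    location = default_location
    if os.path.exists(key_file):
        with open(key_file, encoding="ascii", errors="replace") as fh:
            first = fh.readline().strip()
        if first:
            location = first
    return ntpath.join(location, EVIDENCE_FILE_NAME)


def sector_text(sector: bytes) -> str:
    """Text interpretation of a sector: printable ASCII kept, everything else '.'."""
    return "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in sector)


def format_header(drive: str, sector_no: int, when: datetime) -> str:
    """The header block the guide shows before each sector written to the file."""
    return "\n".join([
        HEADER_RULE,
        f"Date: {when:%m/%d/%y}",
        f"Time: {when:%H:%M:%S}",
        f"Drive: {drive}",
        f"Sector: {sector_no}",
        HEADER_TRAILER,
    ]) + "\n"


def format_entry(drive, sector_no, sector, include_header=True, when=None):
    """One evidence-file entry; include_header mirrors the Options check box."""
    when = when or datetime.now()
    header = format_header(drive, sector_no, when) if include_header else ""
    return header + sector_text(sector) + "\n"


def append_entry(path, entry):
    # Always append, never truncate: evidence already in the file must survive.
    with open(path, "a", encoding="ascii", errors="replace") as fh:
        fh.write(entry)


# Constructed sample sector and timestamp (the timestamp matches the guide's sample header).
SAMPLE_SECTOR = b"Lexun Freeware evidence sample. ".ljust(512, b"\x00")
SAMPLE_TIME = datetime(2002, 10, 17, 23, 5, 20)

if __name__ == "__main__":
    print(format_entry("C:", 0, SAMPLE_SECTOR, when=SAMPLE_TIME))
    print("evidence file would be:", resolve_evidence_path())
```

Opening the file in append mode is the important detail: each "Append to file" action adds to the existing evidence rather than replacing it, which is what lets one diskette accumulate the results of a whole session.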
Searching for Specific Information within the Sectors
There are two ways to search for specific information.
Method 1
Type in the text you would like to search and click the Find Next button (in the example shown the search text is Lexun Freeware). Find Next will find the first occurrence of Lexun Freeware within a sector, starting at the currently displayed sector, and highlight the text in red. It will not highlight other occurrences of Lexun Freeware within the same sector. When you click Find Next again, it will look for the first occurrence of Lexun Freeware within the next sector. This avoids repeatedly clicking Find Next when Lexun Freeware exists many times within a sector. Explained in another way, Find Next will seek the first occurrence of Lexun Freeware within the next sector that it encounters. It will stop looking for Lexun Freeware in the current sector once it has found the first occurrence of it. You can only search in the forward direction.
The Case Sensitive button of course determines if the search text is case sensitive or not. In the example shown, the Case Sensitive button is pressed, and any searches for Lexun Freeware will result in hits, only if the capitalization matches exactly. For example, lexun freeware would not be a hit in this example, but would be if the Case Sensitive button were not pressed.
Method 2
You can search for a list of keywords you have entered in a text file. Follow this procedure:
Searching for General Text within the Sectors
You can search for sectors that contain any readable text by pressing the "Find Next" button with no entry in the edit box as shown below:
You can control the relative amount of text to find within a sector. It's easiest to explain this with an example:
Within "Options", you can set the Text Count. The Text Count is a number between 2 and 512. There are 512 bytes (characters) per sector. In the example above, the Text Count is set to 512. This means that SectorSpyXP will search for the next sector that has every byte (all 512 bytes) as readable text. If the Text Count is set to 200, then SectorSpyXP will search for the next sector that has at least 200 bytes out of 512 that are readable text.
This feature allows you to find concentrated areas of text, skipping sectors that have very little or no text.
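Both search behaviours described above (Find Next for a specific string, and Find Next with an empty edit box governed by the Text Count) are shown in the following added example. It is not SectorSpyXP's code: it runs over a constructed in-memory "drive" of eight 512-byte sectors rather than a real device, and the function names are this example's own. The Find Next semantics follow the guide: only the first occurrence in a sector counts, the search moves forward only, and a repeated click resumes at the next sector.

```python
# Added example (not SectorSpyXP's own code): Find Next and the Text Count search
# over a constructed in-memory image of eight 512-byte sectors.
SECTOR_SIZE = 512


def is_readable(b: int) -> bool:
    """Printable ASCII counts as readable text for the Text Count search."""
    return 0x20 <= b <= 0x7E


def sector_at(image: bytes, n: int) -> bytes:
    return image[n * SECTOR_SIZE:(n + 1) * SECTOR_SIZE]


def find_next(image: bytes, start_sector: int, needle: str, case_sensitive: bool = True):
    """Scan forward from start_sector; return (sector, offset) of the first
    occurrence in the first sector that contains needle, or None. Further
    occurrences in that same sector are ignored, as the guide describes."""
    pat = needle.encode("latin-1")
    total = len(image) // SECTOR_SIZE
    for n in range(start_sector, total):
        sec = sector_at(image, n)
        hay, p = (sec, pat) if case_sensitive else (sec.lower(), pat.lower())
        idx = hay.find(p)
        if idx != -1:
            return n, idx
    return None


def find_all_hits(image: bytes, needle: str, case_sensitive: bool = True):
    """Simulate repeated Find Next clicks: after each hit, resume at the next sector."""
    n = 0
    while (hit := find_next(image, n, needle, case_sensitive)) is not None:
        yield hit
        n = hit[0] + 1


def readable_count(sector: bytes) -> int:
    return sum(1 for b in sector if is_readable(b))


def find_next_text(image: bytes, start_sector: int, text_count: int):
    """Find Next with an empty edit box: the first sector from start_sector with
    at least text_count readable bytes. Text Count is limited to 2..512."""
    if not 2 <= text_count <= SECTOR_SIZE:
        raise ValueError("Text Count must be between 2 and 512")
    total = len(image) // SECTOR_SIZE
    for n in range(start_sector, total):
        if readable_count(sector_at(image, n)) >= text_count:
            return n
    return None


def build_sample_image() -> bytes:
    """Constructed drive image: sector 2 holds the search text twice, sector 3
    holds it in lower case, sector 5 is entirely readable text, and sector 6
    has exactly 200 readable bytes. Everything else is zeros."""
    secs = [bytearray(SECTOR_SIZE) for _ in range(8)]
    secs[2][10:24] = b"Lexun Freeware"
    secs[2][100:114] = b"Lexun Freeware"
    secs[3][40:54] = b"lexun freeware"
    secs[5][:] = (b"All readable text here. " * 22)[:SECTOR_SIZE]
    secs[6][:200] = b"x" * 200
    return b"".join(secs)


if __name__ == "__main__":
    img = build_sample_image()
    print("case sensitive hits:", list(find_all_hits(img, "Lexun Freeware", True)))
    print("case insensitive hits:", list(find_all_hits(img, "Lexun Freeware", False)))
    print("first all-text sector:", find_next_text(img, 0, 512))
```

Note that the case-sensitive run reports one hit for sector 2 even though the text occurs there twice, and skips sector 3 entirely; unpressing Case Sensitive makes sector 3 a hit as well. With Text Count 512 only sector 5 qualifies, while Text Count 200 also accepts sector 6 once the search resumes past sector 5.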
Navigating the Sectors Using the Mouse
Pressing the >> or << scan buttons will start an automatic scan process. SectorSpyXP will display consecutive sectors (forward or backward) at a time interval (Scan Speed) set by you within Options, as shown below:
The Scan Speed is the amount of time (in milliseconds) a sector will be displayed on the screen during a scan. In the example above, the Scan Speed is set to 750 milliseconds, which is 3/4 of a second. A value of 1000 would be one second. A value of 500 would be 1/2 second. Set the value to what is comfortable for you. To stop the scan, press the "Cancel action" button.
Navigating the Sectors Using the Keyboard
You can quickly scan sectors using the keyboard:
To move forward: Page Down key and + key on the keypad. Holding down the key moves you very quickly through the sectors.
To move backward: Page Up key and - key on the keypad. Holding down the key moves you very quickly through the sectors.
To move to the beginning: Home key.
To move to the end: End key.
Miscellaneous
Example Using SectorSpyXP
Examining a hard drive for evidence
I have a computer with one hard drive, partitioned as C: and D:, and D: is empty of data. One of my agents just handed me a suspect's hard drive and wants me to analyze the drive for incriminating evidence. I've been provided with a list of keywords and topics to search. The first thing I do is install the suspect's hard drive into my computer. The drive is assigned the logical drive designation E:. There are several approaches I can take from here. They include:
I decide to copy the suspect's hard drive to my D: drive using DrvClonerXP. I remove the suspect's drive, boot up on my C: drive and analyze D: from there. If I had WinPE, I could boot from there, further isolating myself from D:.
Question: What is WinPE and how do I purchase it?
WinPE is a product that Microsoft wrote that allows you to boot XP from a CD. This means that XP runs off of the CD, not from your hard drive. This totally isolates the operating system from your hard drives. This is a great tool that Microsoft won't let you have unless you license it from them as an OEM (Original Equipment Manufacturer). Why this wasn't included free with XP is totally beyond my comprehension! Well, I think dollar signs may have something to do with it! Unless you are an OEM, you cannot have it! Insane!
Ok, I insert a blank diskette, and run SectorSpyXP, which is located on my C: drive. I will be writing evidence files to diskettes so they can be introduced as evidence. Within SectorSpyXP, I select the D: drive with the suspect's data on it, and here is what I see:
This drive has 5,124,672 sectors. That means 5,124,672 screens of data! It would take weeks for me to look at every sector! I'll use the search capabilities to find the information, then use the navigation buttons to look around those areas. As I find incriminating evidence, I'll append it to the evidence file on the diskette.
The first keyword I need to search for is "carolina.rr.com" which is a web site that this suspect has somehow been involved with, so I enter "carolina.rr.com" as follows (case insensitive) (later I type all my keywords into the findnextlist.txt file and search for all the keywords at once):
press the Find Next button, and I've got a hit! First, this message appears:
and I click No because I want to look around at this point. Right now Begin Sector: shows a value of zero (the first sector):
I set Begin Sector: to sector 8579 (the current sector), so I can continue the search from here later. The little button to the right of "Begin Sector:" when clicked sets the Begin Sector: value to the currently displayed sector value.
Let's look at the main display that shows the hit:
I use the navigation buttons (or keyboard) to look at the sectors before and after, and determine there are many sectors in a row that have very useful information, starting with sector 8579 and ending with sector 8603. I could append the text from each sector to the evidence file, individually, but why bother when I can select the range of sectors and have SectorSpyXP do the rest of the work. I select the range as follows:
and press the "Append range of sectors to file" button and that's it! All that data was written to the diskette automatically. When SectorSpyXP has completed appending the text, it moves back to the Begin Sector: value (8579). I press the "View file" button to make sure my evidence is being written. (Make sure "Word Wrap" is turned on within Notepad, under the menu selection "Format".)
I continue this same approach over and over, methodically, and thoroughly, examining the hard drive. I was appending to the evidence file when I got this message:
No problem! It's just letting me know that the diskette is full, so I replace it with a new blank one, press OK, and the append continues where it left off.
During one of my searches, I made the mistake of misspelling a keyword I was searching for and pressed the "Find Next" button. I simply pressed the "Cancel action" button to stop the search.
Examining a diskette for evidence
Analyzing a diskette is done exactly like a hard drive, except you will want to write the evidence file to a location other than the diskette. Read the section above entitled "Writing the evidence file to a location other than the A: drive".
Contact Information
If you want to contact me (Nick) to offer improvements to SectorSpyXP/98, or to report problems, spelling/grammar errors, or just ask about any computer related problems, contact me at:
E-mail: LexunFreeware@carolina.rr.com
Donations
Welcomed!
See web site for details.
Other Lexun Freeware
Web site: http://home.carolina.rr.com/lexunfreeware