
The Windows™ XP MS-DOS Startup Disk

An Example in Basic Forensics and Data Recovery

Copyright©2003,2004,2017 by Daniel B. Sedory
[Do not reproduce without permission from the author.]

 

   When you Format a diskette under Windows™ XP (see Figure 1), there's a checkbox option (see Figure 2) you can use to create an "MS-DOS startup disk" rather than simply formatting it:

Figure 1. (the Format dialog for a diskette under Windows™ XP)

Figure 2. (the "Create an MS-DOS startup disk" checkbox)

The disk that this option creates is a simple MS-DOS boot disk. It cannot interact with the Windows™ XP Operating System; and, as you'll soon see, it is nothing more than a stripped-down version of the Windows™ Me Startup Disk. Its CONFIG.SYS and AUTOEXEC.BAT files have no contents (they are zero-length files), so the disk will only boot up to an A:\> prompt when used. How do we know this diskette started out as a Windows™ Me Startup Disk? Because all of the deleted file names (with the first character replaced by an E5 hex byte) can still be found in the Directory of this Windows™ XP diskette and compared with those on a Windows™ Me Startup Disk! Some of these files, such as the "?BD.CAB" (EBD.CAB) file, are still fully intact and can be retrieved with any number of simple file recovery tools, such as Symantec's Norton UNERASE program.

The two Tables on this page (and a downloadable MS-EXCEL file; see below) show all the deleted files and MAC Times from the Windows™ XP (MS-DOS) Startup Disk.

For all previous Microsoft® Startup Diskettes, the Creation dates/times shown for most of the files were the same as the date and time when the OS copied them to the diskette (for example, see the Creation dates/times and Last Accessed dates of this Windows™ 98 SE Startup Disk, which was made on April 1, 2003). Since this is not the case for the Win XP "MS-DOS startup disk," we concluded that some kind of "image file" for this diskette must be embedded somewhere in the Windows™ XP Operating System!

NOTE: We wrote this paper in 2004. You may wish to skip to the next section (2017) for data on the Windows XP SP3 Startup Disk!

Data for the Original Windows XP Startup Disk:

After supplying a friend with some search parameters, he was able to find the system file in which the Startup Disk is embedded: open the file DISKCOPY.DLL (it should be in any Windows™ XP version's system32 folder; it's 1,501,696 bytes and dated 08-23-2001 5:00:00) in a Hex editor (we like to use FrHEd here) and you'll find the whole image beginning at offset 40F0 hex (the only difference is that the file names AUTOEXEC.BAT and CONFIG.SYS are added to the Directory whenever Windows™ XP is used to make a new Startup Disk):


Figure 3.

This image even contains the Volume Serial Number 2A87-6CE1 (see the thin red box in Figure 3 above) and an IHC-string in its OEM ID field: " *-v4VIHC " (the Hex bytes: "2a 2d 76 34 56 49 48 43"), both of which are locked-in when the disk is copied [to preserve the data in the IHC-string, set the write-protect tab on the diskette as soon as you see the Information pop-up window stating "Format Complete."; otherwise Windows™ XP may overwrite that field]. Writing the same data into these fields on every diskette is also something Microsoft® had never done before! It means that every Windows™ XP Startup Disk could be identical except for the dates/times found in its Directory for the zero-length files AUTOEXEC.BAT and CONFIG.SYS. The image inside DISKCOPY.DLL is even padded with "F6" bytes like a freshly formatted diskette, making it exactly 1,474,560 bytes (the size of any 1440 KiB diskette).
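As an added example (not part of the original page, and not Microsoft's code), here is how the same search could be done programmatically instead of by eye in a hex editor: a Python script that scans any binary file for a 512-byte DOS boot sector whose BIOS Parameter Block describes a 1.44 MB diskette, reads the OEM ID and Volume Serial Number out of it, carves the 1,474,560-byte image and counts the trailing F6 fill. It does not ship with DISKCOPY.DLL; the container it scans is constructed inside the script (a synthetic image carrying the page's OEM ID and serial, placed at offset 40F0 hex to mirror the page), and the FAT and root-directory sizes of that synthetic image are assumptions, not data from the real disk.

```python
import struct
from pathlib import Path

FLOPPY_1440_BYTES = 1_474_560   # 2880 sectors x 512 bytes: exactly one 1440 KiB diskette
BPB_FMT = "<HBHBHHBHHHII"       # BIOS Parameter Block, offset 11 of the boot sector
EBPB_FMT = "<BBBI11s8s"         # DOS 4+ extended BPB, offset 36: holds the Volume Serial Number
BOOT_SIG = b"\x55\xAA"          # last two bytes of every boot sector

def parse_boot_sector(sector):
    """Fields of a DOS 4+ boot sector, or None if these 512 bytes are not one."""
    if len(sector) < 512 or sector[510:512] != BOOT_SIG or sector[0] not in (0xEB, 0xE9):
        return None
    (bps, spc, _reserved, _fats, root_entries, total, media,
     _spf, _spt, _heads, _hidden, total_big) = struct.unpack_from(BPB_FMT, sector, 11)
    _drive, _flags, ext_sig, serial, label, fs_type = struct.unpack_from(EBPB_FMT, sector, 36)
    if ext_sig != 0x29:          # without the extended BPB there is no serial number to read
        return None
    return {
        "oem_id": sector[3:11].decode("latin-1"),
        "bytes_per_sector": bps, "sectors_per_cluster": spc, "root_entries": root_entries,
        "total_sectors": total or total_big, "media": media,
        "serial": f"{serial >> 16:04X}-{serial & 0xFFFF:04X}",   # printed the way DIR shows it
        "label": label.decode("latin-1").rstrip(),
        "fs_type": fs_type.decode("latin-1").rstrip(),
    }

def looks_like_1440_floppy(info):
    """The BPB geometry every 1.44 MB FAT12 diskette carries."""
    return (info is not None and info["bytes_per_sector"] == 512 and info["sectors_per_cluster"] == 1
            and info["total_sectors"] == 2880 and info["media"] == 0xF0 and info["root_entries"] == 224)

def find_floppy_images(blob):
    """Offsets in blob where a complete 1.44 MB image starts. Rather than testing every
    byte, jump between 55 AA occurrences and test the sector that would end there."""
    hits, pos = [], blob.find(BOOT_SIG)
    while pos != -1:
        start = pos - 510
        if start >= 0 and start + FLOPPY_1440_BYTES <= len(blob):
            if looks_like_1440_floppy(parse_boot_sector(blob[start:start + 512])):
                hits.append(start)
        pos = blob.find(BOOT_SIG, pos + 1)
    return hits

def extract_image(blob, offset):
    return blob[offset:offset + FLOPPY_1440_BYTES]

def trailing_fill(image, fill=0xF6):
    """How many bytes of formatter fill (F6) sit at the end of the image."""
    return len(image) - len(image.rstrip(bytes([fill])))

def build_floppy_image(oem_id, serial):
    """Constructed demo image: a valid 1.44 MB boot sector, two 9-sector FATs, an empty
    224-entry root directory and F6 fill everywhere else (a real disk has files here)."""
    bs = bytearray(512)
    bs[0:3] = b"\xEB\x3C\x90"                                   # JMP over the BPB
    bs[3:11] = oem_id.ljust(8)[:8]
    struct.pack_into(BPB_FMT, bs, 11, 512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2, 0, 0)
    struct.pack_into(EBPB_FMT, bs, 36, 0x00, 0, 0x29, serial, b"NO NAME    ", b"FAT12   ")
    bs[510:512] = BOOT_SIG
    fat = b"\xF0\xFF\xFF" + b"\x00" * (9 * 512 - 3)
    body = bytes(bs) + fat + fat + b"\x00" * (224 * 32)
    return body + b"\xF6" * (FLOPPY_1440_BYTES - len(body))

# Constructed stand-in for DISKCOPY.DLL: junk, then the image at 40F0 hex (the page's offset).
DEMO_CONTAINER = (b"MZ" + b"\x00" * (0x40F0 - 2)
                  + build_floppy_image(b"*-v4VIHC", 0x2A876CE1) + b"\x00" * 4096)

if __name__ == "__main__":
    import sys
    blob = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else DEMO_CONTAINER
    for off in find_floppy_images(blob):
        image = extract_image(blob, off)
        info = parse_boot_sector(image[:512])
        print(f"image at {off:#x}: OEM ID {info['oem_id']!r}, serial {info['serial']}, "
              f"{trailing_fill(image):,} trailing F6 bytes")
        Path(f"floppy_{off:x}.img").write_bytes(image)
```

Run it against the real file with the DLL's path as the only argument. A hit only means a plausible boot sector starts there, so compare the carved image's Directory (and an MD5 of the whole image) against a diskette made by the Format dialog before trusting it; sectors without the DOS 4+ extended-BPB signature 29 hex are rejected because there is no Volume Serial Number field to read in them.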

Each Table below uses the following color codes for its lines:

TAN --- A file that was part of the Windows™ Me disk, but was overwritten.

WHITE --- A file used by the Windows™ XP Startup Disk.

GREEN --- An original Windows™ Me file that can still be fully recovered.


Table 1 shows all the files (including deleted file names beginning with a "?") according to their location by Cluster Number (a "+" sign after the cluster number means that the file used/uses more than just the cluster listed in the table). HIMEM.SYS (at cluster 1272+) is the first of the original Windows™ Me files that can be fully recovered:


Table 1.

Table 2 shows all the MAC times for every file that was or still is on the diskette (the Modified dates/times are listed as "Last Write" Dates/Times in this table):


Table 2.

You can download an MS-EXCEL file with all of the data above (plus a list of the MD5 checksums of the Windows™ XP files) by clicking here: WinXPSDcontents.zip.


Forensic Analysis

Important NOTE: This analysis assumes that all the MAC Times on the diskette reflect real events; this is most often the case. But keep in mind that anyone with knowledge of MAC Times and a Disk Editor could change everything you see here! This is why MACs maintained on a server (one with security tight enough that physical access is impossible for all but an Administrator, and where it can be shown that no one obtained root access) inherently carry more weight as evidence than MACs found on a suspect's diskette. This cuts both ways, though:

1) If you are involved in obtaining evidence against a suspect, be wary of diskettes (until you have good reason to believe otherwise). Consider: (a) Is it possible the suspect altered data on it? (b) Make sure every bit of data makes sense. (c) Best if you have other evidence to back it up!

2) If a diskette is part of the evidence in a case, then it is not only up to the defense to point out the possibility of falsification, but also to give a logical argument as to who may have had an opportunity to change the MACs or other data (and why). That, of course, is the main reason why crime labs must maintain the highest standards in evidence gathering, record keeping and integrity in all aspects of their task; so that they will never be cited as making 'evidence tampering' even a possibility!


The first thing that should be pointed out is that this particular diskette was made on April 25, 2003 at 11:24:44 AM (04-25-2003  11:24:44) as reflected in the MACs for the AUTOEXEC.BAT and CONFIG.SYS files. Your own diskette should have different dates/times for these entries. (See Table 2 for all references to the MAC Times in this discussion.)


From the Modified ("Last Write") date/time of the zero-length file EBD.SYS (which became "?BD.SYS" when deleted) and of MSDOS.SYS (the only file left 'as is' from the original Win Me disk), 04-07-2001 13:40:30, you can see that some Microsoft® employee finished making a new copy of the Windows™ Me Startup Disk (which became the basis for this Windows™ XP Startup Disk) at 1:40:30 PM on April 7, 2001. NOTE that the majority of the Creation and Last Access dates are also April 7, 2001 (04-07-2001).


Chronological Summary of all the Events According to the MAC Dates/Times:

Thursday, Jun 8, 2000 17:00:00 -- This is the Modified ("Last Write") date/time for almost every file (deleted or not) on the disk; the only exceptions are the: AUTOEXEC.BAT, CONFIG.SYS, EBD.SYS (all 3 of these being zero-length files); MSDOS.SYS and IO.SYS. This is also the same exact Modified Date/Time for almost every file on a Windows™ Me Startup Disk.

Saturday, April 7, 2001 -- We already mentioned this as being the day someone made a copy of the Windows™ Me Startup Disk that the Windows™ XP Startup Disk is based on. But from the Last Access Date column, you can also determine that most of the original Windows™ Me files were deleted on this date!

All Microsoft boot disks must have an IO.SYS file (or the MSWIN4.1 Boot Record in Sector 0 would have to be altered in order to boot the OS from some other file!). One has to wonder whether Microsoft was considering doing something with the CONFIG.SYS file (and possibly a new copy of the AUTOEXEC.BAT file) as part of the Windows™ XP Startup Disk, since it wasn't deleted that day; or was this just a mistake in the paperwork? And why did they keep the other files on the disk until many days later (April 27)? Questions such as these cannot be answered by looking at MAC Times alone!

Monday, April 9, 2001 -- CONFIG.SYS was deleted from the diskette.

Friday, April 27, 2001 -- The files FINDRAMD.EXE, EXTRACT.EXE, FDISK.EXE, EDBUNDO.EXE and HIBINV.EXE are finally deleted from the diskette. IO.SYS was edited (or replaced by an edited version having exactly the same file size) on this date (see the red digits in the "Last Write Date" column of the first line) at 14:01:50 (2:01:50 PM).

Wednesday, May 9, 2001 -- Many files which do not exist on a Windows™ Me Startup Disk were added to the Windows™ XP Startup Disk: EGA2.CPI (at 14:00:32), EGA3.CPI (at 14:00:36), EGA.CPI (at 14:00:40), KEYB.COM (at 14:00:50), KEYBOARD.SYS (at 14:00:52), KEYBRD2.SYS (at 14:00:56), KEYBRD3.SYS (at 14:00:58), KEYBRD4.SYS (at 14:01:02), MODE.COM (at 14:01:04) and DISPLAY.SYS (at 14:01:12). Another copy of the Windows™ Me Startup Disk's COMMAND.COM file (digitally exactly the same, but not in the same physical location as the one on an Me diskette) was added at 14:01:06 along with these other files.

Since the clusters which make up the existing IO.SYS file (clusters 2 through 229) were not overwritten by any of the files listed above, it must have been deleted (notice the "?O.SYS" at the beginning of the very first line of Table 2; see the date 05-09-2001 in red in the "Last Access Date" column of the first line) at some time after 14:01:12 on this date: had it been deleted earlier, its freed clusters would have been reused, and the files EGA2.CPI and EGA3.CPI alone would have overwritten all of them.

Tuesday, May 15, 2001 18:57:42 -- This is when (6:57:42 PM) the last change was made to the Windows™ XP Startup Disk. Whatever changes were made to the IO.SYS file were finally written to the diskette!*



In Figure 4 below, a textual representation of all the bytes in the diskette's DIRECTORY, you can see that the very first entry in the Directory (offset 000 Hex) is a deleted file (deleted file names begin with the symbol shown for the E5 hex byte in this figure), highlighted with a yellow background. This is where the Directory entry for the original IO.SYS file (and at least one edited version) is located. At offset 360 Hex, there's another Directory entry (also highlighted in yellow) with the name IO.SYS. Although this file occupies exactly the same clusters on the diskette as the original IO.SYS file, the OS that was used to add it to the diskette created a separate Directory entry for it. This is not uncommon under the FAT file system.

All of the files which were deleted from the original Windows™ Me Startup Disk are shown with a red bar in front of their file names. Only the MSDOS.SYS file at offset 320 Hex (highlighted with a light green background) was not deleted from the original group of Windows™ Me files.


Figure 4.
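The two Tables, the chronological summary and the Figure 4 walkthrough are all read straight out of the 32-byte FAT directory entries. As an added example that is not from the original page, the Python below decodes such entries (including deleted ones, whose first byte is E5 hex and is shown as "?" as in the Tables), converts the packed FAT date/time fields into real timestamps (the creation stamp carries an extra 10-millisecond byte, which is why a creation time can be 13:39:29 while every last-write time on a FAT disk is an even second), orders the entries by first cluster as Table 1 does, classifies each deleted entry as overwritten (TAN) or still recoverable (GREEN) by checking whether a live file now occupies its clusters, and emits a timeline of all MAC events. The root directory it parses is constructed in the script and only loosely modeled on the Tables; its file sizes and cluster numbers are assumptions, not values read from a real diskette.

```python
import struct
from datetime import datetime, timedelta

ENTRY_FMT = "<8s3sBBBHHHHHHHI"   # one 32-byte FAT directory entry (layout with create/access fields)
DELETED = 0xE5                  # first name byte of a deleted entry
BYTES_PER_CLUSTER = 512         # 1.44 MB floppy: one 512-byte sector per cluster
LFN_ATTR = 0x0F                 # long-file-name pieces are not files in their own right

def fat_datetime(date, time=0, tenths=0):
    """Decode packed FAT date/time: 2-second resolution, plus the creation-only 10 ms byte."""
    if date == 0:
        return None
    year, month, day = 1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F
    hour, minute, sec2 = time >> 11, (time >> 5) & 0x3F, time & 0x1F
    return datetime(year, month, day, hour, minute, sec2 * 2) + timedelta(milliseconds=10 * tenths)

def fat_pack(dt):
    """Inverse of fat_datetime; used only to construct the sample directory below."""
    d = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    t = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return d, t, (dt.second % 2) * 100 + dt.microsecond // 10_000

def parse_entry(raw, offset=0):
    """One 32-byte entry -> dict, or None at the end-of-directory marker (first byte 00)."""
    (name, ext, attr, _nt, crt_tenths, crt_time, crt_date, acc_date,
     _hi, wrt_time, wrt_date, cluster, size) = struct.unpack(ENTRY_FMT, raw)
    if name[0] == 0x00:
        return None
    deleted = name[0] == DELETED
    shown = (b"?" + name[1:]) if deleted else name     # render the E5 byte as '?'
    fname = shown.decode("cp437").rstrip()
    if ext.strip():
        fname += "." + ext.decode("cp437").rstrip()
    return {"offset": offset, "name": fname, "deleted": deleted, "attr": attr,
            "cluster": cluster, "size": size,
            "created": fat_datetime(crt_date, crt_time, crt_tenths),
            "accessed": fat_datetime(acc_date),          # FAT12 keeps only a date here
            "written": fat_datetime(wrt_date, wrt_time)}

def parse_root_dir(data):
    entries = []
    for off in range(0, len(data) - 31, 32):
        e = parse_entry(data[off:off + 32], off)
        if e is None:
            break
        if e["attr"] != LFN_ATTR:
            entries.append(e)
    return entries

def cluster_range(e):
    """Clusters the file occupies IF it was stored contiguously; a deleted entry's FAT
    chain was zeroed on deletion, so contiguity is the only assumption left to make."""
    if e["size"] == 0 or e["cluster"] < 2:
        return range(0)
    return range(e["cluster"], e["cluster"] + -(-e["size"] // BYTES_PER_CLUSTER))

def by_cluster(entries):
    """Table 1 order: every entry by first cluster, zero-length files (cluster 0) first."""
    return sorted(entries, key=lambda e: (e["cluster"], e["name"]))

def classify(entries):
    """WHITE: live file. TAN: deleted and a live file now sits on (some of) its clusters.
    GREEN: deleted but no live file touches its clusters, so it can still be carved."""
    live = [set(cluster_range(e)) for e in entries if not e["deleted"]]
    result = []
    for e in entries:
        if not e["deleted"]:
            colour = "WHITE"
        elif any(set(cluster_range(e)) & s for s in live):
            colour = "TAN"
        else:
            colour = "GREEN"
        result.append((e["name"], colour))
    return result

def timeline(entries):
    """Every MAC stamp as (when, file, kind), oldest first: the chronology used above."""
    events = [(e[kind], e["name"], kind) for e in entries
              for kind in ("created", "written", "accessed") if e[kind]]
    return sorted(events)

def make_entry(name, ext, created, accessed, written, cluster, size, deleted=False, attr=0x20):
    nm = name.encode("ascii").ljust(8)
    if deleted:
        nm = bytes([DELETED]) + nm[1:]
    cd, ct, ctn = fat_pack(created)
    ad = fat_pack(accessed)[0]
    wd, wt, _ = fat_pack(written)
    return struct.pack(ENTRY_FMT, nm, ext.encode("ascii").ljust(3), attr, 0,
                       ctn, ct, cd, ad, 0, wt, wd, cluster, size)

# Constructed sample root directory (sizes and clusters are assumptions, not the real diskette's).
T = datetime
SAMPLE_ROOT_DIR = b"".join([
    make_entry("IO", "SYS", T(2001, 4, 7, 13, 39, 29), T(2001, 5, 9), T(2001, 4, 27, 14, 1, 50), 2, 116_736, deleted=True),
    make_entry("IO", "SYS", T(2001, 4, 7, 13, 39, 29), T(2001, 5, 15), T(2001, 5, 15, 18, 57, 42), 2, 116_736),
    make_entry("EGA2", "CPI", T(2001, 5, 9, 14, 0, 32), T(2001, 5, 9), T(2000, 6, 8, 17, 0, 0), 230, 58_880),
    make_entry("FDISK", "EXE", T(2001, 4, 7, 13, 40, 2), T(2001, 4, 27), T(2000, 6, 8, 17, 0, 0), 300, 64_000, deleted=True),
    make_entry("HIMEM", "SYS", T(2001, 4, 7, 13, 40, 4), T(2001, 4, 7), T(2000, 6, 8, 17, 0, 0), 1272, 32_000, deleted=True),
    make_entry("EBD", "SYS", T(2001, 4, 7, 13, 40, 30), T(2001, 4, 7), T(2001, 4, 7, 13, 40, 30), 0, 0, deleted=True),
    make_entry("AUTOEXEC", "BAT", T(2003, 4, 25, 11, 24, 44), T(2003, 4, 25), T(2003, 4, 25, 11, 24, 44), 0, 0),
])

if __name__ == "__main__":
    entries = parse_root_dir(SAMPLE_ROOT_DIR)
    colours = dict(classify(entries))
    for e in by_cluster(entries):
        acc = e["accessed"].date() if e["accessed"] else "-"
        print(f"{e['cluster']:5d}  {e['name']:<13} {colours[e['name']]:<5} "
              f"created {e['created']}  written {e['written']}  accessed {acc}")
    for when, fname, kind in timeline(entries):
        print(f"{when}  {fname:<13} {kind}")
```

The overwrite test is deliberately conservative: it only knows the clusters a deleted file would have used if it was contiguous, and it marks the sample's "?O.SYS" TAN because the live IO.SYS sits on the same clusters, even though the bytes there are still an IO.SYS. Confirm with a content comparison (or an MD5 against a known copy) before declaring a deleted file lost or recovered.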

 

Data for the Windows XP SP3 Startup Disk:

I can't help but wonder why no one after 2008, who read this paper and took a look at their copy of the Startup Disk, ever bothered to write me about any differences they found. I was too busy with other projects to wonder whether any changes had ever been made, but there had been! So here we are, at least 9 years later if not more, finally revealing some curious changes Microsoft made in the SP3 update.

Everything we wrote in the Introduction above still holds, except for the file size and date of the new diskcopy.dll file (still in the C:\WINDOWS\system32 folder): 1,504,256 bytes and dated 04-14-2008 5:00:00 AM; and for some rather curious additions to the boot diskette that Microsoft employees decided to make, including the name of one such employee in a deleted 'readme.txt' file! In our favorite Hex editor (see HxD here), you'll find the whole image beginning at offset 48F0 hex. (By the way, the last 432,640 bytes of the boot floppy are nothing but F6 hex bytes, which is almost 30 percent of the whole disk; and this was also true, to the exact same number of bytes, for the original disk image!)

Other points of comparison between the two image files, such as the 303,947 bytes just prior to where all the 0xF6 bytes begin being exact byte-for-byte and positional matches to the previous disk, along with other matches, have led us to conclude that the changes were made to a Windows XP Startup Disk created from the original image file: more than 50 percent of their contents are the same bytes in the same exact locations, not to mention an identical copy of the root directory showing the originally deleted file names!

More details to follow at a later time. Homework assignment: Can you find the name of that Microsoft employee? I'm going to see if he appears in any company records online. Curiously, that text file contains the date "May 25, 2001" (which was prior to the release of Windows XP that August) and makes reference to "whistler" (its project codename). But this image is for a later Service Pack of Windows XP! So why insert this rather old text file, and then delete it?

 


FOOTNOTES

* [Return to Text]  Way back in 2004, I had asked: "There's still one question I have about this for any experts in the field of Computer Forensics: If a new version of the IO.SYS file was added to the diskette on May 15, 2001, then why is the Creation Date and Time (4-7-2001 at 13:39:29) for the new IO.SYS file exactly the same as it was for the file that was deleted on May 9, 2001?"

Well, 12 years later, I finally received a reply from a reader which makes me wonder if any expert who read my pages thought 'he should know that by now' so never took the time to write. The answer is basically this: If a file is opened using a file handle spawned by the OS and then saved (whether or not it was ever changed by a program/editor), it does not need to be placed in the same location, even if the content stays exactly the same. Therefore, ... my apologies, I need more time to review the data before providing a full answer here!

 


First Posted: December 8, 2004.

Major Update: 15 MAR 2017  [15.03.2017]. Updated: 26 APR 2017 (26.04.2017).
Last Update: 9 MAR 2018 [09.03.2018].

