Sign in with
Sign up | Sign in
Your question

Can a floppy disk be traced back to a specific computer?

Last response: in Storage
Share
Anonymous
a b G Storage
March 5, 2005 10:28:43 AM

Archived from groups: comp.sys.ibm.pc.hardware.storage,microsoft.public.storage (More info?)

I saw a story on television last night about the BTK serial killer.
The reporter said that the killer was caught because he sent in a floppy
disk and floppy disks have code written to them that identifies the computer
that the floppy was written on. The story didn't specify whether the code
is written to the floppy during formatting or during a normal write
operation. Is this true?

J.H.
Anonymous
a b G Storage
March 5, 2005 12:19:02 PM

Archived from groups: comp.sys.ibm.pc.hardware.storage,microsoft.public.storage (More info?)

Nope, the volume serial number, etc. is useless for tracing.

Office documents include GUIDs based on the 48-bit MAC address.

"Jimmy Hoffa" <jhoffa@cementshoes.com> wrote in message
news:112j98pir1rl8e4@corp.supernews.com...
> I saw a story on television last night about the BTK serial killer.
> The reporter said that the killer was caught because he sent in a floppy
> disk and floppy disks have code written to them that identifies the computer
> that the floppy was written on. The story didn't specify whether the code
> is written to the floppy during formatting or during a normal write
> operation. Is this true?
>
Anonymous
a b G Storage
March 5, 2005 8:59:08 PM

Archived from groups: comp.sys.ibm.pc.hardware.storage,microsoft.public.storage (More info?)

In comp.sys.ibm.pc.hardware.storage Jimmy Hoffa <jhoffa@cementshoes.com> wrote:
> I saw a story on television last night about the BTK serial killer.
> The reporter said that the killer was caught because he sent in a floppy
> disk and floppy disks have code written to them that identifies the computer
> that the floppy was written on. The story didn't specify whether the code
> is written to the floppy during formatting or during a normal write
> operation. Is this true?
> J.H.

As usual, it depends. I'll try to break it down:

1. Space to store something:

There is space in the boot-sector of a floppy for information.
It does hold some structural info about the floppy and the actual
boot code, if present.

As a consequence in a non-bootable floppy there is around 300 bytes
free space. In a bootable floppy there is less, depending on the boot
loader code.

So there _is_ space. However the boot sector is the only safe space
that can be used for this type of information.

2. "identifies the computer" and how to trace that identity:

There are devices in a modern computer that have unique serial
numbers that can be read by the OS. There are also possible temporary
values that are unique at one point in time. Examples are HDD serial
number, MAC address of the network card and (possibly temporary)
IP address. Also there is a GUID (Globallu Unique ID)
windows generates on installation.

The only one of these relatively easy to trace is the IP address,
and the GUID. It is possiblethat the GUID gets transmitted to MS
on every update and can then be tied to an IP address. Also remember
that you have to register your OS with MS today.

3. When is something stored and what code does it:

On formatting there is a chance that the GUID of the OS is
written to the floppy, I don't know what Windows does.
Maybe somebody else here knows...

On normal floppy access nothing is written to the boot sector.
Nothing is written to identify the accessing computer.

The only two possibilities I see is spyware (never heard of
one that writes any computer ID on the floppy) and the
ID being in, e.g., a MS word document. They contain all
kinds of information that is not supposed to be in a
text file, e.g. the mentioned GUID.


Bottom line:

For a MS box I consider it possible to identify the computer the
floppy was formatted on and it may be easy to identify the computer
a MS word document was created on or worked on.

On the other hand an ASCII file written on a preformatted
floppy or one formatted, e.g., on a Linux box would likely
be impossible to trace.

I consider it far more likely that they identified the computer
from a file and not from the floppy.

Arno
Related resources
Anonymous
a b G Storage
March 6, 2005 4:12:36 PM

Archived from groups: comp.sys.ibm.pc.hardware.storage,microsoft.public.storage (More info?)

Arno Wagner <me@privacy.net> wrote:

> In comp.sys.ibm.pc.hardware.storage Jimmy Hoffa <jhoffa@cementshoes.com> wrote:
> > I saw a story on television last night about the BTK serial killer.
> > The reporter said that the killer was caught because he sent in a floppy
> > disk and floppy disks have code written to them that identifies the computer
> > that the floppy was written on. The story didn't specify whether the code
> > is written to the floppy during formatting or during a normal write
> > operation. Is this true?
> > J.H.
>
> As usual, it depends. I'll try to break it down:
>
> 1. Space to store something:
>
> There is space in the boot-sector of a floppy for information.
> It does hold some structural info about the floppy and the actual
> boot code, if present.
>
> As a consequence in a non-bootable floppy there is around 300 bytes
> free space. In a bootable floppy there is less, depending on the boot
> loader code.
>
> So there _is_ space. However the boot sector is the only safe space
> that can be used for this type of information.

Actually there is more room for data on floppies than the above. A sector
doesn't consist of just 512 bytes but has a preamble that is seen by the
controller and serves to locate the sector CHS, the sector size, and for ECC.
The CHS data and size is written when unconditionally formatting the floppy and
the CRC is re-written by the controller on every "write" to the sector.

The above data occupies just a few bytes of the preamble section which has ample
spare space for extra sectors on the track. Old timers may remember FDFORMAT, a
utility by Christoph H. Hochstaeter that allows formatting floppies to smaller
or larger capacity than the default, by changing the number of sectors per track
and adding extra tracks.

Old timers may also remember the software copy protection schemes that were
based on non-standard tracks that were deliberately created to protect from
software piracy. Both features are based on manipulating data structures that
cannot be accessed normally by the user.

Yet there is no computer-specific data in the preamble area.

> 2. "identifies the computer" and how to trace that identity:
>
> There are devices in a modern computer that have unique serial
> numbers that can be read by the OS. There are also possible temporary
> values that are unique at one point in time. Examples are HDD serial
> number, MAC address of the network card and (possibly temporary)
> IP address. Also there is a GUID (Globallu Unique ID)
> windows generates on installation.
>
> The only one of these relatively easy to trace is the IP address,
> and the GUID. It is possiblethat the GUID gets transmitted to MS
> on every update and can then be tied to an IP address. Also remember
> that you have to register your OS with MS today.
>
> 3. When is something stored and what code does it:
>
> On formatting there is a chance that the GUID of the OS is
> written to the floppy, I don't know what Windows does.
> Maybe somebody else here knows...

It does nothing of the sort.

> On normal floppy access nothing is written to the boot sector.
> Nothing is written to identify the accessing computer.
>
> The only two possibilities I see is spyware (never heard of
> one that writes any computer ID on the floppy) and the
> ID being in, e.g., a MS word document. They contain all
> kinds of information that is not supposed to be in a
> text file, e.g. the mentioned GUID.

If the floppy wasn't pre formatted and out of the box, then it may have
contained erased data that could link the floppy to the computer on which it was
processed. Whether computer specific or not depends on the exact nature of such
data, if there was any.

> Bottom line:
>
> For a MS box I consider it possible to identify the computer the
> floppy was formatted on

There is nothing computer specific in the formatting process.

> and it may be easy to identify the computer
> a MS word document was created on or worked on.

Identify the PC, once it is in the hands of the investigator, yes. Easy? Far
from it.

> On the other hand an ASCII file written on a preformatted
> floppy or one formatted, e.g., on a Linux box would likely
> be impossible to trace.

Plain formatting of a floppy doesn't erase the data area, it just clears the
root directory and the FAT. To clear the entire data area use FORMAT /U
(unconditional formatting).

> I consider it far more likely that they identified the computer
> from a file and not from the floppy.

I wouldn't entirely exclude the floppy option.

Regards, Zvi
--
NetZ Computing Ltd. ISRAEL www.invircible.com www.ivi.co.il (Hebrew)
InVircible Virus Defense Solutions, ResQ and Data Recovery Utilities
Anonymous
a b G Storage
March 6, 2005 4:12:37 PM

Archived from groups: comp.sys.ibm.pc.hardware.storage,microsoft.public.storage (More info?)

In article <j0gl215ub3o15j27o17e3gma8bvpecdnlu@4ax.com>,
support@replace_with_domain.com says...
> Plain formatting of a floppy doesn't erase the data area, it just clears the
> root directory and the FAT. To clear the entire data area use FORMAT /U
> (unconditional formatting).

The /U format option is only available with DOS/Win9x/ME. NT/2K/XP
don't support it, although it won't complain about seeing the /U either.
If NT/2K/XP can read data, it will simply clear the directory info and
do a read scan. Only if it's blank or unreadable will it do a true low-
level format. I've had corrupted floppies where I've had to use an old
Win98 computer to force a format on becuase 2K would either just fail or
get stuck.

--
If there is a no_junk in my address, please REMOVE it before replying!
All junk mail senders will be prosecuted to the fullest extent of the
law!!
http://home.att.net/~andyross
Anonymous
a b G Storage
March 6, 2005 4:18:21 PM

Archived from groups: comp.sys.ibm.pc.hardware.storage,microsoft.public.storage (More info?)

"Andrew Rossmann" <andysnewsreply@no_junk.comcast.net> wrote in message
news:MPG.1c94cb927f7bd13d989682@newsgroups.comcast.net...
>
> The /U format option is only available with DOS/Win9x/ME. NT/2K/XP
> don't support it, although it won't complain about seeing the /U either.
> If NT/2K/XP can read data, it will simply clear the directory info and
> do a read scan. Only if it's blank or unreadable will it do a true low-
> level format. I've had corrupted floppies where I've had to use an old
> Win98 computer to force a format on becuase 2K would either just fail or
> get stuck.
>
Given that the format command accepts /U, you would expect it to work. Stupid
MS. All those floppies I threw away were probably good.

The IOCTL_DISK_FORMAT_TRACKS exists in every version of NT, is documented in
Platform SDK, but nothing uses it? Another utility to write...
Anonymous
a b G Storage
March 6, 2005 10:45:01 PM

Archived from groups: comp.sys.ibm.pc.hardware.storage,microsoft.public.storage (More info?)

In comp.sys.ibm.pc.hardware.storage Andrew Rossmann <andysnewsreply@no_junk.comcast.net> wrote:
> In article <j0gl215ub3o15j27o17e3gma8bvpecdnlu@4ax.com>,
> support@replace_with_domain.com says...
>> Plain formatting of a floppy doesn't erase the data area, it just clears the
>> root directory and the FAT. To clear the entire data area use FORMAT /U
>> (unconditional formatting).

> The /U format option is only available with DOS/Win9x/ME. NT/2K/XP
> don't support it, although it won't complain about seeing the /U either.
> If NT/2K/XP can read data, it will simply clear the directory info and
> do a read scan. Only if it's blank or unreadable will it do a true low-
> level format. I've had corrupted floppies where I've had to use an old
> Win98 computer to force a format on becuase 2K would either just fail or
> get stuck.

Well, yes. A plain stupid optimisation on MS's part, given that
flopies are not that reliable. In recovery of overwritten data is
possible on floppies.

Arno
Anonymous
a b G Storage
March 7, 2005 12:21:47 AM

Archived from groups: comp.sys.ibm.pc.hardware.storage,microsoft.public.storage (More info?)

Andrew Rossmann <andysnewsreply@no_junk.comcast.net> wrote:

> In article <j0gl215ub3o15j27o17e3gma8bvpecdnlu@4ax.com>,
> support@replace_with_domain.com says...
> > Plain formatting of a floppy doesn't erase the data area, it just clears the
> > root directory and the FAT. To clear the entire data area use FORMAT /U
> > (unconditional formatting).
>
> The /U format option is only available with DOS/Win9x/ME.

True. I dropped that detail when proof-reading my post before sending it, to not
clutter it with excess of details. ;) 

> NT/2K/XP
> don't support it, although it won't complain about seeing the /U either.
> If NT/2K/XP can read data, it will simply clear the directory info and
> do a read scan. Only if it's blank or unreadable will it do a true low-
> level format. I've had corrupted floppies where I've had to use an old
> Win98 computer to force a format on becuase 2K would either just fail or
> get stuck.

I mentioned this before, in the context of ResQfloppy, a utility I wrote to
recover damaged floppies ( http://www.resq.co.il/iv_tools.php#Resqfloppy ). The
text file packed with the utility suggests: "It is preferable to use RESQFLPY
from *plain true DOS*, not to confuse with the DOS shell opened in Windows,
available only on Windows 9x platforms."

The next time you face a problem with a marginal floppy, start your Win 9x box
in command prompt mode and work from the command line. There is a big
difference how floppies are accessed under true DOS or Windows DVM. There is no
much difference between how the DOS capable Win 32 OS (Win 9x/ME) do it and the
NT derived OS (NT/W2K/XP).

Regards, Zvi
--
NetZ Computing Ltd. ISRAEL www.invircible.com www.ivi.co.il (Hebrew)
InVircible Virus Defense Solutions, ResQ and Data Recovery Utilities
Anonymous
a b G Storage
March 7, 2005 2:45:54 PM

Archived from groups: comp.sys.ibm.pc.hardware.storage,microsoft.public.storage (More info?)

"Eric Gisin" <ericgisin@hotmail.com> wrote:
> "Andrew Rossmann" <andysnewsreply@no_junk.comcast.net> wrote in message
> news:MPG.1c94cb927f7bd13d989682@newsgroups.comcast.net...
> >
> > The /U format option is only available with DOS/Win9x/ME. NT/2K/XP
> > don't support it, although it won't complain about seeing the /U either.
> > If NT/2K/XP can read data, it will simply clear the directory info and
> > do a read scan. Only if it's blank or unreadable will it do a true low-
> > level format. I've had corrupted floppies where I've had to use an old
> > Win98 computer to force a format on becuase 2K would either just fail or
> > get stuck.

> Given that the format command accepts /U, you would expect it to work. Stupid
> MS.

Don't take anything for granted. ;-) I just tried FORMAT /U from an XP dropped
CMD shell on used floppies in good condition (readable) and guess what ... they
were unconditionally formatted including the data area (all data sectors were
filled with the F6 byte)!

> All those floppies I threw away were probably good.

They were marginal, at least and they would have failed, eventually.

> The IOCTL_DISK_FORMAT_TRACKS exists in every version of NT, is documented in
> Platform SDK, but nothing uses it? Another utility to write...

It works fine for floppy standard formats. Yet it doesn't work for non-standard
values in the format tables. Checked!

Regards, Zvi
--
NetZ Computing Ltd. ISRAEL www.invircible.com www.ivi.co.il (Hebrew)
InVircible Virus Defense Solutions, ResQ and Data Recovery Utilities
Anonymous
a b G Storage
March 14, 2005 10:06:59 AM

Archived from groups: comp.sys.ibm.pc.hardware.storage,microsoft.public.storage (More info?)

Thanks Eric, Arno, Zvi, Andrew, for the replies.

Is the same true for other removable media?
(CDR, CDRW, DVD, Zip, etc.)

J.H.


"Jimmy Hoffa" <jhoffa@cementshoes.com> wrote in message
news:112j98pir1rl8e4@corp.supernews.com...
> I saw a story on television last night about the BTK serial killer.
> The reporter said that the killer was caught because he sent in a floppy
> disk and floppy disks have code written to them that identifies the
computer
> that the floppy was written on. The story didn't specify whether the code
> is written to the floppy during formatting or during a normal write
> operation. Is this true?
>
> J.H.
>
Anonymous
a b G Storage
March 14, 2005 4:24:05 PM

Archived from groups: comp.sys.ibm.pc.hardware.storage,microsoft.public.storage (More info?)

In comp.sys.ibm.pc.hardware.storage Jimmy Hoffa <jhoffa@cementshoes.com> wrote:
> Thanks Eric, Arno, Zvi, Andrew, for the replies.

> Is the same true for other removable media?
> (CDR, CDRW, DVD, Zip, etc.)

The sofwrare discussion basically applies as well except that the
writable CD/DVD formats cannot or cannot easily be written after they
are "closed". And of course they can only be written in a burner.

Zip, DVD-RAM, MOD, removable Harddrives, etc. are basically all
harddrives. In routine operation no identification of the accessing PC
is written to the administrative areas of the filesystems. Biggest
risk is likely again non-cleartext file fromats that can (and often
do) contain more information that the user thinks.

Regards,
Arno
!