±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 35522
New Yesterday: 1 Visitors: 98

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Webinars

Windows 7 MBR system unable to view Windows 8 GPT HDD

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Page Previous  1, 2, 3, 4  Next 
  

sgware
Member
 

Re: Windows 7 MBR system unable to view Windows 8 GPT HDD

Post Posted: Feb 08, 14 20:07

I think this discussion is heading in the right direction. Having read the MS docs and Toshiba specs 4K/AF compatibility with Win 7, the write blocker, or others such as drivers etc could be part of the issue.

I think it would be interesting to to see what happens without that hardware write blocker in line. Restoring the image to a test disk (same Toshiba drive) to a Win7 system. If you get to the point where a clone of the disk is mounted to a Win7 machine (SP1 or greater) please run the Fsutil fsinfo ntfsinfo x: (where x: represents the drive that you are checking) command and post the results? I would be interested in seeing how this is resolved.

I can see that a platform to acquire/investigate 4K/AF drives will become a necessity. Thank you for posting this and I hope the group/I can help you to a resolution.
_________________
Scott Ware
MSDF, CFCE 
 
  

jaclaz
Senior Member
 

Re: Windows 7 MBR system unable to view Windows 8 GPT HDD

Post Posted: Feb 08, 14 23:10

To continue on the same path, in the mentioned KB:
support.microsoft.com/...0009/en-us
there is a reference to this other KB, an update to 7 or 7 SP1:
support.microsoft.com/...2018/en-us
which sounds like very related:
This KB article introduces new storage infrastructure to support querying for the physical sector size of the storage device. Additionally, this KB article introduces support in certain key system components for these kinds of disks in order to improve performance, reliability, and general interoperability.

Particularly "issue 5":
Issue 5
Storage drivers do not support correct sector size reporting for Advanced Format disks


Many storage drivers do not support correct sector size reporting for Advanced Format disks. Updates to the following drivers are included in this hotfix:
IaStorV.sys
Amdsata.sys
Nvraid.sys
Nvsata.sys
Note Other third-party storage drivers may not be updated to support these new SBC3 commands. Please contact your storage controller vendor for more information.


and the Note at the end:
Note Support for Advanced Format disks relies on the disk reporting itself as having 4KB physical sectors, and relies on the Storage Driver reporting the physical sector size.


jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

acarr31
Member
 

Re: Windows 7 MBR system unable to view Windows 8 GPT HDD

Post Posted: Feb 11, 14 00:17

I am very appreciative of the suggestions you have all offered and it seems like we are moving in the right direction. I have had to testify more than usual in the last week so I have had limited time to carry out my experiments but I am going to begin those this week and hopefully will have some extra info for all of you. Once again thank you for all the help you have provided thus far.  
 
  

kiashi
Senior Member
 

Re: Windows 7 MBR system unable to view Windows 8 GPT HDD

Post Posted: Mar 10, 14 21:20

Hello All, I have had an experience similar to this on a case in the last couple of weeks. My analysis machine is running Windows 7 Professional (x64) and one of the images I had in this case contained a Windows 8 installation. EnCase (v6.18) and FTK Imager were able to read and interpret the GPT partitioning and file system correctly, but as soon as I tried to run it through IEF (v5.7) it was unable to see any file system.

Next I attempted to mount the E01 image using FTK Imager resulting in my Windows 7 seeing that there were multiple partitions and assigning each of them a drive letter but when it came to interpreting the OS partition it just gave me a message about the volume being write-protected and would not show anything in Windows Explorer.

I then attempted the same in EnCase using PDE with the same result.

Finally, I mounted it again in EnCase with PDE, however this time I enabled caching and created a cache file for Windows to write to. This was the solution, once I did this Windows Explorer interpreted the volume correctly and IEF was able to run over this mounted drive and extracted all the internet history data for me.

I have not done any further testing or research in to this at this stage due to my current case load but it seems that the common issue here is Windows 7 believing it must have write-enabled access to the disk or partition in order for it to be correctly interpretted. When I get a chance I will take a look at the cache file that was created by the EnCase PDE process and see what is in there.

p.s. the original drive from the Windows 8 machine was a 500GB Seagate ST500DM002.
_________________
_________________________________________
The only people who find what they are looking for
in life are the fault finders. 
 
  

jaclaz
Senior Member
 

Re: Windows 7 MBR system unable to view Windows 8 GPT HDD

Post Posted: Mar 10, 14 21:49

- kiashi

p.s. the original drive from the Windows 8 machine was a 500GB Seagate ST500DM002.

Yep, but was it a 512 bytes or a 4kb AF?

It seems like that model can be BOTH 512 byte and 4kb AF:
forums.seagate.com/t5/...d-p/155383

(till now the suspicions have been around GPT partitioned 4Kb sectored drive, AF)

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

kiashi
Senior Member
 

Re: Windows 7 MBR system unable to view Windows 8 GPT HDD

Post Posted: Mar 10, 14 22:35

I ran fsutil command on it when it was mounted correctly and this reported 512b/sector
Smile
_________________
_________________________________________
The only people who find what they are looking for
in life are the fault finders. 
 
  

jaclaz
Senior Member
 

Re: Windows 7 MBR system unable to view Windows 8 GPT HDD

Post Posted: Mar 10, 14 22:46

- kiashi
I ran fsutil command on it when it was mounted correctly and this reported 512b/sector
Smile

Yes/No. Shocked
Meaning that fsutil command has TWO values:
support.microsoft.com/...0009/en-us
"Bytes per sector" is 512 bytes BOTH for "real" 512 bytes/sector disk and for "AF disks".
"Bytes per Physical Sector" is the one that may make a difference:
512/512 -> "normal" plain 512 bytes sector
512/4096 -> AF or "512E" disk
4096/4096 -> "native" 4k disk

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 

Page 3 of 4
Page Previous  1, 2, 3, 4  Next