±Forensic Focus Partners

±Your Account


Nickname
Password


Forgotten password/username?


Membership:
New Today: 0
New Yesterday: 1
Overall: 27316
Visitors: 60

±Follow Forensic Focus

Join our LinkedIn group

Subscribe to news

Subscribe to forums

Subscribe to blog

Subscribe to tweets

Very Very Old Hard Drive

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Go to page 1, 2  Next 
  

Very Very Old Hard Drive

Post Posted: Wed Aug 13, 2014 9:49 pm

I receive a request from a lawyer for a firm that I do lot of forensic work for. It was one of those odd questions that you get when you are in a clients office on another matter, and they all of a sudden remember this issue.

Here is the scenario... His father passed away in 1994 (father was also a lawyer), and they took the items from his office and stored them in his parents garage. His mother passed away recently and while cleaning out the garage, he came across his dad's old work computer. The family is currently involved in a mineral rights law suit over some land that has been in their family for more than 50 years. The son believes that documents pertaining to this mineral rights issue could be on this drive, and has asked me to take a look.

The drive is a very old Maxtor Drive total size of 160mb. The drive actually looks to be in really good shape. I attempted to mount the drive on my forensic machine and it spun up (and actually sounds good) but my machine does not recognize the drive at all. I have tried it on forensic machines in my firm that run Windows 7 and Windows 8, and just for kicks plugged it into one of our iMac's with a portable writeblocker.

One of my partners has suggested that we try a linux machine...which is our next step.....any suggestions? The lawyer believes his dad was running Windows, which at that time would have been Windows 3.1 (i know it was just a shell).

This is an actually important question to me, because besides this case, I also work with a team on unsolved Cold Case Homicides, and many of our investigations are from this span of time and this may become relevant to that area.  

Ehdevlin
Member
 
 
  

Re: Very Very Old Hard Drive

Post Posted: Thu Aug 14, 2014 1:36 am

Hi there

If the drive is not seen by the forensic host, I would check the jumper settings on the drive. From experience, different makes and models of drive can be temperamental and you may need to go through a number of settings before the drive will be recognised.

To start, I would try setting the drive as master or single drive if the option is available. In some cases you may need to remove the jumper altogether to get the write blocker to recognise the drive.

Hope this helps.

James  

JDCoulthard
Senior Member
 
 
  

Re: Very Very Old Hard Drive

Post Posted: Thu Aug 14, 2014 1:43 am

Make and model of the drive would be helpful - without this it is very difficult to give any sort of advice other guess work.
_________________
Paul Sanderson
Forensic Toolkit for SQLite
sandersonforensics.com...ic-Toolkit
www.twitter.com/sandersonforens
www.facebook.com/recon...resoftware 

PaulSanderson
Senior Member
 
 
  

Re: Very Very Old Hard Drive

Post Posted: Thu Aug 14, 2014 2:23 am

We've had similar issues reading older drives and one solution has been to source an older 40 pin IDE cable (as opposed to 80 pin) to connect between the drive and your forensic workstation.  

Chris55728
Member
 
 
  

Re: Very Very Old Hard Drive

Post Posted: Thu Aug 14, 2014 2:29 am

Is it something really old IDE, *like* this one?
www.ebay.ca/itm/Vintag...27e82e6cae

Personally I would buy one of these (if you can find same model) and make tests on the bought item.

Of course Windows 7 is like the LEAST suitable OS to attempt accessing one of these, and a write blocker may well prevent the thing to work.

At the time you had to manually set the hard disk parameters in the BIOS (and I doubt that it's geometry will be ever recognized by a "modern" BIOS Confused ).

As a side note:
Why not attempting to switch on the whole "vintage PC"?
If it was kept well, it is likely it will work fine, it will have lost date/time, but I have re-switched on PC's of similar vintage and usually they do work.

You have to understand how - even once you will have managed to duplicate forensically the hard disk contents it is likely that the "documents" in it will be stored in an archaic format - possibly proprietary - that no recent tool will be able to read/access.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: Very Very Old Hard Drive

Post Posted: Fri Aug 15, 2014 10:53 am

The Hard drive is a Maxtor, Model 7170A1.

We actually dont have the computer, just the hard drive.

And the most odd thing about the drive is no jumper settings. I am very familiar with the old master/slave settings on drives (I was building my own computers as a kid using these), and it was the first area I look at.

We have considered the old computer route. We just arent sure we can find one that old.  

Ehdevlin
Member
 
 
  

Re: Very Very Old Hard Drive

Post Posted: Fri Aug 15, 2014 11:33 am

Are you sure there are no jumpers at all?

Some of the older drives that I have worked on have had mini jumpers on the drive PCB rather than in the more normal location next to the IDE connector.

Could you post some pics of the drive?

JC  

JDCoulthard
Senior Member
 
 
Reply to topicReply to topic

Share this forum topic to encourage more replies



Page 1 of 2
Go to page 1, 2  Next