HDD emulators for forensic research ?

(@athulin)
Posts: 1156
Noble Member
Topic starter
 

In another thread, the problem came up of just what 'exact copy' would mean if the destination drive is of another make or model or size than the source drive. That triggered my question:

Are there any soft hard drive emulators that accept different HDD parameters (C/H/S structure, say)?

Such an emulator would make it easier to research how different C/H/S or LBA sizes or … whatnot affect drive partitioning, volume creation etc. of a particular operating system.

Ideally, I'd like to have some kind of Mount Image Pro-like software that doesn't need an image file to mount, but which accepts C/H/S and/or LBA, and then 'builds' a corresponding virtual drive for me to play with.

Or is it possible to do something like this with loopback mounts in Linux?

 
Posted : 05/10/2009 9:37 pm
(@mscotgrove)
Posts: 938
Prominent Member
 

Is C/H/S an issue? Logically they are not used. The only important element is the LBA of a sector.

Partitioning etc. is controlled by MBR, EFI information and BPB etc. It is just a logical sector, which in the past may have been a C 1, H 0, S 0 type address.

An exact copy is the correct number of sectors in the correct location.

Details such as SMART information are not included in a normal copy.

 
Posted : 05/10/2009 11:08 pm
(@seanmcl)
Posts: 700
Honorable Member
 

The problem that you are going to run into is the fact that modern drives use zone bit recording in which the number of sectors varies as the "cylinder" (track) varies. C/H/S values are, essentially, meaningless for physical addressing purposes.

 
Posted : 06/10/2009 12:02 am
(@athulin)
Posts: 1156
Noble Member
Topic starter
 

The problem that you are going to run into is the fact that modern drives use zone bit recording in which the number of sectors varies as the "cylinder" (track) varies. C/H/S values are, essentially, meaningless for physical addressing purposes.

I'm not concerned with physical addressing – but I am concerned with if and how C/H/S parameters are used to decide appropriate sizes for partitions, and positions for partitions, and volumes, and such.

For instance, in DOS/MBR style partitioning, the first volume boot record is placed in sector 63, sectors 0..62 being reserved for MBR + extra space. That '63' is a magic number, and it is occasionally, but not always, asserted that it comes from 'S' of the hard drive – in other words, the first track is reserved for booting purposes. Similarly, partition sizes were, at least in earlier versions of fdisk, chosen to be full tracks, i.e. even multiples of 'S', and I've seen one old statement that it was even an even multiple of 'H'.

However, these things are very hard to test when all easily available disks claim to have S = 63. If I could find a disk that used S = 18, it might be possible to test them. The easiest way seems to be some kind of HDD emulator.

I haven't found anything in Carrier so far – 63 is apparently taken to be a magic number, and does not appear to be discussed further.

I have no idea if these questions are important or not, but at least they appear to be unanswered. They are questions at the edge of the envelope – I want to push them over the edge to find out what happens.

There is a related question, which I think I've seen mentioned either in Carrier or a Microsoft document. The statement I noted was that the MBR/VBR signature bytes (0x55 0xAA) are not placed at the end of the sector, but at byte offset 511, as sector sizes might be larger. I've always wondered what drives have larger sectors, and what effect a larger sector size would have on a file system … do the sectors fill out, or are only the first 512 bytes used, leaving the rest as some kind of 'sector slack'? Again, a HDD emulator might help provide the answer.

I'll check if any of the standard virtualization platforms allow for these parameters to be tweaked …

 
Posted : 06/10/2009 11:56 am
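
The track and cylinder alignment questions in the post above can be checked mechanically against a partition table. The following Python sketch is an added example, not code from the thread: it builds a constructed MBR for a hypothetical 4-head, S = 18 disk, tests the first entry against an assumed geometry, and brute-forces the geometry implied by the stored CHS/LBA pairs. All function names are hypothetical; the entry layout is the standard DOS/MBR one with 512-byte sectors assumed.

```python
import struct

def chs_to_lba(c, h, s, heads, spt):
    # Classic translation: sectors are 1-based, cylinders and heads 0-based.
    return (c * heads + h) * spt + (s - 1)

def lba_to_chs(lba, heads, spt):
    c, rem = divmod(lba, heads * spt)
    h, s = divmod(rem, spt)
    return c, h, s + 1

def pack_chs(c, h, s):
    # 3-byte MBR form: head, sector (6 bits) + cylinder bits 8-9, cylinder bits 0-7.
    return bytes([h, s | ((c >> 2) & 0xC0), c & 0xFF])

def unpack_chs(b):
    return ((b[1] & 0xC0) << 2) | b[2], b[0], b[1] & 0x3F

def build_mbr(ptype, start, count, heads, spt):
    """Constructed test sector: one partition entry plus the 0x55 0xAA signature."""
    entry = struct.pack("<B3sB3sII", 0x80, pack_chs(*lba_to_chs(start, heads, spt)),
                        ptype, pack_chs(*lba_to_chs(start + count - 1, heads, spt)),
                        start, count)
    return bytes(446) + entry + bytes(48) + b"\x55\xaa"

def check_entry(mbr, heads, spt):
    """Test the first partition entry against an assumed geometry."""
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing boot signature")
    _, chs0, _, chs1, start, count = struct.unpack_from("<B3sB3sII", mbr, 446)
    return {
        "chs_matches_lba": chs_to_lba(*unpack_chs(chs0), heads, spt) == start
        and chs_to_lba(*unpack_chs(chs1), heads, spt) == start + count - 1,
        "starts_on_track": start % spt == 0,
        "size_whole_tracks": count % spt == 0,
        "ends_on_cylinder": (start + count) % (heads * spt) == 0,
    }

def guess_geometry(mbr):
    """Brute-force (heads, spt) pairs for which both CHS tuples agree with the LBA fields."""
    return [(h, s) for h in range(1, 256) for s in range(1, 64)
            if check_entry(mbr, h, s)["chs_matches_lba"]]

# Constructed disk: 100 cylinders, 4 heads, S = 18; the first track is reserved.
HEADS, SPT = 4, 18
SAMPLE = build_mbr(0x06, SPT, 100 * HEADS * SPT - SPT, HEADS, SPT)

if __name__ == "__main__":
    print(check_entry(SAMPLE, HEADS, SPT), check_entry(SAMPLE, 255, 63))
    print(guess_geometry(SAMPLE))
```

Run against an MBR read from a real image, `guess_geometry` shows which geometry the partitioning tool assumed, independent of what the current drive or emulator reports.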
(@mscotgrove)
Posts: 938
Prominent Member
 

I don't think a current operating system makes any use of C/H/S numbers.

I have seen an optical NTFS disk with 0x400 byte sectors. I cannot remember any details of 0x55 0xaa bytes.

On larger sectors, the full sector is always used.

 
Posted : 06/10/2009 5:20 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

You can use VDK with a .pln file to use any CHS geometry you may want.

NT based OS default, once booted, NO matter how the device actually is, to geometry nx255x63 AND the OS itself ONLY uses LBA.

The CHS is needed for booting on older machines where BIOS might not be aware of CHS translations, and even to boot NT based systems, as the bootsectors do use CHS.

See here
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=1489&postdays=0&postorder=asc&start=38
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=1489&postdays=0&postorder=asc&start=42
and here
http://www.911cd.net/forums//index.php?showtopic=21702&st=129
http://www.boot-land.net/forums/index.php?showtopic=8528&pid=73828&st=21

To create an image, its .pln file and format it with an arbitrary geometry, you can use MBRBATCH/MKIMG
http://www.boot-land.net/forums/MBRBatch-001-ALPHA-t3191.html
(just remove in the batches the checks for "known" geometries).

jaclaz

 
Posted : 06/10/2009 7:53 pm
(@athulin)
Posts: 1156
Noble Member
Topic starter
 

You can use VDK with a .pln file to use any CHS geometry you may want.

Thanks for the suggestion – I'll check that out.

I've also located a couple of hard drives, such as WDAC2420, that have track length < 63 sectors, that may be possible to cross-check against. If I can get them to run …

 
Posted : 06/10/2009 8:43 pm