Forums
Main Category
General (Technical,...
Formatted Hard Driv...
 
Notifications
Clear all

Formatted Hard Drive - No data found, next step?

 
Page 1 / 2
General (Technical, Procedural, Software, Hardware etc.)
Last Post by jaclaz 16 years ago
13 Posts
9 Users
0 Reactions
892 Views
RSS
4Rensics
 4Rensics
(@4rensics)
Reputable Member
Joined: 16 years ago
Posts: 255
Topic starter 09/12/2009 5:27 am  

OK, a quick question, that I'm pretty sure I can answer myself, but I thought I would post here to see if anybody else has any other ideas?

Basically, got a 3.5" 160GB drive. I plugged it into my machine and it came up that it needs to be formatted to run. I ignored this, because I want to examine it. Ran FTK and after several hours, it came up there were no files or anything at all on this disk.

I am looking to "assume" that the disk has been completely wiped and formatted (but don't know what with - because it doesn't like Vista - FAT or NTFS). Its only a personal disc from a friend but he lent it to his friend a year or so ago and doesn't know whats been done with it. He thought there might be a few wedding photo's on it, but I can't get anything from it.

I was considering trying Helix Live, just to verify the results (busy at mo though)

So, hence, said I would post a quick message here to see if I can completely rely on FTK to be honest of its results, or should I try another tool. Also, would formatting it to NTFS on my machine give me different results when running through a forensic / recovery tool?

I know formatting doesn't wipe the data, but just wondering because its coming up with zero files of any type, maybe the fact its not registering when plugged into windows that it 'might' have an affect on it.

Any thoughts or comments welcome and appreciated!

Thanks.


   
Quote
 kovar
(@kovar)
Prominent Member
Joined: 18 years ago
Posts: 805
09/12/2009 5:48 am  

Greetings,

Quick suggestion - run PhotoRec over it.

-David


   
ReplyQuote
 Anonymous
(@Anonymous)
Guest
Joined: 1 second ago
Posts: 0
09/12/2009 6:36 am  

Another quick suggestion Use the Disk View function of FTK and read the hex data on the disk. You can scroll rapidly through the disk and be on the lookout for anything that is not (without quotes)
"………………………………………………………………………
……………………………………………………………………….
……………………………………………………………………….
………………………………………………………………………." etc.

HTH,

-AWT


   
ReplyQuote
4Rensics
 4Rensics
(@4rensics)
Reputable Member
Joined: 16 years ago
Posts: 255
Topic starter 09/12/2009 6:12 pm  

Thanks for the reply guys,

I give both of these a try later if I get a chance. If I get nothing I think its safe to say its well and truly wiped clean!


   
ReplyQuote
 unknown
(@unknown)
Eminent Member
Joined: 17 years ago
Posts: 21
09/12/2009 6:24 pm  

Grab deft or helix do the following in a command sh
fdisk -l
(Look for your device)
strings /dev/????
(after dev substitute ???? with your device identifier)

Check out DBAN if you wanna do a wipe and not worry about the details.

Have fun! )


   
ReplyQuote
 jolly4numb
(@jolly4numb)
New Member
Joined: 17 years ago
Posts: 2
11/12/2009 7:48 pm  

I would try viewing the hex. The only time I have ran into this before is when the disk was partially wiped and it was missing $Boot (NTFS obviously).

So I would try to view the hex and see what really happened in there.

'Jolly


   
ReplyQuote
 cdsforensic
(@cdsforensic)
Active Member
Joined: 17 years ago
Posts: 18
12/12/2009 5:22 am  

(M),

It's possible the HDD is ATA password locked too, which would explain why it is completely zero'd - unless of course you do believe it was wiped.

PM me if you'd like me to analyse it - We're in Dublin (in fact, very close to u I believe)

CK.


   
ReplyQuote
 Anonymous 6593
(@Anonymous 6593)
Guest
Joined: 17 years ago
Posts: 1158
12/12/2009 2:01 pm  

It's possible the HDD is ATA password locked too, which would explain why it is completely zero'd - unless of course you do believe it was wiped.

Is that the expected behaviour of a HDD that has been password locked, then? Returning all zeroes?


   
ReplyQuote
jaclaz
 jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
12/12/2009 4:49 pm  

It's possible the HDD is ATA password locked too, which would explain why it is completely zero'd - unless of course you do believe it was wiped.

Is that the expected behaviour of a HDD that has been password locked, then? Returning all zeroes?

No, AFAIK
http//www.rockbox.org/lock.html
but it is the expected behaviour of a drive that has been erased with ATA internal commands
http//cmrr.ucsd.edu/people/Hughes/SecureErase.shtml

jaclaz


   
ReplyQuote
PaulSanderson
 PaulSanderson
(@paulsanderson)
Honorable Member
Joined: 19 years ago
Posts: 651
15/12/2009 3:42 pm  

It's possible the HDD is ATA password locked too, which would explain why it is completely zero'd - unless of course you do believe it was wiped.

Is that the expected behaviour of a HDD that has been password locked, then? Returning all zeroes?

No, AFAIK
http//www.rockbox.org/lock.html
but it is the expected behaviour of a drive that has been erased with ATA internal commands
http//cmrr.ucsd.edu/people/Hughes/SecureErase.shtml

jaclaz

Yes - some older tools have been known to display a locked drive as a sequence of empty sectors.


   
ReplyQuote
Page 1 / 2
Forum Jump:
  Previous Topic
Next Topic  
Share: