I was wondering if there was any forensic value of the error correction codes found for each sector. I understand the basic idea that they are used to correct errors, but let's say data was deleted or overwritten, is it possible to use the ECC to reconstruct data? If not, does it have any other uses for data recovery? I've searched around but have not found anything which answers the question I pose. If you have any resources concerning ECC in hard disks could you post them please?
Thanks
I think you will find that the ECC is for just that, error correction. A sector is never 'deleted', it is just written with new data, that may be blanks. At the same time the ECC will be updated.
ECC is used to correct a small number of errors in a sector, e.g. 2 or 3 bits in a sector.
As a disk platter is never designed to be moved, you will probably also find there is no single standard for ECC, but optimised by each drive manufacturer, and for the type/model of drive.
The ECC writes data so that upon opening a file some sort of checksum is calculated and checked against the data already existing. If the checksums, or whatever they are, are different, then attempts are made to correct the errors. Are you saying that the data written has no resemblance to the file it is created for in any way? If I have the wrong idea of how the process is done then please correct me.
May I ask how exactly you can (or plan to) read and decode the ECC data?
AFAIK the ECC has nothing to do with "files" and "opening" them and a lot to do with disk sectors writing (and verifying when reading)
http//
and that kind of info is NOT available through software if not by using VERY LOW level software (maybe) provided by the specific hardware manufacturer.
This may help clearing the behaviour
http//
and this may help you further (if you manage to go through it)
http//
Still AFAIK the commonly used Reed Solomon correction codes are actually a "family" of algorithms, and each manufacturer may use a particular version of it even specifically for a given drive model/series, and these specs are rarely made public.
jaclaz
I plan to do a project which would start with a 4k hard drive using 512e and then format it to a pure 4k disk if possible. I would write data to the 512e disk before formatting and then go through the disk with a hex editor (if this is possible, you said I'd need software from the manufacturer) and attempt to locate data written by ecc from before. Then if there was a relation between the data created by the ecc for a certain file, attempt to locate the file that it is linked with. Even if this could not be done I would like to see what sort of information I could get from the data left by the ecc.
I know very little at this current moment about how error correction codes are stored and even less on how to decode them. It is for my final year project and I intend to learn a lot if this can be done. If I have made mistakes in how I believe the project could be done please let me know as I'm trying to figure a lot of this out but there appears to be very little on the subject. Thank you for the links you provided I am reading through them now.
It is for my final year project and I intend to learn a lot if this can be done.
Final year of what (if I may ask)?
If I have made mistakes in how I believe the project could be done please let me know as I'm trying to figure a lot of this out but there appears to be very little on the subject.
I don't think you are doing any "mistake", only you are preventively assuming that you will have access to data that AFAIK you won't be able to access.
Until you find a way to actually access the ECC data (and NO, a disk editor won't do) all the rest is simply "a suffusion of yellow" or "pure theory" (check my signature ;) )
Thank you for the links you provided I am reading through them now.
Let's wait until you have gone through those, you might have a more clear idea of the way it works.
jaclaz
Final year of an honours degree in Computer Forensics. Would I be right in assuming that manufacturers will not allow me to use their low level software to access the ECC data? Because if I cannot get at it then it pretty much makes this project invalid. Better start thinking of alternative projects. If you have any ideas I would like to hear them. I have looked at the project idea page on FF before it is linked.
A hex editor isn't going to show you ECC. You're layers of abstraction away from them.
My recent experience with people who have done CF subjects in college is leading me to believe that these courses have almost zero value because they fail to teach fundamentals before moving students to the find all evidence button.
I would suggest you try a new project.
ECC, as I said, will correct a few bits only, and routines such as Reed Solomon will indicate that bit 4 in row 0x87 is incorrect. If it were possible to reconstruct data from ECC, then disks would in effect be twice the capacity.
Another point is that modern drives are not like floppy disks. Floppy disks have nice neat sectors, followed by a simple CRC to validate the data. Physically, HDDs will work on much larger sectors, even though most will show a logical sector of 0x200 bytes. Some new drives have 4K sectors.
I don't think one can see ECC data with PC-3000 which is a tool your college might have. I am currently out of my office so I cannot check.
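The points made in this thread (ECC locates and repairs a small error, is rewritten together with the sector, and carries too little information to rebuild a payload) can be shown with a toy code. This is an added example, not part of any post above and not any manufacturer's ECC: the two-parity-byte Reed-Solomon layout, the function names and the sample payload are all constructed assumptions.

```python
# Toy Reed-Solomon code over GF(2^8): 2 parity bytes, corrects 1 bad byte.
# Constructed for illustration; not any drive vendor's real ECC layout.
EXP, LOG = [0] * 510, [0] * 256
x = 1
for i in range(255):
    EXP[i] = EXP[i + 255] = x
    LOG[x] = i
    x = (x << 1) ^ (0x11D if x & 0x80 else 0)  # reduce by x^8+x^4+x^3+x^2+1

def mul(a, b):
    return EXP[LOG[a] + LOG[b]] if a and b else 0

def div(a, b):
    return EXP[(LOG[a] - LOG[b]) % 255] if a else 0

def syndromes(cw):
    s0 = s1 = 0
    for i, byte in enumerate(cw):
        s0 ^= byte                # codeword evaluated at alpha^0
        s1 ^= mul(byte, EXP[i])   # codeword evaluated at alpha^1
    return s0, s1

def encode(data):
    """Return [p0, p1] + data, with p0 and p1 chosen so both syndromes are 0."""
    a, b = syndromes([0, 0] + list(data))
    p1 = div(a ^ b, 3)            # solves p0 + p1 = a and p0 + 2*p1 = b
    return [a ^ p1, p1] + list(data)

def correct(cw):
    """Repair at most one corrupted byte; return (codeword, position or None)."""
    s0, s1 = syndromes(cw)
    if s0 == 0 and s1 == 0:
        return list(cw), None
    if s0 == 0 or s1 == 0 or LOG[div(s1, s0)] >= len(cw):
        raise ValueError("more than one byte damaged: uncorrectable")
    pos, fixed = LOG[div(s1, s0)], list(cw)
    fixed[pos] ^= s0              # s0 is the error value, s1/s0 locates it
    return fixed, pos

def alias(data):
    """A different payload with identical parity bytes (needs >= 3 bytes)."""
    t = div(5, 3)                 # makes the pattern [t^1, t, 1] parity-free
    return [data[0] ^ t ^ 1, data[1] ^ t, data[2] ^ 1] + list(data[3:])

old = list(b"secret ledger 2011")       # constructed sample "sector" payload
stored = encode(old)
hit = stored[:7] + [stored[7] ^ 0x5A] + stored[8:]   # one byte goes bad
print(correct(hit) == (stored, 7))                   # True: small damage fixed
print(encode(alias(old))[:2] == stored[:2])          # True: parity is ambiguous
print(encode([0] * len(old))[:2])                    # [0, 0]: overwrite rewrites ECC
```

Two parity bytes can only distinguish 65,536 cases, so even a preserved copy of the old parity would match an enormous number of different payloads; in practice it is not preserved, because it is recomputed on every write.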