
Hard drive acquisition problem

Adam10541
(@adam10541)
Honorable Member
Joined: 13 years ago
Posts: 550
Topic starter  

Okay, so here is one that is causing me some frustration.

I'm trying to acquire an image of an old PATA hard drive, however the drive is not being recognised by my analysis machine correctly. Here's what I've tried and what the symptoms are.

Connect source drive to Tableau write blocker as normal and turn it on, everything looks normal until after the host is detected then the activity light stays on constantly (no read head action on HDD after initial scan and start up). I get the normal sounds you associate with a new device being detected by Windows on the analysis machine but then nothing further. The source drive is not recognised by TIM, Xways, Windows, or Windows disk manager tool.

I have tried different PATA cables and different power sources (Tableau, direct from analysis machine, the original machine).

I tried using my TD2 to image the drive, all appears normal however the imaging process never starts, just sits on 0mb average speed and no data read from the source drive.

The source drive comes from a very old computer running Win95, it's some sort of point of sale server system called "check mate".

I was left with the thought that as this computer has been sitting in storage under god knows what kind of conditions for many years that the HDD may have simply failed, so I replaced the HDD into the original machine and booted up with finger on the power switch. Boots normally, HDD can be heard reading and system goes to Win95 logo then checkmate starts up, at this point I pull the power. Not forensically the best I know but I could think of no other way to confirm the HDD works correctly.

The original system has no USB ports, no optical drive so booting to something there is not possible. It has a floppy drive and a NIC, however I don't have EnCase so using Linen for a network acquisition is off the cards.

My thought is at this point getting a PATA drive and a Windows 98 install and seeing if I can install a fresh 98 build on my own HDD. Then power down, slave off the source drive, attach an optical drive (if I can find a PATA optical lying around somewhere), boot with UBCD with FTK Imager and then image that way.

Is it sad that this type of problem excites me far more than trying to rebuild damaged pictures chasing data runs or figure out what obscure hex values might mean? Sometimes the simple problems are far more fun and challenging I think :D

Any other thoughts on how to image?


   
KungFuAction
(@kungfuaction)
Estimable Member
Joined: 13 years ago
Posts: 109
 

There's a way to image it via parallel port with a 'Laplink' crossover cable and software called Safeback. (I can't take credit for this find - Walt Moore taught me this a few months ago)

You should be able to image it if the drive is good. Maybe try one of those cheap $7.50 IDE / PATA / SATA USB adapters and use it with a USB write blocker (software or hardware)

http://www.amazon.com/Drive-Adapter-Converter-Optical-External/dp/B001OORMVQ/ref=sr_1_2?ie=UTF8&qid=1350012788&sr=8-2&keywords=IDE+USB


   
Passmark
(@passmark)
Reputable Member
Joined: 14 years ago
Posts: 376
 

Did you try the PATA cable from the working source machine with your machine?

There are 2 types of PATA cables, 40pin and 80pin. Most are 40 pin, but in the final years of PATA 80pin was also common.


   
Adam10541
(@adam10541)
Honorable Member
Joined: 13 years ago
Posts: 550
Topic starter  

> Did you try the PATA cable from the working source machine with your machine?
>
> There are 2 types of PATA cables, 40pin and 80pin. Most are 40 pin, but in the final years of PATA 80pin was also common.

I hadn't, but I just did and it made no difference... but I was excited for a few seconds because usually something obvious but simple like that is overlooked and can work :)

I need to order some of those PATA/SATA USB cables anyway but to be honest in the past when trying them they only seem to work on very rare occasions so I'm not hopeful but definitely worth a try.

With regards to Safeback I'll try and find that, might have some difficulty finding a machine with a serial port to use as my imaging machine but should be achievable.


   
KungFuAction
(@kungfuaction)
Estimable Member
Joined: 13 years ago
Posts: 109
 

> I need to order some of those PATA/SATA USB cables anyway but to be honest in the past when trying them they only seem to work on very rare occasions so I'm not hopeful but definitely worth a try.
>
> With regards to Safeback I'll try and find that, might have some difficulty finding a machine with a serial port to use as my imaging machine but should be achievable.

They actually use parallel ports (aka LPT), so you could use a USB/parallel converter cable:
http://www.amazon.com/Cables-Go-16899-IEEE-1284-Parallel/dp/B000UX21PY/ref=sr_1_1?s=electronics&ie=UTF8&qid=1350014670&sr=1-1&keywords=parallel+usb

I don't even know where to get a copy of Safeback anymore.


   
Adam10541
(@adam10541)
Honorable Member
Joined: 13 years ago
Posts: 550
Topic starter  

I found Safeback, cost is only $300 so I may get it or I may not.

I can likely borrow an EnCase dongle and boot floppy from a different office, but as they are international I'll likely have to wait a week to get it here.

I'm going to explore other options in the meantime for fun to see if I can come up with a local solution.


   
(@simeon)
Active Member
Joined: 14 years ago
Posts: 6
 

Have you checked so there's no physical master/slave configuration on the drive to play around with?


   
Adam10541
(@adam10541)
Honorable Member
Joined: 13 years ago
Posts: 550
Topic starter  

Jumpers have been checked, Tableau WB only recognises when PATA is set to Master and I've tried CS and having no jumper at all.

I have just spotted what I think the problem is. The hard drive is missing a pin. When looking at the connector pins with the drive sitting on the desk, power molex to the right, the pin immediately above and one to the left of the pin that should be missing, is also missing, if that makes sense.

I'm guessing this extra missing pin is causing the weird behaviour.

I have no idea why the original hardware would still see the drive normally unless this missing pin wasn't utilised with really old OS and it's only modern computers that will have an issue, that seems unlikely to me but I've heard of weirder things happening.

Anyone ever see a PATA drive with 2 missing pins before?
It doesn't look like it's broken off or anything, it's just completely missing and there is a small square hole where it would normally be mounted.

Edit - I just put the drive back in the original hardware and booted up again to make sure it still worked, just in case I had damaged the pin plugging and unplugging the drive. Still works, the original hardware has no issue seeing and booting from this drive, any other hardware though has no joy.


   
Passmark
(@passmark)
Reputable Member
Joined: 14 years ago
Posts: 376
 

How about this for a wild guess.

Maybe the IDE cable was inserted upside down. The blanked out missing hole on the connector would then break off the pin you are describing if the connector was forced in.

This pin might be for DMA. So the old machine might be working in PIO mode and not need the pin.


   
Adam10541
(@adam10541)
Honorable Member
Joined: 13 years ago
Posts: 550
Topic starter  

I had considered that but there is no scratching or damage to the cable plug that would indicate the blanked part of the plug has been forced onto a pin.

From IDE pin out pages it's pin 21 that is missing, apparently used for DDRQ, and do you think I can find anywhere what the hell DDRQ is? :/

I know I could solder a pin on but I have no idea what that might do and am really really hesitant to go making physical changes like that to my client's drive, especially as it works just fine with his machine.

Okay, just took the circuit board off to have a bo-peep and I'd say your theory is correct, Passmark. Although the cable shows no signs of damage, at some point someone has done this as the pin has pushed all the way back through and snapped off. All that's left is the arm, if you like, that joins the solder on the board and that is bent completely back and touching the circuit board. Looks like my only possible avenue is a network acquisition or slave off another drive and try with a boot CD once I find the hardware I need. Very weird how Win95 has no issues with the missing pin. I might try a VM of Win98 and see if I can get it recognised on the write blocker then.


   