
Help recognising a file system please...

passcodeunlock
(@passcodeunlock)
Prominent Member
Joined: 9 years ago
Posts: 792
 

Hi thanks for all of your responses.

First of all, to clarify, the HDD (it's ok, I know about partitions and volumes, I got that far), the drive was seized on its own, not near any device, just a drive, nothing else.

It's 40GB so it's not huge and there is no recognisable MBR structure.

As for whether the partitions seem legitimate, I'm not sure how I would know from the data I can see? The only reason I think partitions are present is because Nevis and EDD said so!

Make a work copy of it and boot Sumuri Paladin or Kali Linux to analyze a bit more in depth. Figuring the right logical layout might lead to info of what the drive was used for (if there is any).

If it is a totally encrypted disk without partitions, look in hex for a continuous 2048 bytes data region at the end of the disk, right before all zeros start.

What if the hard disk was wiped on purpose and you see the trails of that?!


citizen
(@citizen)
Eminent Member
Joined: 10 years ago
Posts: 38
 

Can you share the first 2048 Bytes per chance?


(@mctriv)
Active Member
Joined: 11 years ago
Posts: 5
Topic starter  

I've had another look at it and it seems to be 512 bytes between each of the repeating headers all the way through, I adjusted the text view in Encase and could see that the same information was being repeated throughout.

I can't share the contents of the file until I know more about it.

The above makes me think it may have been a wiping system, as the same 512 bytes is repeated all the way through the drive.


jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

I've had another look at it and it seems to be 512 bytes between each of the repeating headers all the way through, I adjusted the text view in Encase and could see that the same information was being repeated throughout.

I can't share the contents of the file until I know more about it.

The above makes me think it may have been a wiping system, as the same 512 bytes is repeated all the way through the drive.

Yep :), that's exactly why on block devices you need to think in terms of "blocks".

jaclaz


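As an added example (not code from the thread or from any tool named in it), the sector-level check below automates what mctriv did by eye in EnCase and what jaclaz means by thinking in blocks: it hashes a raw image sector by sector and reports whether one 512-byte block repeats throughout (pattern wipe), whether everything is zero, or whether no sector ever repeats, and it locates the last non-zero sector before trailing zeros (the region passcodeunlock points at). The sample images are constructed, not real evidence.

```python
# Added example (not code from the thread): classify a raw image sector by
# sector, separating a pattern wipe (one 512-byte block repeated throughout),
# a zero fill, and a drive whose sectors never repeat (encrypted or live data).
import hashlib
import random
from collections import Counter

SECTOR = 512  # the block size mctriv observed between repeating headers


def sector_histogram(image: bytes, sector: int = SECTOR) -> Counter:
    """Count how often each distinct sector content occurs (keyed by SHA-256)."""
    usable = len(image) - len(image) % sector  # ignore a ragged tail
    return Counter(hashlib.sha256(image[off:off + sector]).digest()
                   for off in range(0, usable, sector))


def classify_image(image: bytes, sector: int = SECTOR) -> str:
    """Return a coarse verdict on the block layout of a raw image."""
    hist = sector_histogram(image, sector)
    total = sum(hist.values())
    if total == 0:
        return "empty"
    zero_key = hashlib.sha256(bytes(sector)).digest()
    top_key, top_count = hist.most_common(1)[0]
    if hist.get(zero_key, 0) == total:
        return "zero-filled"
    if top_key != zero_key and top_count >= 0.9 * total:
        return "pattern-wipe"  # one non-zero sector repeated through the drive
    if len(hist) == total:
        return "no-repeats"  # encrypted/compressed data or unique live data
    return "mixed"


def last_data_sector(image: bytes, sector: int = SECTOR) -> int:
    """Index of the last non-zero sector (-1 if none): where data ends
    before the trailing zeros, the region passcodeunlock suggests inspecting."""
    usable = len(image) - len(image) % sector
    for off in range(usable - sector, -1, -sector):
        if any(image[off:off + sector]):
            return off // sector
    return -1


# Constructed sample images (64 sectors each), not real evidence.
_rng = random.Random(1)
PATTERN_IMAGE = bytes([0x55, 0xAA] * (SECTOR // 2)) * 64
ZERO_IMAGE = bytes(SECTOR * 64)
RANDOM_IMAGE = _rng.randbytes(SECTOR * 64)
TAILED_IMAGE = _rng.randbytes(SECTOR * 40) + bytes(SECTOR * 24)
```

On a real image, read the file in chunks rather than loading 40GB into memory; the per-sector logic is unchanged.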
passcodeunlock
(@passcodeunlock)
Prominent Member
Joined: 9 years ago
Posts: 792
 

What if the hard disk was wiped on purpose and you see the trails of that?!

Does anybody have experience on deep analysis in case of wiped hard disks? Is it possible to reconstruct or partially reconstruct any of the previous data? Does anybody have experience or results with such a case?


jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

What if the hard disk was wiped on purpose and you see the trails of that?!

Does anybody have experience on deep analysis in case of wiped hard disks? Is it possible to reconstruct or partially reconstruct any of the previous data? Does anybody have experience or results with such a case?

Oh noes, not again. :roll:

A random sample of related threads:
http://www.forensicfocus.com/Forums/viewtopic/t=2065/
http://www.forensicfocus.com/Forums/viewtopic/t=3237/
http://www.forensicfocus.com/Forums/viewtopic/t=3387/
http://www.forensicfocus.com/Forums/viewtopic/t=8577
http://www.forensicfocus.com/Forums/viewtopic/t=9172/
http://www.forensicfocus.com/Forums/viewtopic/t=9682/
http://www.forensicfocus.com/Forums/viewtopic/t=9937/
http://www.forensicfocus.com/Forums/viewtopic/t=10120/
http://www.forensicfocus.com/Forums/viewtopic/t=10944/
http://www.forensicfocus.com/Forums/viewtopic/t=12744/

jaclaz


passcodeunlock
(@passcodeunlock)
Prominent Member
Joined: 9 years ago
Posts: 792
 

@jaclaz thanks! I browsed some of these before and the search works fine for me too :)

I didn't read every thread (yet), but I was hoping somebody got practical results, not just theoretical answers.

I heard about a university lab in Slovakia where magnetic reading of hard disk platters is possible and, based on the magnetic level analysis, there are hints for previous sector data. Can anybody confirm this or give other details and alternatives?


jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

@jaclaz thanks! I browsed some of these before and the search works fine for me too :)

I didn't read every thread (yet), but I was hoping somebody got practical results, not just theoretical answers.

I heard about a university lab in Slovakia where magnetic reading of hard disk platters is possible and, based on the magnetic level analysis, there are hints for previous sector data. Can anybody confirm this or give other details and alternatives?

Still no reason to hijack mctriv's topic.
Start a new thread, possibly posting some reference to what you "heard" and we may talk of that.
Anyway:
http://www.forensicfocus.com/Forums/viewtopic/t=13587/

jaclaz


passcodeunlock
(@passcodeunlock)
Prominent Member
Joined: 9 years ago
Posts: 792
 

Still no reason to hijack mctriv's topic.

If a wipe was done on the hard disk, a platter reading solution could help mctriv with his task.

Sorry if it felt like hijacking the topic, that isn't my purpose :(


(@Anonymous 6593)
Guest
Joined: 17 years ago
Posts: 1158
 

I have used Nevis (but don't really know what I'm doing) which can see partitions but can't tell me any more.

And what partition types does it claim to see?

I have also thrown IEF Encrypted disk detector at it (when mounted in FTK) which found three partitions which were possibly encrypted or had damaged MBR.

And what partition types does it claim to see?

If it claims partitions containing NTFS volumes, for example, or partitions known to belong to MBR- or GPT-style partitions, you also need to find the additional MBR/GPT structures. If it claims to find Unix-type partitions, then you need to find Unix-type structures.

If you don't really know what you are doing … well, … hand the job over to someone who does.

I've not seen anything like this before so am curious to know whether it's definitely encrypted or whether I'm being an idiot and missing something obvious!

I'd start by feeding a raw image to the disktype program (found on Sourceforge). It can identify several common disk structures, although it is not complete – it doesn't do well with big-endian data, for example.

If it fails, and I can't find any recognizable data on the disk, I'd ask what kind of system it was taken from. If I learn it was a disk from a sound mixer from a radio station, or a recording disk from lab equipment, or something that was taken from a laser printer, or something else, I'd have something to research, and possibly be able to apply. Without such information, I would hand the disk back.


Page 2 / 3