Or maybe the disk head was disabled for some other reasons.
It's my understanding that heads are regularly/often/sometimes disabled when they leave the factory as it allows manufacturers to support many different disk sizes without changing the hardware and allows a problematic disk (with even a transient error on a head) to be used rather than discarded.
Yep. :)
And I have seen "refurbished" (second hand) drives that had this as well (besides "reduced size" through HPA or similar).
A related article
http//
and, for NO apparent reason 😯 another POC of what can be done with a hard disk
http//
jaclaz
I have seen some very elaborate hiding schemes.
I have yet to see one where physical bad sectors were used.
Let's remember, the criminal needs to access the data, and often.
Dear jaclaz,
I accept that there are several reasons why the heads are disabled after testing by the company and before it is sold, but in my case it was done intentionally because of the following 2 reasons:
1. The label on the hard disk was scratched to hide the capacity, model and make of the HDD, which was suspicious.
2. Why did the suspect disable only the head for the partition where the OS was installed?
Obviously I cannot reveal whether the case concerned an IT engineer suspected of being a member of an international criminal organization or a middle-aged housewife. The case came from one of the Law Enforcement agencies because the LEA was not able to get any data from it and asked for a special look into it.
Yes, I can understand how this would likely - besides violating the privacy of the subjects involved ? - seriously thwart the proceedings of the investigations 😯 .
But I can still say that IF I had to use that kind of method for hiding data, I would probably have applied a 250 GB hard disk label to the 500 GB hard disk with the head disabled.
jaclaz
jaclaz
I think you didn't read my whole post above, as you said you would have done it on a 500 GB disk, disabling the head of 250 GB… In my investigation case it was the same thing: it was a 500 GB disk with a head disabled for 250 GB, so it was showing only 250 GB after imaging and while using it with write blockers. :D
jaclaz
I think you didn't read my whole post above, …
Naah, rest assured I read it thoroughly.
The (smart?) part I introduced in my hypothetical scenario (otherwise identical to your reported case) was that of replacing the label of the 500 GB disk with one ("fake" or original removed from another disk) for a 250 GB disk instead of "scratching" the old label; this way, I doubt that anyone would have gone through checking the device.
If you prefer, I (cleverly?) found a way to nullify your point #1:
…. but in my case it was done intentionally because of the following 2 reasons:
1. The label on the hard disk was scratched to hide the capacity, model and make of the HDD, which was suspicious.
2. Why did the suspect disable only the head for the partition where the OS was installed?
….
jaclaz
2. Why did the suspect disable only the head for the partition where the OS was installed?
This required a highly unusual hard drive geometry, to put it this way.
Yep. :)
Which should mean - at least in theory - a very slow drive or one in which head usage is not leveled 😯 .
A reference to "zigzag" (if needed)
http//
jaclaz
I am here because I am taking a class in which we are required to frequent a computer forensic forum and report back on things.
Sounds..
..creepy.
I too have heard that you can hide data this way. Exactly how it works, I am not sure of which is why I wanted to read more about this topic on this thread. It is a shame a real conversation couldn't take place about this topic.
You've missed the point here. I think everyone has heard of it, but whether it has ever been used is the question. Of course it is possible in theory - but if it is unlikely to ever happen then why go through what is a lengthy and expensive process to prove it? As an academic thought-exercise it is interesting, but in real terms it is impractical to the point of being useless.
In theory you can put a shattered hard disk platter back together and recover the data. In theory you need to overwrite each sector of a hard disk 7 times to remove any residual magnetic field which could mean someone in a lab will recover your data. But do either of these things happen? No.*
* Note - they probably happen in Government security agencies, maybe (who knows?). And I will now inevitably be linked to a Blackhat presentation where a dude has written a simple Python library to set blocks/clusters to "bad" and stick data in them. BUT UNTIL THEN..
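For the examiner who does want to rule out the "mark clusters bad and stash data in them" scheme mentioned above, the check is cheap: read every cluster the filesystem flags as bad and see whether it is actually unreadable (zero-filled in the image), or readable and carrying content. This is an added example, not code from the thread; it assumes a raw image, a 512-byte cluster size and a list of clusters the filesystem reports as bad, all of which are constructed inline here.

```python
import math
import os
import random
import tempfile
from collections import Counter

CLUSTER_SIZE = 512  # assumed cluster size for the constructed image


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for uniform content, approaching 8.0 for random data."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0


def inspect_bad_clusters(image_path, bad_clusters, cluster_size=CLUSTER_SIZE) -> dict:
    """Classify each cluster the filesystem marks bad. An imaging tool normally
    zero-fills sectors it cannot read, so a 'bad' cluster that holds non-zero
    bytes in the image was readable after all and deserves a closer look."""
    report = {}
    with open(image_path, "rb") as img:
        for cluster in sorted(bad_clusters):
            img.seek(cluster * cluster_size)
            data = img.read(cluster_size)
            if len(data) < cluster_size:
                report[cluster] = {"status": "beyond-image", "entropy": 0.0}
            elif not any(data):
                report[cluster] = {"status": "zeroed", "entropy": 0.0}
            else:  # low entropy suggests plaintext, high suggests encrypted/packed
                report[cluster] = {"status": "readable-data",
                                   "entropy": round(shannon_entropy(data), 2)}
    return report


def build_sample_image(path: str) -> list:
    """Constructed 16-cluster image; the 'filesystem' flags clusters 3, 7, 12 as bad."""
    rng = random.Random(1)  # deterministic stand-in for encrypted content
    clusters = [b"\x00" * CLUSTER_SIZE] * 16
    clusters[7] = (b"hidden note " * 50)[:CLUSTER_SIZE]  # plaintext parked in a 'bad' cluster
    clusters[12] = bytes(rng.getrandbits(8) for _ in range(CLUSTER_SIZE))
    with open(path, "wb") as img:
        img.write(b"".join(clusters))
    return [3, 7, 12]


def run_demo() -> dict:
    tmp = tempfile.NamedTemporaryFile(suffix=".img", delete=False)
    tmp.close()
    try:
        return inspect_bad_clusters(tmp.name, build_sample_image(tmp.name))
    finally:
        os.unlink(tmp.name)


if __name__ == "__main__":
    for cluster, info in run_demo().items():
        print(f"cluster {cluster:4d}: {info['status']:14s} entropy={info['entropy']}")
```

Against a real case you would feed it the bad-cluster list from the filesystem metadata (e.g. NTFS $BadClus) and the full-disk image; only clusters 3 and 12 style results, "zeroed" or "readable-data", should appear, and every "readable-data" hit is a cluster the drive could read but the filesystem refuses to use.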