I have a case where a suspect's HDD (250GB) is bit-by-bit copied to a 500GB HDD using Talon. Unfortunately, I lost the log file which indicated how many sectors I copied. Now, I am able to see the partitions but I have only one unallocated cluster space. (I believe that the unallocated space from 250GB was merged to the unallocated space from 500GB). As long as I don't know the number of sectors I copied, I cannot prove the integrity by showing a hash match.
Does anyone have any idea of how I can determine the original sector number without the suspect's HDD?
If you know the make and exact model you may be able to establish the LBA from the manufacturer's website.
Regards
(I believe that the unallocated space from 250GB was merged to the unallocated space from 500GB).
I doubt that. If the image was an image of the physical disk, then the unallocated space for the 250 Gbyte disk should be contained within the image of that drive and the remainder 500 Gbyte drive should be unpartitioned.
In other words, your 500 Gbyte drive should contain one partition of close to (but less than) 250 Gbytes and the rest should be unpartitioned. If your cloning software wrote a pattern to the remaining unpartitioned space (or if you wiped the destination media with a pattern before starting), you should be able to say that the partition on the larger disk is, in fact, a partition replicated from another drive.
Without the original, you won't be able to establish that your copy is forensically identical, but you may be able to make a circumstantial case. For one thing, you should have the device and partition metadata, such as the MBR and the VBR. The former should tell you the partition sizes for any partition that your image contains.
The registry contains a wealth of information about the mounted volumes, including volume signature, make and model, etc. Look, among other places, at HKLM\Software\ControlSet00X (where X is the last known good configuration). Under ENUM\IDE you should be able to find basic information about your drive mode. Certain DELL systems actually contain the Service ID which can be used to get detailed information about the system from their web site (as well as to identify the system to which the image was attached).
Certainly, this would be a lot easier if you had your forensic logs, but you can make a pretty convincing case in the absence of these by doing a little detective work.
Does anyone have any idea of how I can determine the original sector number without the suspect's HDD?
seanmcl - Thanks a lot. Great
If you can't find it in the registry then I think the quickest way (for me) would be to write (or modify) an MD5 program and just run it from the start of the disk; after each sector, compare the calculated hash with the acquisition hash (you did write that down, didn't you?). At some point (roughly 250GB obviously), all being well, the two will match and that will be your image size.
@seanmcl
If I may, it is perfectly possible that the unallocated space after the last partition has "merged" with "more general" unallocated space of the target 500 Gb, the only way to know which is which, as you pointed out, is if a Pattern (or the lack of it) is detected and we don't have this info from the OP.
@All
If the drive was originally partitioned using XP, and possibly with most of the partitioning utilities around, it has been partitioned respecting Cylinder boundaries and with a CHS geometry of nx255x63.
Generally hard disk capacity expressed in sectors is NOT a number exactly divisible by 255x63=16,065, and a certain amount of space at the end of the hard disk (after the last partition) is left unallocated in the partition table.
If the drive has been "automagically" partitioned by any of the most common utilities, the rest is smaller than one whole Cylinder.
I.e. after the end of the last partition any number of sectors in the range
0<=x<16065
can be part of the original 250 Gb image.
In other words anything between 0 and 8,224,768 bytes in 512 bytes steps can be part of the "old" image.
Of course if the drive was partitioned manually, this "slack space" can be almost anything, and the same applies for anything normally formatted under Vista/7, which by default do not respect cylinder boundaries, trying to do "partition alignment".
As an example a typical 250 Gb drive has
488,397,168 minimum sectors available.
Since 488,397,168/255/63=30,401.3176 Cylinders, XP would map the last cylinder as
30401x255x63=488,392,065
488,397,168-488,392,065=5,103
5,103x512=2,612,736 bytes
So, knowing the exact make and model of the original 250 Gb may narrow the range in which to perform the MD5 hash calculation or check for the pattern.
By checking another same make/model drive, one could also check the "exposed by the XP driver" Cylinder number.
jaclaz
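The sector-by-sector MD5 scan suggested above and jaclaz's cylinder-boundary arithmetic can be combined: the geometry narrows the window in which a match is even checked, and the running hash finds the exact sector count. This is an added example, not code from any poster or from Talon; the disk contents are constructed inline (a short pseudo-random "image" followed by zero fill standing in for the wiped remainder of the larger drive), and `build_constructed_clone` is a hypothetical helper that exists only to feed the demo.

```python
import hashlib
import io

SECTOR = 512
HEADS, SPT = 255, 63          # XP-style CHS geometry: n x 255 x 63
CYL = HEADS * SPT             # 16,065 sectors per cylinder


def cylinder_boundary(total_sectors):
    """(whole cylinders, end sector of the last whole cylinder, leftover sectors)
    as cylinder-aligned partitioning would map a drive of total_sectors."""
    cyls = total_sectors // CYL
    end = cyls * CYL
    return cyls, end, total_sectors - end


def find_image_end(source, acquisition_md5, start_sector=0, end_sector=None):
    """Hash the clone from sector 0 onward and return the sector count at which
    the running MD5 equals the acquisition hash, or None if it never does.
    start_sector/end_sector only bound where the comparison is made (e.g. the
    last-partition-end .. +CYL window); hashing always starts at sector 0."""
    stream = io.BytesIO(source) if isinstance(source, (bytes, bytearray)) else source
    stream.seek(0)
    target = acquisition_md5.lower()
    running = hashlib.md5()
    n = 0
    while True:
        chunk = stream.read(SECTOR)
        if len(chunk) < SECTOR:          # ran off the end of the clone: no match
            return None
        running.update(chunk)
        n += 1
        if n >= start_sector and running.hexdigest() == target:
            return n
        if end_sector is not None and n >= end_sector:
            return None


def build_constructed_clone(copied_sectors, total_sectors, seed=b"demo"):
    """Constructed test data: deterministic pseudo-random content for the first
    copied_sectors, zero fill after it. Returns (clone_bytes, acquisition_md5)."""
    body = b"".join(hashlib.sha256(seed + i.to_bytes(8, "little")).digest() * 16
                    for i in range(copied_sectors))
    clone = body + b"\x00" * ((total_sectors - copied_sectors) * SECTOR)
    return clone, hashlib.md5(body).hexdigest()
```

For a real case, pass an open file object for the cloned drive (or its image) instead of bytes, and set the window from the last partition's end sector in the MBR.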