Hi,
I'm currently examining an external hard drive, which is a SATA. The sticker reports the size as 320GB. Examination of the partition table shows the presence of one partition, 298GB in size, however the drive itself is only reporting a size of 279GB in total within EnCase. I am getting a read error at sector 596,488,937, however EnCase is only reporting 586,072,368 in the first place.
When viewed through Windows Explorer, it reports a disk size of 298GB. I've hooked it up to Helix and get 298GB, however it displays a bite size equating to 279GB.
The disk sounds fine, although EnCase does stall for fifteen or twenty seconds when I add the drive into the case.
Is the disk damaged, or am I missing something?
Thanks for any help.
I'm currently examining an external hard drive, which is a SATA. The sticker reports the size as 320GB. Examination of the partition table shows the presence of one partition, 298GB in size, however the drive itself is only reporting a size of 279GB in total within EnCase.
HDD manufacturers speak in SIS units, where Giga- means 1000000000.
Computer companies typically speak in binary units where G = 1024*1024*1024. (Encase 6.x uses the same convention – don't know about v7).
So the discrepancy between 320 GB and 298 GB (or GiB) may be due to different interpretation of G.
Where exactly do you see 279Gb in Encase? Acquiry report, or the drive report, or … in the user interface, where?
I am getting a read error at sector 596,488,937, however EnCase is only reporting 586,072,368 in the first place.
EnCase reports that where? And how are *you* getting a read error – what tool are you using? EnCase or something else? Doing what?
Have you looked for HPA or DCO configuration of the disk? A HPA area would cause the drive to report fewer sector that it actually holds. It's not *that* usual, but it happens.
However, I'm not entirely sure I can discount the possibility that you are getting drive size and partition or volume size mixed up.
When viewed through Windows Explorer, it reports a disk size of 298GB. I've hooked it up to Helix and get 298GB, however it displays a bite size equating to 279GB.
Bite size? You've lost me.
Are you quite sure you are not looking at a partition size or a volume size instead of a drive size? Windows Explorer reports volume sizes, not drive sizes, and since it's Windows you should expect GB = GiB, not *real* GB.
I strongly suspect that you have a drive of 320 Gb, containing at least one partition of about 300 Gb, and then you are fighting with software that doesn't use the SIS Giga, but the binary Giga, and end up comparing apples and oranges … or binanas.
The read error need not be anything but a normal read error, though that would indicate that the drive is somewhat old.
Hi Athulin,
Thanks for your response.
I'm aware that 298GB would be the full drive (even though the label states 320GB), however EnCase is reporting 279GB as the disk size when I choose it to be added into the case and when I view it in Report View. I've acquired the disk and it's only picked out the 279GB.
The read error happens in EnCase when I add the drive into the case, however once I click OK it's fine.
I am definitely not mixing up the drive and partition size.
I haven't check the HPA or DCO config.
The disk is definitely reporting as 279GB. What's confusing is the partition size is reporting as 298GB, which I know should be the full disk.
Sorry, when I said 'bite' I meant 'byte'. Helix reported the number of bytes on the disk as equal to 279GB (worked out by dividing by 1024, 1024, 1024).
Does the sector count on the label match the sector count in EnCase?
Hi Chris_Ed,
Unfortunately the label doesn't state sectors or LBA - just the size, serial number, and model. Thanks, Seagate.
Ah, Seagate. The troublesome stepchild of HDDs. Although personally I think they're better than Hitachi. )
If you haven't already, download
If there is a sector discrepancy I guess it could be a DCO or HPA.. but personally I've not come across one which is 20GB before. Hmm.
The disk is definitely reporting as 279GB. What's confusing is the partition size is reporting as 298GB, which I know should be the full disk.
Well, the partition size is just a number in a field – it could be anything, and it need not be related to HDD size.
What is drive size? Max sector address from the device info block, I think. And that's affected by HPA and DCO configurations.
So, you could have some kind of bad partitioning software at work. For example, PowerQuest PartionMagic used to suggest various fixes to file systems, and in some of the versions, some of those fixes were incorrect. After that kind of 'fix', a drive can look quite odd. If you don't know about the buggy software, you probably won't be able to find out what caused it – not easily, anyway.
Same thing if you try out a new hex editor, and forget to open the hard drive in read-only mode. You rarely do it twice.
Or, if you have a perfectly good drive, and run some software that sets up a HPA. That will look rather like what you are seeing – with some reservations for read errors and things.
Or … you could have a bad disk.
What I think you should be doing is list possible explanations, and then start to eliminiate those you can. Bad drive – does it check out OK on the manufacturer's test software or not? HPA or DCO? – also fairly easy to check out, but don't do it until you know the drive is sound. Bugs in EnCase – can you repeat the report using, say, Access Data FTK Imager? etc, etc.
Of course, if it's an evidence drive, you may not have those options.
Hi Chris. Thanks for that - that file was great. The drive should have 625,142,448 sectors, equal to 298GB. Hmm indeed. This is odd.
EDIT EnCase reports the drive as having 586,072,368 sectors, equal to 279.5GB.
Okay, this does now look to be a bad disk. I have investigated the possibility of HPA and DCO; nothing.
I went to the end of the readable disk area, which (luckily for me) was part of a (contiguous) movie file. When viewed, the movie dropped out after three minutes. A check of the data making up this file abruptly stops and turns to 0x00s.
Also, there are several files whose starting sector is beyond the readable section - again, all 0x00s.
So I guess that's it. Thanks athulin and Chris for your help.
I assume that there is no possibility of someone having copied a larger drive image onto a smaller one, which could result in files getting chopped off like that?
Has anyone here ever seen a drive fail in this way? Where the end of the drive storage just dropped off? Sounds fishy.
Also, Windows Explorer reports a GB as 1,024,000,000 bytes, not 1024*1024*1024 bytes. This is because a KB is 1024 bytes, but a MB is not 1024 KB. I believe this to be the correct method for conversion between units. Drive manufacturers go for the greater marketing number by using 1,000,000,000 and software tools are created by programmers who think all numbers have to be binary multiples. Also, there are many more people using Windows Explorer than any other tool. So, that becomes the defacto standard.