
Sector rotation

(@yey365)
Active Member
Joined: 20 years ago
Posts: 7
Topic starter  

Hi all.

Several months ago I conducted a validation exercise on work that an independent analyst had done on a Dell system.

The system had 2 partitions, one hidden by the vendor from the user and used to restore the system, the other, larger, partition was the C drive to all intents and purposes.

Analysis had stalled because the analyst had never seen this before; Dell used 2 partitions (1 hidden) until April 2005 and 3 partitions (2 hidden) thereafter.

From the analysis, it appeared that the original drive had been wiped and I found a Dell wiping utility on the "hidden" partition. To cut a long story short, the conclusion was that the user had attempted to restore his system and had deliberately stopped the process in an attempt to confuse the investigation (theft of IP).

Several months later the defence have now stated that the original image was faulty, due to faulty hardware, and evidence of "sector rotation" has been found, though this would have been transparent and would not affect the image and verification process (EnCase V5 Forensic).

Until I see the exact content of the defence report I am at a loss to understand "sector rotation" in this sense. Has anyone any information on this issue?

Regards,

Jim


   
 Andy
(@andy)
Reputable Member
Joined: 21 years ago
Posts: 357
 

Hi Jim, "Sector Rotation" I've never heard of this before. The setup you describe is extremely common (hidden system restore partition), I see it all the time, especially with budget machines like Dell, Medion, etc. It’s surprising that the analyst had never seen this before, and you can draw your own conclusions from that... This sounds very much like some kind of smoke screen the defence are throwing up, to confuse the issue.

> To cut a long story short, the conclusion was that the user had attempted to restore his system and had deliberately stopped the process in an attempt to confuse the investigation (theft of IP).

This is a rather strong statement, and unless the suspect has actually admitted as such I would say it's hard to prove the ‘deliberate’ aspect, as one could argue that it was accidental.

> Several months later the defence have now stated that the original image was faulty, due to faulty hardware, and evidence of "sector rotation" has been found, though this would have been transparent and would not affect the image and verification process (EnCase V5 Forensic).

If the image was created in EnCase then you have the acquisition information to hand; this will show all the information you need to refute this. If the acquisition shows no read errors, and the MD5 acquisition and verification match, then the image is not faulty. You have an accurate bit for bit forensically sound working copy of the original hard disk drive data. This statement is really nonsense, and doesn’t actually mean anything... It's like saying there has been some magical set of circumstances that has defeated the forensic imaging process in EnCase and “sector rotation” (a phrase made up by the defence that nobody else has ever heard of) is the culprit.

If the case hangs on this, then I would suggest writing to Guidance Software (perhaps on their bbs), asking them to comment on this ‘transparent’ ‘sector rotation’.

Also, what faulty hardware? You need to get them to clarify exactly what they are talking about.

From the brief circumstances you describe, and the fact that the investigation process stopped after a minor obstacle was encountered, I can think of a number of additional processes you can carry out to recover data from this drive. Sorry if I’m teaching you to suck eggs, but has a simple ‘Recover Folders’ command been tried?

Andy


   