
I'm having an image problem...

From: James <security(at)digitallaw.co.uk>
Date: Thu Feb 13 2003 - 16:40:21 EST


Hello,
I've got a small hard disk (formatted size appears to be 4.0GB) which has been imaged using a direct copy (Vogon Software). I took md5 checksums of the images from the CD and subsequently my working copies and this was my result.

edfb2ada75005b94bcf134042f5e17c7	HARDDISK1.IMG
c5c26baffd60cbbee4bc8791073a0d53	HARDDISK2.IMG
3188e0711d34a2f8fa84a2646f6eb4dd	HARDDISK3.IMG
3188e0711d34a2f8fa84a2646f6eb4dd	HARDDISK4.IMG
3188e0711d34a2f8fa84a2646f6eb4dd	HARDDISK5.IMG
3188e0711d34a2f8fa84a2646f6eb4dd	HARDDISK6.IMG
4fd77daee2cea99fd4d6da618f26b20c	HARDDISK7.IMG

These checksums match those obtained from the copies on the hard drives, but we can see that numbers 3, 4, 5 and 6 are identical. Looking more closely at these I find that they are basically full of zeros and nothing else. The final drive in the series (number 7) however does have files. The blank section extends from about 2/3 of the way through disk 2 to 1/2 way through disk 7. The disk is formatted with FAT32 which from my understanding would normally have alternating pages/sectors of 00 and FF, not all 00; is this correct?

I was looking for some pointers as to what processes may have taken place to put the drive in this condition:

[HEADER]
[SYSTEM FILES + USER FILES, appears partially defragged, data begins to thin out as we approach the blank clusters in a fashion suggesting the drive was defragged about a month before seizure]
[LARGE BLANK AREA all bytes set to 00]
[SYSTEM FILES]
[UNPARTITIONED SPACE]

If the disk had been arranged with system files near the beginning and user files at the end I would find this more believable. An analysis of the registry for installed programs shows no third party disk utilities, leaving only standalone utilities, software since removed, or events after the disk was imaged as causes of this effect. However, other computers seized along with this one have various Norton Utilities installed, but none of the other images contain anything like this.

Any help with the possible drive geometry or the possible cause of this effect would be much appreciated.

Many thanks in advance

James

-- 
END

"People who are willing to sacrifice essential freedoms for security deserve 
neither freedom nor security."
	--Benjamin Franklin



-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: 
http://aris.securityfocus.com
Received on Fri Feb 14 09:45:24 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:43 EDT
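
An added example, not part of the original post or the list archive: one way to locate a zero-filled region like the one described above is to hash each image segment and record runs of all-zero sectors as byte offsets within the reassembled disk. The 512-byte sector size, the function names and the small in-memory segments are assumptions constructed for illustration; in practice each stream would be a segment file opened in binary mode.

```python
import hashlib
import io

SECTOR = 512  # assumed sector size in bytes


def scan_segments(segments, sector=SECTOR):
    """segments: ordered list of (name, binary stream).
    Returns (digests, runs): digests maps name -> MD5 hex digest; runs lists
    (start, end) byte offsets, in the reassembled disk, of all-zero sector runs."""
    zero = bytes(sector)
    digests, runs = {}, []
    offset, run_start = 0, None
    for name, stream in segments:
        md5 = hashlib.md5()
        while True:
            block = stream.read(sector)
            if not block:
                break
            md5.update(block)
            if block == zero[:len(block)]:      # sector holds only 00 bytes
                if run_start is None:
                    run_start = offset          # a zero run begins here
            elif run_start is not None:
                runs.append((run_start, offset))  # run ended at this sector
                run_start = None
            offset += len(block)
        digests[name] = md5.hexdigest()
    if run_start is not None:                   # run reaches end of last segment
        runs.append((run_start, offset))
    return digests, runs


def duplicate_groups(digests):
    """Group segment names whose digests match (byte-identical segments)."""
    groups = {}
    for name, digest in digests.items():
        groups.setdefault(digest, []).append(name)
    return [names for names in groups.values() if len(names) > 1]


def sample_segments():
    """Constructed sample: data, data thinning into zeros, two all-zero
    segments, then zeros followed by data."""
    s = SECTOR
    return [
        ("SEG1.IMG", io.BytesIO(b"\xaa" * (8 * s))),
        ("SEG2.IMG", io.BytesIO(b"\xbb" * (5 * s) + bytes(3 * s))),
        ("SEG3.IMG", io.BytesIO(bytes(8 * s))),
        ("SEG4.IMG", io.BytesIO(bytes(8 * s))),
        ("SEG5.IMG", io.BytesIO(bytes(4 * s) + b"\xcc" * (4 * s))),
    ]
```

Dividing each reported offset by the sector size gives the first and last zeroed sector, which can then be compared against the partition and FAT boundaries of the image.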
