How sure are you that your forensic imaging software is actually taking a full image of your suspect hard disk drive?

I have been concerned over the last year or so about the accuracy of various imaging tools with regard to the number of sectors imaged with both BIOS and Direct access (as used by Safeback). So I took to performing a bit of R&D and wrote a program to return the different sector counts in the different modes.

Whilst researching this I found the following:

A facility exists within the ATA specification that allows, with a standard command, the user to limit the addressable range of sectors on a disk to an arbitrary number, i.e. you can make, for example, an 80GB drive report (both via the BIOS and if accessed directly) that it is a 16GB drive! This command also supports a ‘volatile bit’ that when set means the drive can be powered down and will retain the new settings when rebooted or transferred to another machine.

This facility has been in the ATA specification since ATA4 (the first revision of this specification was in 1996 and it was last revised in 1998). I believe that both HP and IBM have already used this ‘protected area’ as a recovery area for pre-installed software, possibly utilising an application from StorageSoft.

I have verified that Encase, Safeback (irrespective of the access mode used) and the LogiCube Solitaire forensic imaging tools will incorrectly image 16GB in the above example as opposed to the full 80GB. Vogon, I am informed, can correctly image the full 80GB. I have yet to test DD or any other imaging tools.

More information, including a tool to correctly resize the drive, is available here: http://www.sandersonforensics.co.uk/html/bxdr.html

===================================
Paul Sanderson
T. #44 1869 325667
F. #44 1869 369001
M. #44 7808 773856
http://www.sandersonforensics.co.uk
===================================
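The sector-count comparison described in the message above, as an added example (not the author's program or any vendor's code): it decodes an ATA IDENTIFY DEVICE block and compares the advertised size with the value returned by READ NATIVE MAX ADDRESS. The function names are hypothetical, 512-byte sectors are assumed, and the drive data is constructed for the demo rather than captured from hardware.

```python
import struct

HPA_BIT = 1 << 10      # words 82/85: Host Protected Area feature set
LBA48_BIT = 1 << 10    # word 83: 48-bit Address feature set

def reported_sectors(w):
    """Sector count the drive currently advertises in IDENTIFY DEVICE."""
    lba28 = w[60] | (w[61] << 16)
    lba48 = w[100] | (w[101] << 16) | (w[102] << 32) | (w[103] << 48)
    return lba48 if (w[83] & LBA48_BIT and lba48) else lba28

def check_protected_area(identify_raw, native_max_lba):
    """Compare the advertised size with the drive's native size.

    identify_raw   -- 512-byte IDENTIFY DEVICE response
    native_max_lba -- last LBA as returned by READ NATIVE MAX ADDRESS
    """
    if len(identify_raw) != 512:
        raise ValueError("IDENTIFY DEVICE data must be 512 bytes")
    w = struct.unpack("<256H", identify_raw)   # 256 little-endian words
    reported = reported_sectors(w)
    native = native_max_lba + 1                # an address, so count is +1
    return {
        "hpa_supported": bool(w[82] & HPA_BIT),
        "hpa_enabled": bool(w[85] & HPA_BIT),
        "reported_sectors": reported,
        "native_sectors": native,
        # The count comparison is the real test; the flags are context only.
        "hidden_sectors": max(native - reported, 0),
    }

def constructed_identify(sectors):
    """Build a constructed (not captured) IDENTIFY block for the demo."""
    w = [0] * 256
    w[60], w[61] = sectors & 0xFFFF, sectors >> 16
    w[82] |= HPA_BIT
    w[85] |= HPA_BIT
    return struct.pack("<256H", *w)

if __name__ == "__main__":
    # Constructed figures: an 80GB-class drive clipped to report 16GB.
    r = check_protected_area(constructed_identify(31_250_000), 156_301_487)
    print(r)
    print("bytes missing from a naive image:", r["hidden_sectors"] * 512)
```

A non-zero `hidden_sectors` value means an image sized from the advertised count stops short of the end of the disk.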
This archive was generated by hypermail 2b30 : Wed Feb 06 2002 - 06:11:02 PST