Hello, I've got a small hard disk (formated size appears to be 4.0GB) which has been imaged using a direct copy (Vogon Software). I took md5 checksums of the images from the CD and subsequently my working copies and this was my result. edfb2ada75005b94bcf134042f5e17c7 HARDDISK1.IMG c5c26baffd60cbbee4bc8791073a0d53 HARDDISK2.IMG 3188e0711d34a2f8fa84a2646f6eb4dd HARDDISK3.IMG 3188e0711d34a2f8fa84a2646f6eb4dd HARDDISK4.IMG 3188e0711d34a2f8fa84a2646f6eb4dd HARDDISK5.IMG 3188e0711d34a2f8fa84a2646f6eb4dd HARDDISK6.IMG 4fd77daee2cea99fd4d6da618f26b20c HARDDISK7.IMG These checksums match those obtained from the copies on the hard drives, but we can see that numbers 3, 4, 5 and 6 are identical. Looking more closely at these I find that they basically full of zeros and nothing else. The final drive in the series (number 7) however does have files. The blank section extends from about 2/3 of the way through disk 2 to 1/2 way through disk 7. The disk is formatted with FAT32 which from my understanding would normally have alternating pages/sectors of 00 and FF not all 00, is this correct? I was looking for some pointers as to what processes may have taken place to put the drive in this condition: [HEADER] [SYSTEM FILES + USER FILES, appears partially defragged, data begins to thin out as we approach the blank clusters in a fashion suggesting the drive was defragged about a month before seizure] [LARGE BLANK AREA all bytes set to 00] [SYSTEM FILES] [UNPARTIONED SPACE] If the disk had been arranged with system files near the beginning and user files at the end I would find this more believable. An analysis of the registry for installed programs shows no third party disk utilities, leaving only stand alone utilities, software since removed, or events after the disk was imaged as causes of this effect. However other computers seized along which this one have various Norton Utilities installed, but none of the other images contain anything like this. Any help with the possible drive geometry or the possible cause of this effect would be much appreciated. Many thanks in advance James -- END "People who are willing to sacrifice essential freedoms for security deserve neither freedom nor security." --Benjamin Franklin ----------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Fri Feb 14 2003 - 06:45:16 PST