Re: I'm having an image problem...

From: Adam Daniel (adamdat_private)
Date: Mon Feb 17 2003 - 21:57:46 PST


    There's nothing very sinister about checksums like this.
    
    We get this all the time with drives that have been freshly installed or haven't been
    used much and don't have much data written to them.
    
    If the drive has lots of free space, a defrag may not be needed to create this result.
    
    Most of the time, if a file can be written in a continuous order to the data blocks, 
    then it will be.
    
    FAT only tends to get scary if the drive has been used a lot and defragged, then used 
    more, etc.
    
    FF on a drive tends to be the low-level format marks left by the manufacturer;
    you'll also come across FE or 00 depending on who it is.
    
    
    Adam
    
    
    On Thu, Feb 13, 2003 at 09:40:21PM +0000, James wrote:
    > Hello,
    > I've got a small hard disk (formatted size appears to be 4.0GB) which has been 
    > imaged using a direct copy (Vogon Software).  I took md5 checksums of the 
    > images from the CD and subsequently my working copies and this was my result.
    > 
    > edfb2ada75005b94bcf134042f5e17c7	HARDDISK1.IMG
    > c5c26baffd60cbbee4bc8791073a0d53	HARDDISK2.IMG
    > 3188e0711d34a2f8fa84a2646f6eb4dd	HARDDISK3.IMG
    > 3188e0711d34a2f8fa84a2646f6eb4dd	HARDDISK4.IMG
    > 3188e0711d34a2f8fa84a2646f6eb4dd	HARDDISK5.IMG
    > 3188e0711d34a2f8fa84a2646f6eb4dd	HARDDISK6.IMG
    > 4fd77daee2cea99fd4d6da618f26b20c	HARDDISK7.IMG
    > 
    > These checksums match those obtained from the copies on the hard drives, but 
    > we can see that numbers 3, 4, 5 and 6 are identical. Looking more closely at 
    > these I find that they are basically full of zeros and nothing else. The final 
    > drive in the series (number 7) however does have files. The blank section 
    > extends from about 2/3 of the way through disk 2 to 1/2 way through disk 7. 
    > The disk is formatted with FAT32 which from my understanding would normally 
    > have alternating pages/sectors of 00 and FF not all 00, is this correct?
    > 
    > I was looking for some pointers as to what processes may have taken place to 
    > put the drive in this condition:
    > 
    > [HEADER]
    > [SYSTEM FILES + USER FILES, appears partially defragged, data begins to thin 
    > out as we approach the blank clusters in a fashion suggesting the drive was 
    > defragged about a month before seizure]
    > [LARGE BLANK AREA all bytes set to 00]
    > [SYSTEM FILES]
    > [UNPARTITIONED SPACE]
    > 
    > If the disk had been arranged with system files near the beginning and user 
    > files at the end I would find this more believable. An analysis of the 
    > registry for installed programs shows no third party disk utilities, leaving 
    > only stand alone utilities, software since removed, or events after the disk 
    > was imaged as causes of this effect. However other computers seized along 
    > with this one have various Norton Utilities installed, but none of the other 
    > images contain anything like this.
    > 
    > Any help with the possible drive geometry or the possible cause of this effect 
    > would be much appreciated.
    > 
    > Many thanks in advance
    > 
    > James
    > -- 
    > END
    
    
    Technical Consultant
    -----------------------------------------------------------------------
    FORENSIC DATA SERVICES PTY LIMITED
    http://www.forensicdata.com.au
    ------------------------------------------------------------------------
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
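The check implied by this exchange, as an added example that is not part of the thread: hash each image segment and, at the same time, test whether the segment is one repeated fill byte (00, FF, FE). Identical MD5s over segments that are entirely 00 are then explained by the fill, not by a copying fault. The segment files and their contents below are constructed stand-ins for HARDDISK1.IMG to HARDDISK7.IMG, not the poster's images.

```python
import hashlib

# Constructed stand-ins; real segments would be read from disk in chunks.
SEGMENT_SIZE = 64 * 1024


def segment_summary(data: bytes, chunk_size: int = 4096) -> dict:
    """Return MD5 of one segment plus whether it is a single repeated byte.

    'uniform' with fill 0x00 is never-written or wiped space; 0xFF / 0xFE / 0x00
    can also be what the manufacturer's low-level format left behind.
    """
    h = hashlib.md5()
    fill = data[:1]               # first byte, as a length-1 bytes object
    uniform = bool(data)          # an empty segment is not 'uniform'
    for off in range(0, len(data), chunk_size):
        chunk = data[off:off + chunk_size]
        h.update(chunk)
        if uniform and chunk != fill * len(chunk):
            uniform = False
    return {"md5": h.hexdigest(), "size": len(data),
            "uniform": uniform, "fill": fill[0] if uniform else None}


def explain_duplicates(segments: dict) -> dict:
    """Group segment names that share an MD5; report if that group is pure fill."""
    by_hash = {}
    for name, data in segments.items():
        s = segment_summary(data)
        group = by_hash.setdefault(s["md5"], {"names": [], "uniform": s["uniform"],
                                              "fill": s["fill"]})
        group["names"].append(name)
    return {md5: g for md5, g in by_hash.items() if len(g["names"]) > 1}


def build_sample_segments() -> dict:
    """Constructed seven-segment image mirroring the pattern in the quoted post."""
    data = bytes(range(256)) * (SEGMENT_SIZE // 256)
    zeros = b"\x00" * SEGMENT_SIZE
    third, half = SEGMENT_SIZE // 3, SEGMENT_SIZE // 2
    return {"HARDDISK1.IMG": data,
            "HARDDISK2.IMG": data[:third] + zeros[third:],   # data thins out, then blank
            "HARDDISK3.IMG": zeros, "HARDDISK4.IMG": zeros,
            "HARDDISK5.IMG": zeros, "HARDDISK6.IMG": zeros,
            "HARDDISK7.IMG": zeros[:half] + data[half:]}     # blank, then files again


if __name__ == "__main__":
    for md5, g in explain_duplicates(build_sample_segments()).items():
        print(md5, g["names"], "uniform fill 0x%02X" % g["fill"] if g["uniform"] else "differs")
```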
    



    This archive was generated by hypermail 2b30 : Tue Feb 18 2003 - 04:54:30 PST