Data recovery and disk repair questions and discussions related to old-fashioned SATA, SAS, SCSI, IDE, MFM hard drives - any type of storage device that has moving parts

Hiding and hidden partitions

May 13th, 2008, 13:17

Hi, I wondered if anybody has experience working with hidden or even hiding partitions.

We have this drive which appears to have a standard windows xp installation installed. On our test rig the drive reports all the correct info as far as we can tell and shows one single ntfs partition.
Depending which utility we use we get rather strange conflicting info as to partition sizes etc.

Ranish partition manager can not even find the partition and comes up with an error about an overlapping partition. Partition Table doctor will sometimes show this error and also 2 unknown partitions will be shown. I always decline the opportunity to repair these errors.

If the drive is mounted using Ontrack software again we have very conflicting info about the drive size.

The local police officer thinks there are illegal images of children on this drive but up to now we have found nothing out of the ordinary.

The drive is correctly detected by the bios and will boot into windows on a test pc but will not even be seen in the bios on the original laptop, see here: http://forum.hddguru.com/hard-disk-drives-repair-and-data-recovery-f1/can-1-8-zif-hitachi-drive-interface-adapter-damage-a-drive-t8961.html

The owner of this drive/laptop works in IT and might have a high level of knowledge on how operating and filing systems function. We think he might have an encrypted partition hidden from us or might it just be a folder/file?

We know if it is encrypted there is no chance of finding any of the illegal files but at least we could tell the police officers where the data might be located.

Can any Guru explain how to find the telltale signs in this scenario? Please!

Re: Hiding and hidden partitions

May 13th, 2008, 15:07

In this situation, I am confused before getting the hdd in my hand.
But it seems to me winhex might help you in this situation.

Re: Hiding and hidden partitions

May 14th, 2008, 1:41

07 is non Hidden NTFS
17 is Hidden NTFS

if you understand this then you know what to do

Re: Hiding and hidden partitions

May 14th, 2008, 3:31

Hi, yes I understand fully.

I am not referring to simple hidden partitions here. I'm referring to ways of hiding a partition so one can't easily find it. This might include methods of forcing the drive to not truthfully report its size to the os etc.
The drive owner is experienced with more professional non windows operating systems and would for sure have a devious mind.
It is not likely to be a standard ntfs partition.
Could a partition be invisible until some code is executed?
Could any code then report a false capacity to a windows os leaving free space for some secret area?
This is the kind of thing I'm interested in finding out.
Thanks!

Re: Hiding and hidden partitions

May 14th, 2008, 11:04

Hi,

If the data is not encrypted, images are probably recoverable at least partially without even knowing the filesystem type or structure.
The ways of hiding the data you mentioned are possible, it is only a matter of software. If one intends to do such things and has the required knowledge level of programming, anything can be done...

pepe

Re: Hiding and hidden partitions

May 14th, 2008, 13:09

if you know what you are doing, you can hide info in the G-List and in certain areas of the SA. You could also truncate the size of the drive after storing the data.

Jon

Re: Hiding and hidden partitions

May 15th, 2008, 4:49

jono-ats wrote: if you know what you are doing, you can hide info in the G-List and in certain areas of the SA. You could also truncate the size of the drive after storing the data.

Jon
Yes I have been considering this as a possibility. I don't think the SA would be used as a storage area as such but maybe as a location to store the executable code. As Pepe has pointed out a programmer with the necessary skills could probably do this.

We have come to a dead end with this drive. We were asked to help out because the local police are unable to take this to their own forensic experts unless they find a minimal quantity of evidence.

The laptop will have to be returned to the owner. It is likely the owner will probably be compensated as the drive remains unseen in the laptop bios (it was working perfectly before the police officer played with it using his zif adapter). As a test we did swap drives with a second identical laptop and it was proven to be the drive not being seen by the bios in both laptops.

I still don't understand why the drive is seen in any standard desktop pc without any problem.

Thanks to all!
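
The checks the thread circles around (the 07/17 type byte, the "overlapping partition" error, and space the partition table does not account for) can be run directly against the first sector of an image. This is an added example, not part of the original thread: the sample sector is constructed, the `SLACK` tolerance and function names are assumptions, and only the four primary MBR entries are examined.

```python
import struct

SECTOR = 512
SLACK = 2048  # assumed tolerance (sectors) for normal alignment gaps

def build_mbr(entries):
    """Constructed sample sector; entries are (type, start_lba, sector_count)."""
    mbr = bytearray(SECTOR)
    for i, (ptype, start, count) in enumerate(entries):
        mbr[446 + 16 * i + 4] = ptype
        struct.pack_into("<II", mbr, 446 + 16 * i + 8, start, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

def parse_mbr(sector):
    """Return the non-empty primary entries of a 512-byte MBR sector."""
    if len(sector) < SECTOR or sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for slot in range(4):
        off = 446 + 16 * slot
        start, count = struct.unpack_from("<II", sector, off + 8)
        if sector[off + 4] != 0:
            parts.append({"slot": slot, "type": sector[off + 4],
                          "start": start, "end": start + count})
    return parts

def audit(parts, disk_sectors):
    """Flag table anomalies; disk_sectors is the capacity the drive reports."""
    findings, prev_end = [], 1  # LBA 0 holds the MBR itself
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["type"] == 0x17:
            findings.append(f"HIDDEN slot {p['slot']}: type 0x17 (hidden NTFS)")
        if p["end"] > disk_sectors:
            findings.append(f"BEYOND slot {p['slot']}: ends at LBA {p['end']}, drive reports {disk_sectors}")
        if p["start"] < prev_end:
            findings.append(f"OVERLAP slot {p['slot']}: starts at LBA {p['start']}, before {prev_end}")
        elif p["start"] - prev_end > SLACK:
            findings.append(f"GAP {p['start'] - prev_end} unallocated sectors before slot {p['slot']}")
        prev_end = max(prev_end, p["end"])
    if disk_sectors - prev_end > SLACK:
        findings.append(f"TAIL {disk_sectors - prev_end} unallocated sectors after last partition")
    return findings

if __name__ == "__main__":
    sample = build_mbr([(0x07, 63, 1_000_000), (0x17, 900_000, 500_000)])
    for line in audit(parse_mbr(sample), disk_sectors=4_000_000):
        print(line)
```

A `BEYOND` finding means the table describes more sectors than the drive currently reports, which is the pattern to look for when a capacity may have been truncated after partitioning; `GAP` and `TAIL` regions are where a raw sector viewer should be pointed next.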