Hi, I wondered if anybody has experience working with hidden or even hiding partitions.

We have this drive which appears to have a standard windows xp installation installed. On our test rig the drive reports all the correct info as far as we can tell and shows one single ntfs partition.
Depending which utility we use we get rather strange conflicting info as to partition sizes etc.

Ranish partition manager can not even find the partition and comes up with an error about an overlapping partition. Partition Table doctor will sometimes show this error and also 2 unkown partitions will be shown. I always decline the opportunity to repair these errors.

If the drive is mounted using Ontrack software again we have very confilcting info about the drive size.

The local police officer thinks there are illegal images of children on this drive but up to now we have found nothing out of the ordinary.

The drive is correctly detected by the bios and will boot into windows on a test pc but will not even be seen in the bios on the original laptop, see here: http://forum.hddguru.com/hard-disk-drives-repair-and-data-recovery-f1/can-1-8-zif-hitachi-drive-interface-adapter-damage-a-drive-t8961.html

The owner of this drive/laptop works in IT and might have a high level of knowledge on how operating and filing systems function. We think he might have an encrypted partition hidden from us or might it just be a folder/file?

We know if it is encrypted there is no chance of finding any of the illegal files but at least we could tell the police officers where the data might be located.

Can any Guru explain how to find the tell tell signs in this scenario. Please!

In this situation, I am confused before getting the hdd in my hand.
But it seems to me winhex might help you in this situation.

_________________
__________
There is no substitute for education and experience
THANK YOU
SHAHI
shahi.mahbub@gmail.com

07 is non Hidden NTFS
17 is Hiden NTFS

if you understand this then you know what to do

_________________
Спасибо
СУТИОНО / АПИНГ

Hi, yes I understand fully.

I am not refering to simple hidden partitions here. I'm refering to ways of hiding a partition so one can't easily find it. This might include methods of forcing the drive to not truthfully report its size to the os etc.
The drive owner is experienced with more professional non windows operating systems and would for sure have a devious mind.
It is not likely to be a standard ntfs partition.
Could a parition be invisible until some code is executed?
Could any code then report a false capacity to a windows os leaving free space for some secret area?
This is the kind of thing i'm interested in finding out.
Thanks!

Hi,

if the data is not encrypted images are probably recoverable at least partially without even knowing the filesystem type or structure.
the ways of hiding the data u mentioned are possible, it is only a matter of software. If one intends to do such things and has the required knowledge level of programming, anything can be done...

pepe

_________________
Adatmentés - Data recovery

if you know what you are doing, you can hide info in the G-List and in certain areas of the SA. You could also truncate the size of the drive after storing the data.

Jon

_________________
http://www.datasaversllc.com

Yes I have been considering this as a possibility. I don't think the SA would be used as a storage area as such but maybe as a location to store the executable code. As Pepe has pointed out a programmer with the necessary skills could probably do this.

We have have come to a dead end with this drive. We were asked to help out because the local police are unable to take this to their own forensic experts unless they find a minimal quantity of evidence.

The laptop will have to be returned to the owner. It is likely the owner will probably be compensated as the drive remains unseen in the laptop bios (it was working perfectly before the police officer played with it using his zif adapter). As a test we did swap drives with a second identical laptop and it was proven to be the drive not being seen by the bios in both laptops.

I still don't understand why the drive is seen in any standard desktop pc without any problem.

Thanks to all!