Hello all,

I have a curious disk here. So far:
Full disk image taken of a single HDD, 160GB Seagate 7200.12, just a few hard to read sectors at the end of the disk. File system is partially corrupt, rebuilds with quite a few orphaned files. When opening a file over a certain size (usually somewhere between 128kb and 256kb) the file would be corrupt. I assumed that perhaps the disk had been in a RAID 0 and the customer had not noticed (Dell Desktop), and I noticed that the final sectors on the disk related to a dynamic disk volume (potential for striping).

However, when I examined the the raw data I found an issue I have not seen before. At non-regular intervals throughout the HDD there are 60 sectors of out of place data written to the HDD. This 60 sectors look as if it is pseudo-encrypted or compressed data.

When I am examined the bitmap and the MFT this could be seen clearly. Attached below is an image of part of the MFT where it turns from a normal entry starting FILE0 to the 'corrupt' data.

I've examined the bitmap & mft as a file, assuming the file starts at offset 0 then the following offsets are where the 60 sector corruption starts:
Bitmap: 374, 586, 853, 1163, 1398, 1636, 2395 etc.
MFT: 582 , 843 , 2283 , 2512 , 2701 , 3616 , 4357 etc.

As you can see there is not a regular interval between the start of the 'corrupt' data in each of these files.

Does anyone have any thoughts on this? Unfortunately I was just sent the single HDD, it was removed by the customer's IT support staff member who examined it first. There is of course the opportunity that he ended up writing new data to the drive, but it seems unlikely given how this out of place data is distributed through the HDD.

All the best,
J

You have to ask for more details from customer instead of guessing what type of setup it was used in.

_________________
www.datarecoveryne.com

Did you check the length of consistency in MFT sequence? Can you read properties of MBR or Boot Sector to identify number of sectors in active partition?

Agreed, I am waiting for the customer's IT support to phone me so I can quiz him on what has been done since removing the disk and the original setup.

When examining the MBR I get only one partition table entry found, as follows:

Notable that it is not active.

However, when I scan the disk to find the offset of the main, and what should be the active partition, and it is found at 160,650 with a size of 312,339,350.

WinHex finds traces of the small partition (78.4MB) but pointing to the end of the disk, despite this existing in the 160,650 sectors before the main partition. Winhex reports the partition table at 312,496,380 (correct data at this sector, and at offset where the first partition ends based on the MBR) and the boot record at 312,496,443.

It looks like this MBR is not quite right!

The partition size (312,339,350) is consistent with 160GB, so i think is not part of striped volume.

Partition '80' usually determines if it is bootable, in this case it could have simply been a secondary data drive.

Or maybe was part of a RAID which has been initialized / formatted as single volume?

What is at #63? Can you post that here?

I agree that you are going to need to get clarification from your customer in relation to what actually happened.

The ID of all the MFT records increases sequentially with each record. On a good volume the increments should be '1' consistently from first record. You should check this to follow the sequence.

Yes the lost partition of 312,339,350 sector appears to be the correct one, and I would expect it has not been part of a stripe volume. Obviously some new data has been written to this drive given the incorrect MBR and this mystery 60 sectors of data I find spread frequently through the drive.

Below is a grab of sector 63 & 64 - not the best looking I've seen There's data like that shown all the way from sector 1 through to sector 3720, then "00" data through to sector 132617. From 132618 it is generally "00" up to the start of the main partition, but with the occasional sections of 60 sectors of "corrupt" data.

When I check the MFT record sequence it seems to be OK. When there is a stripe of 60 corrupt sectors the MFT sequence resumes as it would have done after these 60 sectors (i.e. 30 records later), so it looks as if the MFT is in sequence, but with data overwriting parts of it.

I'm still waiting on the customer's IT support to contact me. I have a feeling that these odd sections of data relate to the human handling of the disk.

Thanks,
J

Stripe have to be power of 2. 60 is not power of 2, so it can not be stripe. And as pointed by hddguy, partition size is consistent with 160GB drive size. I would bet on some malicious behaviour (virus or user).
BTW good way of destroying data - have half of it - try to use it.

Yes exactly what I was thinking, 60 sectors is such an unusual number (i.e. not a power of 2). Well I think I'll leave this one now, thanks for the advice. I'll update the post when I get to speak to their IT support.

All the best,
J

Finally spoke to the company's IT support:
Disk was removed from the computer, which was still booting OK but running slowly (explained by the instance of slow/unreadable sectors), and failed a diagnostic test; software made by EuroSoft (??) was used to test the disk. Two days later the staff member went to try and extract the data, at which point the computer would no longer boot to the operating system or have a partition detected.

Sounds like either the Eurosoft software and/or the IT support staff member have collectively made this one unrecoverable. Oh dear