[NTLUG:Discuss] Hard drive conundrum - unknown data
Leroy Tennison
leroy_tennison at prodigy.net
Fri Oct 9 23:04:37 CDT 2009
Russ wrote:
> I hope one of you can shed some light on this question as to how I can
> remove data from a hard drive that seems to be neither movable
> nor removable. While this involves Windows and Ubuntu, I wanted to
> ask the men and women of this LUG because I think overall you're much
> more on the ball than those on M$ forums.
>
> I acquired a used hard drive for purposes of using it as the sole
> HD in a dual-boot XP and Ubuntu machine. I was told that the HD had
> been erased and that was OK with me. Still, when I installed the hard
> drive I ran Knoppix and used 'shred' to run 7 passes with a final pass
> writing zeroes. I partitioned the hard drive and loaded XP. In the
> process of the installation of the OS and anti-virus, firewall, etc. I
> decided to do a compress and noticed that there was a large section of
> the hard drive that was apparently blank, even after compression. I
> was concerned that XP hadn't been written properly so I ran Spinrite
> to check the drive for bad blocks, etc. Everything was fine. A
> second compression run which would normally remove blank sections to
> create contiguous files failed to change the location or size of the
> blank area. Then on reboot a screen popped up with two choices: 1)
> Windows XP Professional and 2) "Unidentified operating system on Drive
> C:".
>
> Having lots of time on my hands, I decided to wipe the HD again using
> 'shred' with 3 passes and a final write of zeroes. Then I ran
> Spinrite and noticed that Spinrite was reading zeroes until suddenly
> it got to a portion of the hard drive that displayed random characters
> and then reverted to reading only zeroes for the remainder of the
> scan. I again partitioned the drive and loaded XP. Running the
> compression software showed again an apparently large section of the
> drive which appears to be blank.
>
> Next I ran 'Darik's Boot n Nuke' thinking that 'shred' wasn't doing
> the job. Long story short... There is a section of the HD that has
> apparent random data written to the drive that I can not erase and can
> not cause to be moved. In addition, a logical for Drive D:
> (identified as a diskette drive of which there is none) has been added
> to Drive E which was previously Drive D.
>
> On the positive side, the dual boot is working fine just as one would
> expect with Ubuntu.
>
> This situation concerns me because had I decided to load only Ubuntu I
> likely would not have been aware of the situation. Any thoughts,
> other than trashing the HD? What form might this data have? Might it
> be encrypted making it resistant to erasure? Might it be that
> something in the hardware has been corrupted?
>
> --
> Russ

A few ideas:

Boot to a Linux Live CD and run dd if=/dev/zero of=/dev/hda (or sda or
whatever). Now reinstall the OSes.

Check the manufacturer's site for their hard disk utilities. My first
experience with Linux needed this kind of fix. Linux wouldn't see the
drive at all but Windows 95 still booted fine off of the drive. I
remembered that the hard drive manufacturers were required to do things
to fool Windows 95 into thinking the drive size was only 2GB when it was
actually larger (so it could be installed) and suspected that as a
possibility. I wanted a low level format program but they had pretty
much disappeared with IDE. However, Maxtor (the drive brand) had a
program which "restored the drive to its original condition" so I used
it. Accepting the dire warning about data loss, I let it "do its
thing" and Linux saw the drive afterward. You are looking for this kind
of program.

Getting more exotic (and assuming this is a SATA or PATA drive), look at
these links (I ran across the first Googling for something, don't even
remember what):
http://www.foi.se/upload/rapporter/foi-computer-forensics.pdf
http://www.eevidencelabs.com/article/ATA_Security_Roadblock_to_Computer_Forensics.pdf
Although both deal with low level hardware issues I found the first
interesting simply because it talked about ?ATA features I wasn't aware
were available. It also listed programs which would be helpful in
analyzing hard drives. The second article points out a risk of one of
these features.
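
Added example (not part of the original post and not from either poster): after a dd or shred zero pass, a read-back scan shows exactly where non-zero data survives, which is the region Russ saw in Spinrite. The function names, the constructed sample image, and the 512-byte sector size used for reporting are assumptions; on a real drive, pass the device path as the first argument.

```python
import os
import sys
import tempfile

CHUNK = 1024 * 1024  # scan granularity for real devices: 1 MiB per read
SECTOR = 512         # assumed logical sector size, used only for reporting


def nonzero_extents(path, chunk=CHUNK):
    """Return [(start, end)] byte ranges (end exclusive) of chunks that
    contain at least one non-zero byte; adjacent chunks are merged."""
    extents = []
    zero = bytes(chunk)
    offset = 0
    with open(path, "rb", buffering=0) as dev:
        while True:
            block = dev.read(chunk)
            if not block:
                break
            if block != zero[:len(block)]:
                if extents and extents[-1][1] == offset:
                    # Extend the previous extent instead of starting a new one.
                    extents[-1] = (extents[-1][0], offset + len(block))
                else:
                    extents.append((offset, offset + len(block)))
            offset += len(block)
    return extents


def build_sample_image(chunk=4096):
    """Constructed sample: 3 zero chunks, 2 chunks of a fixed non-zero
    pattern standing in for the 'random characters', then 5 zero chunks."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(bytes(chunk * 3))
        f.write(b"\x5a" * (chunk * 2))
        f.write(bytes(chunk * 5))
    return path


if __name__ == "__main__":
    # With no argument, scan the constructed sample at 4 KiB granularity.
    if len(sys.argv) > 1:
        target, size = sys.argv[1], CHUNK
    else:
        target, size = build_sample_image(), 4096
    for start, end in nonzero_extents(target, size):
        print(f"non-zero: bytes {start}-{end - 1}, "
              f"sectors {start // SECTOR}-{(end - 1) // SECTOR}")
```

Comparing the reported offsets across two wipe passes shows whether the surviving region stays at a fixed location on the drive.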