On 2005-09-19 Bénoni MARTIN wrote:
I'm currently doing auditing a hacked server (Win 2K3 SP 1) and
something odd happends on a partition with dada (D:):
- Under Win 2K3 (after booting with it), the partition is visible and
found as "free space", but no way to create a partition on it (fatal
error occurs during the task).
- Under Win 2K3 (with the recuperation console), the partition is
visible as "D:", but no way either to check the volume with chkdsk,
chkntfs ot any command like that.
- As there ware some free space on the hard disk (another than the D:
partition), I tried to set up a Fedora Core 4 on it, but failed when
tried to install it with Druid: "HDA is not readeable"
Out of curiosity: why are you trying to *write* to that harddisk when
doing a forensic audit?
I did not tried to format the D: partition as I want first to try to
get the data on it to try to understand what happened.
Anyone has an idea of how can I make the partition be readable again
without formatting it (what can I do if booting under another OS, or
is there a useful tool for recovering data on unreadable partition) ?
I have obviously full access to the box, but I am really at a loss for
an idea to access trhe partition :(
Maybe the MBR of that disk is defective. You could try running the
diagnostic utility of the harddisk vendor to verify that. As for
recovering the data: I would create an image of the entire disk and
restore it to a known-good harddisk. Then you could run gpart [1] or
TestDisk [2] and try to recover the partition.
HTH
[1] http://www.stud.uni-hannover.de/user/76201/gpart/
[2] http://www.cgsecurity.org/index.html?testdisk.html
Regards
Ansgar Wiechers
--
"Another option [for defragmentation] is to back up your important files,
erase the hard disk, then reinstall Mac OS X and your backed up files."
--http://docs.info.apple.com/article.html?artnum=25668
