Hi,
Whilst returning from my holiday, a colleague decided it was necessary to use PC 3000 to repair two bad sectors on the 'suspect' drive. This was completed due to ImageMASSter failing; once the bad sectors were re-allocated, the ImageMASSter completed two successful clones.
Forensically does this mean the original could be inadmissible in court?
If not, does anyone know the workings of PC3000 with respect to write blocking? Is it possible for the Windows platform to write to the suspect disk inadvertently?
I do not know enough about PC3000 to comment fully, and was hoping someone could portray some more helpful information.
Cheers,
ImageMaster shouldn't fail because of two bad sectors?
Also, the use of the word clone doesn't sound like you create forensically sound copies of the data. Normally a 'clone' is of the live file structure only.
Most forensic tools used for imaging won't fail if they encounter a bad sector (i.e. EnCase, FTK, DD); they simply fill the bad sector copy with zeros.
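
Added example, not part of the thread and not the code of any tool named in it: a Python sketch of the zero-fill behaviour described in the post above, where unreadable sectors are replaced with zeros and logged while the image is checksummed. The `read_sector` callable, the 512-byte sector size and the sample disk are assumptions constructed for illustration.

```python
import hashlib
import io
import zlib

SECTOR = 512  # assumed sector size for this sketch


def image_with_zero_fill(read_sector, total_sectors, out):
    """Copy every sector to `out`; zero-fill and record sectors that fail to read.

    read_sector(lba) is a hypothetical callable returning SECTOR bytes or
    raising OSError, standing in for a read made through a write blocker.
    """
    bad, crc, sha = [], 0, hashlib.sha256()
    for lba in range(total_sectors):
        try:
            data = read_sector(lba)
            if len(data) != SECTOR:
                raise OSError("short read")
        except OSError:
            data = bytes(SECTOR)  # zeros keep every later offset aligned
            bad.append(lba)       # the log documents where image and media differ
        out.write(data)
        crc = zlib.crc32(data, crc)
        sha.update(data)
    return {"bad_sectors": bad, "crc32": f"{crc:08x}", "sha256": sha.hexdigest()}


def make_constructed_disk(unreadable):
    """Constructed sample: sector n holds byte n repeated; LBAs in `unreadable` fail."""
    def read_sector(lba):
        if lba in unreadable:
            raise OSError(5, "Input/output error")
        return bytes([lba % 256]) * SECTOR
    return read_sector


if __name__ == "__main__":
    disk = make_constructed_disk(unreadable={3, 9})
    first = image_with_zero_fill(disk, 16, io.BytesIO())
    second = image_with_zero_fill(disk, 16, io.BytesIO())
    print("bad sectors:", first["bad_sectors"])
    print("crc32:", first["crc32"], "sha256:", first["sha256"][:16] + "...")
    print("two passes agree:", first["sha256"] == second["sha256"])
```

Matching checksums across two passes show that the copies agree with each other; the bad-sector list is the record of where the image does not reflect what is on the media.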
The ImageMASSter I used did fail, perhaps it may be temperamental and requires replacement; however, once the work undertaken on PC3000 was complete, ImageMASSter did manage to duplicate the suspect drive twice onto new HDD media.
The CRC32 checksums were returned for both drives and were identical.
My main question is the integrity of the original media, and could PC3000 jeopardise the authenticity and be deemed as inadmissible in court?
Cheers for your input Andy,
icon_serf.
If the data was altered, as I suspect it was, you've got some problems. Not insurmountable, as your partner could testify to what he did, which sectors were involved, etc. He would have to testify that he understood the process and hopefully he did. You would need to do research and verify that any further findings were not the result of pc3000.
I am not familiar with pc3000, but I assume it is some type of disk utility. If the drive were attached to a proper write blocker such utilities would not be able to access the drive. You should get an error of some type. Since you say the drive was "fixed" I assume it was not attached to a write blocker. This will also have other implications if it were installed in a machine that was subsequently booted.
I don't think it's insurmountable, but potentially a lot of explaining.
I read up on pc 3000. Looks like an interesting tool. I could see a forensic use for it, but certainly not on drives with two bad sectors. More like those that couldn't otherwise be accessed. Our evidence won't always be perfect, but we should endeavor to deliver the best evidence under the circumstances.
I would try to address the following big questions:
What does the process touch, besides the bad sectors?
Does it require a drive be attached then booted?
Is the data protected from Windows in any way during this process?
These could all be addressed with sufficient testing. The big thing to explain is that the use of pc 3000 does not randomly sprinkle illegal pornography, for instance, all over the drive.
Are you talking about the ISA or the newer Windows?
pc3000 is a great tool, but for your problem you need to say what HDD you are testing. I mean brand etc.
It is possible to take back the reallocated sectors and to preserve drive information before examining, so even if you do something you can get it back. But that is a large field, and on a forum you can get particular but not general info. I have used pc3k for years and it is a great tool, but it can harm a lot if you do not know how to use it.
Nikola