Tuesday, August 17, 2010

Multiple Partitions on a drive

To most users the hard disk is a single partition, the C: drive. When a drive arrives for data recovery, however, it is very common to find three partitions. A typical pattern is
  • FAT16 (hidden)
  • NTFS
  • FAT32 (hidden)

The FAT partitions are hidden (they carry a hidden partition type in the partition table, so Windows does not give them a drive letter) and are there for system recovery, i.e. they hold a copy of the operating system so that the drive can be restored to its factory state. This saves the manufacturer the cost of shipping a boot DVD (about 50 cents) but rests on the assumption that when the disk fails these partitions will somehow survive. Users are instead asked to make their own recovery DVDs.

As far as recovering user data is concerned, the only partition of interest is the large NTFS partition. This is where the holiday photos, wedding photos and MP3 music will be found.

Forensically though, it is possible to store data in these hidden partitions, and suspicions should be raised if they are bigger than expected. In one standard example I have looked at, the FAT16 partition was about 60 MB and the FAT32 about 3 GB; the disk was 250 GB. A significantly larger FAT32, or a hidden NTFS partition, must raise questions, and such partitions need careful investigation for possible hidden files.

On NAS (Network Attached Storage) systems there are often multiple partitions, sometimes more than four. These systems normally run Linux, and most of the partitions are small Ext2/3 system partitions. The final partition is where the data is stored and may be XFS, ReiserFS or Ext2/3. In this configuration one would expect the final partition to be large and the rest fairly small; the warning sign is a second large partition.
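The checks described in the two paragraphs above (hidden partitions should be small, and only one partition should be large) can be applied straight from the partition table. The following Python is an added example, not code from the original post: it decodes the four primary entries of an MBR, classifies each by the standard partition type byte, and flags hidden NTFS, oversized hidden partitions and a second large partition. The 5% and 25% thresholds, the 250 GB disk size and the three sample layouts are constructed for illustration. Extended and GPT protective entries are reported by type but not followed, so a NAS with more than four partitions would need its extended chain or GPT read as well.

```python
import struct

SECTOR = 512
MBR_TABLE_OFFSET = 446      # the four 16-byte primary entries start here
ENTRY_FMT = "<B3xB3xII"     # status, (CHS start skipped), type, (CHS end skipped), LBA start, sectors

# Standard MBR partition type IDs: (filesystem, hidden?). The hidden variants are the
# normal ID plus 0x10; 0x27 is the ID Windows RE uses for its own recovery partition.
PARTITION_TYPES = {
    0x06: ("FAT16", False), 0x0E: ("FAT16", False), 0x0B: ("FAT32", False),
    0x0C: ("FAT32", False), 0x07: ("NTFS", False),
    0x16: ("FAT16", True), 0x1E: ("FAT16", True), 0x1B: ("FAT32", True),
    0x1C: ("FAT32", True), 0x17: ("NTFS", True), 0x27: ("NTFS", True),
    0x82: ("Linux swap", False), 0x83: ("Linux", False), 0xFD: ("Linux RAID", False),
    0x05: ("Extended", False), 0x0F: ("Extended", False), 0xEE: ("GPT protective", False),
}


def parse_mbr(mbr: bytes) -> list:
    """Decode the four primary partition entries of a 512-byte MBR, skipping empty slots."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xAA":
        raise ValueError("not an MBR: short sector or missing 0x55AA signature")
    parts = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(ENTRY_FMT, mbr, MBR_TABLE_OFFSET + i * 16)
        if ptype == 0x00 or sectors == 0:
            continue
        fs, hidden = PARTITION_TYPES.get(ptype, ("unknown 0x%02X" % ptype, False))
        parts.append({"index": i, "type_id": ptype, "fs": fs, "hidden": hidden,
                      "bootable": bool(status & 0x80), "lba_start": lba_start,
                      "sectors": sectors, "size_mb": sectors * SECTOR // (1024 * 1024)})
    return parts


def flag_suspicious(parts, disk_sectors, hidden_max_fraction=0.05, large_fraction=0.25):
    """Apply the post's rules of thumb. Both thresholds are assumptions chosen for
    illustration: a hidden recovery partition should be a few percent of the disk at
    most, and only the data partition should be large."""
    warnings, large = [], []
    for p in parts:
        frac = p["sectors"] / disk_sectors
        if p["hidden"] and p["fs"] == "NTFS":
            warnings.append("partition %d: hidden NTFS (%d MB, type 0x%02X)"
                            % (p["index"], p["size_mb"], p["type_id"]))
        elif p["hidden"] and frac > hidden_max_fraction:
            warnings.append("partition %d: hidden %s is %d MB (%.0f%% of disk), too big for a recovery image"
                            % (p["index"], p["fs"], p["size_mb"], frac * 100))
        if frac > large_fraction:
            large.append(p["index"])
    if len(large) > 1:
        warnings.append("more than one large partition: %s" % large)
    return warnings


def build_mbr(entries):
    """Construct a test MBR from (status, type_id, lba_start, sectors) tuples. Sample data, not a real disk."""
    mbr = bytearray(SECTOR)
    for i, (status, ptype, start, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, mbr, MBR_TABLE_OFFSET + i * 16, status, ptype, start, count)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)


DISK_SECTORS = 250_000_000_000 // SECTOR   # a 250 GB disk, as in the post's example

# Constructed layouts. TYPICAL mirrors the post: 60 MB hidden FAT16, big NTFS, 3 GB hidden FAT32.
TYPICAL_MBR = build_mbr([(0x00, 0x16, 63, 122_880),
                         (0x80, 0x07, 122_943, 482_000_000),
                         (0x00, 0x1B, 482_122_943, 6_144_000)])
# SUSPICIOUS carries a 40 GB hidden FAT32 and a hidden NTFS partition.
SUSPICIOUS_MBR = build_mbr([(0x00, 0x16, 63, 122_880),
                            (0x80, 0x07, 122_943, 380_000_000),
                            (0x00, 0x1B, 380_122_943, 83_886_080),
                            (0x00, 0x17, 464_009_023, 20_000_000)])
# NAS: small Linux system and swap partitions followed by two large data partitions.
NAS_MBR = build_mbr([(0x80, 0x83, 63, 1_000_000),
                     (0x00, 0x82, 1_000_063, 1_000_000),
                     (0x00, 0x83, 2_000_063, 200_000_000),
                     (0x00, 0x83, 202_000_063, 280_000_000)])

if __name__ == "__main__":
    for name, mbr in (("typical", TYPICAL_MBR), ("suspicious", SUSPICIOUS_MBR), ("nas", NAS_MBR)):
        parts = parse_mbr(mbr)
        print(name)
        for p in parts:
            print("  #%d %-10s hidden=%-5s %9d MB" % (p["index"], p["fs"], p["hidden"], p["size_mb"]))
        for w in flag_suspicious(parts, DISK_SECTORS):
            print("  WARNING:", w)
```

To run it against a real drive image, pass its first 512 bytes to parse_mbr and the image size in sectors to flag_suspicious. Two caveats: the type byte is whatever was written into the table, so confirm the filesystem from each partition's own boot sector rather than trusting the ID; and type 0x27 is used legitimately by Windows RE on Windows 7 and later, so a hidden NTFS partition is a prompt to look, not proof that something is being concealed.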
