Sunday, January 24, 2010

The Data Hustle: forensic tools and deleting a GPT protective partition

The last few days have been spent learning about forensic tools in Linux. I was already familiar with TestDisk and PhotoRec, and I learned to use gddrescue (GNU ddrescue) as well as foremost. My friend's external drive, used for work, was connected to a Mac mini when the IT staff re-imaged the lab. The external drive was recognized as the primary drive and was imaged, and there went all of the data. I tried TestDisk first, but it did not detect any old Windows partitions; all it saw was the current Apple GPT and HFS partition. After that I used PhotoRec to try to recover any files that could be retrieved. PhotoRec recovered quite a bit of data, but no luck with the file we were really looking for, which had an .epg extension. I am not sure whether it wasn't found because the format is not supported by PhotoRec or because it had been written over. I used ddrescue to make an image of the raw data and ran foremost over it to see if I would have any better results. It came up with similar results, no .epg files. PhotoRec did most of the heavy lifting.

Then came the headache. First I partitioned the drive and reformatted it FAT32 with gparted. The formatting seemed to go fine, but when I tried to mount it in Windows 7 and XP, neither would show it as an available drive. In Windows 7, Disk Management did not offer FAT32 as a format option for the drive because of its size. I tried "format D: /FS:FAT32" in cmd; that seemed to be going well until, at about 93 percent finished, I got an error saying the disk was too big. UGH! After some reading, what I found was that Apple uses a GPT protective partition, not MBR, and that XP, fdisk, gparted and Win 7 do not read GPT very well or not at all. Now I knew I needed to rewrite the partition tables. I tried using Disk Management in Windows 7, and that did not work. Then I tried using gparted to do the same, no luck. Neither would delete the GPT partition. I found Paul Gu's blog post on deleting a GPT protective partition. So here is what I did: I fired up my netbook, booted into Win 7, hit Super+R and ran cmd, and once the command prompt was up I did this, from Paul Gu's blog.

Type “diskpart” at the command line.

Type “list disk” at the diskpart prompt to show all disks in this machine.

Use “select” to set the focus to the specified disk, for example “select disk 1”.

Use the “clean” command to remove the GPT layout from the disk currently in focus by zeroing its partition-table sectors.

Here is an example of what the output looks like.

After that I opened up Disk Management again, right-clicked the external drive and selected “Initialize Disk”.
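The four diskpart steps and the Disk Management initialize step above, as an added PowerShell example that is not from the original post or from Paul Gu's blog. It assumes Windows 8 / Server 2012 or later (the Storage module cmdlets it uses are not on the Windows 7 machine in the post), that the external drive is attached over USB, and that the disk number ($DiskNumber = 1) is checked against the listing before running the rest; the checks exist because "clean" wipes whichever disk is in focus, and picking the wrong number destroys data the same way the lab re-image did.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.
# Assumes Windows 8 / Server 2012 or later (Storage module) and a USB-attached GPT drive.

# Equivalent of "list disk": show every disk with the fields needed to pick the right one.
Get-Disk | Format-Table Number, FriendlyName, BusType, PartitionStyle, IsBoot, IsSystem,
    @{Name = 'SizeGB'; Expression = { [math]::Round($_.Size / 1GB, 1) }} -AutoSize

# Equivalent of "select disk N": set this after reading the table above (assumed value).
$DiskNumber = 1
$disk = Get-Disk -Number $DiskNumber

# Guard rails: "clean" zeroes the partition tables of whatever disk is in focus,
# so refuse to touch anything that is not the USB-attached GPT drive we expect.
if ($disk.IsBoot -or $disk.IsSystem) {
    throw "Disk $DiskNumber is the boot/system disk; refusing to clean it."
}
if ($disk.BusType -ne 'USB') {
    throw "Disk $DiskNumber is on bus '$($disk.BusType)', not USB; refusing to clean it."
}
if ($disk.PartitionStyle -ne 'GPT') {
    throw "Disk $DiskNumber is '$($disk.PartitionStyle)', not GPT; nothing to do."
}

# Equivalent of "clean": wipe the protective MBR and GPT headers so the disk reads as RAW.
# -RemoveData is required when partitions hold data; -RemoveOEM also clears OEM-type
# partitions that -RemoveData alone leaves in place; -Confirm prompts once before writing.
Clear-Disk -Number $DiskNumber -RemoveData -RemoveOEM -Confirm:$true

# Equivalent of Disk Management's "Initialize Disk" with an MBR table, which is what
# Windows XP / 7 and gparted expected for the FAT32 partition created afterwards.
Initialize-Disk -Number $DiskNumber -PartitionStyle MBR

# Verify the result: PartitionStyle should now read MBR.
Get-Disk -Number $DiskNumber | Format-List Number, FriendlyName, PartitionStyle, OperationalStatus
```

The partition and FAT32 format are still left to gparted, as in the post, because Windows' own FAT32 formatting (format.exe and Format-Volume alike) refuses volumes larger than 32 GB, which is the "disk too big" error hit above.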

I safely removed the drive and unplugged it. I logged out of Windows 7, booted Ubuntu, started gparted, created a new partition and formatted it FAT32. Everything went fine; then I unmounted and unplugged the drive. The big test came when logging back into Win 7: I plugged the disk in and there it was, mounted as drive D:, formatted FAT32.

I hate to see things break, but it always turns out to be a good way to learn.