SANS Digital Forensics and Incident Response Blog

Free Windows Drive tools

by Craig Wright

In this post I am going to talk about three free tools that are essential for diagnosing problems with failing drives. These are HDDScan, the USBASPI V2.20 MS-DOS Driver and Partition Find and Mount.

HDDScan

HDDScan allows you to scan the surface, view SMART attributes, adjust AAM, APM (Power Management), etc. on a drive that you are working with.

It will also report on SMART-enabled drives. For instance, the report on the SMART-enabled USB drive shows that the enclosure does not have adequate airflow. This has the drive running at 54 Celsius. Way too hot. Many of the drive enclosures that we find for USB hard drives are inadequate for continuous use and seem doomed to premature failure.

This tool is a good addition for those working in a lab that processes damaged drives. It can be used to control drive states as well as to manually spin-down and spin-up the spindle.

It also provides a good deal of information that is useful in writing a forensic report.

It also (with many other features) has a utility to conduct surface tests on the drive.

USBASPI V2.20 MS-DOS Driver

This is a small driver that can be loaded into a DOS boot floppy (and yes there are still times when this may be necessary and yes DOS still exists). This driver allows USB drives to be accessed when a system is booted under MS-DOS. There are a number of commercial drive tools that run from drive images under DOS. These include flashing software and other firmware updates from drive manufacturers.

To load the driver, add the following line to the "config.sys" file on the boot disk:

    device=X:\USBASPI.SYS /w /v

The driver file also has to exist on the boot disk, and the USB drive to be accessed must already be connected at boot, as MS-DOS does not support hot-swapping.

Partition Find and Mount

Partition Find and Mount allows you to recover deleted partitions and mount them. What's unusual in this program is that it also provides the ability to mount lost partitions. This means that you can mount a lost partition into your operating system as if it were good. There is also a commercial version of this called "Find & Mount Pro". The free version is restricted to non-commercial uses, but the license is inexpensive at under $50. The free version is rate limited to 512 KBytes/sec.

This software supports raw "bitmap" images as well as searching drives. For instance, to load your copied raw image (in this case called image.dd) select "open image" as seen in the following screenshot:

Select the file to load (in this case "image.dd").

This is now loaded into the program.

Next, select the "Scan" tab. This will give you the options on how to scan the image. Start with the default, or if you know the partition information already you can select where you will start the scan from.

The software then scans the drive looking for all of the existing partition tables as well as any that are not valid.

When complete, you get the following message:

You can also image a drive by selecting the "Create Image" tab.

When the partition has been found, you can map it and open it in Explorer as a normal drive.

It also reports on mounted drives and those that are on the disk but that are unmounted:

It does not, however, find Mac or *NIX (such as EXT3) partitions. The software is restricted to Windows format types (FAT16, FAT32, NTFS, etc.), which is a limitation in some environments.

All partitions are mounted as "read-only" which makes life a good deal easier.
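The scan step described above can be approximated by checking every sector of a raw image for FAT or NTFS boot-sector signatures. This is an added example, not code from the original post or from Partition Find and Mount, whose internal method the post does not describe; the 512-byte sector size, the function names and the default `image.dd` path are assumptions.

```python
import struct

SECTOR = 512  # assumed sector size of the raw image

def classify_boot_sector(sec):
    """Return (fs_type, total_sectors) if sec looks like a FAT/NTFS boot sector, else None."""
    if len(sec) < SECTOR or sec[510:512] != b"\x55\xaa":
        return None  # no boot-sector signature
    if struct.unpack_from("<H", sec, 11)[0] not in (512, 1024, 2048, 4096):
        return None  # implausible bytes-per-sector field, likely not a boot sector
    if sec[3:11] == b"NTFS    ":
        # NTFS keeps the volume size as a 64-bit sector count at offset 0x28
        return "NTFS", struct.unpack_from("<Q", sec, 0x28)[0]
    # FAT keeps a 16-bit count at offset 19, or a 32-bit count at offset 32 when that is zero
    total = struct.unpack_from("<H", sec, 19)[0] or struct.unpack_from("<I", sec, 32)[0]
    if sec[82:90] == b"FAT32   ":
        return "FAT32", total
    if sec[54:62] == b"FAT16   ":
        return "FAT16", total
    return None

def scan_image(path, start_sector=0):
    """Walk a raw image sector by sector (opened read-only) and list candidate volumes."""
    hits = []
    with open(path, "rb") as img:
        img.seek(start_sector * SECTOR)
        lba = start_sector
        while True:
            sec = img.read(SECTOR)
            if len(sec) < SECTOR:
                break
            found = classify_boot_sector(sec)
            if found:
                hits.append({"lba": lba, "offset": lba * SECTOR,
                             "fs": found[0], "sectors": found[1]})
            lba += 1
    return hits

if __name__ == "__main__":
    import sys
    # "image.dd" is the example image name used in the post
    for hit in scan_image(sys.argv[1] if len(sys.argv) > 1 else "image.dd"):
        print("LBA {lba:>10}  offset {offset:>12}  {fs:<5}  {sectors} sectors".format(**hit))
```

Backup boot sectors (FAT32 usually keeps one at sector 6 of the volume, NTFS in the volume's last sector) also match, so each hit should be reviewed rather than counted as a separate partition.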

Craig Wright is a Director with Information Defense in Australia. He holds both the GSE-Malware and GSE-Compliance certifications from GIAC. He is a perpetual student with numerous postgraduate degrees, including an LLM specializing in international commercial law and ecommerce law, as well as working on his 4th IT-focused Masters degree (Masters in System Development) from Charles Sturt University, where he is helping to launch a Masters degree in digital forensics. He is starting his second doctorate, a PhD on the quantification of information system risk at CSU, in April this year.

1 Comment

Posted February 18, 2009 at 12:15 PM

keydet89

Partition Find & Mount looks pretty cool, but one major limitation is that it does not mount the partition read-only