Computers often contain data stored on a non-volatile disk, such as a hard disk. When a computer is analyzed, for example in a forensic investigation, the contents of its hard disk may be read and copied for further investigation. To read a hard disk, disk-copying software may rely on partition information specified by a partition table or other structure, such as a master boot record or an equivalent. The master boot record is typically found in the first (or zero) sector of the hard disk.
In most cases it is possible to edit the master boot record to change the partition information. This makes it possible for a malicious change to the partition information to “hide” portions of the disk from read/copy operations that rely on that partition information. In this sense, the hard disk may have “hidden sectors” where data or code may be stored but that may not be accessible to an operating system or to software attempting to read the hard drive.
It would be helpful to provide for methods and systems that, at least in part, address some of these shortcomings.
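As an added illustration (not part of the original text), the following sketch shows how an examiner could compare what a master boot record declares against the full size of the device and list the sector ranges that no partition entry covers. It assumes 512-byte sectors and looks only at the four primary entries; the sample sector and disk size are constructed, and `build_sample_mbr` is a hypothetical helper used only to create that sample.

```python
import struct

SECTOR = 512  # assumed logical sector size

def parse_mbr(sector0: bytes):
    """Return [(type, first_lba, sector_count)] for non-empty primary entries."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):  # four 16-byte entries starting at offset 446
        entry = sector0[446 + 16 * i : 462 + 16 * i]
        ptype = entry[4]
        first_lba, count = struct.unpack_from("<II", entry, 8)
        if ptype != 0 and count != 0:
            parts.append((ptype, first_lba, count))
    return parts

def unmapped_ranges(parts, total_sectors):
    """Return inclusive (first, last) LBA ranges that no entry covers.
    Sector 0 holds the MBR itself and is treated as accounted for."""
    gaps, cursor = [], 1
    for _, first, count in sorted(parts, key=lambda p: p[1]):
        end = min(first, total_sectors)
        if end > cursor:
            gaps.append((cursor, end - 1))
        cursor = max(cursor, first + count)  # max() tolerates overlapping entries
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps

def build_sample_mbr(entries):
    """Hypothetical helper: build a constructed sector 0 from (type, lba, count)."""
    buf = bytearray(SECTOR)
    for i, (ptype, first, count) in enumerate(entries):
        struct.pack_into("<B3sB3sII", buf, 446 + 16 * i,
                         0, b"\0\0\0", ptype, b"\0\0\0", first, count)
    buf[510:512] = b"\x55\xaa"
    return bytes(buf)

# Constructed sample: a 1,000,000-sector device whose table declares two partitions.
TOTAL_SECTORS = 1_000_000
SAMPLE = build_sample_mbr([(0x83, 2048, 409600), (0x07, 411648, 409600)])

if __name__ == "__main__":
    for first, last in unmapped_ranges(parse_mbr(SAMPLE), TOTAL_SECTORS):
        print(f"not covered by any partition entry: LBA {first}-{last} "
              f"({last - first + 1} sectors)")
```

The small range before the first partition is a common alignment gap, but it and any trailing range are still sectors that a partition-by-partition copy would skip, so a copy of the whole device by sector count is the one that captures them.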
Similar reference numerals may have been used in different figures to denote similar components.